Computer-science researchers from Johns Hopkins University and Rice University are heaping criticism on electronic voting
machines built by Diebold Election Systems, based on software code for the machine said to have been posted publicly to the
Internet by an activist.
Avi Rubin, technical director of the Information Security Institute at John Hopkins, along with computer science doctoral
students Adam Stubblefield and Toshi Kohno, say their research of the code from the Internet shows a voter could find it very
easy to trick the Diebold Election Systems into accepting more than one ballot per voter.
Another researcher, Dan Wallach, assistant professor of computer science at Rice University, echoed the findings, which have
been issued in a technical report, saying the country needs to have extensive independent security evaluation of all electronic
voting machines on the market.
In response, Diebold indicated that the released code was not a current version of the voting machine's software.
"The work we've released is part of a dialog nationally we want to have," said Wallach, who reviewed the findings of the Johns
Hopkins team's two-week security evaluation of the Diebold software code that had been posted to the Internet. "My opinion
is that the code we looked at is deeply unsuitable for an election."
According to the university researchers, the tens of thousands lines of code for the Diebold Elections Systems voting machine
obtained from the Internet had several serious and irremediable flaws.
For one thing, the electronic voting system could be easily exploited by an individual or group intent on tampering with election
results. The researchers pointed to the smart card necessary to use the machine to cast a single ballot. The researchers said
it would be easy to program a counterfeit card, hide it in a pocket and then use it inside the booth to cast multiple votes.
"A 15-year-old computer enthusiast could make these counterfeit cards in a garage and sell them," said Johns Hopkins' Rubin.
Rubin has conducted other research in the area that makes him feel high-tech balloting should not be conducted in haste. "People
are rushing too quickly to computerize our method of voting before we know how to do it securely," he stated.
Rice's Wallach noted that the Diebold system doesn't use encryption to conceal results and prevent tampering. Wallach added
that he has similar concerns about voting machines marketed by Hart-Inter-Civic, but that the firm has rebuffed any overtures
to do a security check on the machines without a nondisclosure agreement that would prevent any publicizing of spotted flaws.
The strained interaction between voting machine manufacturers and academic researchers with security expertise was apparent
in the criticism of the Diebold code.
The Johns Hopkins researchers decided not to notify Diebold in advance of publicizing their evaluation. Instead, the Johns
Hopkins research team deliberately released the findings publicly and discussed it with the media, triggering a response from
Diebold.
Kohno said the research group "made a judgment call" that there was a "duty to notify" the public about the perceived flaws
in the voting machines to hold the manufacturer of them accountable. For his part, Wallach said he had some worries that the
manufacturer might issue a restraining order.
Diebold's official response to the July 23 Johns Hopkins research report was that the company would "reserve judgment on the
researchers' fundamental conclusions," and Diebold noted the researchers themselves acknowledged they could not be wholly
sure the code was actually from Diebold.
However, Diebold did not deny that the software posted to the Internet was not that of the Diebold electronic voting system,
either. The company said, "the software code they evaluated, while sharing similarities to the current code, is outdated and
was never used in an actual election. In addition, similar to any of our software products, Diebold Election Systems constantly
updates its software to meet certification requirements."
In this official statement, Diebold said, "It is also important to note that the clinical research focused almost solely on
software code, and overlooked the total system of software, hardware, services and poll worker training that have made Diebold
electronic voting systems so effective in real-world implementation."
Maryland recently decided to purchase $55 million worth of the Diebold systems, and they are also used in California and Georgia.
Diebold says it has more than 55,000 electronic voting units installed throughout the U.S.
The statement from Diebold said the company found it "unfortunate that the Johns Hopkins researchers did not involve us or
the election community in their analysis, including the Federal Election Commission, which sets standards that all election
processes must follow." The company claims it welcomes the chance to work with Johns Hopkins.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
