E-voting: US panel changes direction on audit trail

Advisory board passes resolution to draft requirements for independently verifiable voting records

A U.S. government board looking for ways to improve the security of electronic voting machines has taken the first step toward requiring the machines to have independent audit mechanisms, a day after it rejected a different audit proposal.

The Technical Guidelines Development Committee (TGDC), an advisory board to the U.S. Elections Assistance Commission (EAC), on Tuesday unanimously passed a resolution calling on its Security and Transparency Subcommittee to draft requirements for independently verifiable voting records, such as voter-verified paper trail printouts, to be used with direct record electronic (DRE) machines.

The new proposal, offered by TGDC member Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology, calls on the subcommittee to write requirements for the next generation of e-voting machines that make them "software independent" -- to include an audit mechanism independent of the software inside the machines.

Rivest said he was happy the second proposal passed, even though the first failed. "I think it's very important for the safety of voting machines in this country," he said of the TGDC's vote.

The Association for Computing Machinery's Public Policy Committee, critics of e-voting, praised the TGDC's Tuesday vote.

"We have long held the position that there needs to be a means of verification that voters recognize as the vote they cast," the group said in a statement. "The committee ... rightly acknowledges that further research in this field is needed to provide innovative solutions to the e-voting challenges remaining."

Critics of e-voting machines have called for paper-trail audits as a way for voters to ensure their votes are tallied correctly. In a November report, staff at the U.S. National Institute of Standards and Technology advocated that the U.S. government require e-voting machines to include independent audit mechanisms, saying DREs without audit mechanisms "cannot be made secure or highly reliable."

But during the TGDC meeting, H. Stephen Berger, chairman of the voting systems standards committee for the Institute of Electrical and Electronics Engineers (IEEE), questioned how other industries could create software that has few errors, such as software on electronic equipment used on airplanes. The software on a typical DRE is less than a megabyte, and e-voting vendors should be able to find a way to make it secure and error-free without adding paper trail audits, he said during debate Tuesday.

"I have to believe we can verify and put very careful controls on that, so that we can get an accurate and verified record of what the voter does in the booth," Berger said.

But Internet browsers have less code than the typical DRE and still have "tons of problems" with security, said Daniel Schutzer, executive director of the Financial Services Technology Consortium.

"If money were no object, if time were no object," e-voting machine vendors could create software that was free of bugs and could be tested and verified, Schutzer added. "Considering what we're working with ... that's still a pipe dream."

Monday's failed proposal, also offered by Rivest, called on the U.S. government to develop e-voting machine guidelines only for machines that included independent audit capabilities. It would be "unwise" to allow the use of DREs that do not include independent audits, it said.

Tuesday's proposal, which passed unanimously, took a slightly less restrictive approach. It called for future DREs to include audit mechanisms, and it said TGDC should "ensure that systems that produce independently verifiable voting records are reliable and provide adequate support for audits."

But the proposal that passed stopped short of requiring the current generation of e-voting machines to add on audit mechanisms. "Election officials and vendors have appropriately responded to the growing complexity of voting systems by adding more stringent access controls, encryption, testing, and physical security to election procedures and systems," the proposal said.

The new proposal addressed some TGDC concerns about accessibility for disabled people and what to do with existing e-voting machines, Rivest said by phone. "It's not a motion to encourage people to dump their machines in any way," he said.

The Election Assistance Commission will hear a report about the TGDC action at a meeting Thursday, but the new audit standards likely wouldn't go into effect until after 2010.

Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies