Electronic-voting security scrutinized at symposium

Concerns raised as presidential election looms

While many of the systems have redundant components, so that votes are recorded in multiple places, that is only used to protect against "obvious things like power failures," according to Douglas Jones, an associate professor of computer science at the University of Iowa in Iowa City who has been a voting machine examiner for that state since 1994. In his conference presentation, Jones added that there is a window of opportunity, albeit of just a few milliseconds, when there is no independent data path, and he pointed out that it is possible to build a system where two redundant mechanisms independently record the voter's action.

Those who are concerned with the security of DREs are calling for audit trails with the systems that allow a voter to verify that a vote has been properly recorded by the machine. How to implement those audit trails is a subject of controversy: A vocal group is demanding voter-verifiable paper audit trails, and recently succeeded in convincing the California secretary of state to mandate that approach. But many election officials seem strongly opposed to introducing that requirement, arguing that adding printers to systems will increase not only costs but the likelihood of mechanical failures as printers break down, jam or run out of paper. Colorado Secretary of State Donnetta Davidson also warned attendees that in recounts when the paper doesn't match the machine tally there will be no way to know which total to trust and "we'll end up in court."

The symposium did see some agreement on the issue of conformance testing to the new specifications that are to be set by the EAC: there appeared to be a consensus that developing the tests is going to be an enormous undertaking. NIST invited Patrick Curran, manager of Java conformance testing at Sun Microsystems Inc., to provide his perspective on the issue. Curran called the current voting systems standard a "broad and ambiguous specification" and observed that "You guys have got a big job ahead of you." He did caution that with regard to security, "don't plug holes in the hardware and software specification by defining processes that humans must implement."

Questioned by attendee Hans von Spakovsky of the U.S. Department of Justice's Civil Rights Division about whether it's a good idea that commercial off-the-shelf (COTS) components of election systems are currently exempt from conformance testing, conference speakers appeared to agree that the exemption is troubling. But the feasibility of such testing is a problem.

"Philosophically we do agree that COTS should not be exempted. But do you have access to the source code?" said Herb Deutsch, who chairs the IEEE committee on voting equipment standards and is employed by Election Systems & Software Inc., a DRE vendor. "If it's a Microsoft operating system, what do you do?"

That gulf between the theoretical and practical is characteristic of the electronic-voting controversy, as computer scientists maintain that no software can be made provably secure and must therefore include audit trails, while election officials need to run elections that go smoothly and where there are no doubts about the outcome. No one wants a repeat of Florida in the 2000 election, the nightmare scenario that HAVA was intended to avert.

Some election officials even charge that the computer security specialists who have joined the voting systems debate are needlessly undermining the confidence of voters. However, according to Iowa's Jones, the opposite is true.