Activists fear e-voting security glitches

[R.A. Hettinga]

<http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1020783,00.html>

TechTarget

Activists fear e-voting security glitches
 By Bill Brenner, News Writer
 01 Nov 2004 | SearchSecurity.com

It's a recurring nightmare for many political activists and IT experts:
electronic voting machines around the country suffer security breaches on
Election Day, affecting the outcome of a bitterly-contested White House
race and other key battles.

 "I'm extremely concerned, especially in states like Florida," said Reed
Hundt, a Democrat who chaired the Federal Communications Commission during
the Clinton Administration. "Republican governors control most of the
battleground states and they haven't done a thing to make these systems
transparent and trustworthy. Democrats will have to turn out in record
numbers to be counted. I worry about a vote-counting catastrophe."

 State and federal efforts to replace paper and punch-card voting systems
with electronic machines gained steam after Florida's 2000 election
debacle. In October 2002 Congress passed the Help America Vote Act,
mandating that every voting district modernize its election systems by 2006
and allocating $3.9 billion for that purpose.


Many states invested the money in electronic voting machines. A study by
Washington D.C.-based Election Data Services estimates more than 48 million
registered voters will cast ballots on electronic equipment Nov. 2,
compared to 53 million who will use optical scan systems and 22 million who
will still use punch cards. About the same number of voters will use lever
machines, while only about a million will use paper ballots, the study
estimated.

 But concerns abound in many states. There are fears people will be able to
use security holes to vote multiple times, that a power failure could wipe
out votes and that no paper trail will exist for backup.

 Interviews with political activists and security experts and an extensive
review of media coverage over the last several months suggests most of the
concern is among Democrats, Green Party members and civil liberty groups.
Democrats worry e-voting security glitches could tip an extremely close
election in President George W. Bush's favor. If Republicans fear problems
could tip the election to Sen. John F. Kerry, they're not talking about it.
President Bush has expressed faith in the nation's e-voting equipment, and
Republican governors like Jeb Bush in Florida believe the machines will
work fine on Election Day.

 Maryland reflects national debate
 Recent events in Maryland reflect what has happened across the country. A
group called TrueVoteMD tried unsuccessfully to stop e-voting and is now
fighting in court to send designated poll watchers to voting stations. The
state has adopted an independent firm's recommendations to boost security
and Republican Gov. Robert Ehrlich believes the machines are ready. Critics
remain skeptical.

 Pam Woodside, chief information officer for Maryland's independent State
Board of Elections, said the state began experimenting with e-voting in
Baltimore City in 1998 using Sequoia Voting System machines. After the 2000
election problems, then-Gov. Parris Glendenning commissioned a panel of
experts to review the best voting technology for the state.

 Texas-based Diebold Election Systems was eventually chosen to provide the
machines. Shortly after the contract was signed, Woodside said the trouble
began.

 First came a report co-authored by Avi Rubin, computer science professor
and technical director of Johns Hopkins University's Information Security
Institute. The report cited several security problems with e-voting
machines that could allow voters to cast unlimited votes without being
detected and without insider privileges. Other problems mentioned included
incorrect use of cryptography and poor software development.

 Woodside said many of the report's conclusions were off base. "It assumed
source code was on the Internet. That was incorrect. It assumed you could
attach a keyboard to the unit. That's not true. It assumed you could vote
multiple times and that's not true either," she said.

 'The most secure' system around
 After the media pounced on the report, Ehrlich ordered a risk assessment.
The state hired Columbia, Md.-based RABA Technologies to do the work, and
its final report said the machines failed to meet 66 of its 328 standards.
Woodside said the state immediately addressed the problems and believes the
machines are now ironclad.

 "One of the items we addressed right away was to get the vendor to change
the software so we could create unique pins for voting units in each
county," she said. "We now use security keys that are dynamically
allocated. We also demanded more secure encryption from the vendor."

 The RABA report also recommended the state use locks and tamper tape to
protect areas housing the server and memory card that will accumulate and
store the votes. "We've done that, put antivirus software on servers,
activated logs and applied applicable Microsoft patches," Woodside said.
"We now have the most secure e-voting system around."

 Lingering worries
 Linda Schade, a member of TrueVoteMD and the Green Party, begs to differ.
While the group failed to block e-voting in Maryland, it is now fighting in
court for the right to send monitors into polling precincts around the
state.

 "The use of paperless electronic voting in Maryland has been marred by
serious problems," Schade said. "It is clear these machines need to be
watched closely. We now know that in the last election, people received
incomplete ballots missing candidates, machines failed to boot, technicians
without identification worked on machines making undocumented alterations.
The State Board of Elections told the media and the public that the
machines worked flawlessly, but since then local boards of elections have
reported widespread problems."

 Rubin also remains fearful security glitches could skew ballot counts and
disenfranchise voters. After spending the day as an election judge in
Baltimore County during the primary, he gained a new appreciation for poll
workers, saying they worked diligently all day to ensure machines worked
properly and everyone's vote was counted. But last week he said most states
that will use e-voting Nov. 2 without a paper trail are "in over their
heads."

 "I am more worried about the fact that the voting machines have the
potential to be rigged than I am that they were actually rigged," said
Rubin. "There's no way to know, and that's not healthy. The worst thing is
that there could be a security breach, and we'd have no way of knowing it."

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'