Report: E-voting systems flawed, even with paper records

The most widely used electronic-voting systems all have flaws that can be addressed relatively easily, but few states and counties have actually implemented recommended security measures, researchers concluded Tuesday.

Even the printing of paper records widely seen as a countermeasure to hacking and other attacks on ATM-like touchscreen machines does little good if audits aren't routinely and automatically performed, researchers said.

While California and 11 other states require audits in addition to paper trails, more than half of the 26 states requiring paper records don't do so.

The report, based on interviews with elections officials and analyses of voting systems, came from the Task Force on Voting System Security convened by New York University's Brennan Center for Justice. Task force members were from government, universities, security companies and nonprofit advocacy groups.

For systems that spit out paper records for voters to check before leaving, the task force said audits should be routinely performed to randomly check a machine's tally against that machine's paper trail.

Otherwise, paper records do little to improve security, said Larry Norden, the task force's chairman and Brennan's associate counsel.

Researchers acknowledged that audits won't uncover attacks that change both the electronic and paper records, something possible because many voters don't bother to check the paper trail before leaving the voting booth.

Recommendations for all types of e-voting machines include banning wireless components, which can create openings for attack, and testing randomly selected machines on Election Day as close to actual conditions as possible to uncover malicious software and other problems triggered only that day.

"We're not talking about dramatic restructuring of the architecture," Norden said. "We're talking about straightforward things, most of which could be in place for the 2006 elections."

Ken Fields, a spokesman for e-voting manufacturer Election Systems & Software Inc., said company officials were still reviewing the report. "We certainly take all factual explanations of security issues seriously," he said.

The company also issued a statement saying that it routinely helps officials implement proper procedures for smoother elections.

The machines studied by the task force ATM-like machines and optical-scan systems that ask voters to fill in the blanks will be used by at least four out of five registered voters this year, up from just over half the voters in 2000, according to Election Data Services, a political consulting firm that tracks election equipment.

Task force member Howard Schmidt, President Bush's former cybersecurity adviser, said no computer system can be made 100 percent risk-free, but the recommendations help by "minimizing the risk of something uncontrollable occurring and if something should occur, you would know about it."

Doug Chapin of Electionline.org, a nonpartisan research group that tracks efforts to revamp election systems, said states and counties typically have been focusing on trying to assure Americans that their vote was being recorded. Chapin, who was not involved with the Brennan study, said he expects more election officials to begin considering systematically how they can use the records more broadly, such as through audits.

According to the report, the 14 states requiring paper trails but not audits are Idaho, Maine, Michigan, Missouri, Montana, New Hampshire, New Jersey, Nevada, Ohio, Oregon, South Dakota, Utah, Vermont and Wisconsin. The 12 that require audits are Alaska, California, Colorado, Connecticut, Hawaii, Illinois, Minnesota, New Mexico, New York, North Carolina, Washington and West Virginia.

Rep. Rush Holt, D-N.J., has introduced legislation requiring paper records and random audits for federal elections in at least 2 percent of precincts in each state.

Just a little more fine tuning to do. The way I see it we are one step closer to the day when Democrats can no longer steal elections by creating votes in a few well chosen precincts in the cities.

Reminds me of Florida redux in 2000 when the Dems claimed that W's totals were inflated because they were higher than in '98 when the totals actually reflected the elimination of fraudulent Democrat votes.

The Information Technology Association of America, whose members include voting-machine vendors, denounced the study as one "based on speculation rather than an examination of the record," adding that voting systems have yet to be successfully attacked in a live election.

That statement is enough to convince me that the ITAA is an untrustworthy pack of spin doctors. Such systems have been very successfully attacked in challenge tests, in which the hackers' goal is to break the system and boast about it. There have not been such dramatic breaks in the vendors' own trials (where the vendors' goal is not to have any) or in live elections (where the hackers' goal is to get away with it).

A vendor who actually wants to build a secure system knows what to do-- anyone who has studied security knows: build a system, make its design totally public (but still legally protected) hold public trials with a substantial purse for anyone who can break it, and resist the urge to protect the system with tricky rules, secrecy or other dodges. And if anyone succeeds in breaking it, scrap the whole system and start again from the very beginning with different people, because your whole design process is flawed.

""For systems that spit out paper records for voters to check before leaving, the task force said audits should be routinely performed to randomly check a machine's tally against that machine's paper trail.""

Giving you receipts is a sop to the suckers.

I'm reading reports now from Utah vote today. They seem to say that the paper receipt is verified and deposited like a ballot to provide for recounts. That might be good.

AS a former student of PC programming I don't trust e voting as far as I can throw the machine.

I have the exact same sentiment.

You can not believe how horrified I was to see one of these machines in my precinct. That horror was doubled when I saw there was no obvious printouts, nor any space anywhere that could store such printouts if there were any.

The way I see it we are one step closer to the day when Democrats can no longer steal elections by creating votes in a few well chosen precincts in the cities.

You're way off base. Check the latest MD voting laws. They are a model for Dem states everywhere. There are "motor voter" registrations - no id required. There are e machines with no paper trail. You can vote in any precinct in the state (not just your own) or absentee. The poll workers cannot ask for id. There is early voting in selected precincts (all Dem) for the 5 days before the election.

Sure it's illegal for you, your cat, dog and hamster to vote multiple times, but even if they catch you, there's no way to correct the vote totals.

Naturally, bastions of communist perfidy will be slow to adopt genuine reform, but even they will eventually join the rest of the country in the 21st century.

Have courage, stand tall, turn around and face the future.

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.