 |
| Barbara Simons spoke out against some of the electronic
voting systems established after the 2000 election. Prof. Dan Ortiz
looks on. |
Posted September 23, 2004
Voter Verification of Ballot Needed
to Make Computerized Voting Safe
Unless paper copies of ballot choices are made to allow for recounts,
computerized voting systems are far too vulnerable to software bugs
or tampering to be relied on, according to Dr. Barbara Simons, a computer
science researcher now retired from IBM Research. Simons, a past president
of the Association for Computing Machinery and co-chair of its public
policy committee, spoke on “Electronic Voting Machines: Will
Your Vote Count 0, 1 or Many Times?” Sept. 15 at the invitation
of the Virginia Society of Law and Technology. Professor Dan
Ortiz joined her, surveying the perennial issues in election fraud
to introduce the latest permutation.
To direct her listeners to where the problem lies, Simons quoted Josef
Stalin, who, with an insight so natural to a dictator, said, “Those
who cast votes decide nothing. Those who count votes decide everything.”
With the Florida vote counting debacle of 2000 spurring them on, Congress
passed the Help America Vote Act of 2002, turning to computing for
voting salvation. The Act authorized $3.8 billion to pay for computerized
voting equipment, such as Direct Recording Electronic voting systems
(DREs) or optical scanning systems. The act requires that all punch
card and lever machines be replaced by 2004, or, if a waiver is granted,
by 2006 at the latest. The law authorized the National Institute of
Standards and Technology to set standards for the machines, but so
far “no reasonable ones exist,” Simons said, because Congress
did not allocate money to pay for them.
The fact is that “far too chummy relationships exist between
election officials and vendors,” Simons said. Policymakers often
don’t understand the technical implications of a policy, such
as the risks of creating centralized databases of registered voters
in every state and thus making a single security breech potentially
disastrous, said Simons.
DREs commonly have touch screens, though some have knobs or switches.
Experts warn that programmers are capable of writing computing code
that could falsify votes any number of ways, all while the machine’s
screen duplicitously shows the voter the selections he or she actually
entered. Such “Trojan Horse” techniques for falsely recording
or tallying votes could be very difficult to find or prevent, especially
with the inadequate level of testing done today. Or, as another example,
software could be corrupted by someone programming it to respond to
a pattern of selections, entered by accomplice voters, that causes
the software to execute a cheating plan of phony votes.
Simons said computer security experts who’ve looked at the problem
agree that a permanent record of every ballot cast is essential so
that recounts are possible. In fact, she said, the proper starting
point for designing an electronic voting system would be to figure
out which system makes recounting the easiest and proceed from there.
Simons credited California Secretary of State Kevin Shelley with taking
the right position. Shelley insists that by 2005 all new touch screen
machines in his state produce a voter-verified paper trail and that
machines are “parallel tested” (a check of randomly selected
machines taken out of service on election day to perform a simulated
election in which a final tally is known beforehand). California law
requires manual recounts of 1 percent of the ballots in randomly selected
precincts.
Paper trails would not produce “receipts”—a term
Simons acknowledged but objected to—because those could enable
vote-selling if they could be taken away from the polling place. Rather,
voters would be shown a record of their choices, perhaps behind a glass
panel, and they would confirm them, or cancel and reselect. Once verified,
their votes would be recorded in the machine where they could be consulted
in case of a recount. “The idea is that there needs to be an
unchangeable record that can be verified by the voter,” said
Simons.
DREs would have to be refitted to make this possible, but optical
scan voting systems automatically create voter verified paper ballots,
since the voters mark optically scannable paper ballots that are then
counted by optical scan readers/counters. “Retrofitting DREs
to print paper ballots is not a great solution,” said Simons. “It
would be better, in my opinion, if we could eliminate the DREs and
replace them with better designed systems. Unfortunately, so much money
has been spent on some of these systems that it will be difficult to
get them replaced.”
She described the software in current machines as “very buggy.” It
has been developed and tested in secret and the test results are kept
secret, its vendors saying they are protecting proprietary information. “The
only reason it’s secret is to hide the bugs,” Simons said. “I'd
like to see the software made entirely public.”
Vendors also invoke a “security through obscurity” defense,
she said, claiming that software is more difficult to penetrate if
it’s kept secret. “The best way to plan computer security
is to assume an adversary knows everything and yet you are still secure,” Simons
said. The typical test of security is to attack the software, devise
fixes when ways to compromise it are found, and repeat the hacking,
always assuming that undiscovered openings still remain. "Even
if the machines were well tested, “it still could be difficult
to tell if malicious software is influencing the outcome,” she
said.
“Vendors don’t talk about the storage and delivery issues,” times
when a machine could be vulnerable to tampering, she added.
Meanwhile, DREs have been purchased to handle 30 percent of American
elections. Georgia conducted its 2002 elections with machines purchased
from Diebold, the nation’s largest maker of ATMs. Simons called
the company “a poster child” for DRE security issues. According
to pre-election and exit polling results, incumbent democratic Sen.
Max Cleland was expected to win in 2002, but lost in an upset. Some
Georgians suspect the voting machines were tampered with, Simons said, “but
we don’t know.” The Diebold machines do not create any
paper trail to check.
“It’s not a Democrat vs. Republican issue,” she
said. “Some Republicans feel they’ve been cheated too.”
The problem with Diebold’s system, she said, is that it was “built
on insecurities in the Microsoft Windows system that can’t be
fixed.” Some of those securities were undoubtedly unknown when
Diebold created their software, she explained. “But the Diebold
software is so un-robust that attempts by the State of Maryland to
install recently issued Microsoft security patches made the voting
software crash."
Some election officials are worried that if the problem with electronic
voting gets exposed that people will be discouraged from voting. Simon
says the public is worse off not being told.
Even if electronic voting systems need further refinement to be fully
trustworthy, Simons strongly urged everyone to exercise their right
to vote. “Everyone should vote,” Simons said, “but
I use an absentee ballot.”
• Reported by M. Marshall
|