More Calls to Vet Voting Machines
***We need to get HR 2239 out of committee and out to a vote: TO REQUIRE AUDITABLE PAPER TRAILS. No other activism we do will count if the elections are not free, fair, and verifiable!!!***
A recent report that showed touch-screen voting machines could be vulnerable to hackers spurred the National Association of Secretaries of State, a majority of whose members are in charge of their states' elections, to consider whether the standards for the machines should be beefed up to prevent tampering.
Voting machine standards weren't on the agenda at the association's annual meeting, held in late July in Portland, Maine. But after the study by Johns Hopkins University researchers was publicly released, the group discussed asking the National Institute of Standards and Technology, or NIST, the government's standards-setting organization, to prepare a white paper on security standards for the new generation of computerized voting machines.
No decision was made, said Kay Albowicz, a representative for the Washington, D.C., group. NIST, a nonregulatory agency based in Gaithersburg, Maryland, works with industry to develop and apply technology, measurements and standards.
Computer scientists have raised concerns about the security of computerized voting machines for the past few years, but they haven't been able to gather much support from election officials, who remain confident that the systems are basically secure from tampering and breakdowns. The Johns Hopkins study is the first piece of evidence that current touch-screen technology could be seriously flawed.
While stressing that more studies will have to be conducted to find out just how vulnerable these machines are, "there is a sense that in the past (critics of computerized machines) were part of the black box crowd and conspiracy theorists," Albowicz said. "No one is saying that now."
Aviel Rubin, technical director of the Johns Hopkins Information Security Institute, led a team of three computer scientists to examine source code for touch-screen voting machines made by Diebold. More than 40,000 Diebold voting machines are in use in 37 states. Most use touch-screen technology, while the rest use optical-scanning equipment, said Mike Jacobsen, a company spokesman.
The code was downloaded earlier this year from a company FTP site. The site isn't public, but it's also not secure. Diebold's field representatives used the site to fix the company's voting machines. Diebold has since pulled the source code off the Internet. The company's employees now carry discs.
Jacobsen confirmed that the source code Rubin's team examined was last used in November 2002 general elections in Georgia, Maryland and in counties in California and Kansas.
Within a half-hour of examining the code, Rubin's team found its first red flag. The password was embedded in the source code. "You learn (not to do) that in security 101," said Tadayoshi Kohno, one of the report's co-authors. "The designers didn't follow standard engineering processes."
Other "stunning flaws" Rubin said the team found in Diebold's source code included voter smart cards that could be manipulated to cast more than one vote, software that could be reconfigured by malicious company workers or election officials to alter voters' ballot choices without their knowledge and machines that could be electronically broken into through remote access.
"The people who wrote this code didn't have very good security training," Rubin said. "They didn't use encryption."
Some computer scientists say the deadline set by the Help America Vote Act (HAVA) should be extended to give the government more time to establish better standards for new computerized voting machines. Rebecca Mercuri, a research fellow at Harvard University's John F. Kennedy School of Government and president of Notable Software, a consulting firm in Lawrenceville, New Jersey, says that in the absence of new standards, the Institute of Electrical and Electronics Engineers, of which she is a member, has formed a committee to create standards for the machines. One of the committee's concerns is a voter-verified audit trail.
Rep. Rush Holt (D-N.J.) introduced a bill, H.R. 2239, in May to amend HAVA to require computerized voting machines to provide voter-verified audit trails. So far, his bill has 26 sponsors and it's unlikely to get out of the Committee on House Administration.
"As the computer scientists at Johns Hopkins recently reported, these new machines are vulnerable to massive fraud," Holt said in a statement. "Unless Congress acts to pass legislation that would make sure that all computer voting machines have a paper record that voters can verify when they cast their ballots, voters and election officials will have no way of knowing whether the computers are counting votes properly."