E-Voting Security Ignored

Does anybody care if those nifty electronic voting machines actually work as promised? Are reliable? Tamper-proof? Apparently not. Last week the US Government Accountability Office issued a report on "Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to Be Completed." Among its findings, according to the press release from the House Committee on Government Reform:

Voting System Vulnerabilities Identified by GAO:

• Cast ballots, ballot definition files, memory cards, and audit logs could be modified.

• Supervisor functions were protected with weak or easily guessed passwords, and memory cards that allowed individuals access to voting machines were inadequately protected.

• Systems had easily picked locks and power switches that were exposed and unprotected.

• Voting machine vendors had weak security practices, including the failure to conduct background checks on programmers and system developers, and the failure to establish clear chain of custody procedures for handling software.

The list goes on to note real failures in real elections:

• In California, a county presented voters with an incorrect electronic ballot, meaning they could not vote in certain races.

• In Pennsylvania, a county made a ballot error on an electronic voting system that resulted in the county’s undervote percentage reaching 80% in some precincts.

• In North Carolina, electronic voting machines continued to accept votes after their memories were full, causing over 4,000 votes to be lost.

• In Florida, a county reported that touch screens took up to an hour to activate and had to be activated sequentially, resulting in long delays.

Outside of a few computer trade journals and voting-rights blogs, the report has gone almost entirely unnoticed. ComputerWorld quoted the report:

Until these efforts are completed, there is a risk that many state and local jurisdictions will rely on voting systems that were not developed, acquired, tested, operated or managed in accordance with rigorous security and reliability standards -- potentially affecting the reliability of future elections and voter confidence in the accuracy of the vote count.

As far as the consumer press, the ANG Newspapers group in and around Silicon Valley seems to provide the only coverage, reporting that "fixing [the] problems could be years away."

Congress never granted a full appropriation to the [Election Assistance Commission] or to the National Institute for Standards and Technology, which was to provide technical help. As a result, the new standards for security, performance and accuracy of voting systems have been three years in the making and may not be applied to actual voting systems until 2007. New labs to test voting systems to the standards won't be approved until then, and meanwhile the existing laboratories may continue testing voting systems to older standards until June 2008.

That's nice to know, isn't it?