E-voting's Rush to Failure

Opinion by Tommy Peterson

JULY 12, 2004 (COMPUTERWORLD) - In the wake of the painful experiences of 2000, the choice of the mechanism used to record and tally votes in this year's presidential election may be almost as controversial as the battle between the candidates. Unfortunately, a hefty portion of state and local jurisdictions have prematurely adopted electronic voting systems.

E-voting in this year's election is a terrible idea because of both real technical limitations and the perception that the systems are unreliable and vulnerable to tampering. That's something of a problem, considering more than 30% of all voting in the election will be done on electronic machines.

This isn't just a public relations issue or one that will go away when citizens get used to the technology. A mounting record of problems with e-voting has tarnished elections in Georgia, California and Texas, among other places, and seems to justify widespread voter skepticism.

Part of the problem arises from the complexity of e-voting systems. The code that makes up these systems is so large that there's no efficient way for election officials to ensure that it's free of malware or to completely debug it, according to testimony Johns Hopkins University professor Avi Rubin gave before the U.S. Election Assistance Commission this spring.

The technology simply isn't ready to be used for the most basic and critical function in any democracy. And even if it were, the processes and protocols needed to monitor even high-performing systems aren't in place, judging by the report from IT security experts assembled by the Brennan Center for Justice at New York University School of Law and the Leadership Conference on Civil Rights. The panel's mandate was to devise a strategy for ensuring the security of touch-screen direct-recording electronic (DRE) voting systems.

The recommendations of the group are all eminently sensible: Train all election workers on security procedures. Develop random testing procedures to detect malicious code or bugs in e-voting software. Create and follow standardized procedures for responding to security threats and incidents. You get the idea. But it's a little alarming that the panel had to make these recommendations to fill an existing procedural gap.

To be fair, the chief recommendation of the panel isn't so obvious, and following it is essential to the success of any e-voting system. According to the report, each jurisdiction that plans to use an e-voting system should hire a well-qualified independent security group to evaluate the system's potential for failure and vulnerability to attack. The outside security team should be free of ties to systems vendors and be given unlimited access to software code and configuration information.

This is precisely the right approach to both harden the defenses of DRE voting systems and put to rest some of the public's basic fears about vote tampering. If an expert outsider can take a hard look at the code on a Diebold voting system, fewer citizens will be worried about, say, whether Diebold Chairman Walden O'Dell's support of President Bush (he's a big fundraiser for Bush's campaign) might have influenced the system's design.

But most jurisdictions haven't put any of the recommendations in place, and it's too late to get it all done by November, as has been pointed out by a chorus of security experts [QuickLink 47931].

The headlong rush to e-voting grew out of demands for reform following the chaos of the 2000 presidential election. The $4 billion allocated by the federal government to enact those reforms got the attention of vendors that were eager to make a big sale. It's time to slow down, even if it means shelving e-voting until 2008.

Setting up a parallel paper trail for voters within an e-voting system, as some have suggested (including Computerworld's Sharon Machlis see QuickLink 47905), is not the answer. That would be cumbersome, threaten the secrecy of the ballot and still leave the system open to tampering. Which is why a federal judge's decision last week to uphold California's decertification of DRE systems until vendors provide voter-verifiable paper audit trails and other security improvements [QuickLink 48022] isn't enough.

In four years, processes could be in place that force transparency on all vendors of e-voting systems. The use of blind-signature encryption protocols could preserve secret balloting while giving voters a means to verify election results. There's not much upside in using e-voting systems for the election that's less than four months away, and the risks are enormous.

If you thought pregnant chads in the 2000 election were bad, wait until you see what a determined hacker could do to the democratic process this fall. That is, of course, if we're lucky enough to detect the attack.