Hanging chad's legacy

Old bugs in new voting technology a worry for states

Monday, November 10, 2003

BY KEVIN COUGHLIN
Star-Ledger Staff

In 1990, before the Web went World Wide, "online" was where people stood at banks.

Technology has come a long way since. But as New Jersey and other states prepare to buy thousands of computerized voting machines for next year's presidential election, experts say one thing hasn't changed. Most of the machines are certified to technical standards set almost 14 years ago.

That means elections could be vulnerable to security breaches nobody anticipated in those ancient times, some computer scientists contend.

It's hard to know for sure, they say, because the federal testing process for these "touch screen" machines is secretive, the agencies that oversee the process are in flux, and machine vendors seldom let the public study their software.

Although the Federal Election Commission d the standards last year, most electronic machines sold over the next year probably will meet only 1990 guidelines, the FEC's Brian Hancock said.

"It's an extremely complicated process," he said.

And it may grow more complex.

Aiming to avoid the Florida punch card mess of 2000, the Help America Vote Act last year earmarked $3.9 billion for new machines and other reforms. The law, known by its acronym HAVA, calls for a technical committee to examine standards and certification of voting machines, with the National Institute of Standards and Technology playing a lead role.

But the institute has not yet received any funds for the task, the agency's Allan Eustis said.

And months of political foot-dragging are being blamed for delaying the start of the new commission charged with overseeing the reforms. Those delays make it highly unlikely the testing system will get revamped by next November, officials said.

Yet Maryland recently opted to pay $56 million for electronic voting machines from Diebold Inc., despite security concerns. New Jersey and Connecticut are among states pondering similar purchases using HAVA money.

"The government is dispensing money for new machines before resolving standards issues," said Douglas Jones, a computer scientist from the University of Iowa.

The industry insists touch-screen machines which cost upward of $3,500 apiece and offer multiple languages and audio for the blind are superior to other voting methods.

Just because some machines conform to 1990 standards, "It doesn't mean they are bad," said R. Doug Lewis of the National Association of State Election Directors.

"What you're talking about is a major shift in the way American elections are conducted," Lewis said of HAVA. "As a result, there is some messiness to it."

Until last month, Lewis' association assisted the Federal Election Commission by overseeing three independent labs that test voting software and hardware for reliability and accuracy.

Representatives of Wyle Laboratories and CIBER Inc. of Huntsville, Ala., and SysTest Labs LLC of Denver, Colo., declined to be interviewed, citing proprietary issues.

Federal oversight now sits with the Election Assistance Commission, a body stuck in neutral for months for political reasons. All four commissioners including former New Jersey Secretary of State DeForest Soaries await Senate confirmation any day.

Lewis said the labs have started testing machines under the 2002 standards. But, he said, these more stringent standards apply only to new vendors, or to recently upgraded portions of previously qualified systems.

Computer expert Rebecca Mercuri blasted the 2002 standards as "hopelessly vague" and said they exempt most commercial software.

Facing next year's elections with machines rated for 1990 is "like buying a Chevy truck with 1990 emission equipment," said Mercuri, a Harvard fellow from Lawrenceville.

Adding to the confusion is the fact that elections are local matters; federal standards are largely voluntary but states can't ignore them if they want federal funding.

Mercuri said vendors use nondisclosure agreements to thwart scrutiny of their software. In Palm Beach County, Fla., home of the hanging chad, a losing council candidate from Boca Raton was puzzled by poor results in his home district last year. He sued to test Sequoia electronic voting machines. But a judge said no; the tests might reveal trade secrets, recounted Mercuri, a consultant in the case.

"You've got a secret machine," said Mercuri, "and you can't get access to it even after an election to see if it's working right."

William Kingman of Sequoia Voting Systems said only a massive conspiracy could compromise the company's machines. "You could do that with paper ballots now," he said.

Americans trust proprietary software to run jetliners; voting machine software should be no different, said Harris Miller, president of the Information Technology Association of America.

While ironclad security is impossible, Lewis said, "you can make it highly improbable for anyone ... to get away with" electronic ballot tampering.

Still, he defended existing standards.

"The security is as good as we can make it at this point," Lewis said. "We may not have understood everything, but we're working to understand it. Just because somebody has jumped in and cried foul doesn't mean there is a foul."