Imagine using an ATM that had been roundly condemned by security researchers as extremely vulnerable to serious...
attacks. This particular ATM has never been inspected, and there are lawsuits alleging that the ATM's creators have deliberately designed their machines to steal money from customers. Would you bet your money on such a machine? What about your vote?
Eric Lazarus, election security researcher and president of the consulting firm DecisionSmith, has studied enough e-voting machines to know they offer little security. Lazarus served as principal investigator for "The Machinery of Democracy: Protecting Elections in an Electronic World," a report from the Brennan Center Task Force on Voting System Security at New York University's School of Law. The task force tested the three major e-voting machine systems in use in the United States and found them all to have "significant security and reliability vulnerabilities." Issued in 2006, the report (PDF) has received a good amount of press coverage, but Lazarus says its recommended countermeasures have not been sufficiently executed.
Reports find e-voting machines extremely vulnerable
The e-voting machines examined by the task force were vulnerable to numerous attacks, including Trojan horse and denial of service exploits. These findings are consistent with those of other studies. Researchers at Princeton University scrutinized a widely used e-voting machine, Diebold's AccuVote-TS, and they concluded it was vulnerable "to a number of extremely serious attacks." The Computer Security Group at the University of California at Santa Barbara tested e-voting machines from Sequoia, another popular vendor, and uncovered major vulnerabilities that could be exploited without knowledge of the machine's source code.
While vendors generally maintain that their machines are secure, one has admitted its machines contain a critical error. In August, Diebold, now Premier Election Solutions, acknowledged that its popular e-voting machines have a logic error that causes votes to be lost. The disclosure of the error followed years of denials from Premiere, which has been extensively criticized in the media. Computer security expert Steven Spoonamore, partner at Global Strategic Partners, LLC, said Premiere is concealing other flaws.
"Remember, for years they claimed this flaw was impossible," he said. "[N]ow there is so much overwhelming evidence of multiple problems, they are conceding to one point and claiming that is the only issue."
Generally, software vendors issue bug fixes or patches for known vulnerabilities, but no such system exists for e-voting vendors.
"The massive sorts of problems that people have found in voting technology have not resulted in a massive upgrade to the technology in part, perhaps, because there isn't a process for getting those changes certified in a timely and cost-effective way," said Lazarus. Patches wouldn't necessarily be helpful.
"Just because a team of people found a few flaws and then those few flaws…got fixed that does not mean that a paperless voting machine would be a good thing to base your democracy on," continued Lazarus. There's no reason to believe that the vulnerabilities Lazarus's team found in 2006 have been corrected.
Story continues with "Countermeasures to e-voting security flaws."
Dig Deeper on Software Quality Management