Continued from "E-voting machines still vulnerable in 2008"
The Brennan Center Task Force report, though it may seem bleak initially, suggests countermeasures that substantially
"From a security point of view, if you screw up one piece of it you missed the benefit of all of it," Lazarus said.
That means paper records must be used and subjected to automatic, routine audits that compare paper results to those of the computers. The audit process must be transparent and truly random -- a chief elections officer picking random numbers isn't secure if the chief elections officer is the attacker, Lazarus pointed out. An excellent chain of custody is essential; one misstep may compromise the whole process. In addition, machines with wireless components should be banned, as they cannot be secured.
The lack of a paper trail greatly increases the risk for fraud or mistakes, Lazarus said. While the Brennan report recommends parallel testing to reduce this risk, such a measure should never be a substitute to a paper trail audit.
"The best you can do with paperless touch screen is…really still not sufficient," said Lazarus.
What slot machines can teach us about e-voting security
Election officials are very knowledgeable, but most do not have technological backgrounds that can aid in e-voting security.
"They don't need to become geeks," said Lazarus, but they should consult computer security experts.
The "think like the attacker" approach advocated by software security professionals has not caught on in the world of electronic voting. "Thinking about hypotheticals is what we need to do," Lazarus said.
Officials who oversee gambling machine security certainly prepare for the hypothetical.
"We treat the machines that are used in casinos in Nevada about a hundred times more seriously than we do election machines," Lazarus said. "In Nevada each individual machine is torn apart and inspected and rebuilt at least once a year."
Yet in the world of e-voting, inspections are limited to prototypes, said Lazarus. "The machine that you voted on was never, ever inspected."
Adopting the "anti-revolving-door" policy followed by Nevada inspectors is another safety option for election officials, Lazarus said. Nevada has safeguards in place to prevent former vendor employees from inspecting their own machines. Nothing, however, prevents a former sales representative from for an e-voting vendor from becoming an election official. A registrar in California and a county elections official in Texas previously worked in the sales departments of e-voting vendors.
Doubts about Diebold
E-voting machines from many vendors, including Premier, Sequoia, Election Systems & Software, Hart InterCivic, and UniLect have been found by the Brennan Center and other researchers to have significant vulnerabilities. Premier, however, has received the most flak. Lazarus warned that "people voting on other technologies should not be more confident," but the fraud allegations against Premier are unique.
Spoonamore, who is serving as an expert witness in the voting lawsuit King Lincoln Bronzeville Neighborhood Association v. Blackwell has asserted many times that Premiere's machines are deliberately designed for tampering.
"I design systems for a living," he said. "When you design a purpose-built system, you make decisions about what should be in it for that purpose. You do not put things in, unless you need them used."
One of the Premier machine features that concerns Spoonamore is its inclusion of negative numbers.
"The Diebold machines can take negative or positive numbers from at least -99,999 to +99,999," he said.
Spoonamore said cannot think of a legal reason for a voting machine to have this capability. "But if you need to steal votes of flip votes, the machine has to be able to process negative numbers," he explained.
Routine testing of Premiere's machines, such as that conducted by a poll worker at the beginning of an election, would ensure only that the total number of votes is zero, Spoonamore said.
"That means, given this design, you can preload a machine with -100 votes for candidate Ms. Jones and +100 votes for candidate Mr. Smith," he said.
In this case, an election worker would simply see the total number of votes at zero. "But the actual vote tally is already 200 votes in favor of Mr. Smith. So let's say 400 people use the machine that day. They actually vote: Ms. Smith 212, Mr. Jones 180, Other 8. The machine will actually output Ms. Smith 111, Mr. Jones 280, Other 8. And the original hack of loading the negative starter field has been erased in the process," Spoonamore continued.
In a 2006 interview, Spoonamore criticized Premiere (then Diebold) for refusing to allow anyone outside of its organization to conduct an audit on its e-voting machines' source code. Such reviews, Spoonamore insisted, are standard for ATMs and other sensitive machines.
Unfortunately for Diebold, it experienced two source code leaks, one in 2003 and one in 2006. Following both leaks, researchers were quick to dissect -- and condemn -- the source code. Security experts at Johns Hopkins University issued a damning report (PDF) on the 2003 source code, which concluded that Diebold's "voting system is far below even the most minimal security standards applicable in other contexts." A review of the 2006 leaked code (PDF) by security researchers at the University of California, Berkeley found the older flaws uncorrected and uncovered new ones.
E-voting in 2008
With flawed machines and inadequate security processes, what can voters expect when they cast their ballots in 2008? "I think it's going to be a huge mess," said Spoonamore. He encouraged voters to vote on paper and "refuse to use the machines."
The Brennan Center, along with Common Cause and the Verified Voting Foundation, released a 24-point "Balance Accounting Checklist" for election workers.
Lazarus has a more optimistic view of the 2008 elections. He is pushing for people to go to the polls despite e-voting risks. "One of the best forms of voter security is big voter turnout," he said.
That's because there are simply more legitimate votes. "Even if a few votes are stolen here and there, they can still get the right number overall," Lazarus said.