mail," Bowen said. "Last November , somewhere between two-thirds and three-quarters of California voters cast their ballots on paper, either in an optical scan system at the polling place, or on an absentee ballot which is mailed in, and which, of necessity, has to be on paper."
At the time the counties bought them, the e-voting systems in question were all certified by California and the federal government. Bowen said she took a new look at the systems because state law requires the secretary of state to periodically review voting systems for defects, obsolescence or other factors that might make them unacceptable.
Bowen said her concerns about e-voting stem from ongoing debates -- dating back to the 2000 presidential election -- about the reliability and security of various voting methods. She highlighted numerous incidents where DRE systems left thousands of votes uncounted.
Take the precinct in North Carolina where the voting server was configured to hold up to 3,200 votes, and more than 7,000 people voted there, she said. "That meant 4,000-some people were completely disenfranchised."
Bowen also pointed out documented security flaws in e-voting machines -- for example, the use of identical keys to lock the memory card doors on all systems in a product line. "Researchers at Princeton last fall discovered, using one of the Diebold systems, that a hotel minibar key or an office filing cabinet key would unlock the voting machine. And it's the same key for every piece of equipment," she said.
Some county officials have questioned the process used to evaluate the DRE machines. "The secretary of state, first of all, never contacted election officials. They were not part of the process," said Paul McIntosh, executive director of the California State Association of Counties.
Moreover, McIntosh said, the secretary's office gave the researchers information about the machines and their software that real hackers would need to unearth on their own. And researchers had ample time to work with the machines.
"Somebody said it was tantamount to giving the inmates the key to the jail and putting the correctional officers on break, and then saying the jail is unsafe," McIntosh said.
"When the secretary did her review, she did it under the worst-case scenario model, without any defenses," Weir said. "From most registrars' perspectives, the true test wasn't given." Such a test would consider not only safeguards built into the machines, but also safeguards that election officials put around the machines, he said.
Bowen termed this sort of criticism "naive," given the ingenuity of many hackers. And, she said, researchers didn't always need inside knowledge to violate the systems. "In the Sequoia system, for example, the testers were able to create an exploit that allowed them not only to change the results of an election, but to hide their tracks, without having any access to the source code or any knowledge of the password."
According to one security expert, California's effort to pinpoint security flaws and demand that they are fixed is beside the point. Writing in Wired magazine last August, Bruce Schneier said that while the University of California tests represented a laudable effort, no matter how many security flaws one may patch in an IT system, more will inevitably appear.
"Insecurity is the norm," wrote Schneier. The real solution is security assurance, a series of processes that build security in from the ground up and maintain it throughout the life cycle of the system.
It's true, Weir agreed, the best way to provide security in voting systems is to layer it in. "Believe me, we get that." But HAVA required election officials to provide machines that disabled voters can use and machines that offer "second-chance" voting -- the opportunity to correct an apparent error, such as unintentionally marking two candidates for the same office. Counties had to meet those requirements with technology that was already on the market.
"We'd love second-generation stuff," Weir said. But given the time it takes to develop new systems, get them through the permitting process and bring them to market, better-designed technology probably won't become available until 2014, he said.
For Bowen, the bottom line is that she'll have to certify the results of elections in California in 2008. "When I certify elections," she said, "I want to be able to say to voters, 'I am certain that these are the results of the election that was just conducted in California.'"
Contributing Writer Merrill Douglas is based in upstate New York. She specializes in applications of information technology.