August 5, 2003 By Emily Montandon
HAVA's mandate to replace outdated voting equipment caused a shift toward direct record electronic (DRE) voting machines, such as touchscreen machines, where voters directly cast their votes into electronic memory. Some say there is no way to ensure the voting machines are bug-free or have not been tampered with.
"The nightmare scenario is that the voter votes, confirms the vote, and then the vote is recorded internally in the machine differently than the voter intended," said Stanford computer science Professor David Dill. "I don't think there is any technological basis for somebody to assure us that can't happen."
HAVA required that voting machines produce a paper record of each vote and that each voter be able to confirm their vote before casting it. But HAVA does not specifically require that the voter verify the paper record.
"Right now the voter verified [requirement] is one thing; the paper record might represent something else. So there is an audit gap," said Dill. If votes are changed or lost due to system errors or tampering, a printout at the end of the day will reflect erroneous vote tallies, he explained. "Because of ballot secrecy, once the voter leaves the voting booth, there is no one who can make sure that voter's vote is consistent with what was actually recorded inside the machine. The voter can't do it. Election officials can't do it. The vendor can't even do it."
New legislation -- H.R. 2239, the Voter Confidence and Increased Accessibility Act of 2003 -- would require a voter-verified paper trail. The measure was introduced in the U.S. House of Representatives in May to amend HAVA, but some contend the bill causes more problems than it would solve.
Besides the paper-trail requirement, the bill mandates surprise recounts in 0.5 percent of jurisdictions and a verification system that separates the vote generation function from that of vote casting for those with visual impairments. The measure also would ban wireless technology in voting machines and require source code be made available for inspection by any citizen.
The recent press surrounding Johns Hopkins University and Rice University researchers who claim Diebold Election Systems' code may have fatal security flaws could bring this point to life because it is unclear whether the code examined by researchers was ever used in an election.
If vendors were required to expose their source code, voters wouldn't be left guessing about its quality, but exposing the code without precautions could prove disastrous, said Dill. "The code is probably full of security holes, because the companies are depending on secrecy so heavily."
But security for electronic voting devices shouldn't depend on secrecy of their source code, added Dill, regardless of the legislation. Even if the design is kept secret, he argued, the system should be secure even if the design were exposed.
At least one voting system manufacturer said exposing source code would not trigger security concerns. John Groh, senior vice president of strategic alliances for Election Systems & Software (ES&S), said his firm would make open source code as secure as its current system if the law were to pass.
However, there may be confusion over just how far the bill's source code requirement could stretch, and broadly distributing the source code could be an invitation for problems, according to Groh.
"You do not want that in the election industry," he said. "Where people can take something and modify it. That is exactly where somebody
You may use or reference this story with attribution and a link to