California's decision to restrict e-voting systems creates a quandary.
Debra Bowen doesn't hate electronic voting. In fact, California's secretary of state anticipates a time when she can whip out a BlackBerry or iPhone to cast her ballot if she's out of her home district on Election Day.
"But we're not there yet," Bowen said. And there lies the reason why this August, Bowen placed restrictions on the use of certain e-voting machines that left election officials in many counties scrambling to figure out how to hold California's presidential primary on Feb. 5, 2008.
Last spring, Bowen commissioned a team of experts assembled by the University of California to review many of the voting systems previously certified for use in California. As a result of this two-month assessment, Bowen decertified all the systems and then recertified them for use under certain conditions.
For all of the machines, Bowen's office will require election officials to implement stronger security and post-election auditing procedures. Counties may continue to use direct recording electronic (DRE) systems from Hart InterCivic for general voting, as long as they comply with the stiffer security and auditing requirements. But counties may only use DRE systems from Diebold Election Systems and Sequoia Voting Systems to conduct early voting and provide one machine per polling place for disability access.
The ruling hits hardest in 21 of California's 58 counties that have been using the Diebold or Sequoia DRE system for all Election Day voting, said Stephen Weir, president of the California Association of Clerks and Election Officials (CACEO) and clerk of Contra Costa County.
"The impact on counties is that there's precious little time to put any Plan B into effect," Weir said. Most likely, counties will use their DRE machines to make voting accessible to disabled citizens, he said. However, they'll probably have to revert to using paper ballots for most in-person voting in February.
They can then tally votes in one of two ways: run all ballots through the centrally located optical scanning systems they currently use to count absentee ballots, or buy new scanning systems to count votes at the precinct level.
The Cost of Conversion
The total cost to the 21 counties for converting from DRE to optical scanning will depend on which strategy they choose. If they stick with their centrally located scanners, costs will total about $18 million, Weir said. But adding paper ballots to the absentee ballots the counties already run through their central scanners will slow the counting process, he said. "It's going to take much longer to get a sense of what Election Day looked like for those counties that aren't able to scramble and get a precinct-based system."
Adding lots of new scanners, though, will raise costs considerably. "If you're going to put a precinct-based scanner in all of those 10,000 polling places that are losing their DREs as their main voting, if you train the poll workers and do all the things you have to do, my estimate was about $66 million," Weir said.
Some counties can cover this cost with money they received through California's Voting Modernization Bond Act of 2002, Bowen said. Some still have federal money provided through the Help America Vote Act (HAVA). But a few have depleted both sets of funds. "We'll have to work with the counties, as Florida had to do, and New Mexico, to figure out the best way to handle the financial impact of the problem."
In addition, provisions in their contracts with voting system vendors, which require the vendors to provide certified election equipment, protect some counties, Bowen said. If the technology is decertified, the vendor must replace it with another voting system that the county is allowed to use.
California's liberal vote-by-mail policies also should soften the impact of the decertifications. "Close to half of our voters are now voting by
mail," Bowen said. "Last November , somewhere between two-thirds and three-quarters of California voters cast their ballots on paper, either in an optical scan system at the polling place, or on an absentee ballot which is mailed in, and which, of necessity, has to be on paper."
At the time the counties bought them, the e-voting systems in question were all certified by California and the federal government. Bowen said she took a new look at the systems because state law requires the secretary of state to periodically review voting systems for defects, obsolescence or other factors that might make them unacceptable.
Bowen said her concerns about e-voting stem from ongoing debates -- dating back to the 2000 presidential election -- about the reliability and security of various voting methods. She highlighted numerous incidents where DRE systems left thousands of votes uncounted.
Take the precinct in North Carolina where the voting server was configured to hold up to 3,200 votes, and more than 7,000 people voted there, she said. "That meant 4,000-some people were completely disenfranchised."
Bowen also pointed out documented security flaws in e-voting machines -- for example, the use of identical keys to lock the memory card doors on all systems in a product line. "Researchers at Princeton last fall discovered, using one of the Diebold systems, that a hotel minibar key or an office filing cabinet key would unlock the voting machine. And it's the same key for every piece of equipment," she said.
Some county officials have questioned the process used to evaluate the DRE machines. "The secretary of state, first of all, never contacted election officials. They were not part of the process," said Paul McIntosh, executive director of the California State Association of Counties.
Moreover, McIntosh said, the secretary's office gave the researchers information about the machines and their software that real hackers would need to unearth on their own. And researchers had ample time to work with the machines.
"Somebody said it was tantamount to giving the inmates the key to the jail and putting the correctional officers on break, and then saying the jail is unsafe," McIntosh said.
"When the secretary did her review, she did it under the worst-case scenario model, without any defenses," Weir said. "From most registrars' perspectives, the true test wasn't given." Such a test would consider not only safeguards built into the machines, but also safeguards that election officials put around the machines, he said.
Bowen termed this sort of criticism "naive," given the ingenuity of many hackers. And, she said, researchers didn't always need inside knowledge to violate the systems. "In the Sequoia system, for example, the testers were able to create an exploit that allowed them not only to change the results of an election, but to hide their tracks, without having any access to the source code or any knowledge of the password."
According to one security expert, California's effort to pinpoint security flaws and demand that they are fixed is beside the point. Writing in Wired magazine last August, Bruce Schneier said that while the University of California tests represented a laudable effort, no matter how many security flaws one may patch in an IT system, more will inevitably appear.
"Insecurity is the norm," wrote Schneier. The real solution is security assurance, a series of processes that build security in from the ground up and maintain it throughout the life cycle of the system.
It's true, Weir agreed, the best way to provide security in voting systems is to layer it in. "Believe me, we get that." But HAVA required election officials to provide machines that disabled voters can use and machines that offer "second-chance" voting -- the opportunity to correct an apparent error, such as unintentionally marking two candidates for the same office. Counties had to meet those requirements with technology that was already on the market.
"We'd love second-generation stuff," Weir said. But given the time it takes to develop new systems, get them through the permitting process and bring them to market, better-designed technology probably won't become available until 2014, he said.
For Bowen, the bottom line is that she'll have to certify the results of elections in California in 2008. "When I certify elections," she said, "I want to be able to say to voters, 'I am certain that these are the results of the election that was just conducted in California.'"
Contributing Writer Merrill Douglas is based in upstate New York. She specializes in applications of information technology.