Expert testimony on quality of current voting machines
[edit] Dr. Professor Avi Rubin
Testimony of Dr. Aviel D. Rubin to U.S. Federal Election Assistance Commission, on Electronic Voting Systems, May 2004:
(Witness credentials: Professor of Computer Science, Technical Director of the Information Security Institute at Johns Hopkins University, served on SERVE security peer review group for Dept. of Defense, member of National Committee on Voting Integrity, Secure Systems Research Department at AT&T (cryptography, computer and internet security) [66], 2004 election judge in local county)
There is no way for voters to verify that their votes were recorded correctly.
There is no way to publicly count the votes.
In the case of a controversial election, meaningful recounts are impossible.
With respect to the Diebold Accuvote TS and TSx, we found gross design and programming errors, as outlined in our attached report. The current certification process resulted in these machines being approved for use and being used in elections.
We do not know if the machines from other vendors are as bad as the Diebold ones because they have not made their systems available for analysis.
"On the spectrum of terrible to very good, we are sitting at terrible. Not only have the vendors not implemented security safeguards that are possible, they have not even correctly implemented the ones that are easy. If I had more time I would debunk the myth of the security of the so-called triple redundancy in the Diebold machines. I would explain the limitations of logic and accuracy testing in an adversarial setting, I would explain how easy it would be for a malicious programmer to rig the election with today's DREs [voting machines], and I would describe the seriousness of the security flaws that we and others have found in the Diebold machines. These are all things that I could have done and would have been happy to do, before anybody started purchasing and using these DREs. But nobody asked."
"Since our study came out, three other major studies ... all cited serious security vulnerabilities in DREs. RABA, which is closely allied with the National Security Agency, called for a "pervasive rewrite" of Diebold's code. Yet, the vendors, and many election officials ... continue to insist that the machines are perfectly secure. I cannot fathom the basis for their claims. I do not know of a single computer security expert who would testify that these machines are secure. I personally know dozens of computer security experts who would testify that they are not." (Source: [67])
[edit] Dr. Professor Rebecca Mercuri
Dr. Rebecca Mercuri (Assistant Professor of Computer Science, Bryn Mawr College, referred to by some as "the leading independent expert on electronic voting technology") reports that:
"No electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards such as the ISO Common Criteria, nor are they required to comply with such standards. Thus, no current electronic voting system is secure by the U.S. government's own standards.".
"...any programmer can write code that displays one thing on a screen, records something else, and prints yet another result." There is "no known way" to ensure that this is not happening inside of a voting system.
Summary [68] Dr Mercuri topical website [69]
[edit] Hopkins, SAIC and RABA (from Concerned individuals vs.Maryland State Board of Elections) (litigation)
Maryland evaluated touch-screen voting machines from Diebold. Litigation has since commenced by Maryland citizens against the state for ignoring unanimous concerns from all three studies they commissioned. (Source: court papers filed):
"After ... evaluating the maturity of this new technology, the Procurement Review Committee instead declined to endorse any of the vendors because of security and reliability concerns ... "
The Governor and the Maryland General Assembly then ordered multiple independent assessments of the Diebold electronic voting system to confirm this. Both confirmed the seriousness of the security vulnerabilities. The [SAIC] Report "... found 328 security weakness ... 26 of which were deemed critical, and as a result concluded that the Maryland elections were at 'high risk of compromise' " The RABA Report, a further independent reassessment of both Hopkins and SAIC, "confirmed the results of the earlier studies and ... [also] questioned whether Diebold had the technical expertise to accomplish this task. "
Vulnerabilities found by Hopkins:
Voters can easily program their own smartcards to simulate the behavior of valid smartcards used in the election. With such homebrew cards, a voter can cast multiple ballots without leaving any trace. A voter can also perform actions that normally require administrative privileges, including viewing partial results and terminating the election early. Similar undesirable modifications could be made by malevolent poll workers (or janitorial staff) with access to the voting terminals before the start of an election.
The protocols used when the voting terminals communicate with their home base, both to fetch election configuration information and to report final election results, do not use cryptographic techniques to authenticate either end of the connection nor do they check the integrity of the data in transit. Given that these voting terminals could potentially communicate over insecure phone lines or even wireless Internet connections, even unsophisticated attackers can perform untraceable 'man-in-the-middle' attacks.
There is no evidence of any change-control process that might restrict a developer's ability to insert arbitrary patches to the code. Absent such processes, a malevolent developer could easily make changes to the code that would create vulnerabilities to be later exploited on Election Day.