When I appeared before the U.S. House Science Committee at their May 22, 2001 Hearing on "Improving Voting Technology: The Role of Standards," among my statements was the following:
"To date, no electronic voting system has been certified to even the lowest level of the U.S. government or international computer security standards (such as the ISO Common Criteria or its predecessor, TCSEC/ITSEC), nor has any been required to comply with such. No voting system vendor has voluntarily complied with these standards (although voluntary compliance occurs within other industries, such as health care and banking), despite the fact that most have been made aware of their existence and utility in secure product development."
Over 5 years later, the above statement remains true. Electronic voting systems are less secure and less reliable than any computer-based systems that are deployed in applications where auditability is mandated by law. This is so, at least in part, because of certain loopholes in the Federal Voluntary Voting System Guidelines (VVSG) that first appeared in the Federal Election Commission (FEC) document set, and were perpetuated into the FEC 2002 and EAC/HAVA 2005 sets, despite vigorous and increasing protest by the scientific and engineering community.
Certainly, Direct Recording Electronic (DRE) voting machines do not have to produce VVPATs on long, thin strips of thermal paper. The VVPAT could take the form of a Voter Verified Paper Ballot (VVPB), such as the optically scanned ballots used by 60% of U.S. counties and an increasing number of "absentee" voters. The AutoMark is one such product that allows a full range of disability access in the private preparation of an optically scanned paper ballot that is essentially the same as those prepared manually by voters who do not require computer assistance. The Vote-PAD is a mechanical system that also allows disabled voters to privately prepare an optically scannable VVPB.
Another area of great concern involves the security vulnerabilities of computer equipment used in ballot preparation and vote tabulation. Here again, the federal agencies responsible for creating voting system guidelines have continued to perpetuate a loophole that poses a serious risk, that of the blanket exemption from inspection for Commercial-Off-The-Shelf (COTS) software and hardware. As I, and colleagues Vince Lipsio and Beth Feehan, wrote in an article to appear in the November 2006 Communications of the Association for Computing Machinery:
"This loophole is anathema to security or integrity. In other critical computer-based devices (e.g., medical electronics or aviation) COTS components may be unit tested a single time for use in multiple products, with COTS software typically integration tested and its source code required for review to ensure that it is indeed unmodified. In contrast, for voting equipment, this blanket inspection exemption persists, despite having strenuously been protested by numerous scientists, especially in the construction of guidelines authorized by the Help America Vote Act (HAVA). Nevertheless, special interests have prevailed in perpetuating this serious backdoor in the advisory documents used for the nation's voting system testing and certification programs."
Another massive security loophole that is allowed by the EAC/HAVA voting system guidelines involves the use of telecommunications devices to provide access to critical data for voter authentication, ballot definition, vote transmission, vote count, and voter lists. Although Dr. Felten has demonstrated that computer viruses can be transferred to voting equipment even when network connectivity is not present, the EAC showed an astonishing lack of discretion when it authorized that voting systems could be connected "across a broad range of technologies, including, but not limited to: wireless, microwave, public telecommunications lines, and communications routers." I informed the EAC on September 30, 2005 that "all such channels are not only highly vulnerable but provide avenues for insider as well as extensive outsider exposure to the election data and also potential access to the object code versions of the software running within the balloting and vote tabulation equipment. There is absolutely nothing in the standard that provides any real confidence or confirmation that accuracy, durability, reliability, availability, and integrity can be maintained for voting systems interfaced to telecommunications environments." This is especially true where there is no means provided whereby voters and election officials can independently verify the correctness of electronically recorded ballots and their subsequent vote totals. Regardless, the EAC has deemed that this serious connectivity risk may persist.
As flawed as the 2005 EAC standards are, they are still an improvement over the earlier FEC ones that ignored making any implementation recommendations regarding VVPATs. Since the EAC standards were also issued late, absolutely none of the $3B in HAVA funds will have been spent on "HAVA certified" equipment. Instead, these purchases were made for 2002 and even 1990 certified systems, some of which also fail to adequately satisfy the HAVA disability requirements. As early as 2003, I was publicly calling for a moratorium on all DRE purchases for these reasons. Although the EAC granted an extension for submission of the HAVA state plans, and could have (with the cooperation of Congress) similarly authorized an extension for the equipment purchases until the HAVA voting products were certified and available, this was not done. As Chairman Vernon Ehlers correctly noted in his closing remarks to this panel, and as I have also often said, it is unfortunate that the "cart was placed before the horse" in not requiring that adequate standards were fully in place before the funds were allocated. The result is that the vendors have received a cash bonanza to, in effect, move their "used cars off of the lot," so to speak. Some years down the road, when the new equipment models arrive, no HAVA funds will be left to be spent on them. Nor will any Federal funds be available to compensate communities for replacement of the malfunctioning and inadequate equipment that has, unfortunately and unwisely, been purchased under the HAVA program.
The EAC needs to immediately close the aforementioned loopholes that exist in the voting system guidelines. This can best occur if the voices of scientists (such as myself) who have made extensive contributions to the understanding and deployment of verified voting technologies, and members of the disability community who are not opposed to VVPATs, can be heard. The current exclusionary practices in these official discussion forums, especially those that display vendor influence and bias, must cease.
It is not too late to provide all citizens of the United States with the ability to independently verify that the ballots they cast in the 2008 Presidential election have been recorded as they intended. And it is not too late to provide all election officials with voting systems that enable efficient and proper audits of election results without the use of computers. Presently, this is only possible with paper. For now (November 2006 through 2008's election cycles), the only appropriate recommendation that can be made is to allow communities that had obtained the DRE systems to instead provide their paper-based "absentee" ballots for use by all voters, throughout the precincts. In the future, voting system vendors should be encouraged to augment such paper-based systems with additional security controls that improve the detection of ballot alteration or removal attempts. America need not fear that a return to paper-based voting will cause us to be looked upon as Luddites; rather, it should focus its attention on providing the best election technology in the world. The current crop of DRE voting machines simply does not fit the bill and should be withdrawn from use.