Yesterday morning, I was a guest on NPR's Diane Rehm show. The topic of discussion was a recent report by the NYU Brennan Center on the security of electronic voting machines. One of the other guests was Linda Lamone, administrator of elections in my own state of Maryland.
I was struck by something that Lamone said. According to her, one thing wrong with the Brennan report was that it could reduce public confidence in the outcome of the election. She has criticized my studies of electronic voting systems for the same reasons. This is an attitude that I cannot comprehend. Is it really her goal to fool people into having confidence in election machinery that is actually vulnerable to undetectable, widespread fraud?
Not too long ago, a Finnish computer security expert named Harri Hursti published a report that demonstrated extremely serious flaws in the Diebold electronic voting machine. These flaws were so serious that many of us in the security community did not reveal the details to the public because we were worried that someone would actually be able to easily carry out an attack that would compromise the upcoming election. Many states, including Maryland, use machines that are vulnerable to this attack. It turns out that Diebold actually implemented a "feature" that led to the security vulnerability on purpose. What they did was make it trivial for anyone to "upgrade" the voting machine software and operating system by simply inserting a flash memory card with new software on it into the machine. It doesn't take much imagination to see how this could lead to the compromise of an entire precinct with just moments of access to only one of the machines.
I know for a fact that Linda Lamone is aware of this vulnerability. And yet, on national radio, she criticised the Brennan center for producing a study that would have the effect of "lowering the public's confidence in elections." Well, as far as I'm concerned, if Lamone is going to insist on using machines that she knows are flawed, and that have been proven to be vulnerable, then she is the one responsible for "lowering the public's confidence in elections." It is our duty and obligation to inform the public, and if that means that the results of the election come into question, then let's just remember not to blame the messenger. Instead, blame the vendors, blame the election officials who bought them despite seven independent studies that have found security flaws in the machines, and blame the certification process that passed them.