In 2006, a group of computer hackers reprogrammed a Dutch electronic voting machine to play chess. The Dutch government subsequently imposed a moratorium on the use of electronic voting machines. In 2009, the German Federal Constitutional Court ruled the country's electronic voting systems unreliable to the point that their use was deemed unconstitutional. In June, Ireland paid a metal recycling company €70,267 to dismantle and recycle the country's €55 million worth of electronic voting machines.
In the United States, as many as 35% of this year's general election votes will be cast on electronic voting machines that, "in terms of effort required to compromise the systems, are in the same ballpark as the Irish voting machines," according to Dan Wallach, a professor in Rice University's Department of Computer Science and a computer systems security specialist. "The current voting machines were designed with insufficient attention to computer security."
This week, stories appeared in several prominent publications, including The Washington Post and the Atlantic, documenting concern about electronic voting in general, and, in particular, a possible Mitt Romney link to voting machines used in Ohio. In brief, Solamere Capital, a private-equity firm run by Tagg Romney, one of the candidate's sons, invests in HIG Capital, a private-equity firm whose principals include former Romney colleagues and current Romney fundraisers. Last year, HIG made what it terms a "significant" investment in Austin-based voting machine company Hart InterCivic.
Hart machines are used in two counties in Ohio: Williams County, which has 25,000 of the state's eight million registered voters, and Hamilton County, with 565,000 registered voters.
Is there reason for worry?
Tim Burke, chairman of both the Hamilton County Democratic Party and the board of elections, told the Cincinnati Enquirer, "There's absolutely nothing to it. Nothing. I'm very satisfied with the equipment and have total confidence in the machines. Accuracy simply is not a question."
Hamilton County elections board deputy director Sally Krisel told me, "We have not had any problems, and we don't foresee any problems."
Still, there may be reason for concern about the systems in general. In 2007, Ohio convened a team of 23 computer scientists, security specialists and other election equipment experts to review the state's electronic voting systems. According to their report, "Evaluation and Validation of Election-Related Equipment, Standards and Testing" (EVEREST), "The systems uniformly failed to adequately address important threats against election data and processes. Central among these is a failure to adequately defend an election from insiders, to prevent virally infected software from compromising entire precincts and counties, and to ensure cast votes are appropriately protected and accurately counted."
With regard to machines produced by Austin-based Hart InterCivic, EVEREST concluded, "Our evaluation suggests that the Hart system lacks the technical protections necessary to guarantee a trustworthy election under operational conditions."
Among the system's problems, per the report, are these failures:
Failure to protect election from malicious insiders: The protections in the Hart system that are intended to prevent election officials, poll workers, and vendor representatives from using dangerous features or modifying election data are circumventable. Attackers with access to the system can quickly recover critical system passwords, extract cryptographic keys, and reproduce security hardware. These artifacts are the "keys to the kingdom" that can be used to forge election data and compromise nearly all of the Hart election equipment.
Failure to effectively protect election data integrity: Virtually every ballot, vote, election result, and audit log is forgeable or otherwise manipulatable by an attacker with even brief access to the voting systems.
Failure to provide trustworthy auditing: The auditing capabilities of the Hart system are limited. Those features that are provided are vulnerable to a broad range of attacks that can corrupt or erase logs of election activities. This severely limits the ability of election officials to detect and diagnose attacks.
These findings were consistent with other evaluations, such as California's Top-to-Bottom Review. EVEREST uses some 70 single-spaced pages to get into specifics about the Hart system's susceptibilities. (You can read the full report here.)
Why do these systems remain in place?
According to a Hamilton County Board of Elections official statement, "Our equipment has been tested, through recounts and audits, and been proven to be highly accurate." This claim echoes perhaps the majority of election officials' sentiments.
Krisel told me matter-of-factly, "We have no issues with our systems."
Wallach cited costs as well as a lack of appreciably better systems on the market.
What can be done?
Giovanni Vigna, a University of California in Santa Barbara computer scientist and one of the EVEREST principals, told me, "Unfortunately there is no simple answer."
Los Angeles County, so dissatisfied with the current marketplace that it still uses its decades-old "Ink-a-Vote" punch-card system, is actively seeking alternatives and may commission a custom machine. Also, the state of California is experimenting with a variety of new auditing technologies. Still, the consensus among experts is that significant change to the process is a matter of years away.
For the time being, says Jonathan Simon, director of the Election Defense Alliance, "Take the Hart machines out of service; there is a clear conflict of interest." He also suggests "hand counting those jurisdictions, at the very least for the federal races. Then--by extension since none of the electronic equipment...allows the observable vote counting essential to a legitimate election--hand count all jurisdictions. It's not that hard."
Wallach added what he calls The Election Official's Prayer: "Please let this election not be close."