State: E-voting open to hacking
North County Times (2007-07-27) Chris Bagley
This Page: http://www.copswiki.org/Common/M111
Media Link: http://www.nctimes.com/articles/2007/07/28/news/californian/23_19_227_27_07.txt
More Info: Election Integrity
By: CHRIS BAGLEY - Staff Writer
Voting machines used in Riverside and numerous other California counties are vulnerable to manipulation by politically motivated hackers, according to computer scientists who examined the machines at the behest of the state's chief elections official.
A team of computer scientists hacked into the Edge II touch-screen systems used in Riverside and a dozen other counties, according to a report released Friday. The report laid out eight ways the system could be infected by rogue software capable of changing votes, including seven ways the team said it had successfully tested this summer on the actual Edge II systems manufactured by Sequoia Voting Systems.
The report, produced by two UC Santa Barbara computer scientists, paralleled scientists' reports on other electronic voting systems, which were released Friday by Secretary of State Debra Bowen.
In a conference call with reporters, Bowen said she expected to issue new guidelines for voting machines by the end of next week. Bowen plans to recertify, decertify or require modifications to each voting system after reviewing the security reports, which she said she herself received only Friday. Bowen plans a public hearing Monday to get feedback from county-level elections officials and voting-machine manufacturers.
"These reports are only one piece of the decision-making process on what we should do," Bowen said. "My duty is to determine whether any of the flaws are so great that they cannot be offset" by individual counties' security procedures.
The computer experts conducted the tests over a period of several weeks in conditions that weren't necessarily similar to what most voters and elections workers encounter.
But the scenarios described in the Sequoia report were also plausible. In four of the eight scenarios, an outside hacker infects the computer system with software code that causes individual votes to record incorrectly. Voting the full ballot and examining the printed paper receipts can help voters correct such "mistakes," but when a voter does so, the code can temporarily switch off to avoid detection, according to the report.
Another scenario described a junior elections employee being able to infect an entire Sequoia system with software that would change votes and other election data in large numbers.
A Sequoia official declined to comment, saying that company representatives hadn't observed the testing process or had time to fully digest the report, which they also received Friday. A Riverside County elections official said Bowen had pledged to provide Sequoia and other manufacturers with detailed technical versions of the reports by Monday.
Riverside County supervisors have asserted that the 3,700 Edge II machines used at the polls are secure as used by county elections staff and that any system is open to fraud in the absence of oversight. Several have repeated that assertion since an advisory panel recommended that the county abandon touch-screen systems, which it led California in adopting in 1999 and 2000. Supervisors now plan to decide the issue in September.
Supervisor Jeff Stone, a particularly vocal defender of the Edge II, repeated his previous stance Friday after the reports' release.
"Any system, electronic, paper or manual, is subject to fraud in the appropriate environment," Stone said.
Tom Courbat, a Murrieta resident who has frequently criticized Riverside County's use of the Edge II, said Stone misses the point.
"There are five ways to throw a paper-ballot election and 120 ways to throw an electronic election," Courbat said.
Registrar of Voters Barbara Dunmore echoed Stone's confidence, noting that the reports didn't necessarily describe real-world conditions. No such hacking attempts have been documented in actual elections, either in Riverside County or elsewhere, Dunmore and Stone have frequently noted.
As chief of the Senate Elections Committee in 2005 and 2006, Bowen, a Democrat from Redondo Beach, authored several pieces of legislation intended to make the voting process more secure. She was elected secretary of state in November after promising closer oversight of voting systems.
Soon after taking office in January, she announced her intentions to test the machines extensively, saying they had been certified without sufficient examination.
Federal law requires all states' voting systems to be certified by private-sector testing labs, but Bowen and skeptical citizens groups have argued that the labs are beholden to the manufacturers that fund the process.
Courbat praised the results as independent of the manufacturers' influence, saying they publicly validated conclusions that multiple computer scientists had already reached. He predicted that Bowen would disallow all touch-screen systems next week after reviewing the reports.
"It is encouraging to know that there is a way to prove that these systems are not impenetrable," Courbat said.
The report on the Sequoia system that includes the Edge II terminals is at www.tinyurl.com/2a6oza. Contact staff writer Chris Bagley at (951) 676-4315, Ext. 2615, or firstname.lastname@example.org