Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues
CRS Report for Congress

Senior Specialist in Science and Technology
Domestic Social Policy Division
Congressional Research Service, The Library of Congress
In July 2003, computer scientists from Johns Hopkins and Rice Universities released a security analysis of software purportedly from a direct recording electronic (DRE) touchscreen voting machine of a major voting-system vendor. The study drew public attention to a long-simmering controversy about whether current DREs are vulnerable to tampering that could influence the outcome of an election.

Many innovations that have become familiar features of modern elections, such as the secret ballot and mechanical lever voting machines, originated at least in part as a way to reduce election fraud and abuse. Computer-assisted counting of ballots, first used in the 1960s, can be done very rapidly and makes some kinds of tampering more difficult. However, it does not eliminate the potential for fraud, and it has created new possibilities for tampering through manipulation of the counting software and hardware. DREs, introduced in the 1970s, are the first voting systems to be completely computerized. Touchscreen DREs are arguably the most versatile and user-friendly of any current voting system. Their use is expected to increase substantially under provisions of the Help America Vote Act of 2002 (HAVA, P.L. 107-252), especially the requirement that, beginning in 2006, each polling place used in a federal election have at least one voting machine that is fully accessible for persons with disabilities.

With DREs, unlike document-ballot systems, the voter sees only a representation of the ballot; votes are registered electronically. Some computer security experts believe that this and other features of DREs make them more vulnerable to tampering than other kinds of voting systems, especially through the use of malicious computer code. While there are some differences of opinion among experts about the extent and seriousness of those security concerns, there appears to be an emerging consensus that in general, current DREs do not adhere sufficiently to currently accepted security principles for computer systems, especially given the central importance of voting systems to the functioning of democratic government. Others caution, however, that there are no demonstrated cases of computer tampering in public elections, and any major changes that might be made to improve security could have unanticipated negative effects of their own. Several proposals have been made to improve the security of DREs and other computer-assisted voting systems. They include (1) ensuring that accepted security protocols are followed appropriately, (2) improving security standards and certification of voting systems, (3) use of open-source computer code, and (4) improvements in verifiability and transparency.

Much of the current debate has focused on which such proposals should be implemented and through what means — in particular, whether federal involvement is necessary. Some states are already addressing these issues. The Election Assistance Commission established by HAVA will have some responsibilities relating to voting system security and could address this controversy directly. Some observers have also proposed federal funding for research and development in this area, while others have proposed legislative solutions including enhancement of the audit requirements under HAVA.
Background and History of the Issue .......... 2
  Australian Secret Ballot .......... 2
  Mechanical Lever Machine .......... 3
  Computer-Assisted Counting (Punchcard and Optical Scan) .......... 3
  DREs and HAVA .......... 4
  Security Concerns about DREs .......... 5
Analysis of the Problem .......... 10
  Kinds of Attacks and Attackers .......... 10
  An Evolving Threat Environment .......... 11
  Technical Vulnerabilities .......... 12
  Social Vulnerabilities .......... 15
  Elements of Defense .......... 18
  Response and Recovery .......... 20
Proposals for Resolving the Issue .......... 22
  Use Current Procedures .......... 22
  Improve Security Standards and Certification of Voting Systems .......... 23
  Improve Verifiability and Transparency .......... 27
    Modular Voting Architecture .......... 29
Options That Might Be Considered .......... 32
Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues

In July 2003, computer scientists from Johns Hopkins and Rice Universities released a security analysis of software purportedly from an electronic voting machine (commonly called direct recording electronic, or DRE, systems) of a major voting-system vendor.[1] The Hopkins study drew public attention to a long-simmering controversy about whether current DREs are vulnerable to tampering that could influence the outcome of an election. A significant factor contributing to this increased attention is the Help America Vote Act of 2002 (HAVA, P.L. 107-252), which substantially increases the federal role in election administration, including federal funding of and requirements for voting systems. Although HAVA retains the predominant role that state and local jurisdictions have traditionally had in the administration of elections, the Act's requirements are expected to result in increased use of DREs, and some observers have therefore called for congressional action to address the DRE controversy. To understand this controversy requires an examination of several questions about voting-system security:

• Do DREs exhibit genuine security vulnerabilities? If so, could those vulnerabilities be exploited to influence an election?
• To what extent do current election administration procedures and other security measures protect against threats to and vulnerabilities
• Do those threats and vulnerabilities apply to computer-assisted voting systems other than DREs?
• What are the options for addressing any threats and vulnerabilities that do exist, and what are the relative strengths and weaknesses of the different options?

To address those questions, this report begins with a description of the historical and policy context of the controversy. That is followed by an analysis of the issues in the broader context of computer security. The next section discusses several proposals that have been made for addressing those issues, and the last section discusses options for action that might be considered by policymakers. The report does not discuss Internet voting, which is not likely to be used in the near future for federal elections in other than minor ways, largely because of security concerns.[2]

The administration of elections is a complex task, and there are many factors involved in choosing and using a voting system in addition to security. They include factors such as reliability, propensity for voter error, usability, and cost. This report does not discuss those factors, but election administrators must consider them in decisions about what systems to use and how to implement them. Also, security is an issue for other aspects of election administration, such as voter registration, which are beyond the scope of this report.

[1] Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin, and Dan S. Wallach, "Analysis of an Electronic Voting System," Johns Hopkins Information Security Institute Technical Report TR-2003-19, July 23, 2003, [http://avirubin.com/vote/] (called the Hopkins study).
Background and History of the Issue

Many innovations that have become familiar features of modern elections originated at least in part as a way to reduce election fraud such as tampering with ballots to change the vote count for a candidate or party. For example, in much of nineteenth century America, a voter typically would pick up a paper ballot preprinted with the names of candidates for one party and simply drop the form into the ballot box. There was no need to actively choose individual candidates.[3] This ticket or prox ballot was subject to fraud in at least two ways. First, the number and sequence of ballots printed was not controlled, so it could be difficult to determine if a ballot box had been stuffed with extra ballots or if ballots had been substituted after votes were cast. Second, an observer could determine which party a voter had chosen by watching what ballot the voter picked up and deposited in the ballot box — votes could therefore be bought or coerced with comparative ease.

Australian Secret Ballot. After a series of scandals involving vote-buying in the 1880s, calls for reform led to widespread adoption of the Australian or mark-choice ballot.[4] Such ballots list the names of all candidates, and the voter marks the ballot to choose among them. The ballots are commonly printed with unique, consecutive serial numbers, facilitating ballot control and thereby helping to prevent ballot stuffing and substitution. All printed ballots are otherwise identical, and voters typically fill them out in the privacy of a voting booth. This ballot secrecy makes it difficult for anyone else to know with certainty what choices a voter has made. While providing improved security, the Australian secret ballot did not eliminate tampering. Ballots could still be removed, spoiled, or altered by corrupt pollworkers, or even substituted or stuffed, although with greater difficulty than with prox ballots. It also did not eliminate the possibility of vote-buying or coercion, but it made them more difficult.[5]

[2] In 2000, Internet voting was offered in pilot projects during primaries in Arizona and Alaska. A small pilot program for military and overseas voters was run for the general election by the Federal Voting Assistance Project (FVAP) under the Department of Defense. FVAP is expected to repeat the effort for the 2004 federal election. While the program used the Internet to transmit ballots to local jurisdictions in a secure fashion, the ballots were then printed and counted in the same way as other absentee ballots. See Kevin Coleman, Internet Voting, CRS Report RS20639, 23 September 2003.
[3] To choose a different candidate than the one printed on the ballot required crossing out the candidate's name and writing in another. Some party operatives developed ballots that made it difficult to perform write-ins — for example, by printing the names in very small type and cramming them together on a narrow strip of paper (See Richard Reinhardt, "Tapeworm Tickets and Shoulder Strikers," American West 3 (1966): 34-41, 85-88).
[4] S.J. Ackerman, "The Vote that Failed," Smithsonian Magazine, November 1998, 36, 38.
Mechanical Lever Machine. One way to eliminate some means of ballot tampering is to eliminate document ballots. That became possible with the introduction of the lever voting machine in 1892. With this system, a voter enters the voting booth and sees a posted ballot with a small lever near the name of each candidate or other ballot choice. The voter chooses a candidate by moving the appropriate lever. Mechanical interlocks prevent voters from choosing more candidates than permitted for an office (such as two candidates for President). After completing all choices, the voter pulls a large lever to cast the ballot, and the votes are recorded by advances in mechanical counters in the machine. The lever machine therefore eliminates the need to count ballots manually. Instead, pollworkers read the numbers recorded by the counters. Because there is no document ballot, recounts and audits are limited to review of totals recorded by each machine. Of course, tampering is also possible with lever machines. For example, the mechanisms could be adjusted so that the counter does not always advance when a particular candidate is chosen.

Computer-Assisted Counting (Punchcard and Optical Scan). Another major technological advance in voting — the first use of computers to count votes — came with the introduction of the punchcard system, first used in 1964. The optical-scan voting system, which also uses computers for vote-counting, was first used in the 1980s. In both kinds of voting system, document ballots are fed into an electronic reader and the tallies stored in computer memory and media. Tallying can be done at either the precinct or a central location. Computer-assisted counting of document ballots can be done very rapidly, thus speeding the reporting of election results. It is much more efficient for counting large numbers of ballots than manual tallying. It makes some kinds of tampering more difficult than with manual counting, but it does not eliminate them, and it creates possibilities for tampering with the counting software and hardware.

Electronic Voting Machine. DREs (direct recording electronic systems) are the first completely computerized voting systems. They were introduced in the 1970s. DREs are somewhat analogous to (although more sophisticated than) lever machines. The voter chooses candidates from a posted ballot. Depending on the equipment used, the ballot may be printed and posted on the DRE, as it is with a lever machine, or it may be displayed on a computer screen. Voters make their choices by pushing buttons, touching the screen, or using other devices. The voter submits the choices made before leaving the booth, for example by pushing a "vote" button, and the votes are then recorded electronically.

[5] Some observers have expressed concern that use of absentee ballots and other kinds of remote voting, such as via the Internet, compromise ballot secrecy and therefore increase the risk of vote buying and coercion. They are concerned about the impacts that the growing use of absentee voting in the United States might have on election fraud and abuse. Others, in contrast, believe that the risks are small and greatly outweighed by the benefits. For a general discussion of the benefits and disadvantages of different kinds of voting systems, see Eric Fischer, Voting Technologies in the United States: Overview and Issues for Congress, CRS Report RL30773, 21 March 2001.
There is considerable variability in the design of DREs, but they can be classified into three basic types. The oldest design essentially mimics the interface of a lever machine. The entire posted ballot is visible at once. Instead of moving levers to make choices, the voter pushes a button next to a candidate's name, or pushes on the name itself, triggering an underlying electronic microswitch and turning on a small light next to the choice. With the second type, a ballot page is displayed on a computer screen, and the voter uses mechanical devices such as arrow keys and buttons to make choices on a page and to change ballot pages. The third type is similar to the second except that it has a touchscreen display, where the voter makes a choice by touching the name of the candidate on the computer screen and casts the ballot by pressing a separate button after all choices have been made. In all kinds of DREs, when a ballot is cast, the votes are directly stored in a computer memory device such as a removable memory card or nonvolatile memory circuit. As with lever machines, there is no document ballot, although with a DRE each cast ballot may also be separately recorded.

Touchscreen and other DREs using computer-style displays are arguably the most versatile and user-friendly of any current voting system. Each machine can easily be programmed to display ballots in different languages and for different offices, depending on voters' needs. It can also be programmed to display a voter's ballot choices on a single page for review before casting the vote. It can be made fully accessible for persons with disabilities, including visual impairment.[6] Like lever machines, it can prevent overvotes and ambiguous choices or spoilage of the ballot from extraneous marks, since there is no document ballot; but it can also notify voters of undervotes.[7] No other kind of voting system possesses all of these features.

DREs and HAVA. The popularity of DREs, particularly the touchscreen variety,[8] has grown in recent years, and their use is expected to increase substantially under provisions of HAVA. Three provisions in the Act are likely to provide such an impetus. First, HAVA authorized $3.65 billion over four years for replacing punchcard and lever machines and for making other election administration improvements, including meeting the requirements of the Act. In FY2003, Congress appropriated $1.48 billion for these purposes (P.L. 108-7), and the Administration requested $500 million for FY2004. Second, beginning in 2006, HAVA requires that voting systems notify voters of overvotes and permit them to review their ballots and correct errors before casting their votes.[9] Third, the Act requires, also beginning in 2006, that each polling place used in a federal election have at least one voting machine that is fully accessible for persons with disabilities. DREs are the only machines at present that can fulfill the accessibility requirement. They can also easily meet the requirements for error prevention and correction.

[6] Accessibility for blind persons usually involves use of an audio program.
[7] An overvote occurs if a voter chooses more candidates for an office than is permitted — such as marking two candidates for President of the United States. An undervote occurs if a voter chooses fewer candidates than is permitted — most commonly, failing to vote for any candidate for a particular office. Virtually all overvotes are thought to be errors, whereas undervotes are often thought to be intentional, for example if the voter does not prefer any of the candidates. However, undervotes can also result from voter error.
[8] In 1980, about 1 out of every 40 voters used DREs. By 2000, about 1 out of every 9 did (Caltech/MIT Voting Technology Project, Voting: What Is, What Could Be, July 2001, [http://www.vote.caltech.edu/Reports/index.html] (Caltech/MIT study)).
Security Concerns about DREs. One thing that distinguishes DREs from document ballot systems is that with DREs, the voter does not see the actual ballot, but rather a representation of it on the face of the machine. With few exceptions, current DREs do not provide a truly independent record of each individual ballot that can be used in a recount to check for machine error or tampering. The ballot itself consists of redundant electronic records in the machine's computer memory banks, which the voter cannot see. This is analogous to the situation with mechanical lever voting machines, where casting the ballot moves counters that are out of view of the voter. In a lever machine, if the appropriate counters do not move correctly when a voter casts the ballot, the voter will not know, nor would an observer. Similarly, with a DRE, if the machine recorded a result in its memory that was different from what the voter chose, neither the voter nor an observer would know.[10]

The same is true with a computerized counting system when it reads punchcards or optical scan ballots. Even if the ballot is tabulated in the precinct and fed into the reading device in the presence of the voter, neither the voter nor the pollworker manning the reader can see what it is recording in its memory. However, with such a reader, the ballot documents could be counted on another machine or by hand if there were any question about the results.

Lever machines also do not have an independent document ballot. That has led some observers to distrust those machines, but most who use them appear confident that tests and other procedural safeguards render them sufficiently safe from tampering. Is the same true for DREs? Some computer experts think not, arguing that the software could be modified in ways that could alter the results of an election and that would be very difficult to detect. This concern appears to stem largely from

• Malicious computer code, or malware, can often be written in such a way that it is very difficult to detect.[11]
• DRE software is moderately complex, and it is generally accepted that the more complex a piece of software is, the more difficult it can be to detect unauthorized modifications.[12]
• Most manufacturers of DREs treat their software code as proprietary information and therefore not available for public scrutiny. Consequently, it is not possible for experts not associated with the companies to determine how vulnerable the code is to tampering.[13]

Voting System Standards and Certification. Concerns such as those described above have been voiced by some experts at least since the 1980s.[14] The development of the Voluntary Voting System Standards (VSS) by the Federal Election Commission (FEC) in 1990, and the subsequent adoption of those standards by many states, helped to reduce those concerns. The VSS were developed specifically for computer-assisted punchcard, optical scan, and DRE voting systems. They include a chapter on security, which was substantially expanded in the updated version, released in 2002.[15] Along with the standards, a voluntary testing and certification program was developed and administered through the National Association of State Election Directors (NASED). In this program, an independent test authority (ITA) chosen by NASED tests voting systems and certifies those that comply with the VSS.[16] Testing is done of both hardware and software, and the tested software and related documentation is kept in escrow by the ITA.[17] If questions arise about whether the software used in an election has been tampered with, that code can be compared to the escrowed version. Systems that receive NASED certification may also need to go through state and local certification processes before being used by an election jurisdiction.

[9] However, jurisdictions using hand-counted paper ballots, punchcards, or central-count systems can rely instead on voter education and instruction programs.
[10] Some kinds of error could be detected when voter registers and vote tallies are reconciled — for example, if the total number of votes for an office were greater than the total number of voters at the precinct. However, resolving such a problem in a way that reflects how voters actually voted would not be straightforward.
[11] Malware, an elision of malicious software, includes viruses, Trojan horses, worms, logic bombs, and any other computer code that has or is intended to have harmful effects. There are various ways of hiding malware. A Trojan horse, for example, is malware disguised as something benign or useful. See Kenneth Thompson, "Reflections on Trusting Trust," Communications of the ACM 27 (1984): 761-763, available at [http://www.acm.org/classics/sep95]. He concluded that it can be essentially impossible to determine whether a piece of software is trustworthy by examining its source code, no matter how carefully. The entire system must be evaluated, and even then it can be very difficult to find malware. However, use of modern software engineering techniques can minimize many problems with software design that can make software vulnerable to malware (see, for example, Richard C. Linger and Carmen J. Trammell, "Cleanroom Software Engineering Reference Model, Version 1.0," Technical Report CMU/SEI-96-TR-022, November 1996, available at [http://www.sei.cmu.edu/pub/documents/96.reports/pdf/tr022.96.pdf]). See pages 12–14 of this report for further discussion of this issue.
[12] See page 13 for further discussion of this issue.
[13] See page 26 for further discussion of this issue.
[14] See, for example, Ronnie Dugger, "Annals of Democracy (Voting by Computer)," The New Yorker, 7 November 1988, 40-108; Roy G. Saltman, "Accuracy, Integrity, and Security in Computerized Vote-Tallying," NBS Special Publication 500-158, August 1988.
[15] See Federal Election Commission, Voting Systems Performance and Test Standards, 30 April 2002, [http://www.fec.gov/pages/vssfinal/vss.html].
[16] See NASED, "General Overview for Getting a Voting System Qualified", 30 September 2003, [http://www.nased.org/ITA_process.htm]. The program is managed by The Election Center, [http://www.electioncenter.org]. As of September 2003, more than 20 optical scan and DRE voting systems were listed as certified through this process.
[17] It may also be kept by the states (The Election Center, "DREs and the Election Process," April 2003, [http://www.electioncenter.org/newstuff/DREs%20and%20the%20Election
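As an added illustration (not code from the report or from any certification program), the script below performs the escrow comparison described above: it hashes every file in the escrowed, certified copy and in the deployed copy, then lists files that were modified, removed, or added. The directory layout, file names and contents are constructed for the demonstration.

```python
"""Compare a deployed voting-system software tree against the escrowed copy.

Added example, not from the CRS report; the file names and contents below are
constructed for the demo. A clean comparison shows only that what is installed
equals what was tested and escrowed; it says nothing about whether the tested
software was itself trustworthy (the "trusting trust" caveat in footnote 11).
"""
import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(escrowed: dict, deployed: dict) -> dict:
    """Report every way the deployed tree departs from the escrowed one.

    modified:   present in both, but content differs
    missing:    escrowed file absent from the deployed tree
    unexpected: deployed file that was never escrowed (e.g. an uncertified module)
    """
    return {
        "modified": sorted(p for p in escrowed
                           if p in deployed and escrowed[p] != deployed[p]),
        "missing": sorted(p for p in escrowed if p not in deployed),
        "unexpected": sorted(p for p in deployed if p not in escrowed),
    }


def demo() -> dict:
    """Build two constructed trees: the escrowed copy, and a deployed copy with
    one altered file and one extra file, then compare them."""
    files = {
        "bin/tally": b"certified tally logic v1.0\n",
        "conf/ballot.ini": b"[contest]\npresident=1\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        escrow_dir, deployed_dir = Path(tmp, "escrow"), Path(tmp, "deployed")
        for root in (escrow_dir, deployed_dir):
            for rel, data in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(data)
        # Deployed copy: the tally logic differs, and an uncertified module appeared.
        (deployed_dir / "bin/tally").write_bytes(b"certified tally logic v1.0 + patch\n")
        (deployed_dir / "bin/extra.so").write_bytes(b"not in escrow\n")
        return compare_manifests(build_manifest(escrow_dir), build_manifest(deployed_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Running it reports `bin/tally` as modified and `bin/extra.so` as unexpected; a jurisdiction would treat either finding as grounds to halt use of the machine and investigate, not as proof of intent.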
HAVA creates a new mechanism for the development of voluntary voting system standards. It creates the Election Assistance Commission (EAC) to replace the FEC's Office of Election Administration and establishes three bodies under the EAC: a 110-member Standards Board consisting of state and local election officials, a 37-member Board of Advisors representing relevant government agencies and associations and fields of science and technology, and a 15-member Technical Guidelines Development Committee chaired by the Director of the National Institute of Standards and Technology (NIST). This last committee is charged with making recommendations for voluntary standards (called guidelines in the Act), to be reviewed by the two boards and the EAC.[18]

HAVA also requires the EAC to provide for testing, certification, and decertification of voting systems and for NIST to be involved in the selection and monitoring of testing laboratories. The EAC is also required to perform a study of issues and challenges — including the potential for fraud — associated with electronic voting, and periodic studies to promote accurate, secure, and expeditious voting and tabulation. HAVA also provides grants for research and development on security and other aspects of voting systems. The voting system requirements in the Act do not specifically mention security but do require that each voting system produce a permanent paper audit document for use as the official record for any recount. This requirement is for the system, not for each ballot. For example, most DREs can print a tally of votes recorded and therefore can meet this requirement.
The Caltech/MIT Study. The p roblems i dentified after the November 2000
fe d eral election p rompted wide public concern about voting s ys tems and l ed to19
several m ajor studies wi t h recom m endat i ons, m any o f w hi ch were i n corporat ed i n
18 HAV A does not direct the EAC to include any s pecific i ssues in the guidelines, although
the guidance must address t he specific voting s ys tem r equirements i n t he Act, and NIST i s
directed to provide t echnical support with respect to security, protection and prevention of
fraud, and other ma tters. However, i n t he debate on the House f loor before passage of the
conference agreement on October 10, 2002, a c olloquy ( Congressional Record, daily ed.,
148: H7842) stipulated an interpretation t h at t he guidelines specifically address t he
usability, accuracy, security, accessibility, and integr ity of voting systems.
19 Studies that specificall y a d d r essed t he security of voting s ys tems included t he
Caltech/MIT study; T he Constitution Pro j e c t , Forum on El ection Reform, Building
Consensus on Election Reform, August 2001, [http:// www.cons titutionproj ect.org/ eri/
CPReport.pdf]; T he Nationa l Commi ssion on Federal Election Reform, To Assure Pride and
Confidence in the Electoral Process, August 2001, [http:// www.reformelections.org/ data/
reports/99_full_report.php]; Na tional Conference of State Legislatures, Elections Reform
T a sk Force, VotinginAmerica,August 2001, [http://www.ncsl.org/ p r o grams /press/2001/
HAVA. The m ost ex t ensive ex amination o f s ecurity was p erformed by scientists at
the C alifornia Institute of Technology and the M assachusetts Institute of Technology.
Thei r report i dentified four main security st rengt h s o f t he el ect oral process t hat h as
evolved i n t he United S tates: the openness of the election process, w h i c h p ermits
observat i o n o f count i n g and ot her aspect s o f el ect i o n p rocedure; t h e d ecent ral i z at i o n
of elections and t he d i vision of labor am ong different levels of government and
different groups of people; equipment t hat produces “redundant trusted recordings ”
of v o t e s ; a n d t h e public nature and control o f t he election p rocess.20 The report
e x pressed concern t hat current trends in el ect roni c vot i n g are weakeni n g t h o s e
strengths and pose s ignificant risks, but tha t p r operly d esigned and implemented
el ect ronic voting m achines can improve, rat her t han diminish, security.
The California Task Force Report. The concerns expressed by the Caltech/MIT study and others were partially addressed by HAVA, but as states began to acquire DREs, and the appointment of EAC members was delayed,21 some observers began expressing concerns that states were purchasing flawed machines with no federal mechanism in place for addressing the problems. In response to such concerns, the California secretary of state established a task force to examine the security of DREs and to consider improvements. The report22 recommended changes to how voting systems are tested at the federal, state, and local levels, as well as other changes in security for software and for vendor practices. It also recommended the implementation of a voter-verified audit trail — that is, a mechanism, whether paper-based or electronic, that produces an independent record of a voter’s choices that the voter can verify before casting the ballot and that can be used as a check against tampering or machine error. Until such a system can be implemented, the task force recommended the use of “parallel monitoring,” in which a selection of machines is tested while in actual use on election day to determine if they are recording votes

The Hopkins Study. Until recently, the concerns raised about DRE vulnerabilities were considered by many to be largely hypothetical. However, in early 2003, some election-reform activists discovered23 an open website containing large numbers of files relating to voting systems of Diebold Election Systems, a major voting system vendor which had recently won contracts with Georgia and Maryland to provide touchscreen DREs. Activists downloaded and posted many of those files on Internet sites, and the authors of the Hopkins study used some of those files to analyze computer source code that “appear[ed] to correspond to a version of Diebold’s voting system.”24 Their analysis concluded that the code had serious security flaws that could permit tampering by persons at various levels, including voters, election workers, Internet “hackers,” and even software developers. Diebold quickly rebutted those claims,25 arguing that they were based on misunderstanding of election procedures and of the equipment within which the software was used, and that the analysis was based on an “inadequate, incomplete sample” of Diebold’s software. Some computer scientists, while agreeing that the code contained security flaws, also criticized the study for not reflecting standard election procedures.26

Shortly after the Hopkins study was released, Maryland Governor Robert Ehrlich ordered that the contract with Diebold be suspended pending the outcome of an independent security analysis. That analysis,27 while agreeing with several of the criticisms of the Hopkins study, found that the Diebold system, as implemented in the state, had serious security flaws. The report concludes overall that this voting system, “as implemented in policy, procedure, and technology, is at high risk of compromise” and made many recommendations for improvements.28 The Maryland State Board of Elections has developed a plan to implement those

The extent to which the risks identified in the Maryland study may apply to other states or to other DREs may be worth examination by state officials. In Ohio, which has also been considering the purchase of Diebold DREs, secretary of state Kenneth Blackwell has also initiated a security evaluation of electronic voting devices from four vendors.30

20 Some international observers consider openness and public control to be important components of any voting system (Lilian Mitrou and others, “Electronic Voting: Constitutional and Legal Requirements, and Their Technical Implications,” in Secure Electronic Voting, ed. Dimitris Gritzalis (Boston: Kluwer, 2003), p. 43-60).
21 HAVA calls for appointment of members by February 26, 2003. On October 3, 2003, the White House forwarded nominations to the Senate for confirmation. The nominations were referred to the Committee on Rules and Administration, which held a hearing on the nominations on October 28.
22 California Secretary of State Kevin Shelley, “Ad Hoc Touch Screen Task Force Report,” 1 July 2003, [http://www.ss.ca.gov/elections/taskforce_report.htm] (California Task Force report).
23 Bev Harris, “System Integrity Flaw Discovered at Diebold Election Systems,” Scoop, 10 February 2003, [http://www.scoop.co.nz/mason/stories/HL0302/S00052.htm].
24 Hopkins study, p. 3.
25 Diebold Election Systems, “Checks and balances in elections equipment and procedures prevent alleged fraud scenarios,” 30 July 2003, 27 p., [http://www2.diebold.com/checksandbalances.pdf] (Diebold rebuttal).
26 Rebecca Mercuri, “Critique of ‘Analysis of an Electronic Voting System’ document,” 24 July 2003, [http://www.notablesoftware.com/Papers/critique.html]; Douglas W. Jones, “The Case of the Diebold FTP Site,” updated regularly, [http://www.cs.uiowa.edu/~jones/voting/
27 Science Applications International Corporation (SAIC), “Risk Assessment Report: Diebold AccuVote-TS Voting System and Processes” (redacted), SAIC-6099-2003-261, 2 September 2003, [http://www.dbm.maryland.gov/DBM%20Taxonomy/Technology/Policies%20&%20Publications/State%20Voting%20System%20Report/stateVotingSystemReport.html] (Maryland study).
28 Maryland study, p. 10.
29 Linda H. Lamone, “State of Maryland Diebold AccuVote-TS Voting System Security Action Plan”, 23 September 2003, [http://www.elections.state.md.us/pdf/voting_system_
Analysis of the Problem

Elections are at the heart of the democratic form of government, and providing sufficient security for them is therefore critical to the proper functioning of a democracy. There has been some disagreement among experts about the seriousness of the potential security problems with DREs and, therefore, what is needed to ensure sufficient security. While it is generally accepted that tampering is possible with any computer system given enough time and resources, some experts believe that current security practices are adequate. Others believe that substantial additional steps are needed. To determine the nature and extent of the problem and what solutions might be considered requires an understanding of some general concepts in computer security, which are discussed in this section, along with their applicability to computer-assisted voting systems. The discussion is organized along four themes: threats, vulnerabilities, defense, and response and recovery after an incident occurs.

The term threat can be used in several different ways, but in this report it refers to a possible attack — what could happen. Descriptions of threats often include both the nature of the possible attack, those who might perpetrate it, and the possible consequences if the attack is successful. Vulnerability usually refers to a weakness that an attack might exploit — how an attack could be accomplished. Analysis of threats and vulnerabilities, when combined, can lead to an assessment of risk. Statements of risk often combine both the probability of a successful attack and some measure of its likely consequences.31 Defense refers to how a system is protected from attack. Response and recovery refer to how, and how well, damage is mitigated and repaired and information and functionality are recovered in the event of a successful attack.

Kinds of Attacks and Attackers. The best known type of attack on a voting system is one that changes the vote totals from what voters actually cast. Historically, such tampering has been performed by corrupt officials or partisans, one of the most famous examples being Tammany Hall in New York City, of which Boss Tweed said, “the ballots made no result; the counters made the result.”32 Sometimes, others who stood to benefit from a particular outcome would be involved, as was reportedly the case with respect to allegations of vote-buying in Indiana with money from some of New York’s “robber barons” in the presidential election of 1888.33 The goal of such tampering would generally be to influence the final vote tally so as to guarantee a particular result. That could be accomplished by several means, such as adding, dropping, or switching votes. Many of the features of modern voting systems — such as secret balloting and the use of observers — are designed to thwart such

The impact of such vote tampering depends on several factors. Two of the most important are the scale of an attack and the competitiveness of the contest. An attack would have to have sufficient impact to affect the outcome of the election. For that to happen, scale is critical. If tampering impacts only one ballot or one voting machine, the chances of that affecting the election outcome would be small. But tampering that affects many machines or the results from several precincts could have a substantial impact, although it might also be more likely to be detected. The scale of attack needed to affect the outcome of an election depends on what proportion of voters favor each candidate. The more closely contested an election is, the smaller the degree of tampering that would be necessary to affect the outcome.34

30 Office of J. Kenneth Blackwell, “Security Contracts Finalized For Voting Systems Reviews,” Press Release, 30 September 2003, [http://www.sos.state.oh.us/sos/news/release/09-30-03.htm]. Vendors qualified to participate include the three largest voting system firms — Diebold Election Systems, Election Systems and Software, and Sequoia Voting Systems — plus Hart Intercivic.
31 See Rob Buschmann, Risk Assessment in the President’s National Strategy for Homeland Security, CRS Report RS21348, 31 October 2002.
32 Dugger, “Annals of Democracy,” p. 46.
While attacks that added, subtracted, or changed individual votes are of particular concern, other kinds of attacks also need to be considered. One type of attack might gather information that a candidate could use to increase the chance of winning. For example, if vote totals from particular precincts could secretly be made known to operatives for one candidate before the polls closed,35 the results could be used to adjust get-out-the-vote efforts, giving that candidate an unfair advantage. Another type of attack might be used to disrupt voting. For example, malware could be used to cause voting machines to malfunction frequently. The resulting delays could reduce turnout, perhaps to the benefit of one candidate, or could even cause voters to lose confidence in the integrity of the election in general. The latter might be of more interest to terrorists or others with an interest in having a negative impact on the political system generally.

An Evolving Threat Environment. The kinds of attacks described above are potential threats against any voting system. However, the growing use of information technology in elections has had unique impacts on the threat environment. It provides the opportunity for new kinds of attacks, from new kinds of attackers. As information technology has advanced and cyberspace has grown, so too have the rate and sophistication of cyberattacks in general:36

• The number of reported computer-security violations has grown exponentially in the past decade, from about 100 in 1989 to more than 100,000 in the first three quarters of 2003.37
• Potential threats may now come from many sources — amateur or professional hackers using the Internet, insiders in organizations, organized crime, terrorists, or even foreign governments. With respect to election tampering, some such attackers could benefit in traditional ways, but some, such as terrorists, might be interested instead in disrupting elections or reducing the confidence of voters in the electoral process.
• New and more ingenious kinds of malware are constantly being invented and used. There are now tens of thousands of known viruses, and the sophistication of tools used to develop and use new ones has increased.

Malware in a voting system could be designed to operate in very subtle ways, for example, dropping or changing votes in a seemingly random way to make detection more difficult. Malware can also be designed to be adaptive — changing what it does depending on the direction of the tally. It could also potentially be inserted at any of a number of different stages in the development and implementation process — from the precinct all the way back to initial manufacture — and lie in wait for the appropriate moment.

Several other kinds of attack could also be attempted in addition to malware. Among them are electronic interception and theft or modification of information during transport or transmission, modifications or additions of hardware, and bypassing system controls or misuse of authority to tamper with or collect information on software or election data.38

The threats discussed above, and others, are of course only harmful potentially. Their mere existence does not in itself imply anything about the likelihood that they are a significant risk in a genuine election. To be such a risk, there must be vulnerabilities in the voting system that can be exploited. For the purposes of this report, discussion of vulnerabilities is divided into two categories — technical and social.

Technical Vulnerabilities. This category includes weaknesses stemming from the computer code itself, connection to other computers, and the degree of auditing transparency of the system.

33 S.J. Ackerman, “The Vote that Failed.”
34 A common prayer of election officials on election day is said to be “Please may it not be
35 This could potentially be done, for example, if voting or counting machines in precincts used modem connections for transmittal of tallies to the central election office, and a tamperer could use that connection before the polls closed to send results to another
36 Eric Fischer, Coordinator, Understanding Cybersecurity: A CRS Workshop, CRS Online Video MM70048, 21 July 2003.
Computer Code. In the recent public debate about the security of DREs, much of the attention has focused on the computer code. Two significant potential vulnerabilities relate to the use of cryptography in the system and the way the code is designed. Cryptography39 is one of the most powerful tools available for protecting the integrity of data. Robust cryptographic protocols are well-developed and in common use, for example in online financial transactions. Cryptography is important not only in making it difficult for unauthorized persons to view critical information (security), but also in making sure that information is not changed or substituted in the process of being transferred (verification). This could be a concern for DREs; both the Hopkins and Maryland studies found weaknesses in the way encryption was

The design of software can have a significant effect on its vulnerability to malware. Both the complexity of the code and the way it is designed can have an impact. It is a general principle of computer security that the more complex a piece of software is, the more vulnerable it is to attack. That is because more complex code will have more places that malware can be hidden and more potential vulnerabilities that could be exploited, and is more difficult to analyze for security problems. In fact, attackers often discover and exploit vulnerabilities that were unknown to the developer, and many experts argue that it is impossible to anticipate all possible weaknesses and points of attack for complex software. With DREs, each machine requires relatively complex software, since it serves as a voter interface, records the ballot choices, and tallies the votes cast on the machine.40 The first function requires the most complex software, especially if the machine is to be fully accessible to all voters. The code used in optical-scan and punchcard readers can be simpler, as it performs fewer functions.

Software code that is not well-designed from a security perspective is more likely than well-designed code to have points of attack and weaknesses that could be exploited, as well as places for malware to be hidden. However, code can be designed so as to minimize such vulnerabilities, and well-developed procedures have been established to accomplish this goal.41 These procedures can be applied to both new and legacy systems. Good design involves not only the code itself, but also the process by which it is developed and evaluated. DRE code has been criticized with respect to its design,42 although the proprietary nature of the software has precluded thorough public assessment. The systems may also use commercial off-the-shelf software for functions such as the operating system, and that software could also have vulnerabilities. However, the software in the major systems in use today has been evaluated and certified as meeting VSS requirements, including those for security.43

Connection to Other Computers. This can be a vulnerability because it provides potential avenues for attack. The most well-known attack targets are computers with direct Internet connections that hackers can exploit. Concerns about such attacks have made the adoption of Internet voting in public elections generally unattractive so far from a security perspective.44 While a measure of protection can be provided by firewall programs and related technology, the safest approach is to ensure that the voting system computers, including not just the voting machines themselves but also computers involved in ballot generation and vote tallying, are not connected to the Internet or to any other computers that are themselves connected to the Internet. This isolation is sometimes called “air-gapping.” However, an effective air gap must include sufficient security controls for removable media such as floppy disks,45 CDs, and the memory cards that are often used to transport data from the precinct to the central election office.46

37 Carnegie Mellon University, CERT Coordination Center, “CERT/CC Statistics,” 17 October 2003, [http://www.cert.org/stats/cert_stats.html].
38 Rebecca Mercuri and Peter Neumann, “Verification for Electronic Balloting Systems,” in Secure Electronic Voting, ed. Dimitris Gritzalis, (Boston: Kluwer, 2003), p. 31-42.
39 Cryptography refers to the process and use of methods for the encoding or encryption of information, such as a piece of plain or clear text, so that it cannot be deciphered, and the subsequent decoding or decryption of that information. Cryptographic methods are used to help protect information from unauthorized access (confidentiality), prevent undetected modification (integrity), to confirm identity (authentication), and to prevent a false denial of identity (nonrepudiation) (National Research Council (NRC), Trust in Cyberspace, (Washington, DC: National Academy Press, 1999), p. 301–310).
40 Caltech/MIT study, p. 60.
41 Linger and Trammell, “Cleanroom Software Engineering.” See also footnote 93.
42 Hopkins study; Jones, “Diebold FTP Site.”
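The distinction the report draws between keeping information from being viewed (security) and detecting that it was changed in transit (verification) can be made concrete for results carried on removable media, the case raised in the air-gap paragraph above. The following Python example is added here and is not code from the report or from any vendor; the key values, the toy SHA-256-based stream cipher, and the sample tally are all constructed for illustration. It shows that decrypting an altered file raises no error on its own, while a keyed hash (HMAC-SHA256) computed over the ciphertext lets the central office reject the altered card before anything is decrypted.

```python
"""Added example: why encrypting precinct results is not the same as verifying them.

Models a results file carried on a memory card from a precinct to the central
office. Encryption hides the tally (confidentiality); a keyed MAC over the
ciphertext lets the receiver detect any alteration in transit (verification).
"""
import hashlib
import hmac
import json
import secrets

# Constructed sample tally for one precinct (not real election data).
SAMPLE_TALLY = {"precinct": "P-0042", "ballots": 2470,
                "candidates": {"A": 1234, "B": 1229}}

# Hypothetical keys provisioned to the precinct before election day.
# Encryption and authentication use separate keys.
ENC_KEY = hashlib.sha256(b"example-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"example-mac-key").digest()


def plaintext_bytes(tally):
    """Canonical serialization so both sides operate on identical bytes."""
    return json.dumps(tally, sort_keys=True, separators=(",", ":")).encode()


def keystream(key, nonce, length):
    """Toy counter-mode keystream built from SHA-256 (illustration only)."""
    blocks = [hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
              for counter in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_only(key, nonce, data):
    """XOR with the keystream; decryption is the same operation."""
    return bytes(p ^ k for p, k in zip(data, keystream(key, nonce, len(data))))


decrypt_only = encrypt_only


def seal(enc_key, mac_key, tally, nonce=None):
    """Precinct side: encrypt the tally, then authenticate nonce + ciphertext."""
    nonce = secrets.token_bytes(12) if nonce is None else nonce
    ciphertext = encrypt_only(enc_key, nonce, plaintext_bytes(tally))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag}


def verify_and_decrypt(enc_key, mac_key, sealed):
    """Central-office side: check the MAC first; return None on any mismatch."""
    nonce = bytes.fromhex(sealed["nonce"])
    ciphertext = bytes.fromhex(sealed["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        return None
    return json.loads(decrypt_only(enc_key, nonce, ciphertext))


def corrupt_in_transit(sealed, offset):
    """Simulate one bit of the ciphertext being altered while on the card."""
    ciphertext = bytearray.fromhex(sealed["ciphertext"])
    ciphertext[offset] ^= 0x01
    return {**sealed, "ciphertext": ciphertext.hex()}


def changed_byte_count(enc_key, sealed, tally):
    """Plaintext bytes that differ if the card is decrypted without verification."""
    nonce = bytes.fromhex(sealed["nonce"])
    recovered = decrypt_only(enc_key, nonce, bytes.fromhex(sealed["ciphertext"]))
    return sum(a != b for a, b in zip(recovered, plaintext_bytes(tally)))


if __name__ == "__main__":
    good = seal(ENC_KEY, MAC_KEY, SAMPLE_TALLY)
    bad = corrupt_in_transit(good, 40)
    print("intact card accepted:", verify_and_decrypt(ENC_KEY, MAC_KEY, good) == SAMPLE_TALLY)
    print("altered card rejected:", verify_and_decrypt(ENC_KEY, MAC_KEY, bad) is None)
    # Decryption alone raises nothing; it just yields a tally differing in one byte.
    print("bytes changed, unnoticed by decryption alone:",
          changed_byte_count(ENC_KEY, bad, SAMPLE_TALLY))
```

The design point is that the integrity check runs before decryption and uses its own key; the same construction would protect results sent over a modem link, which the report notes can be reached from the Internet when encryption and verification are insufficient.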
Vendors and election jurisdictions generally state that they do not transmit election results from precincts via the Internet, but they may transmit them via a direct modem connection. However, even this approach can be subject to attack via the Internet, especially if encryption and verification are not sufficient. That is because telephone transmission systems are themselves increasingly connected to the Internet (as exemplified, for example, by the increasing use of Internet-based telephony), and computers to which the receiving server may be connected, such as through a local area network (LAN), may have Internet connections. In fact, organizations may be unaware of the extent of such connections.47 This can be even more of an issue if the system uses wireless connectivity.

The way that a voter interacts with the DRE may provide another possible source of connection. For example, with the Diebold DRE, a “smartcard”48 is inserted into the voting machine to start the voting process (some machines use other methods, such as a numerical code). The Hopkins study claims that voters or pollworkers could program their own smartcards and use them to vote repeatedly or to manipulate the voting machine. The Diebold rebuttal rejected this assertion. The Maryland study, while not ruling out this vulnerability, states that software and physical controls, and the openness of the voting booth,49 minimize the likelihood of

Auditing Transparency. In current DREs, the actions that occur between ballot screen and the final vote tally are not subject to human observation. The voter sees a visual representation of the ballot on the computer screen or face of the DRE. When the voter pushes the button to cast the ballot, the machine records the votes electronically. That means that a voter cannot know if the machine recorded the choices the voter saw on the screen or some other choices, and an observer also cannot check to see if all ballots cast are counted correctly. The former vulnerability also exists with a mechanical lever machine, and the latter with an optical scan or punchcard ballot reader, but with a reader, there is a document ballot that can be checked independently. While DREs are generally designed to make a separate recording of each ballot cast,50 this is not an independent record but rather a copy in a different format of the information sent to the tallying registers.

43 NASED, “Voting Systems That Are NASED Qualified,” 3 January 2003, [http://www.nased.org/NASEDApprovedSystems1.03.pdf]. See also Britain J. Williams, “Security in the Georgia Voting System,” 23 April 2003, available at [http://www.votescount.com/georgia.pdf].
44 See Kevin Coleman, Internet Voting, CRS Report RS20639.
45 Computer viruses were originally spread through floppy disks.
46 This need applies to any computer-assisted voting system with precinct tabulation.
47 Fischer, Understanding Cybersecurity Workshop.
48 A smartcard is a card, usually about the size of a credit card, with an embedded computer chip that can communicate with another electronic device that can read information from and/or write it to the card.
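Reconciling a machine's electronic tally against a record produced independently of its tallying registers is the check that both the voter-verified audit trail and the task force's “parallel monitoring” rely on. The Python below is an added example, not code from the report, the Maryland study, or any voting system; the tallies and per-ballot records are constructed. It shows why a per-ballot copy derived from the machine's own registers cannot catch a switched vote while an independent record can, and why confirming that totals add up to ballots cast is not enough.

```python
"""Added example: reconciling a DRE's electronic tally against a record that is
independent of its tallying registers. All data here is constructed."""
from collections import Counter

# One entry per ballot: the choice each voter confirmed on an independent,
# voter-verified record (5 for A, 4 for B, 1 for C).
VERIFIED_RECORDS = ["A", "B", "A", "A", "B", "C", "A", "B", "A", "B"]

# Totals reported by two machines' tallying registers. The second has one
# vote switched from A to B, so its totals still add up to ten ballots.
MACHINE_CORRECT = {"A": 5, "B": 4, "C": 1}
MACHINE_SWITCHED = {"A": 4, "B": 5, "C": 1}


def totals_balance(machine_tally, records):
    """The weak check: do the candidate totals add up to ballots cast?"""
    return sum(machine_tally.values()) == len(records)


def reconcile(machine_tally, records):
    """Compare per-candidate totals with an independent per-ballot record.

    Returns {candidate: (machine_total, independent_total)} for each mismatch;
    an empty dict means the two agree. The same comparison serves a
    voter-verified audit trail and the known script of votes cast on a
    machine pulled for parallel monitoring.
    """
    expected = Counter(records)
    names = sorted(set(machine_tally) | set(expected))
    return {c: (machine_tally.get(c, 0), expected[c])
            for c in names if machine_tally.get(c, 0) != expected[c]}


def internal_ballot_images(machine_tally):
    """The machine's own per-ballot copy, regenerated from the same registers.

    This is the 'copy in a different format' the report describes: if the
    registers are wrong, these images are wrong in exactly the same way.
    """
    return [c for c, n in sorted(machine_tally.items()) for _ in range(n)]


def audit(machine_tally, records):
    """Audit verdict for one machine against one record."""
    return {"totals_balance": totals_balance(machine_tally, records),
            "discrepancies": reconcile(machine_tally, records)}


if __name__ == "__main__":
    for name, tally in [("correct", MACHINE_CORRECT), ("switched", MACHINE_SWITCHED)]:
        print(name, "vs voter-verified record:", audit(tally, VERIFIED_RECORDS))
        print(name, "vs its own ballot images:", audit(tally, internal_ballot_images(tally)))
```

For the switched machine, the totals balance and its own ballot images agree with it, so only the independent record reports the discrepancy, which is the point the paragraph above makes about observers being unable to check inside the machine.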
Social Vulnerabilities. A significant and increasingly sophisticated kind of attack — dubbed “social engineering” by hackers — involves finding and exploiting weaknesses in how people interact with computer systems.51 Such social vulnerabilities can include weaknesses relating to policy, procedures, and personnel. Of the 14 specific risks identified in the Maryland study, most were of these types.52

Policy. A security policy lays out the overall goals and requirements for a system and how it is implemented, including the technology itself, procedures, and personnel.53 An absent or weak policy, or even a good one, if it is not implemented, is considered a substantial vulnerability. Security policies of election administrators, vendors, third-party suppliers, and the ITAs are all relevant. The Maryland study found that the Diebold system as implemented did not comply with the state’s information security policy and standards. The study did not examine the security policies of Diebold or other relevant entities.

Procedure. The security policy provides the basis from which procedures such as access controls are developed. Election administration is a complex effort involving vendors, ITAs, state and local government, and pollworkers who are often volunteers, as well as voters. Also, DREs are potentially targets of attack at virtually any point from when they are initially developed and manufactured to when they are used in the polling place. Consequently, security procedures are especially important. Vulnerabilities can occur, for example, if the controls that the manufacturer uses to prevent insertion of malware are inadequate; if the analyses performed by evaluators are not sufficient to detect security problems with the technology; if the chain of custody for software, including updates — from when it is certified to when it is used in an election — is weak or poorly documented; or if auditing controls are insufficient. As with security policy, absent or poor procedures, or even good ones if they are not properly implemented, can create serious vulnerabilities.54 The Maryland study did not examine vendor or ITA practices but did raise several concerns with respect to the procedures used by the state.

Personnel. Perhaps the most important single factor in determining the vulnerability of a system is the people involved. It is they who must implement security policies and procedures and defend against any attacks. If they are not adequately skilled and trained, they may be unable to prevent, detect, and react to security breaches, and they may themselves be more vulnerable to a “social engineering” attack. In addition, it can be particularly difficult to defend against attack by an insider, so background checks and other controls to minimize that risk are especially important. The Maryland study pointed out that the state training program for the Diebold system did not include a security component.

49 Use of illegitimate smartcards could be difficult with certain common election administration practices — for example, if a pollworker, rather than the voter, inserts the smartcard into the DRE; if the voting booth is not fully screened and pollworkers observe the behavior of voters for irregularities; and if time limits for voting are enforced. However, voters may legitimately be concerned with privacy when they cast their votes and may try to obscure the view of others, and pollworkers, in the interest of protecting the voter’s privacy, may be reluctant to watch closely enough to detect attempts to use an illegitimate
50 Systems that conform to the VSS are required to have this function (FEC, Voting Systems Performance and Test Standards, Sec. 2, p. 4).
51 For example, one kind of attack involves sending victims email purportedly from a legitimate financial or software company and urging them to visit a website, also purportedly of this company, where they are requested to enter information such as usernames and passwords for accounts. The hacker can then use this information to take control of the victim’s computer or to steal funds.
52 However, two of the risks are entirely redacted. References in this and other sections to weaknesses found in Maryland’s implementation of the Diebold system are made because this was the only system for which an independent analysis of such weaknesses was available. It is not intended to imply in any way that Maryland or the Diebold system exhibit more or more serious vulnerabilities than other states or systems.
53 The SANS Institute, “A Short Primer For Developing Security Policies,” 6 October 2001, [http://www.sans.org/resources/policies/Policy_Primer.pdf].
Goals of Defense. It can be useful t o t h i n k o f t hree go al s o f d efense from an
at t ack on a com put er-based syst em : p rot ect i on, det ect i on, and react i on.55 Protection
involves m aking a target difficult o r u n attractive t o attack. For ex ample, good
physi cal securi t y can prevent at t acke r s f r o m accessi ng vot i n g m achi n es i n a
warehous e. Use of encryption and authentication t echnologies can help prevent
attackers from viewing, altering, or s ubstituting election dat a when i t i s t ransferred.
54 Some others, however, have r aised c oncerns or sugge sted improvements to ve ndor and
IT A practices (see, for example, t he Hopkins s tudy [cf. Diebold r ebuttal]; J ones, “Diebold
FT P Site”; and t he California T ask Force report).
55 National Security Agency (NSA), “Defense in Depth: A Practical Strategy for Achievi ng
In f o r mation Assurance i n T oday’ s Highly Networked Envi ronments,” NSA Security
Recomme ndation Guide, 8 J une 2001, availabl e at [ http://nsa2.www.conxi on.com/support/
guides/sd-1.pdf]. Deterrence ma y be used by s ome a uthors i nstead of reaction.
Currently, election j u r i s d i c tions and v endors appear to rely heavily on
procedural m echani s m s for p rot ect i on. 56 These m ay i n cl ude access cont rol s ,
certification procedures , pre-election equip m ent-testing, and s o forth. S uch
procedures are an essential element of an e ffective d efense, although s ome observers
di sput e t hat t hey are suffi ci ent t o p revent t am p eri n g. Even i f t h ey are, t h ey m u st be
implemented and followed properly i f they are to ensure adequate protection.
However, in some ci rcumstances , t he time and res ources needed to follow s uch
procedures may conflict with other important goal s, such as the timely administration
of an election, forcing election o ffici als t o choose whether to risk bypassing or
modifying s ecurity procedures. 57
Detection involves i dentifyi ng that an att ack is being o r was attempted. Fo r
ex am pl e, el ect i o n observers can serve as d et ect ors o f a pot ent i al at t ack. O ne of t h e
criticisms of DREs has b een that it is a “black box ” s ys tem , an d o b s er vers cannot
detect sus p i c ious activity within the m achine.58 One approach to addressing this
issue i s t he use of auditing. That can incl ude engi neering t he DRE s o t hat i t creat es
a l og of al l act i ons perform ed, especi al l y t hose t hat might indicate t ampering. It can
also include the creation o f an audit t rail for votes. HAVA requires s uch a trail for
the voting s ys tem, but some observers have proposed the u se of voter-verified b allots
for auditing (discussed bel ow59). Cryptographic p ro tocols may also be useful i n
detecting attempts at tampering.60 However, any s peci fi c m echani s m s t h at m i ght be
built into t h e t echnology itself are proprietary and t herefore not discussed i n t his
R e action involves responding to a d etected a ttack in a timely and deci s i v e
manne r s o as t o p revent its success o r mitigate its effects. For ex ample, i f an
observer s ees something s uspicious dur i n g v oting o r t allying, the p rocess can be
stopped and the s ituation i nvestigated. Also, a voting m achine m ay be programmed
to shut down i f certain kinds of problems are encountered. The system might have
addi t i onal d efense m easures such as ant i v i rus soft ware.
To be most effective, the coun t e rm easure m ust be implemented before the
at t acker can do si gn i fi cant d am age. Effect i v e react i o n t herefore requi res earl y
det ect i o n o f an at t ack. G i v e n t h e l ack of t ransparency of DR E operat i ons, h eavy
reliance m ay need to be placed on t echnological countermeasures.
56 See, for example, the Diebold rebuttal and the Maryland study.
57 For example, if a serious software problem is discovered shortly before an election, officials might have to choose whether to have a vendor install a patch directly, without having it first certified through ITA and state procedures.
58 See section on auditing transparency above, p. 15.
59 See section on verifiability, p. 27–31.
60 See section on computer code above, p. 13.
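The action log described in the detection paragraph above is only useful as evidence if it cannot be quietly rewritten after the fact. As an added example, not code from the report or from any vendor's DRE, the following Python shows one way to build such a tamper-evident log and use it for detection: each entry commits, under a machine key, to the hash of the entry before it, and a reconciliation step recounts the log and compares the result with the tally the machine reports. The key, the event names, and the five sample ballots are constructed for the example.

```python
import hashlib
import hmac
import json
from collections import Counter

# Constructed example key. In a deployment it would be provisioned per
# machine at certification time; anyone holding it can regenerate a
# consistent chain, so the chain head must also be witnessed off-machine.
MACHINE_KEY = b"constructed-example-key-not-a-real-secret"
GENESIS = "0" * 64


def entry_digest(prev_hash, payload):
    """HMAC over the previous hash and the canonical JSON of this entry's fields."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(MACHINE_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_entry(log, event, **fields):
    """Append one event; each entry commits to the hash of the one before it."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    payload = {"seq": len(log), "event": event, **fields}
    entry = dict(payload, prev=prev_hash, hash=entry_digest(prev_hash, payload))
    log.append(entry)
    return entry["hash"]


def verify_log(log, witnessed_head=None):
    """Walk the chain and recompute every HMAC.

    Detects entries that were edited, inserted, or removed from the middle.
    Removal from the end is invisible to the chain itself; it is caught only
    when the head hash printed on the poll-closing tape (witnessed_head) is
    supplied for comparison."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        if entry.get("seq") != i:
            return False, "sequence gap at entry %d" % i
        if entry.get("prev") != prev_hash:
            return False, "chain broken at entry %d" % i
        payload = {k: v for k, v in entry.items() if k not in ("prev", "hash")}
        if not hmac.compare_digest(entry_digest(prev_hash, payload), entry["hash"]):
            return False, "entry %d was modified" % i
        prev_hash = entry["hash"]
    if witnessed_head is not None and prev_hash != witnessed_head:
        return False, "log head does not match the witnessed head (truncated?)"
    return True, "ok"


def tally_from_log(log):
    """Recount from the event log rather than from the machine's summary counters."""
    return Counter(e["choice"] for e in log if e["event"] == "cast")


def reconcile(log, reported_tally, witnessed_head=None):
    """Accept the machine's reported tally only if the log is intact and agrees with it."""
    ok, reason = verify_log(log, witnessed_head)
    if not ok:
        return False, reason
    if Counter(reported_tally) != tally_from_log(log):
        return False, "reported tally does not match the log"
    return True, "ok"


def build_sample_log():
    """Constructed election day: polls open, five ballots are cast, polls close."""
    log = []
    append_entry(log, "open_polls", official="poll-worker-1")
    for choice in ("A", "B", "A", "A", "B"):
        append_entry(log, "cast", choice=choice)
    head = append_entry(log, "close_polls", official="poll-worker-1")
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    print(reconcile(log, {"A": 3, "B": 2}, head))   # honest tally: accepted
    print(reconcile(log, {"A": 4, "B": 2}, head))   # tally padded by one vote: rejected
    log[2]["choice"] = "A"                           # flip one recorded ballot
    print(verify_log(log, head))                     # rejected: entry 2 was modified
```

Two limits matter in practice. First, a keyed hash chain is only as trustworthy as the key: an attacker with full control of the machine also has the key and can regenerate a consistent chain, so the detection value comes from recording the chain head somewhere the machine cannot reach, such as a printed poll-closing tape witnessed by observers, and from reconciling the log against an independent record of the votes. Second, the chain proves that the log was not altered after it was written; it says nothing about whether the software that wrote it recorded the voter's choices faithfully in the first place, which is the gap the voter-verified ballot proposals discussed later aim to close.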
Elements of Defense. It is generally accepted that defense should involve a focus on three elements: personnel, technology, and operations.61 The personnel component focuses on a clear commitment to security by an organization’s leadership, assignment of appropriate roles and responsibilities, implementation of physical and personnel security measures to control and monitor access, training that is appropriate for the level of access and responsibility, and accountability. The technology component focuses on the development, acquisition, and implementation of hardware and software. The operations component focuses on policies and procedures, including such processes as certification, access controls, management,
A focus that is not properly balanced among those elements creates vulnerabilities. Computer security experts have criticized computer-assisted voting in part because they believe that the security focus has emphasized procedural safeguards too heavily. The use of older, “legacy” hardware and software technology, and weak technology defenses, as well as lack of training of election personnel in security, are among the concerns experts have cited. The validity of such concerns has been disputed by others.62
For applications where security considerations are a priority, techniques have been developed to engineer systems to the appropriate level of security corresponding to the specific needs for the application. Such systems are designed with carefully specified requirements and are thoroughly reviewed and tested before implementation.63 Some experts have proposed that such an approach be used in the development of voting systems.64
Another general principle is that an effective defense cannot be focused only on one particular location but needs to operate at all relevant points in the entire enterprise.65 For voting systems, these points would likely include development (both software and hardware) by the manufacturer, the certification process, acquisition of the voting system (including software and hardware updates) by the state, state and local implementation, and use during elections. Because of the proprietary nature of vendor practices, the defenses used by them could not be
61 NSA, “Defense in Depth.”
62 For example, see the Caltech/MIT, Hopkins, and Maryland studies, the California Task Force report, and Jones, “Diebold FTP Site” for criticisms and recommendations for improvements; and for alternative views, see the Diebold rebuttal and Williams, “Georgia
63 See, for example, Linger and Trammell, “Cleanroom Software Engineering”; and Syntegra, “Common Criteria: An Introduction,” 21 February 2002, available at [http://www.commoncriteria.org/introductory_overviews/CCIntroduction.pdf].
64 Rebecca Mercuri, “Electronic Voting,” 1 September 2003, [http://www.notablesoftware.com/evote.html].
65 NSA, “Defense in Depth.”
determined for this report.66 State procedures are more transparent in many cases but vary from state to state.67
Finally, an effective defense is based on the assumption that attackers will continuously attempt to breach the defenses (including devising new ways to attack) and that they will eventually find a vulnerability to exploit. Therefore, a successful defense should be robust, so that security needs are met even if an attack occurs.68 One way to accomplish this is through a layered defense, in which more than one defense mechanism is placed between the attacker and the target.69 If the outer layer is breached, the next comes into play. Each layer should include both protection and detection capability. For example, a state will use a combination of physical security (e.g., lock and key), procedural controls (e.g., who is given access to the system and for what purpose) and auditing (a record of what was done and by whom) to defend against tampering with voting systems. Georgia does additional validation testing on software installed on machines in a local election jurisdiction to ensure that it is the same as the certified software.70 Other states may have similar procedures.
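The Georgia validation step just described is a software-integrity check: the bytes actually installed on a fielded machine are compared with the certified reference. As an added example, not the report's own material and not Georgia's actual procedure (whose details the report does not give), the following Python script shows what such a check looks like: every file of an installed image is hashed and compared against a manifest taken from the certified reference image, and the script reports files that were modified, removed, or added. The file names, contents, and directory layout are constructed for the example; a real image would be the vendor's certified firmware and configuration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """SHA-256 of a file, read in chunks so large firmware images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check_install(root, manifest):
    """Compare the installed tree under root with the certified manifest.

    Returns a sorted list of (finding, path) tuples. An empty list means the
    installed image is byte-for-byte the certified one; anything else means
    the machine is running software that was never certified in that form."""
    actual = hash_tree(root)
    findings = []
    for path, digest in manifest.items():
        if path not in actual:
            findings.append(("missing", path))
        elif actual[path] != digest:
            findings.append(("modified", path))
    for path in actual:
        if path not in manifest:
            findings.append(("unexpected", path))
    return sorted(findings)


def write_tree(root, files):
    """Helper for the example: materialise a {relative path: bytes} mapping on disk."""
    for rel, content in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)


# Constructed stand-in for a certified DRE software image (not real vendor files).
CERTIFIED_FILES = {
    "bin/ballot_station": b"certified ballot station binary v1.0\n",
    "bin/tally": b"certified tally binary v1.0\n",
    "etc/ballot.def": b"contest=Governor;A;B\n",
}


def certified_manifest():
    """Produce the manifest the certifying body would record for the reference image."""
    with tempfile.TemporaryDirectory() as ref:
        write_tree(ref, CERTIFIED_FILES)
        return hash_tree(ref)


def demo():
    """Validate a clean machine, then one that received an uncertified field patch."""
    manifest = certified_manifest()
    with tempfile.TemporaryDirectory() as machine:
        write_tree(machine, CERTIFIED_FILES)
        clean = check_install(machine, manifest)
        # Simulated vendor patch applied directly in the field, never re-certified
        (Path(machine) / "bin" / "tally").write_bytes(b"patched tally binary\n")
        (Path(machine) / "bin" / "helper.dll").write_bytes(b"stray file\n")
        os.remove(Path(machine) / "etc" / "ballot.def")
        dirty = check_install(machine, manifest)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean machine:", clean)     # []
    print("patched machine:", dirty)   # missing, modified, unexpected findings
```

Two caveats determine whether this check means anything. The manifest must come from the certification record (carried on read-only or signed media), not from the machine being examined, or a substituted image simply brings its own matching manifest. And the check must not be a self-check run by the suspect machine's own operating system, which can present the certified bytes to the examiner while executing something else; it should run from trusted external boot media or directly against the storage medium removed from the machine. The "unexpected" finding is the one most often skipped in ad hoc procedures, yet it is exactly what catches the uncertified patch or stray library that footnote 57 describes.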
Trade-Offs. The combined use of goals and elements as discussed above is known as defense in depth. Such a strategy requires balancing “protection capability and cost, performance, and operational considerations.”71 This balancing can involve difficult questions, especially with regard to resource allocation. For example, how much effort should be expended on threats that may have a significant probability but a comparatively low impact versus addressing those with very low probability but very high impact? The need to weigh such trade-offs occurs throughout the security arena. In the area of homeland security, the number of casualties from a terror attack using the smallpox virus could be much higher than from an attack with explosives, but the latter is widely considered much more likely. Furthermore, there are many other factors that must be weighed, such as balancing protection against the threat, on the one hand, against the safety of countermeasures (such as vaccines) and disruption to daily life (such as screening for explosives) on the other.
Setting priorities with respect to investment in defense in such cases is far from straightforward. This is true for election administration as well. Decisions about what kinds of security to provide and how to provide it must be made in complex circumstances. For example, with DREs, the probability of successful tampering occurring may be very small, but the impact of a successful attack could be very high.
66 Diebold claims that its security procedures make insertion of malware during development “realistically impossible” (Diebold rebuttal, p. 6). The California task force report makes several recommendations with respect to vendor security, including requiring background checks of programmers and developers and documentation of the custody chain for software (p. 36).
67 Williams, “Georgia Voting System,” describes Georgia’s certification procedures. The Maryland study made several recommendations for improvements in state procedures.
68 See, for example, Burmester and Magkos, “Toward Secure and Practical E-Elections.”
69 NSA, “Defense in Depth.”
70 Williams, “Georgia Voting System.”
71 NSA, “Defense in Depth,” p. 1.
At the same time, current DREs arguably reduce the risks of certain kinds of tampering that can occur with paper ballots — such as selectively spoiling certain ballots during counting. Many DREs also have other highly desirable features, as discussed earlier,72 that can substantially reduce the number of votes lost because of voter error or other problems. According to one study, over a million such “lost votes” could have been prevented during the November 2000 presidential election if better-designed voting technology had been used.73
Also, security measures may have unanticipated impacts. Measures that made voting much more difficult or complicated and thereby discouraged voters from participating or increased the rate of voter or pollworker error would probably not be worth implementing. Furthermore, voting machines are only part of the election administration system, and security must be integral to the whole system to be
Response and Recovery
The idea that no defense is perfect and that attackers try to find the imperfections means that defenders need to assume that an attack will at some point be successful. Some damage will occur before the attack is detected and stopped (assuming that the attack is detected — in the case of vote tampering, an attacker would usually prefer that the attack not be discovered and will make efforts to hide it74). For this reason, mechanisms for minimizing and recovering from damage that occurs are considered desirable. They are also desirable in the event of damage that can result from sources other than an attack, such as power outages, malfunctioning voting machines, or administrative problems. For example, DREs store vote data in redundant memory locations, in the event that one memory fails. As the difficulties with spoiled ballots from the November 2000 presidential election indicated,75 recovery from some kinds of damage may not be possible, and reliance must be placed on strengthening preventive measures. Thus, HAVA requires that voters be notified of overvotes before a ballot is cast and be given the opportunity to correct
One criticism of DREs has been that if a problem is discovered during auditing, it is not clear what can be done to identify which votes were valid and which were not. For example, if a machine is suspected of harboring malware, should all votes
73 Caltech/MIT report, p. 8–9.
74 For example, in a statewide election, increasing the votes for a candidate in a precinct already voting heavily for that person may be less likely to trigger questions than would changing the vote in a closely fought precinct.
75 In this case the problems arose from ballot design and procedural flaws rather than an
76 However, for systems where this is not possible — such as those using document ballots where votes are not counted in the precinct but in a central location — an education and instruction program is permitted.
from it be discarded, or would some be counted? How election officials answer such questions will depend on state law, regulations, and practices.
One mechanism for recovery from some kinds of problems is the recount, in which ballots are counted a second time to address concerns about the accuracy of the original count. DREs, like lever machines, simplify recounts and reduce chances for error in them because the recounts are based on the vote tallies from the machines, rather than individual ballots. However, problems with the machines themselves, including tampering, would probably not be discovered through a
Confidence in DREs
There appears to be an emerging consensus among computer scientists that current DREs, and to a lesser extent other computer-assisted voting systems, do not adhere sufficiently to currently accepted security principles for computer systems, especially given the central importance of voting systems to the functioning of democratic government.77 However, election administrators and those with related expertise tend to express more confidence in the systems as they are currently realized.78 Also, the fact that security concerns exist does not in itself mean that voting systems have been compromised or are likely to be. It does, however, suggest that the issues raised need to be addressed expeditiously, especially given the evolving threat environment and vulnerabilities discussed above.
The question of confidence in computer-assisted voting systems is important in general, since voters must have confidence in the integrity of the voting systems they use if they are to trust the outcomes of elections and the legitimacy of governments formed as a result of them. If the concerns that have been raised about DRE security become widespread, that confidence could be eroded, whether or not those concerns are well-founded. This potential problem could be exacerbated by two factors. One is the likelihood, especially given the applicable provisions of HAVA, that the use of DREs will increase. The other is the likelihood of increasing concentration of market share for voting systems in a few companies.79 Historically, election jurisdictions in the United States have used a wide diversity of voting systems provided by a broad array of vendors. This diversity has been considered an advantage by many, not only in meeting the diverse needs of election jurisdictions, but also for security, especially in statewide and federal elections where more systems may be used. Some experts believe that it is much more difficult to successfully commit widespread tampering with elections if many different systems
77 See the Caltech/MIT study, the California Task Force report, the Hopkins study, and the
78 See for example Williams, “Georgia Voting System”; The Election Center, “DREs.”
79 According to Diebold, the combined U.S. market share for the three largest voting system companies — Diebold Election Systems, Election Systems and Software, and Sequoia Voting Systems — increased from 74% in 2000 to 89% in 2002 (Gregory Geswein, Senior Vice President and Chief Financial Officer, Diebold, Incorporated, untitled presentation slides, 24 February 2003, [http://www.diebold.com/investors/presentation/ir2003.pdf], p.
need to be compromised than if only a few must be. In any case, as the usage of DREs increases, they and the companies that make and sell them may be subjected to increased public scrutiny.
For these and other reasons, many experts and observers have proposed actions to resolve the controversy over DRE security. Several of these ideas are discussed
Proposals for Resolving the Issue
Use Current Procedures
Some observers have argued that existing security mechanisms are sufficient to resolve any problems and that no new solutions are necessary, although current procedures may need to be improved, as recommended by the Maryland study.80 These observers argue that the federal Voting System Standards (VSS); NASED, state, and local certification processes; and vendor and election administration procedures and controls, when properly implemented, provide sufficient security to prevent tampering. They also point to the lack of any proven case, despite many accusations, of election fraud involving computer tampering,81 and that criminal penalties provide a deterrent to election fraud.82 Critics state, in contrast, that those processes and procedures are flawed, and that recommended or stated security procedures are not always followed. They also point out that the absence of a proven case of tampering does not necessarily mean that it has not been attempted, and that as the usage of DREs increases, the potential payoff for tampering, and hence the potential threat, will also increase.83
80 See for example, the Diebold rebuttal and Lamone, “Action Plan.”
81 The occurrence of voter error or machine malfunction is sometimes pointed to as evidence for vote fraud, but they are not the same. However, both fraud and error can affect the outcome of an election, and both need to be minimal to ensure the integrity of the results. In addition, if errors occur frequently, they could mask an occurrence of fraud — if a discrepancy is discovered, officials might simply conclude that it is another case of error even if it is actually caused by tampering. See also footnote 122.
82 Federal law prohibits voting more than once (42 U.S.C. § 1973i(e)), vote buying and selling (18 U.S.C. § 597, 42 U.S.C. § 1973i(c)), and procuring, casting, or tabulating fraudulent ballots (42 U.S.C. § 1973gg-10(2)). The Public Integrity Section of the Department of Justice’s Criminal Division prosecutes such cases.
83 See, for example, Bev Harris, Black Box Voting (High Point, North Carolina: Plan Nine Publishing, 2003), available at [http://www.blackboxvoting.com].
Improve Security Standards and Certification of Voting
Some critics have stated that the security provisions in the VSS are insufficient,84 and that their development did not follow best practices in this area, as promulgated and practiced, for example, by national and international standards-setting organizations such as the American National Standards Institute (ANSI), the International Organization for Standardization (ISO), and NIST, which has been involved only marginally in the development and implementation of the VSS.85 The VSS have also been criticized for placing too many constraints on the development of new technology that can address security concerns.86 Critics also point out that several of the problems identified by the Hopkins and Maryland studies occurred despite the certification by NASED that the Diebold system conforms to the VSS.
HAVA requires changes in the processes for developing standards for and certifying voting systems. It establishes a Technical Guidelines Development Committee under the new Election Assistance Commission to assist the EAC in the development of voluntary voting system guidelines. These guidelines will essentially replace the current Voluntary Voting System Standards (VSS), but the Act also stipulates that the initial set of guidelines will be the most recently adopted version of the VSS. The new Committee established by HAVA will be chaired by the Director of NIST and will include, among others, representatives of ANSI, the Institute of Electrical and Electronics Engineers (IEEE), and NASED. IEEE has already begun developing new draft voting system standards.87 These standards would presumably be used to help inform the guideline-development process once the EAC and its support bodies are established.
The importance of standards was reinforced with the initial adoption and implementation of the VSS, which led to significant improvements in computer-assisted voting systems. Standards are essential to security because they specify measurable attributes a system needs to be considered trustworthy, and they can reduce design flaws.88 However, a particular challenge that arises with respect to security standards is that it is not possible to anticipate all the ways a system might be attacked. In addition, standards can provide adversaries with information they can
84 For example, Mercuri and Neumann, “Verification,” p. 37.
85 For some legislative history of the development of the VSS, see Eric Fischer, Federal Voting Systems Standards: Congressional Deliberations, CRS Report RS21156, 25
86 For example, the DRE standards assume that the voter interface and the vote tallying components will be in the same unit, which may constrain manufacturers from following one of the central security-related recommendations of the Caltech/MIT report (p. 72), which is to separate those functions in different units.
87 IEEE, “Standards Coordinating Committee 38 (SCC 38): Voting Standards,” accessed
88 NRC, Trust in Cyberspace, p. 201, 209.
use in searching for vulnerabilities.89 Therefore, security standards need to be continually reevaluated as new threats and vulnerabilities are discovered. Also, it is considered risky to treat adherence to standards as an indication that a system is secure.90 The federal government requires that federal agencies adhere to a set of computer-security policies, standards, and practices,91 but these do not apply to voting systems, which are under the purview of state and local governments.
Standards can be difficult and time-consuming to develop, especially under the commonly used consensus approach, in which stakeholders reach agreement on provisions to be included. Strengths of this approach, when properly implemented, are that the resulting standards are less likely to contain substantial omissions, and they are more likely to be acceptable to users and other stakeholders. Efforts to develop the VSS began in the 1970s, but the standards were not approved until 1990.92 The Common Criteria for Information Technology Security Evaluation (ISO/IEC 15408), which is a set of requirements for evaluating the security of information technology, took five years to develop, efforts having been begun in 1993 and completed in 1998.93 The IEEE voting standards project began in 2001 and has proceeded amid some controversy, which apparently is not atypical for standards panels addressing difficult issues.94 Given those considerations and the delays in establishing the EAC, it is not clear whether new standards or guidelines will be in place before the HAVA voting system requirements go into effect in January 2006; however, HAVA requires the Technical Guidelines Development Committee to
89 Ibid., p. 209. Although there are many benefits from having a single, uniform set of standards, that does have the potential for increasing vulnerability in the sense that “…it is easier to mount attacks against multiple representatives of a single standard than against differing implementations of several standards” (Ibid., p. 204). This is somewhat analogous to the vulnerabilities associated with use of a single, uniform voting system (see above).
90 Ibid., p. 203.
91 See Marcia Smith and others, Internet: An Overview of Key Technology Policy Issues Affecting Its Use and Growth, CRS Report 98-67, 11 July 2003, p. 9-11.
92 There were several factors involved in this delay. See Fischer, Federal Voting System
93 Edward Roback, Chief, Computer Security Division, National Institute of Standards and Technology, “Exploring Common Criteria: Can it Ensure that the Federal Government Gets Needed Security in Software?” testimony before the House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, 17 September 2003. The notion of criteria is broader than that of standards because it generally includes things, such as statements on how a system should be designed and operated, that cannot be directly assessed by examining the product (National Research Council, Trust in Cyberspace, p. 199). The Common Criteria provide a framework for the development of standard sets of requirements, called profiles, to meet specific needs of consumers and developers, depending on the assurance level that they require (Syntegra, “Common Criteria”). HAVA uses the term guidelines rather than standards or criteria and does not define it.
94 Farhad Manjoo, “Another case of electronic vote-tampering?” Salon.com, 6 October
[http://archive.salon.com/tech/feature/2003/09/29/voting_machine_standards/index_np.h
submit its initial recommendations to the EAC within nine months of the Committee’s appointment.95 In any case, even after new standards are approved, there remain issues relating to testing and certification. For example, should all voting systems be required to adhere to the new guidelines or should those certified under the VSS continue to be accepted?
The current process for testing and certification of voting systems was initiated by NASED in 1994. HAVA directs the EAC to provide for “testing, certification, decertification, and recertification of voting system hardware and software by accredited laboratories” (Sec. 231(a)(1)). It gives NIST responsibility for recommending and reviewing testing laboratories.
While HAVA maintains the voluntary nature of adherence by states to federal voting system standards and use of certified systems, most states have adopted the VSS.96 Consequently, if the EAC decertifies voting systems that do not meet the new guidelines, many states would likely replace those systems, provided that funding were available to do so. However, the more stringent a set of standards is with respect to security, the more time-consuming and expensive it may be to test and certify the system (some have criticized the Common Criteria for this reason, although others have suggested that they be applied to voting systems97). More secure systems may also be more expensive to manufacture. Consequently, there may be economic disincentives for investment in highly secure voting systems, although such disincentives would likely become less important if public concern
Under the current VSS, testing is performed under specific laboratory test conditions. Such tests are necessary to determine if the system meets the standards, but some experts have proposed that they are not sufficient, that additional testing needs to be done under realistic conditions of use, involving actual voters, and that systems should be retested after use in the field.98
Even if new guidelines and certification procedures can be developed that include state-of-the-art security features, some observers believe that this will not be sufficient. They point to three problems: (1) Given the time required to develop and implement new voting system guidelines and to test and certify systems under them, systems reflecting such guidelines will not be in place for several years, whereas the threat from cyberattacks is present and growing. (2) Overreliance on any one line of defense, such as security standards, runs counter to the recommended use of defense in depth. (3) The use of standards does nothing about the reduced observability and
95 HAVA distinguishes between the guidelines (Sec. 221-222), which replace the VSS, and guidance (Sec. 311-312) for meeting the requirements of the Act. The deadline for adoption of guidance for meeting voting system requirements is January 2004.
96 FEC, Voting Systems Performance and Test Standards: An Overview, p. 15.
97 Rebecca Mercuri has recommended that voting systems be benchmarked at level 4 or above of the 7 levels (Mercuri, “Electronic Voting”).
98 See Caltech/MIT report, p. 72-73.
transparency that characterizes computerized voting systems99 in contrast to more traditional systems, and therefore cannot sufficiently address concerns about public confidence in the integrity of computer-assisted voting. Some experts also believe that certification and procedural controls, including auditing, can never guarantee security of a voting system.100 This problem, they say, is further complicated by the need for ballot secrecy, which is not an issue, for example, in computerized financial
Use Open Source Software
Some experts have proposed the use of open source software code for at least some voting system software.101 Such code would be available for public inspection and undergo thorough security review, and these experts argue that it would therefore be more secure because the open source review process would be more thorough and identify more potential security flaws than is possible with proprietary code. Advocates of proprietary or closed source code argue, in contrast, that this approach makes potential flaws more difficult to discover and therefore to exploit. Even if open source code is superior with respect to security (which remains unproven), DREs often use commercial off-the-shelf (COTS) software (such as Microsoft Windows) that is proprietary.102
Currently, the code for virtually all voting system software in the United States is closely held by the vendors, who release it only to select parties, such as the ITAs, under nondisclosure agreements. The vendors argue that the use of proprietary software is important both to protect their intellectual property rights and for security. While secrecy can be an important security tool (sometimes called “security through obscurity”), it has some weaknesses. First, it is fragile, in that once this defense is breached, the damage cannot be repaired — the code cannot be made secret again. Second, use of secrecy limits the number of people who can examine the code, thereby limiting the scrutiny it can receive for vulnerabilities. Both of these potential weaknesses were demonstrated by the circumstances leading to the Hopkins study. Diebold code was posted (perhaps inadvertently) on an open Internet server; the authors analyzed this code and claimed to have discovered several vulnerabilities (which Diebold disputed).
99 Some advocates pejoratively refer to DREs as “black-box voting” (see for example,
100 See, for example, Mercuri and Neumann, “Verifiability,” p. 39.
101 “Open source software refers to a computer program whose source code is made available to the general public to be improved or modified as the user wishes” (Jeffrey W. Seifert, Computer Software and Open Source Issues: A Primer, CRS Report RL31627, 5 November 2002, p. 1). What is “open” (or “closed”) is the source code — what programmers actually write. This code is translated into machine code (compiled) for use by computers to run the programs. Machine code can be translated back into source code (decompiled). This does not recover the original source code but can be useful, for example, to hackers hoping to find vulnerabilities, or to defenders looking for malware that might be in the machine code.
102 The way COTS software is tested and used in current DREs might itself create vulnerabilities (Jones, “Diebold FTP Site”).
Some have proposed resolving this issue by using a modular approach that separates the voter interface or ballot choice function (equivalent to marking an optical-scan ballot) from the vote-casting function (putting the ballot in the optical-scan reader).103 The software for the latter would be open source and standardized and for the former proprietary and more flexible. The reasons are that vote casting is a straightforward, well-defined process that requires high security to ensure that the voter’s actual choices are recorded and counted, whereas the voter interface is where innovations can provide the greatest advances in usability and other benefits for voters, and the security requirements are not as stringent. The code used for vote casting and counting can be much simpler than that needed for the voter interface, making security potentially much easier to achieve than is currently the case with DREs, where both functions are housed within a single unit.
Improve Verifiability and Transparency
Verifiability in elections can be thought of as consisting of two components. One involves the capability of the voter to verify that his or her ballot was cast as intended. This is what is usually meant by voter verifiability. The other involves the capability to determine that the final tally accurately reflects all votes as cast by the voters and that it includes no additional votes — in other words, that no votes were improperly changed, omitted, or added. This has been called results verifiability.104 If all voters can obtain both voter and results verifiability, that is known as universal verifiability.105 Roll-call voting provides robust universal verifiability — voters publicly record their votes, which are counted in the presence of all voters. However, this approach sacrifices ballot secrecy and can be used only for very small electorates. While ballot secrecy reduces the risk of vote selling and coercion, it complicates verifiability, since voters cannot know directly if their ballots were counted as cast. Hand-counted paper ballot systems, which can provide ballot secrecy, may provide universal verifiability only under some very limited circumstances and only for very small electorates. Such systems can provide a kind of surrogate results verifiability, if observers closely watch the counting of ballots, but even that can be difficult to achieve. Lever machines and computer-assisted voting systems arguably exhibit neither voter nor results verifiability, although document-based systems such as optical scan and punchcards do retain the capacity for surrogate results verifiability if manual recounts are done in the presence of observers.
Some observers believe that the potential security problems associated with the lack of transparency and observability in vote casting and counting with DREs cannot be resolved through the use of security procedures, standards, certification, and testing. They assert that the only reliable approach is to use ballots that voters can verify independently of the DRE and that these ballots become the official record for any recounts. Others assert that voter verifiability is a highly desirable feature but caution about some of the proposed ways of achieving it. Still others believe that there are problems with the approach that make it undesirable.
103 Caltech/MIT report, p. 60, 63. The authors further propose that these be performed by different machines. See the section on modular voting architecture, p. 29, for a description
104 See C. Andrew Neff and Jim Adler, “Verifiable e-Voting,” 6 August 2003,
105 Mike Burmester and Emmanouil Magkos, “Toward Secure and Practical E-Elections in the New Era,” in Gritzalis, Secure Electronic Voting, p. 63-76.
HAVA requires that each voting system produce a paper audit record for the system and that this be the official record for recounts. It also requires that voters have the opportunity to correct their ballots before that record is produced. However, it does not stipulate that that record consist of individual ballots or that it be verifiable by the voter.
At least four different ways of achieving voter verifiability have been proposed. These are discussed below to illustrate the range of complexity and issues involved.
Voter-Verifiable Paper Ballot. In the most widely discussed method, the DRE would print a paper ballot with the voter’s choices listed. The voter could then verify that the ballot accurately reflected the voter’s choices as made on the DRE. Any discrepancies could then be called to the attention of a poll worker. Once the voter was satisfied with the paper ballot, it would be deposited in a ballot box106 and kept in the event of a recount. A sample of these ballots could also be counted as part of a standard audit for comparison with the total count. Some observers also believe that any recount using these paper ballots should be performed by hand rather
This approach has the following potential advantages: (1) Any recount would be based on an independent record that the voter had had an opportunity to verify. (2) Each election could be audited, and any significant discrepancies between the electronic and paper tallies would trigger a full recount. (3) If the recount were performed by hand, that would take advantage of the transparency and observability that can be associated with that approach. (4) The method could help ensure voter confidence in the legitimacy of election results, since voters would know that ballots they had verified would be available for recounts.
The approach has also been criticized, with critics asserting the following: (1) It makes voting more complicated and time-consuming by requiring extra steps by the voter. (2) The use of printers would substantially increase both the cost of administering an election and the risk of mechanical failure of a voting machine. (3) It is generally accepted that paper ballot systems cannot be made to conform to the HAVA accessibility requirements.107 (4) Since the method is largely untested, it is not clear to what extent it would improve security in practice and what impacts it might have on voters.108 (5) Hand counting of the paper ballots would be time-consuming and arguably more error-prone than machine counting.109
106 This could be done by the voter or by the DRE (the voter need not handle the ballot but could view it through a transparent pane (see Rebecca Mercuri, “A Better Ballot Box?” IEEE Spectrum Online, October 2002, [http://www.spectrum.ieee.org/WEBONLY/publicfeature/oct02/evot.html]), although the latter approach could raise issues about ballot secrecy if the ballots were deposited in the box in the order in which voters used the DRE (ballots are not recorded in the order cast in the DRE’s memory). The method as usually described does not provide voters with ballot “receipts” that they can take from the polling place, which would create significant opportunities for fraud and abuse, if those receipts showed the choices the voter made.
Votemeter. There is an electronic version of the above method, in which an electronic device would be attached to the DRE. This votemeter would have a display on which the voter could verify choices, and it would record those choices independently of the DRE. Those records would be used in any recount and could also be tallied separately by an independent agency — to provide a check on possible collusion with respect to the DREs. Advantages to such a system over a paper trail would be that it would not have the problems of manual paper recounts, it could provide a fast, independent, full audit of the DRE vote, and it could be accessible to blind persons via an audio input. However, it would still be more complex for the voter than current systems, and voters would need to trust that the attached unit was
Modular Voting Architecture. A third way to provide voter verifiability with DREs is analogous to optical scan or punchcard balloting with precinct counting.110 After a voter makes choices on the voter interface (such as a touchscreen), the machine writes the ballot to a memory card or other device, called a frog, which the voter then takes to another machine that reads the ballot. This reader would be highly secure, as discussed above.111 It would have a display so that the voter could verify choices before casting the ballot. A reader could even be provided with an audio program to allow blind voters to verify choices.112 The advantages and disadvantages of this system are similar to those for the previous two, depending on its particular design.
107 For example, while a blind voter could use audio features of the DRE to make ballot choices, the voter could not verify those selections with a paper ballot unless it were printed in Braille. But most blind people do not read Braille (Braille Institute, “Braille Institute Services,” 10 October 2003, [http://www.brailleinstitute.org/about-edu.html]), and Braille ballots would not provide complete ballot secrecy, since only blind people who read Braille would use them. A separate audio or other paperless verification device could, however, be provided. The U.S. Department of Justice has issued an opinion that DREs that produce voter-verifiable paper ballots are consistent with both HAVA and the Americans with Disabilities Act (P.L. 101-336) “so long as the voting system provides a similar opportunity for sight-impaired voters to verify their ballots before those ballots are finally cast” (Sheldon Bradshaw, Deputy Assistant Attorney General, “Whether Certain Direct Recording Electronic Voting Systems Comply with the Help America Vote Act and the Americans with Disabilities Act,” Memorandum Opinion for the Principal Deputy Assistant Attorney General, Civil Rights Division, U.S. Department of Justice, 10 October 2003, available at [http://www.usdoj.gov/olc/drevotingsystems.htm]).
108 For example, it would arguably be unlikely to deter certain forms of tampering, such as those that would not trigger a recount — for example, changing the vote by a small percentage in precincts where the vote was not close — and it does not take into account the vulnerabilities of printed ballots to various forms of election fraud.
109 This is likely to be especially true for ballots on which the choices the voter made are printed. There would be no ambiguous marks or hanging chad for a machine to misread.
110 See Caltech/MIT study, p. 58-64.
Encrypted Votes. All three of the above approaches essentially provide a second, independent audit channel for the voting system. Another way of providing verifiability uses cryptographic methods to provide a kind of electronic verification.113 Proponents argue that a properly designed system using encrypted votes is conceptually different from the “electronic ballot box” exemplified by DRE technology and that it provides for privacy, transparency, auditability, and security in a superior way to any current approach. This can be part of a more comprehensive system that uses cryptographic methods throughout the election process — from election preparation through auditing of the results — that purports essentially to mimic electronically or even improve upon the observability and transparency associated historically with manually counted paper ballot systems.
There are several different possible approaches using cryptographic protocols.114 In one kind of system, the voter, before casting the vote in the voting booth, can see the ballot choices the encrypted information will correspond to. When the vote is cast, a receipt is generated with encrypted information, which could be in any of several different forms, such as a number or a pattern printed on a piece of paper.115 After the election, each voter can also determine if his or her vote was counted as cast by comparing the receipt to posted information.116 However, because the information on the receipt is encrypted, no one, including the voter, can prove what choices were made.117 The encryption is performed with a set of encryption keys that have been generated independently by different election trustees — for example, an election administrator and representatives of each of the major political parties. Votes, to be counted, must be decrypted, which is accomplished by each trustee applying his or her key, and shuffling the votes before sending them to the next trustee.118 Information related to the encryption is also posted that makes it possible for a trustee or a member of the public to audit and authenticate the election.119 If a trustee (or anyone else) attempts to change, omit, or add any ballot, that will be detected in the audit, because the changes will show up as invalid, just as someone trying to modify an encrypted financial transaction will be discovered. At least one proposed system also permits auditing by observers during the course of the election.
112 However, this might better be done by a third, intermediary unit to keep the computer code in the reader as simple as possible.
113 One application is described in VoteHere, “VHTi,” 25 September 2003, [http://www.votehere.net/products_tech.htm].
114 See, for example, Burmester and Magkos, “Towards Secure E-Elections,” p. 68-71. Most approaches appear to be based on one or both of two cryptographic protocols, asymmetric cryptography and homomorphic encryption (Danilo Bruschi and others, “E-Vote and PKI’s: A Need, a Bliss or a Curse?” in Gritzalis, Secure Electronic Voting, p. 195-209).
115 For example, the choices could be printed in plain text on the receipt and, when the voter casts the vote, be partially overprinted in a way that makes the text unreadable but retains characteristics that the voter can use to check later to see if the vote was counted as cast (David Chaum, “Secret-Ballot Receipts and Transparent Integrity,” unpublished manuscript, May 2002). Alternatively, numeric codes on the receipt can be checked against those in a codebook in the voting booth (VoteHere, “VHTi,” 25 September 2003, [http://www.votehere.net/products_tech.htm]).
116 This provides voter verifiability.
117 This seemingly paradoxical situation is possible through use of a cryptographic protocol known as a zero-knowledge proof, with which it is possible for one party to prove to another, with a very high degree of confidence (although not absolutely in the mathematical sense), that it possesses a particular piece of information, without revealing the information itself (Burmester and Magkos, “Towards Secure E-Elections,” p. 72).
Proponents of this approach claim that the capabilities of checking the vote before and after casting the ballot while maintaining ballot secrecy, along with the high probability of detecting any tampering through public auditing, mean that, unlike with DREs, it is not necessary for voters or election or party officials to trust the voting machines to produce the correct tallies. In this sense, the encrypted-vote system is even more transparent than paper ballots that are hand-counted in the presence of observers. It is much closer in transparency to a roll-call vote, but it retains ballot secrecy. Proponents also believe that use of this approach could reduce the costs of elections by reducing the need for physical security, testing, and other activities. They also state that the integrity of the system is not dependent on the secrecy of the encryption keys, although privacy might be compromised if all keys were broken or stolen or all trustees colluded.
If successful, the approach could address many of the security issues with DREs that this report discusses. However, it does not yet appear to have been independently evaluated and therefore could have currently unknown disadvantages and vulnerabilities. Also, it is not clear that it would have the same potential positive impact on voter confidence as paper-based voter verification might. That is because a voter who does not understand the technology behind the system — and few voters are likely to — may have no greater basis for confidence in the correspondence between the encrypted receipt and the choices the voter made than is currently the case with DREs. Some proponents, however, believe that those concepts are simple enough that they can be taught in secondary school.120
If the system relies on printers at each voting booth, that raises issues similar to those with respect to printers for voter-verifiable paper ballots. Similarly, the verifiability feature increases the complexity of the voting process for voters, with unknown consequences. In addition, it is not clear to what extent valid ballots could be recovered in the event that tampering was found or malfunction occurred. Finally, some critics question whether encrypted receipts are in fact unable to show a voter’s choices. Proponents argue that these concerns are either unlikely to be a problem in practice or are relatively easy to address.
118 This is called a mix-net approach (Ibid., p. 68).
119 This provides results verifiability.
120 David Chaum, telephone conversation with author, 14 October 2003.
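The two components of verifiability defined earlier (voter verifiability via the receipt, results verifiability via public audit) and the trustee-by-trustee decryption and shuffling described in this section, as an added illustration that is not code from the report or from any vendor's product: a toy decryption mix-net in Python with three trustees holding independently generated keys, a posted board of encrypted ballots that voters check their receipts against, and an audit over the posted stages. The tiny group parameters, the candidate encoding, the candidate names, and the `tamper` hook are assumptions made for the illustration; the zero-knowledge proofs that real systems add (footnote 117) are omitted, so the audit catches only the two simple manipulations shown.

```python
"""Toy decryption mix-net (added illustration, not code from the report or any
vendor).  Trustees with independently generated keys each strip one layer of
encryption, shuffle, and post a board that anyone can audit.  The tiny group and
candidate encoding are assumptions; there is no real secrecy and no ZK proofs."""
import hashlib
import random

P, Q, G = 1019, 509, 4   # toy safe prime P = 2*Q + 1; G generates the order-Q subgroup

def keygen(rng):
    """One trustee's ElGamal key pair, generated independently of the others."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)

def enc(pk, m, rng):
    """ElGamal encryption of one group element m under public key pk."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(pk, r, P) % P

def dec(sk, c1, c2):
    """ElGamal decryption c2 / c1**sk.  A zero c1 has no inverse: return 0,
    which is never a valid group element, so the audit flags the ballot."""
    if c1 % P == 0:
        return 0
    return c2 * pow(pow(c1, sk, P), -1, P) % P

def encrypt_layer(pk, elems, rng):
    """Wrap a list of group elements in one layer (two elements per input)."""
    out = []
    for e in elems:
        out.extend(enc(pk, e, rng))
    return out

def decrypt_layer(sk, elems):
    return [dec(sk, elems[i], elems[i + 1]) for i in range(0, len(elems), 2)]

def encode_vote(candidates, choice):
    """Candidate i (0-based) is encoded as the subgroup element G**(i+1)."""
    return pow(G, candidates.index(choice) + 1, P)

def decode_vote(candidates, elem):
    for i, c in enumerate(candidates):
        if pow(G, i + 1, P) == elem:
            return c
    return None   # not a candidate encoding: the ballot is invalid

def receipt_of(cipher):
    """Receipt = digest of the encrypted ballot (choice recoverable only with every trustee key)."""
    return hashlib.sha256(",".join(map(str, cipher)).encode()).hexdigest()[:16]

def cast_ballot(pubkeys, candidates, choice, rng):
    """Voter side: layer the encoded vote under every trustee key so the first
    trustee in the mix strips the outermost layer.  Returns (ciphertext, receipt)."""
    elems = [encode_vote(candidates, choice)]
    for pk in reversed(pubkeys):
        elems = encrypt_layer(pk, elems, rng)
    return elems, receipt_of(elems)

def receipt_posted(receipt, board0):
    """Voter verifiability: is my receipt on the posted board of cast ballots?"""
    return any(receipt_of(b) == receipt for b in board0)

def run_mix(board0, seckeys, rng, tamper=None):
    """Trustees in turn strip a layer, shuffle, and post the resulting board.
    `tamper(stage, board)` is an assumed hook simulating a dishonest trustee."""
    boards = [list(board0)]
    for stage, sk in enumerate(seckeys, 1):
        out = [decrypt_layer(sk, b) for b in boards[-1]]
        rng.shuffle(out)
        if tamper:
            tamper(stage, out)
        boards.append(out)
    return boards

def audit_boards(boards, candidates):
    """Results verifiability from the posted boards alone: omission or addition
    changes a stage's ballot count, and an altered ciphertext decrypts to garbage
    that decodes to no candidate.  (A substituted *valid* ballot is not caught.)"""
    for k in range(1, len(boards)):
        if len(boards[k]) != len(boards[k - 1]):
            return False, f"stage {k}: ballot count changed", {}
    tally = {c: 0 for c in candidates}
    for b in boards[-1]:
        choice = decode_vote(candidates, b[0]) if len(b) == 1 else None
        if choice is None:
            return False, "final stage: invalid ballot", {}
        tally[choice] += 1
    return True, "ok", tally

def run_election(votes, candidates, seed=None, tamper=None):
    """End to end with three trustees (e.g. administrator plus two party
    representatives).  Returns (all receipts posted?, audit ok?, reason, tally).
    `seed` only makes a demonstration run reproducible."""
    rng = random.Random(seed)
    keys = [keygen(rng) for _ in range(3)]
    cast = [cast_ballot([pk for _, pk in keys], candidates, v, rng) for v in votes]
    board0 = [c for c, _ in cast]
    posted = all(receipt_posted(r, board0) for _, r in cast)
    boards = run_mix(board0, [sk for sk, _ in keys], rng, tamper)
    ok, reason, tally = audit_boards(boards, candidates)
    return posted, ok, reason, tally
```

An honest run returns the correct tally with every receipt found on the board; a trustee that drops a ballot is caught by the count check, and one that alters a ciphertext produces a ballot that decodes to no candidate.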
Options That Might Be Considered
The several methods proposed to address the verifiability issue — ranging from printing paper ballots to new electronic ways of voting — each have different strengths and weaknesses, making it difficult to determine at present whether any of these approaches should be adopted. At the same time, many observers would agree that finding ways to increase the verifiability and transparency of electronic voting is desirable. DRE technology is clearly evolving fairly rapidly and has not yet become settled, as witnessed by the diversity of available devices and features in comparison to other kinds of voting systems.121 This environment may promote developing improved security and other desirable properties of the technology. At the same time, as jurisdictions continue to adopt DREs in response to HAVA and other factors, pressures to resolve security issues quickly may increase.
While a defense-in-depth approach would appear to be generally desirable for addressing security questions with DREs, as discussed above, any attempt to implement such an approach needs to take into account potential problems that can be associated with making substantial changes in the way an election is administered. For example, when a voting system is replaced in a jurisdiction, the proportion of residual votes and problems administering the election may actually increase initially, at least in part because neither voters nor pollworkers are familiar with the new system. In addition, there are no proven cases of tampering with DREs or other computer-assisted voting systems in public elections.122 For these and other reasons, some observers argue that any changes to current technology and procedures should be incremental. Others, however, state that given the evolving threat environment and the concerns that have been identified, an incremental approach is not sufficient to prevent undetected tampering that could change the outcome of an election. Policymakers will need to weigh such differences in determining what if any actions to take in response to this set of issues.
Three general approaches are discussed below for addressing the issues raised in this report. First, action could be left to state and local jurisdictions that administer elections. Second, the EAC could address the issues. Third, Congress could take any of several possible actions. These approaches and options, which are not mutually exclusive, are discussed in turn below.
121 As with many unsettled technologies, some problems have accompanied the evolution of this technology. For example, the Caltech/MIT study found that jurisdictions using DREs had a surprisingly large rate of residual votes (overvotes, undervotes, and spoiled ballots). There have also been reports of some problems encountered in jurisdictions recently acquiring the technology (see for example Kim Zetter, “Did E-Vote Firm Patch Election?” Wired News, 13 October 2003, [http://www.wired.com/news/politics/
122 According to a recent report, “the incidence of election fraud in the United States is low and…has had a minimal impact on electoral outcomes” (Lori Minnite and David Callahan, “Securing the Vote: An Analysis of Election Fraud,” Demos, 2003, [http://www.demos-usa.org/demos/pubs/Securing_The_Vote.pdf]). However, there are documented cases of problems with DREs and other computer-assisted voting technology that have resulted in votes being lost, at least temporarily. For a compilation of cases, with sources, see Harris, Black Box Voting, p. 16–55. It could not be determined to what extent such problems go unreported, whether the options discussed in this report would reduce them, or if other kinds of voting systems would exhibit fewer problems.
States. Elections are administered by state and local governments, with the federal government playing a circumscribed role. Although that role was substantially enhanced with the enactment of HAVA, the law stipulates that methods of implementation of its requirements are to be left to the discretion of the states (Sec. 305). States may therefore address these issues individually, as, for example, California, Maryland, and Ohio have already been doing.123 The availability of federal funding under HAVA to improve election administration by state and local governments, as well as the creation of an independent federal agency whose purpose is to assist those governments in election administration, should improve the ability of those governments to ensure the security of elections. Leaving action to the states would allow them to react to the issues in a timely fashion and in ways that are most responsive to their individual circumstances and could lead to a variety of options being tested by different states, making it easier to determine which approaches work best. However, this approach might also lead to a patchwork of responses, which could be challenging for vendors to meet and could lead to some states being more vulnerable to tampering than others.
EAC. The Election Assistance Commission created by HAVA will have some responsibilities to provide guidance and to perform studies and research specifically relating to the security of voting systems. Its work in this area will involve NIST and others with experience in computer security. The EAC and its supporting boards and committees may provide an effective venue for addressing fundamental questions regarding voting system security and helping states meet their needs and responsibilities in this regard, as well as issues relating to voter confidence in the security of DREs. One option would be that the EAC could perform an independent security review of current DREs. This might be especially useful if it could be done in cooperation with a selection of states exhibiting a range of security policies and procedures. However, to address the issue, the EAC must first form the relevant boards and committees, and any study would require a significant amount of time to complete. The EAC may not, therefore, be able to resolve the controversy before states need to make decisions about which kinds of voting systems to acquire.
Congress. Among the possible actions that Congress might consider are hearings, funding to address the controversy, and revisions to HAVA. Congress could choose to hold hearings on the issue for several purposes, such as clarifying issues and options, providing guidance to the EAC, or exploring funding and legislative options. It could also use other means, such as legislative report language or direct communication from congressional leaders, to encourage the EAC to address the controversy in an expedited manner.
Given the range of proposals for addressing DRE security issues, and the uncertainties associated with those proposals, Congress might also consider supporting research and development (R&D) in this area to identify the most appropriate solutions. In the past, economic incentives for private investment in such R&D have been weak, given the small, fragmented nature of the market for voting systems and the relatively low demand for sophisticated security for those systems. With the funding for new voting systems that HAVA provides, the evolving threat environment, and other factors, that situation may be changing. HAVA also authorized grants for R&D to improve security and other aspects of voting technology (Sec. 271), but Congress has not appropriated funds specifically for that program. Presumably, the EAC could use some of its general operating funds for such work, or Congress could appropriate funds specifically for it.
123 See discussion on pages 8–10 and elsewhere.
Several options for revising HAVA might be considered for a legislative response to the controversy:124
• A specific security provision could be added to the voting system requirements, stipulating, for example, that voting systems must adhere to security requirements for federal computer systems as required under current law,125 or requirements or a mechanism to develop them that is specified in the provision.
• The voting system audit requirement in the Act could be revised to require a voter-verifiable paper ballot126 or some other system of
• Voting systems could be required to use open-source software.
• The Act could specify a security review and certification process for all voting systems.
• The Act could specify that experts in security be represented on the Technical Guidelines Development Committee.
• The EAC could be directed to provide security consultation services to state and local jurisdictions.
• The deadlines for meeting relevant requirements, such as for accessibility of voting systems, could be delayed pending resolution of the controversy.
• Federal funding could be provided for upgrades or replacements for DREs purchased under HAVA if they are shown subsequently to have significant security defects.
Some of the above options would themselves be controversial, as discussed earlier in this report with respect to voter verifiability and use of open source software. In addition, creating additional requirements would further increase the federal role in election administration, which may be opposed by those who believe that it should be left to the states as much as possible. Options that would strengthen the ability of the EAC to help address this controversy may themselves be less controversial but might not lead to a timely resolution of the issues. Delays in meeting HAVA requirements are also likely to be controversial, and, some would argue, may not be necessary if the controversy can be resolved before 2006. Finally, additional funding authorization and appropriations may be difficult to enact in a constrained budget environment.
124 These are provided for information purposes only. CRS does not take positions on or advocate legislative and policy proposals.
125 Relevant laws include the Computer Security Act (P.L. 100-235), the Paperwork Reduction Act (P.L. 104-13), the Clinger-Cohen Act (P.L. 104-106), and the Federal Information Security Management Act (P.L. 107-296).
126 H.R. 2239 (Holt), the Voter Confidence and Increased Accessibility Act of 2003, includes this requirement, with a separate paperless system available for voters with disabilities. It would also require “manual mandatory surprise recounts” in 0.5% of election jurisdictions, require the use of open-source software in voting machines, prohibit the use of wireless communications by voting systems, and require that all voting system hardware and software be certified by accredited laboratories.
The purpose of this report has been to explain the controversy about the security of DREs and to lay out the issues raised and options for addressing them. The report does not attempt to resolve the controversy. However, some conclusions can be drawn with respect to the questions asked at the beginning of the report.
• Do DREs exhibit genuine security vulnerabilities? If so, could those vulnerabilities be exploited to influence an election?
Given the worsening threat environment for information technology and the findings of several studies and analyses discussed in this report, at least some current DREs clearly exhibit security vulnerabilities. Those vulnerabilities pose potential but not demonstrated risks to the integrity of elections, in that no proven cases exist involving tampering with DREs. Observers differ in their views about whether these potential risks are significant enough that they need to be addressed urgently or whether they can be addressed incrementally.
• To what extent do current election administration procedures and other security measures protect against threats to and vulnerabilities
The answer to this question is a central point of contention in the controversy, with vendors and election administrators generally claiming that current measures are sufficient and certain other experts, most notably many computer scientists, and some activists claiming that they are not. These differences of opinion appear to be based in part on differences in philosophical perspective. Proponents of approaches such as voter verifiability believe that elections should rely for security on openness, transparency, and observability of the entire election process, and that currently too much trust is placed in the behavior and capabilities of vendors, election officials, and other involved parties. Many election administrators and vendors, and some other observers, believe that the views of such proponents are based on misunderstandings of how voting systems work and how elections are administered. They also believe that approaches such as a voter-verifiable paper ballot would not be of net benefit to the proper functioning of elections. Resolution of such fundamental differences may require — if it is in fact achievable — that those on both sides of this controversy develop better understanding of the bases for the views of the other side. Finding an effective solution may be easier if concerned computer scientists understand in detail how elections are run (perhaps by working directly with administrators) and if election administrators understand cybersecurity more clearly (perhaps by working with computer scientists).
In any case, as indicated by some of the studies discussed in this report, significant improvements in the security of DREs may be found through careful analysis of current systems and how they are implemented and administered, without requiring voter verifiability or other substantial changes. However, such improvements in current systems are not likely to address the fundamental concerns raised by proponents of voter verifiability.
! Do those t hreat s and vulnerabilities apply t o computer-as s i sted
voting s ys tems other t han DREs?
The potential threats and vulnerabilities associated with DREs are substantially
greater than those associated with punch card or optical scan readers, both because
DREs are more complex and because they have no independent records of the votes
cast. However, document-ballot readers are potentially subject to malware that could
affect the count, to vulnerabilities associated with connection to other computers, and
some other kinds of tampering. Therefore, the security of systems using readers
might also benefit from some of the same kinds of approaches that have been
proposed for DREs, such as improvements to current security policies and
procedures, use of modern software engineering techniques, and use of strong
! What are the options for addressing any threats and vulnerabilities
that do exist, and what are the relative strengths and weaknesses of
the different options?
The report discusses seven proposals for addressing the security issues raised
about DREs. They include using current procedures and security mechanisms, with
improvements as necessary; improving standards for the development and
certification of voting systems; using open-source software for voting systems; and
several methods to improve the transparency and verifiability of elections, including
voter-verified paper ballots and an electronic version of that approach, use of
modular electronic voting architecture that physically separates the voter interface
from the casting and counting functions; and a system that uses cryptographic
protocols to permit voters to verify that their ballots were cast as intended and that
no votes were improperly changed, omitted, or added. These proposals vary in ease
of implementation, the degree to which they have been tested in application, and the
level of contention about both their ability to resolve the controversy and their overall
Most of the public debate has centered around whether to rely on current
procedures and mechanisms or adopt voter-verifiable paper ballots. However, these
are clearly not the only options, and the debate might benefit from fuller
consideration of other possibilities such as those discussed above. In addition,
several of the proposals discussed are not mutually exclusive, and a resolution of the
controversy may involve elements of several proposals.
Three policy approaches, which are also not mutually exclusive, were discussed.
The matter could be left to state and local governments, which administer elections;
some states have already taken action. The newly formed EAC could address the
issues through its convening power and responsibilities in the development of
voluntary guidelines for and certification of voting systems. Congress could decide
to use hearings or other mechanisms to provide guidance on the issues, or it might
decide that a legislative solution is necessary. Several legislative options exist,
ranging from funding for research on the issue to adding requirements on DRE
security to HAVA. The benefits and disadvantages of these approaches depend on
many factors, and a legislative solution may become more attractive if the
controversy cannot be resolved through other means.