Election Reform and Electronic Voting Systems (DREs): Analysis of Security Issues

CRS Report for Congress
Election Reform and Electronic
Voting Systems ( DREs):
Analysis of Security Issues
November4,2003
EricA.Fischer
Senior Specialist in Science and Technology
Domestic Social Policy Division

Congressional Research Service ˜ The Library of Congress

Election Reform and Electronic V oting S ys tems
(DREs): A nalys is of Security Issues
Summary
In J u ly 2003, computer scientists fro m J ohns Hopkins and R ice U niversities
rel eased a s ecuri t y anal ys i s of soft ware purport edl y from a di rect recordi n g el ect roni c
(DRE) t ouchscreen voting m achine o f a major voting-system vendor. The study drew
public attention t o a long- s immering controversy about whether current DREs are
vulnerable t o t ampering that could i nfl u ence t h e out com e of an el ect i on.
Many innovations that have become familiar features of modern elections, s uch
as t h e s ecret bal l o t and m echani cal l ever vot i n g m achi n es, o ri gi nat ed at l east i n p art
as a way t o reduce el ect i o n fraud and abuse. C o m put er-assi st ed count i n g o f b al l o t s ,
first u sed i n t he 1960s, can be done very rapi dly and makes s ome k inds of tampering
more difficult. However, it d oes not eliminat e t he potential for fraud, and i t has
created new possibilities fo r t a m p ering t hrough m anipulation o f t he counting
software and h ardware. DREs, i ntroduced in the 1970s, are the first voting s ys tems
to be completely computerized. Touchscreen DREs are arguably t he most versatile
and u ser-friendly o f any c u r r e nt voting s ys tem. Their u se is ex pected to increase
substantially under provisions of The Help America Vote Act o f 2002 (HAVA, P.L.
107-252), especially the requirement that , b eginning in 2006, each polling p lace used
in a federal election have at least one voting machine that is fully accessi ble for
persons with disabilities.
With DREs, unlike docu m ent-ballot systems, t he voter sees only a
repres entation of t he ballot; votes are registered electronically. S ome computer
security ex perts believe that this and other feat u r es of DREs make them more
vulnerable t o t ampering than other k inds of voting s ys tems, especi ally through t he
use o f m alicious computer code. W hile th ere are some differences of opinion among
ex perts about the ex t ent and seriousness of those s ecurity concerns, t here appears t o
be an em ergi ng consensus t hat i n general , c u r r e n t D R Es do not adhere suffi ci ent l y
t o current l y accept ed s ecuri t y pri n ci pl es for com put er syst em s, especi al l y gi ven t he
central importance of voting s ys tems to the functioning of democratic government.
Ot hers caut i on, however, t hat t here are n o d em onst rat ed cases of com put er t am p eri n g
in public elections, and any m ajor changes t hat might be made to improve security
could h ave unanticipated negative effect s o f t heir own. Several p roposals h ave b een
made to improve the s ecurity of DREs and other computer-assisted voting s ys tems.
They i n clude (1) ensuring that accept ed s ecuri t y prot ocol s are fol l o wed appropri at el y,
(2) improving security standards and certification of voting s ys tems, (3) use of open-
source computer code, and (4) improvements i n verifiability and t ransparency.
Much of the current debate ha s f o c u s e d on which s uch p roposals s hould b e
implemented and t hrough what m eans — in particular, whether federal i nvolvement
i s necessary. S om e s t at es are al ready addressi ng t h ese i ssues. T h e E l ect i o n
Assistance Commission established b y HAVA will have some responsibilities
relating t o voting s ys tem s ecurity and coul d address t his controversy d irectly. S ome
observers have also proposed federal fundi ng for research and d evelopment i n t his
area, while others have proposed legi slativ e s olutions including enhancement o f t he
audit requirements under HAVA.

Contents
Background and History of the Issue ...................................2
AustralianSecret Ballot .....................................2
Mechanical LeverMachine ..................................3
Computer-AssistedCounting(PunchcardandOptical Scan) ........3
ElectronicVotingMachine ..................................3
DREs and HAVA ..........................................4
Security Concerns about DREs ...............................5
Analysis oftheProblem ............................................10
Threats .....................................................10
Kinds ofAttacksandAttackers ..............................10
AnEvolvingThreat Environment ............................11
Vulnerabilities ...............................................12
Technical Vulnerabilities ...................................12
Soci al Vulnerabilities ......................................15
Defense ....................................................16
GoalsofDefense .........................................16
Elements ofDefense ......................................18
Trade-Offs ..............................................19
Response and Recovery ........................................20
ConfidenceinDREs ..........................................21
Proposals for Resolving t he Issue ....................................22
UseCurrent Procedures ........................................22
ImproveSecurityStandardsand CertificationofVotingSystems ........23
UseOpenSourceSoftware .....................................26
Im prove Verifiab ility an d Transparency ...........................27
Voter-VerifiablePaperBallot ...............................28
Votemeter ...............................................29
Modular Voting Architecture ................................29
EncryptedVotes ..........................................30
Options That MightBeConsidered ..................................32
States ..................................................33
EAC ...................................................33
Congress ................................................33
Conclusions .....................................................35

Election Reform and Electronic Voting
Systems ( DREs): Analysis of Security
Issues
In J uly 2003, computer scientists fro m J ohns Hopkins and R ice Universities
rel eased a s ecur i t y anal ys i s of soft ware purportedly from an electronic voting
m achi n e (com m onl y cal l ed d i rect recordi n g el ect roni c, or DR E, syst em s) of a m aj or¹
voting-system vendor. The Hopkins study drew public attention t o a long-
simmering controversy about whether current DREs are vulnerable t o t ampering that
coul d i nfl u ence t h e out com e of an el ect i on. A s ignificant factor contributing t o t his
increased attention i s t he Help America Vote Act of 2002 (HAVA, P.L. 107-252),
which s ubstantially increas es the federal role in el ection administration, incl uding
federal funding of and requirements for voting s ys tems. Although HAVA retains t he
p r edominant role t hat s tate and l ocal jurisdictions have traditionally had i n t h e
administration of elections, t he Act’s requirements are ex pect ed to result in increas ed
use o f DREs, and s ome observers have ther efore called for congressional action t o
address the DRE controversy. To understand this controversy requires an
ex amination o f s everal questions about voting-system security:
^! Do DREs ex hibit genuine security vulnerabilities? If so, could t hose
vulnerabilities be ex ploited t o i nfluence an el ection?
^! To what ex tent d o current el ection administration procedures and
other s ecurity meas ures protect agai nst t hreat s t o and vulnerabilities
ofDREsystems?
^! Do those t hreat s and vulnerabilities apply t o c o m p uter-assisted
voting s ys tems other t han DREs?
^! What are t he options for ad d r es sing any t hreat s and vulnerabilities
t h at do ex i s t , and w hat are t h e rel at i v e s t rengt hs and w eaknesses o f
the d ifferent options?
To address t hose questions, t his report begins with a des cription of t he historical
and policy contex t o f t he controversy. That is followed b y an analysis o f t he issues
i n t h e b roader cont ex t o f com put er securi t y. T he nex t sect i o n d i s cusses s everal
proposals t hat h ave b een made for addressing thos e i ssues, and the l ast s ection
discusses options f or action t hat might be considered by policym akers. The report

¹ T a dayoshi K ohno, Adam Stubbl e f i e l d , Avi el D. Rubin, and Dan S. Wallach, “ Analys is
of an Electronic V oting Sys tem,” Johns Hopkins I nformation Security Institute Technical
R e port TR-2003-19, J uly 23, 2003, [http://avi rubin.com/vote/] ( called t he Hopkins s t u d y
hereinafter).

does not discuss Internet voting, which i s not likely t o b e u sed i n t he near future for
federal el ect i ons i n ot her t han m i nor ways, l argel y because of securi t y concerns.²
Th e a d m i n i s tration of elections is a complex task, and there are many fact ors
involved i n choosing and using a voting s ys tem i n addition t o s ecurity. They i nclude
fact ors s uch as reliability, propensity for voter error, usability, and cost. This report
d o e s not discuss t hose factors, but election administrators m ust consider them in
decisions about what systems t o u se and how to implement them. Also, security is
an issue for other aspect s of election administration, such as voter regi stration, which
are b eyond the s cope of this report.
Background and H istory of the I ssue
Many innovations that have becom e fa miliar features of modern elections
ori gi n at ed at l east i n p a r t a s a way t o reduce el ect i o n fraud such as t am p eri n g w i t h
ba l l o t s to change the vote count for a candidate or party. Fo r ex ample, i n m uch o f
nineteenth century America, a voter typically would pick up a paper ballot preprinted
with the n ames of candidates for one party and simply drop the form i nto t he ballot
box . There was n o n eed to actively choose i ndividu a l c a n d i d ates.³ This ticket or
prox ballot was subject to fraud in at least t wo ways . First, t he number and sequence
of ballots printed was not controlled, so it could be difficult to determine i f a ballot
box had been stuffed with ex tra ballots or if ballots had been substituted after votes
were cast. Second, an observer could d et ermine which party a voter had chosen by
watching what ballot t he voter picked up and d eposited i n t h e b a l l o t box — votes
could t herefore be bought or coerced with comparative ease.
Australian S ecret Ba llot. After a series of scandals involving vote-buying
in the 1880s, calls for reform l ed to widespread adoption o f t he Australian o r m ark-
choice ballot.⁴ Such ballots list t he names of all candidates, and t he voter marks t he
ballot t o choose a mong them. The ballots are commonly printed with unique,
consecutive s erial numbers, facilitating ballot control and thereby hel ping to prevent
ballot s tuffing and s ubstitution. All printed ballots are otherwise identical , and voters
typically fill them out in the p rivacy of a voting booth. This ballot s ecrecy makes i t
difficult for anyone else to know with certainty wha t choices a voter has m ade.
While providing improved s ecurity, t he Australian s ecret ballot did not eliminat e

² In 2000, Internet voting was offered i n pilot proj ects during primaries in Arizona and
Al a s ka. A small pilot progr am for military and overseas voters was r un for t he ge n e r a l
election by t he Federal V oting Assistance Pr oj ect (FV AP) under t he Departme nt of Defense.
FV AP is expected to repeat the effort for t he 2004 federal election. While the progr am used
the Internet t o t ransmi t ballots to local j urisdictions in a secure fashion, the ballots were then
printed and counted in the s ame way as other absentee ballots. See K evi n Coleman, Internet
Voting, CRS Report RS20639, 23 September 2003.
³ T o choose a different candidate than the one printed on t he ballot r equired crossing out
the candidate’s name and writing i n another. Some party operatives developed ballots that
made it difficult to perform write-i ns — f or example, by printing t he names i n very s mall
type and crammi ng them together on a narrow s trip of paper ( See Richard Rein h ardt,
“T apeworm T ickets and Shoulder Strikers,” Ameri c an We st 3 ( 1966): 34-41, 85-88).
⁴ S.J . Acke rman, “ T he V ote t hat Failed,” Smithsonian Maga zi ne, November 1998, 36,38.

tampering. Ballots could s till be removed, spoiled, or altered by corrupt pollworkers,
or even substituted o r s tuffed, although with greater difficulty than with prox ballots.
It al so did not eliminat e t he possibility of vote-buying or coercion, but it made them
more difficult.⁵
Mechanical Leve r Machine. One w ay t o e l i m i n at e s om e m eans o f b al l o t
tampering i s t o eliminate document ballots. T h a t became possible with the
introduction o f t he lever voting m achine i n 1892. W ith this system, a voter enters the
v o t i ng booth and sees a posted ballot with a small lever near the nam e of each
candidate or other b allot choic e . T h e v ot er chooses a candidate by moving the
appropriate lev e r. Mechanical interl ocks prevent voters from choosing m ore
candidates t han permitted for an office (such as t wo candidates for Pres ident). After
completing all choices, t he voter pulls a l arge lever t o cast t he ballot, and t he votes
are recorded by advances in mechanical c ounters i n t he machine. The l ever machine
therefore eliminates the n eed to count ballots manually. Instead, pollworkers read the
numbers recorded by the counters. Because there i s n o document b allot, recounts and
audits are limited t o review o f t otals record ed by each machine. Of course, t ampering
i s al so possi bl e wi t h l ever m achi n es. For ex am pl e, t h e m echani s m s coul d b e adj ust ed
so that the counter does not always advance w hen a particular ca ndidate is chosen.
Computer-Assist e d Counting (Punchcard a nd Optical Scan).
Another m ajor technological advance i n voting — the first use of computers t o count
votes — came with the i ntroduction o f t he punchcard s ys tem, first u sed i n 1964. The
optical -scan voting s ys tem, which also uses computers for vote-counting, was first
used in the 1980s. In both k inds of voting s ys tem, document b allots are fed into an
el ect ronic reader and t he tallies s tored i n computer memory and m edia. Tallying can
be done at either t h e p r e c i n ct o r a central location. Computer-assisted counting o f
document b allots can be done very rapidly, thus speeding t he reporting o f e l e ction
results. It i s m uch m ore efficient for counting l arge numbers of ballots than manual
tallying. It makes s ome kinds of tampering m ore difficult than with manual counting,
but it does not eliminat e t hem, and i t creat es possibilities for tampering with the
counting s oftware and hardware.
Electronic V oting Machine. DR Es (di rect recordi n g el ect roni c s ys t em s ) are
t h e f irst completely computerized voting systems. They were i ntroduced in t h e
1970s. DREs are somewhat analogous to (although m ore s ophisticated than) l ever
machines. T he voter chooses candidates from a posted ballot. D e p ending on the
equipment u sed, the b allot m ay be p r i n t e d a n d p o sted on the DRE, as i t i s with a
l ever m achi n e, or i t m ay b e d i s pl ayed on a com put er sc r e e n . V o t ers m ake t hei r
choices by pushing buttons, t ouch i n g t h e s creen, o r u si ng ot her d evi ces. T he vot er

⁵ So me observe rs have expressed c oncern t hat use of absentee ballots and other ki nds of
remote voting, such as vi a t he Inter n e t , c o mp r omise ballot s ecrecy and t herefore increase
the r isk of vote buying a nd coercion. T hey are c oncerned a bout the i mpacts t hat t he gr owing
use of absentee voting i n t he United States might have on election fraud and abuse. Others,
in contrast, believe that the r isks are small and greatly outweighed by t he benefits. For a
general discus s i o n of the benefits and disadvantages of different ki nds of voting s ys tems ,
seeEricFischer,Voting Technologies in the United States: Overvie w and Issues for
Congress, CRS Report RL30773, 21 March 2001.

submits the choices made before leaving t he booth, for ex ample by pushing a “vote”
but t on, and t he vot es are t hen recorded el ect roni cal l y.
There i s considerable variability in the des ign of DREs, but they can be
cl assified into three bas ic types. The oldes t des ign essentially mimics t he interface
of a l ever machine. The entire posted ballot i s visible at o n ce. In s t ead of moving
levers to make choices, t he v o t e r p u s hes a button n ex t t o a candidate’s name, o r
pushes o n t he name itself, triggering an underlyi ng electronic microswitch and
turning on a smal l light nex t to the choice. With the second t yp e , a b a l l ot page i s
di spl ayed o n a com put er screen, and t h e vot er uses m echani cal devi ces such as arrow
keys and buttons to make choices on a p age and t o c h a n ge b a l l ot pages. The t hird
type is similar t o t he second ex cept t hat i t has a t ouchscreen display, where t he voter
makes a choice by t o u c h i n g the n ame o f t he candidate on the computer screen and
cast s t h e b al l o t b y p ressi ng a s eparat e but t o n aft er al l choi ces have been m ade. In al l
kinds of D R E s , w hen a ballot i s cast, the votes are d irectly stored in a computer
memory device such as a removable m emor y card o r nonvolatile memory circuit. As
w i t h lever m achines, t here is no document b allot, although with a DRE each c a s t
bal l o t m ay al so be separat el y recorded.
T o u c h s c reen and o t h er DR Es usi n g com put er-style displays are arguably t he
mos t versatile and u ser-friendly o f any current voting s ys tem. Each machine can
easily be programmed t o d isplay bal l o t s i n different languages and for d ifferent
offi ces, d ependi ng on vot ers’ needs. It can also be programmed t o d isplay a voter’s
ballot choices on a s ingl e p age f o r r e v i ew before casting t he vote. It can be made
fully accessible for persons with disabilities, including visua l i m p a i r m ent.⁶ Li k e
lever m achines, i t can prevent o v e r v otes and ambiguous choices or spoilage of the
ballot from ex t raneous marks, since t here is no document b allot; but it can also notify
voters o f undervotes.⁷ No other k ind o f voting s ys tem possesses all of these features.
DREs a nd HAVA. The popularity of DREs, particularly the touchscreen⁸
vari et y, has grown i n recent years, and t heir use i s ex pect ed to increase substantially
under p rovisions of HAVA. Three p rovisions in the Act are likely t o p rovide such
an impetus. First, HAVA authoriz ed $3.65 billion over four years for replacing
punchcard and lever m achines and for maki ng o t her election administration
improvements, including meeting t he requirements o f t he Act. In FY2003, Congress
appropriated $1.48 billion for these pur p o ses (P.L. 108-7), and the Administration
requested $500 million for FY2004. Second, begi nning in 2006, HAVA requires t hat
voting s ys tems notify voters of overvotes and permit them to review thei r ballots and

⁶ Accessibility for blind persons usually involves use of an audio progr am.
⁷ An overvote occurs if a voter chooses more candidates f or an office than is permitted —
such as marking t wo candidates f or Pr esident of t he United States. An undervote occurs if
a voter chooses fewer candidates t han i s p e r mitted — most commonly, failing t o vote f or
a ny candidate for a particular office. V i rtually all overvotes are t hought to be err o r s ,
whereas undervotes are often thought to be intentional, for example if the voter does not
prefer any of t he candidates. However, undervotes can also result from voter error.
⁸ In 1980, about 1 out of every 40 voters use d DREs. By 2000, about 1 out of every 9 did
(Caltech/MIT V oting T echnology Proj ect, Voting: What Is, What Could Be, J uly 2001,
[ ht t p: / / www.vot e .cal t ech.edu/ Repor t s / i ndex.ht ml ] ( Cal t ech/ M IT st udy) ) .

correct errors before casting t heir votes.⁹ Third, the Act requires, also begi nning in
2006, t h a t each polling p lace used in a federal election h ave at l east one voting
machine t hat i s fully accessible for p e r s o n s with disabilities. DREs are t he only
m achi n es at present t hat can ful fi l l t h e acces s i b i l i t y requi rem ent . T hey can al so
eas ily meet the requirements for error p revention and correction.
Security Concerns about DREs. One t hing that distingu ishes DREs from
document ballot systems is that with DREs, t he voter does not see t he actual b allot,
but rath er a r ep res e n t ation of i t on t he face of the m achine. With few ex ceptions,
current DR Es do not provi de a t rul y i ndependent record of each i ndi vi dual b al l o t t hat
can be used in a recount to check for m achine error o r t ampering. The ballot itself
consists of redundant electronic records in t he machine’s computer memory banks,
which t he voter cannot see. This is analogous to the s ituation with mechanical lever
voting m achines, where casting t he ballot m oves counters t hat are out of view of the
voter. In a lever m achine, if the appropriate counters d o not move correctly when a
voter casts the b allot, the voter will not know, nor would an observer. Similarly, with
a DRE, i f t he mach ine reco rded a res ult i n its memory that was d ifferent from what
the voter chose, neither the voter nor an observer would know.¹⁰
The s ame i s t rue with a computeriz ed counting s ys tem when i t reads punchcards
or optical scan ballots. Even i f t he ballot i s t abulated in the p recinct and fed i nto t he
reading d evice i n t he presence of the voter, n either the voter nor the p o l l w orker
m anni ng t h e reader can see w hat i t i s recordi n g i n i t s m em o ry. H owever, w i t h such
a reader, t he ballot d o c u m ents could b e counted on another m achine o r b y h and i f
there were any question about the results.
Lever m achines also do not have an independent document b allot. That has l ed
some observers to distrust those m achines, but most who u se them appear confident
t h at t est s and ot her p rocedural safegu ards re n d er t h em suffi ci ent l y safe from
tampering. Is the s am e t rue for DREs? S ome computer ex perts t hink not, arguing
that the s oftware could be m odified in ways that could alter t he results of an el ection
and t hat w oul d b e v ery d i ffi cul t t o det ect . T hi s concern appears t o s t em l argel y from
threefactors:
^! Malicious computer code, o r malware, can often be written i n s uch
a way that it is very difficult to detect .¹¹

⁹ Howeve r, j u risdictions using hand-counted paper ballots, punchcards, or central-c ount
systems can rely instead on voter education and instruction progr ams.
¹⁰ Some ki nds of error could be detected when voter r egisters and vote t allies are reconciled
— f or example, if the t otal number of votes for an office were gr eater than the t otal number
of voters at the precinct. Howeve r , r e s o l vi n g such a problem in a way that reflects how
voters actually voted would not be straightforward.
¹¹ Malware, an elision of malicious software, includes viruses, T roj an horses, worms, logi c
bombs, a nd any other computer code that has or i s i ntended t o have harmf ul effects. T here
are various ways of hiding malware. A T roj an horse, f or example, is malware disguised as
something benign or useful. See K enneth T hompson, “Reflections on T r usting T rust,”
C o m m unications of the ACM 27 (1984): 761-763, ava i l a b l e a t
(continued...)

^! DR E s oft w are i s m oderat el y com p l ex , and i t i s g e n eral l y accept ed
that the m ore complex a piece of software is, t he more difficult it can
be to detect unauthoriz ed modifications.¹²
^! Most m anufact urers o f D R E s t reat t h eir s oftware code as proprietary
info rmation and therefore not available for public scrutiny.
Consequently, i t i s not possible for ex perts not associated with the
companies t o det ermine how vulnerable t he code is to tampering.¹³
Voting System Standa r d s a nd Ce rtification. Concerns such as those¹⁴
described above have been voiced by some ex pert s at l east s ince the 1980s. The
development o f t h e V o luntary Voting S ys t em s S t andards (VS S ) by t h e Federal
Election C ommission (FEC) i n 1990, and t he subsequent adoption o f t hose s tandards
by many states, h elped t o r e d u c e t hose concerns. T he VSS were d eveloped
specifically for computer-assisted punchcard, optical scan, and DRE voting s ys tems.
They include a chapter on security, which was s ubstantially ex panded i n t he updated¹⁵
version, released in 2002. Along with the s tandards, a voluntary t esting a nd
certification program was devel oped and administered t hrough t he National
Associ ation of S tate Election Direct ors (NASED). In this program, an independent
test authority (ITA) chosen by NASED tests voting s ys tems and certifies t hose t hat¹⁶
comply with the VSS. Testing i s done of both h ardware and software, and the
t est ed soft ware and rel at e d d o c u m e n t a t i o n i s k ept i n escrow b y t he IT A.¹⁷ If

¹¹ (...continued)
[ ht t p: / / www.acm.or g/ cl assi cs/ s ep95] . He c oncl uded t hat i t can be essent i a l l y i mpossi bl e t o
determine whether a piece of software is trustworthy by e x a mi ning its source code, no
matt e r h o w c a r e f ully. T he entire system must be evaluated, and even then it can be very
difficult to find malware. However, u s e of modern software engi neering t echniques can
mi nimi ze many problems with software design that can make softwar e vu l nerable to
malware ( see, for example, Richard C. Linger and Carmen J . T rammell, “ Cleanroom
Software Engi neering Refer e n c e M o d e l , V e rsion 1.0,” T echnical Report
CMU/SEI-96-T R-022, Nove mb er 1996, available at [ http:// www.sei.cmu.edu/pub/
documents/96.reports/pdf/tr0 22.96.pdf]). See page 12–14 of this report f or further
discussion of this issue.
¹² See page 13 f or further discussion of this issue.
¹³ See page 26 f or further discussion of this issue.
¹⁴ See, for e xample, Ronnie Dugge r, “Annals of Democracy (V oting by Computer),” The
Ne w Y orker, 7 November 1988, 40-108; Roy G. Saltman, “ Accuracy, Integrity, a nd Security
in Computerized Vote-T allying,” NBS Special Publication 500-158, August 1988.
¹⁵ See Federal Election Commi ssion, Voting Systems Performance and Test Standards, 30
April 2002, [http://www. fec.gov/ pages/vssfinal/vss.html ].
¹⁶ See NASED, “General Overview f or Getting a Voting System Qualified”, 30 September
2003, [http://www.nased.org/ IT A_process.htm] . T he program i s managed by T he Election
Cent er , [ ht t p: / / www.el ect i oncent e r .or g] . As of Sept e mber 2003, mor e t han 20 opt i cal scan
and DRE voting systems were listed as certified t hrough t his process.
¹⁷ It may also be kept by t he states (T he Election Center, “DREs and the Election Process,”
April 2003, [http:// www.election center.org/ newstuff/DREs %20and%20the%20Electio n
(continued...)

questions arise about whether t he software used in an election h as been t a m p ered
wi t h , t hat code can be com p ared t o t h e escrowed v ersi on. S yst em s t hat recei ve
NAS ED cert i fi cat i o n m ay al so need t o go t h ro u g h s t at e and l ocal cert i fi cat i o n
processes b efore b eing used by an election j urisdiction.
HAVA creates a n ew mechanism for th e d e v e l o p ment of voluntary voting
syst em st andards. It creat es t h e E l ect i o n Assi st ance C o m m i ssi on (EAC ) t o repl ace
the FEC’s Office of Election Administra tion and establishes t hree bodies under t he
EAC: a 110-member Standards Board consisting o f s tate and l ocal election o fficials,
a 37-m em b er Board o f A dvi sors represent i n g rel evan t governm ent agenci es and
associations and fields o f s cience an d t echnology, and a 1 5 -member T echnical
Guidelines Development C ommittee chaired by the Direct or of National Institute of
Standards and Technology (NIST). Th is last committ ee i s charged with making
recommendations for voluntary s tandards (called gu i delines in the Act ), to be
reviewed by the t wo boards and the EAC.¹⁸
HAVA also requires the EAC to provide for testing, certification, and
decertification o f voting s ys tems and for NIS T to be involved i n t h e selection and
monitoring of testing l aboratories. The EAC is also required t o p erform a s tudy of
issues and challenges — i ncluding the potential fo r f r a ud — associated with
electronic voting, and p eriodic s tudies to promote accurate, s ecure, and ex peditious
voting and tabulation. HAVA also provides grants for research and d evelopment o n
security and other as pect s of voting s ys tems. The voting s ys tem requirements i n t he
Act d o not speci fi cal l y m ent i o n s ecuri t y but do requi re t h at each vot i n g s ys t em
produce a p ermanent paper a u d i t document for use as t he official record for any
recount. This requirement is for t he system, not for each ballot. For ex ample, m ost
DR Es can pri n t a t al l y of vot es recorded and t herefore can m eet t h i s requi rem ent .
The Caltech/MIT Study. The p roblems i dentified after the November 2000
fe d eral election p rompted wide public concern about voting s ys tems and l ed to¹⁹
several m ajor studies wi t h recom m endat i ons, m any o f w hi ch were i n corporat ed i n

¹⁷ (...continued)
%20Process%204-2003.doc]).
¹⁸ HAV A does not direct the EAC to include any s pecific i ssues in the guidelines, although
the guidance must address t he specific voting s ys tem r equirements i n t he Act, and NIST i s
directed to provide t echnical support with respect to security, protection and prevention of
fraud, and other ma tters. However, i n t he debate on the House f loor before passage of the
conference agreement on October 10, 2002, a c olloquy ( Congressional Record, daily ed.,
148: H7842) stipulated an interpretation t h at t he guidelines specifically address t he
usability, accuracy, security, accessibility, and integr ity of voting systems.
¹⁹ Studies that specificall y a d d r essed t he security of voting s ys tems included t he
Caltech/MIT study; T he Constitution Pro j e c t , Forum on El ection Reform, Building
Consensus on Election Reform, August 2001, [http:// www.cons titutionproj ect.org/ eri/
CPReport.pdf]; T he Nationa l Commi ssion on Federal Election Reform, To Assure Pride and
Confidence in the Electoral Process, August 2001, [http:// www.reformelections.org/ data/
reports/99_full_report.php]; Na tional Conference of State Legislatures, Elections Reform
T a sk Force, VotinginAmerica,August 2001, [http://www.ncsl.org/ p r o grams /press/2001/
(continued...)

HAVA. The m ost ex t ensive ex amination o f s ecurity was p erformed by scientists at
the C alifornia Institute of Technology and the M assachusetts Institute of Technology.
Thei r report i dentified four main security st rengt h s o f t he el ect oral process t hat h as
evolved i n t he United S tates: the openness of the election process, w h i c h p ermits
observat i o n o f count i n g and ot her aspect s o f el ect i o n p rocedure; t h e d ecent ral i z at i o n
of elections and t he d i vision of labor am ong different levels of government and
different groups of people; equipment t hat produces “redundant trusted recordings ”
of v o t e s ; a n d t h e public nature and control o f t he election p rocess.²⁰ The report
e x pressed concern t hat current trends in el ect roni c vot i n g are weakeni n g t h o s e
strengths and pose s ignificant risks, but tha t p r operly d esigned and implemented
el ect ronic voting m achines can improve, rat her t han diminish, security.
The California Task Force Report. The concerns e x p ressed b y t he
Caltech/MIT study and o thers were p artially addressed b y HAVA, but as states began²¹
to acquire DREs, and the appointment o f E A C m embers was d elayed, some
observers began ex p ressi ng concerns t h at s t a t e s were purchasi n g fl awed m achi n es
with no federal m echanism i n p lace for addressing the p roblems. In response t o s uch
concerns, t he Californi a s ecretary of state established a task force t o ex amine t he²²
security of DREs and t o consider improvements. The report recommended changes
to how voting s ys tems are t es ted at t he federal, stat e, and l ocal levels, as wel l as other
changes i n s ecurity for s oftware and for v endor practices. It also recommended t he
implementation of a voter-verified audit t rail — t hat i s, a m echanism, whet her paper-
based o r electronic, that produces an indepe ndent record of a voter’s choices that the
v o t e r can veri fy before cast i n g t he bal l o t and t h at can be used as a check agai nst
tampering or m achine error. Until such a s ys tem can be implemented, t he task force
recommended t he use of “parallel m onitoring,” in which a selection of m achines are
tested while in act ual use on el ection d ay t o d e t e rm ine i f t hey are recording votes
accurately.
The Hopkins S tudy. Until recently, t he concerns raised about DRE
vulnerabilities were considered by many to be largely hypothetical. However, in
early 2003, some election-reform activists discovered²³ an open website containing

¹⁹ (...continued)
electref0801.htm] .
²⁰ Some international observers consider openness an d public control t o be i mportant
components of any voting s ys tem ( Lilian M itrou and others, “Electronic V o t i ng:
Constitutional and Legal Requirements, and T heir Technical Implications,” in Secure
Electronic Voting, ed. Dimitris Gritzalis (Boston: K l uwer, 2003), p. 43-60).
²¹ HAV A calls for a ppointme nt of me mbers by F ebruary 26, 2003. On October 3, 2003, the
White House f orwarded nominations to the Senate f or confirmation. T he nominations were
referred to the Committee on Rules and Administration, which held a hearing on the
nominations on October 28.
²² California Secretary of State Kevi n Shelley, “Ad Hoc T ouch Screen T ask Force Report,”
1 J uly 2003, [http://www. ss.ca.gov/ elections/taskforce_report.htm] (California T ask Force
report).
²³ Bev Harris, “System Integrity Flaw Di scovered at Di ebold Election Systems,” Scoop, 10
(continued...)

large numbers of files rel ating t o voting s ys tems of Diebold Election S ys t e m s , a
major voting s ys tem v endor wh i c h h ad recently won contracts with Georgi a and
Maryland to provide touchscreen DREs. Activists downloaded and posted m any o f
those files o n Internet s ites, and t he authors o f t he Hopkins study used some of those
files t o analyz e computer source code th at “appear[ ed] to correspond to a v ersion of
Diebold’s voting s ys t e m . ”²⁴ Their analysis concluded t hat t he code had s erious
security flaws t hat could permit tampering b y p ersons at various levels, i ncluding
vot ers, el ect i o n workers, Int ernet “hackers,” and even software developers. Diebold
quickly rebutted t hose claims,²⁵ argu i n g t hat t hey were b ased on m i s u n d erst andi ng
of el ect i o n p rocedures and o f t he equi pm ent within which t he software was u sed, an d
that the analysis was based on an “inadequate, i ncomplete s ample ” o f D i e b old’s
software. S ome computer scientists, while agreei ng t h at t h e code cont ai ned s ecuri t y
flaws, al so criticized the s tudy for not reflecting s tandard el ection procedures .²⁶
Shortly after t he Hopkins study was released, M aryl and Governor Robert
Ehrlich ordered that the contract with Diebold b e s uspended p ending the outcome of
an independent security analys is. That analysis,²⁷ while agreei ng with several of t he
criticisms of the Hopki n s s t udy, found that the Diebold s ys tem, as implemented in
the s tate, had serious security flaws. The report co n c l u d es overall that this voting
system, “as implemented in policy, pro cedure, and t echnology, is at high risk of
compromise” and m ade m any recommendations for improvements.²⁸ The M aryl and
State Board of Elections has d evelo p e d a plan to implement those
recommendations.²⁹
The ex t ent t o w hich the risks identified i n t he Maryland study may apply t o
other s tates or t o other DREs may be worth ex amination by s tate offici al s. In Ohio,
whi ch h as al so been consi d eri n g t he pu r c h a s e of Di ebol d DR E s, secret ary o f s t at e

²³ (...continued)
February 2003, [http://www.scoop.co.nz/mason/stories/HL0302/S00052.htm] .
²⁴ Hopkins s tudy, p. 3.
²⁵ Di ebold Election Sys tems , “Checks and balances in elections equipment a nd procedures
prevent alleged fraud scenarios,” 30 J uly 2003, 27 p., [http://www2.diebold.com/
checksandbalances.pdf] ( Diebold r ebuttal).
²⁶ Rebecca Mercuri, “Critique of ‘Analysis of an Electronic V oting Sys tem’ document,” 24
J uly 2003, [http://www.notablesoftware.com/Pape r s / c r itique.html ]; Douglas W. J ones, “The
Case of the Diebold FT P Site,” updated r egular ly, [ http://www.cs.uiowa.edu/ ~j ones/voting/
dieboldftp.html ].
²⁷ Science Applications International Cor poration ( SAIC), “Risk Assessme n t R eport:
Diebold AccuV ote-T S V oting Sys tem a nd Processes” (redacted), SAIC-6099-2003-261, 2
September 2003, [http://www.dbm.maryl and.gov/DBM%20T axonomy/ T echnology/ Policies
%20&%20Publications/State%20V oting% 20Sys tem% 20Report/
stateV otingSystemReport.html ] ( Maryland study).
²⁸ Maryland study, p. 10.
²⁹ Li nda H. Lamone, “St ate of M aryl and Diebold A c c uVote-T S V oting Sys tem Security
Action Plan” , 23 September 2003, [http://www.elections .state.md.us/pdf/voting_system_
security_action_plan.pdf].

Kenneth Bl ac k wel l has al so initiated a security eval uation of elect ronic voting
devices from four vendors.³⁰
Analys is of the P roblem
Elections are at t he heart o f t he democratic form of government, and providing
sufficient s ecurity for t hem i s t herefo r e c ritical to the p roper functioning of a
democracy. T here has b een some disagreem ent among ex perts about the s eriousness
of t h e pot ent i al s ecuri t y probl em s wi t h DR Es and, t h erefore, what i s needed t o ensure
suffi ci ent s ecuri t y. W hi l e i t i s general l y accept ed t hat t am peri ng i s possi bl e wi t h any
computer system gi ven enough time and resources, s ome ex p erts believe that current
security practices are adequate. Others believe that substantial additional s teps are
needed. To d etermine t he nature and ex t ent o f t he problem and what s olutions might
be considered requires an understanding of some ge n e r al concepts in computer
securit y, w h i ch are discussed i n t his section, al ong with thei r applicability to
computer-assisted voting s ys tems. The discussion is organiz ed along four themes:
threats, vulnerabilities, defense, and respons e and recovery after an i ncident o ccurs.
The t erm threat can be used in several d ifferent ways , but in this report i t refers
to a possible attack — what could happen. Descriptions of threats o ften include both
the nature of t he possible att a ck, those who might perpetrate it, and t he possible
consequences i f t h e at t ack i s successful . Vulnerability usually refers to a weakness
t h at an at t ack m i ght ex pl oi t — how an at t ack coul d b e accom p l i s hed. Anal ys i s of
threat s a n d vulnerabilities, when combined, can lead to an assessment of risk.
Statements of risk often combine both t he probability of a s uccessful attack and s ome³¹
measure o f its lik ely consequences. Defense refers to how a s ys tem i s p rotected
from attack. Response and recovery refer t o how, and how well, damage is mitigat ed
and repai red and information and functionality are recovered i n t h e event of a
successful at t ack.
Threats
Kinds of Attack s a nd Attackers. The b est known t yp e o f attack on a
voting s ys tem i s one t h a t c h a n ges t he vote t otals from what voters actually cast.
Historically, s uch t ampering has b een perfo rm ed by corrupt offi ci als o r p art i s ans, one
of the m ost famous ex amples being Tammany Hall in New York C ity, o f which Bo ss³²
Tweed said, “the b allots made no result; the counters m ade t he result.” Sometimes,
others who s tood to benefit from a particular ou tcome would b e i nvolved, as was
reportedly t he cas e with respect to allegations of vote-buying i n Indiana with money

³⁰ Office of J . K e n n e t h Bl ackwell, “Security Contracts Finalized For V oting Systems
Revi ews,” Press Rel e a s e, 30 September 2003, [http:// www.sos.state .oh.us/sos/news/
release/09-30-03.htm] . V endors q u a l i f i e d t o par ticipate i nclude the t hree largest voting
system firms — Diebold Election Systems, Election Systems and Softwa r e , a n d Sequoia
Voting Systems — plus Hart Intercivi c.
³¹ See Rob Buschmann, Risk Assessment i n t he President’s National Strategy for Homeland
Security, CRS Report RS21348, 31 October 2002.
³² Dugge r, “Annals of Democracy,” p. 46.

from s ome o f New York’s “robber b arons” i n t he presidential election o f 1888.³³ The
goal of such tampering would gen erally be to influence t he final vote t ally so as to
gu arant ee a p art i cul ar resul t . That coul d b e accom p l i s hed b y s everal m eans, such as
adding, d ropping, o r s witching votes. M an y o f t he features of modern voting s ys tems
— s uch as s ecret ba l l oting and the u se of observers — are design ed to thwart such
threats.
The impact of such vote t ampering depe nds on several factors. Two o f t he most
important are t he scal e of an attack and t he competitivenes s of t he contes t. An attack
woul d h ave t o h ave s uffi ci ent i m p act t o affect t h e out com e of t h e el ect i on. For t hat
to happen, scale i s critical. If t ampering im pacts only one ballot o r one voting
machine, the chances of that affect i n g t h e el ection outcome would be small. But
t am p eri n g t hat affect s m any m achi n es or t h e resul t s from several preci nct s coul d h ave
a s ubstantial impact, although i t might also be more likely t o b e d etected. The scale
of attack needed to affect the outcome of an election d epends on what proportion o f
vot ers favor each candi dat e. T he m o re cl osel y cont est ed an el ect i o n i s, t h e s m al l er
t h e d egree o f t am peri ng t h at woul d b e n ecessary t o affect t h e out com e.³⁴
W h ile atta c k s t hat added, subtracted , o r changed individual votes are o f
p a r t i c ular concern, other k inds of attacks also n eed to be considered. One type o f
at t ack m i ght gat h er i n form at i o n t hat a candi dat e coul d u se t o i n crease t he chance of
winning. For ex ample, if vote t otals from p art i cul ar preci nct s could s ecretly be made
known t o operatives for one candidate before the polls closed,³⁵ the results could be
used to adjust get-out-the-vote e f f o r t s , gi ving that candidate an unfair advantage.
Another t yp e o f attack might be used to disrupt voting. Fo r ex ample, m alware could
be used to cause voting m achines t o m a lfunction frequently. The resulting del ays
could reduce t urnout, p erhaps to the b enefit of one candidate, o r could even cause
voters t o l ose confidence in the i ntegrity of the election i n general . The latter might
be of more interest to terrorists or others with an interest in having a negative impact
on the political system generally.
An Evolvi ng Threat Envi ronment. The k inds of attacks d escribed above
are potential t hreats against any v o t i n g s ys tem. However, the growing use o f
information t echnology i n elections has h ad u n i q u e impacts o n t he threat
environment. It provides t he opportunity for n ew kinds of attacks, from n ew kinds
of attackers. As information t echnology has advanced and cyb erspace has grown, s o³⁶

too h ave t he rate and s ophistication o f cyb erattacks i n general:
³³ S.J . Acke rman, “ T he V ote t hat Failed.”
³⁴ A common prayer of election officials on election day is said to be “Please may it not be
close!”
³⁵ T his could potentially be done, f or example, if voting or counting machines in precincts
used modem connections for t ransmittal of t allies t o t he central elect i o n office, and a
tamperer could use that connection before t he polls closed to send r e s u l t s t o another
location.
³⁶ Eric Fischer, Coordinator, Understanding Cybersecurity: A CRS Workshop, CRS Online
V i deo MM70048, 21 J uly 2003.

^! The number o f reported computer-security violatio n s h a s grown
ex ponentially in the past d ecad e, from about 100 in 1989 to more
than 100,000 in the first three quarters o f 2003.³⁷
^! Potential t hreats m a y n o w come from m any s ources — amateur or
profe s s i o n al h ackers u sing the Inter net, insiders in organiz ations,
o r ga n i z ed crime, t errorists, or even foreign governments. W ith
respect t o el ect i o n t am peri ng, s om e s uch at t ackers coul d b enefi t i n
traditi o n a l w ays, but some, s uch as t errorists, might be interested
instead in disrupting elections or reducing t he confidence of voters
i n t h e el ect oral process.
^! N e w a n d more ingenious kinds of malware are constantly bei n g
invented a n d u s e d . There are now tens of thousands of known
viruses, and t he sophistication o f t ools u sed t o d evelop and u se new
ones h as i n creased.
Malware i n a voting s ys tem could be des igned t o operate in very subtle ways ,
for ex ample, d ropping or cha n gi n g votes in a s eemingl y random way t o m ake
det ect i o n m ore d i ffi cul t . Mal ware can al so be desi gn ed t o be adapt i v e — changi ng
what it does depending on the direction of t he tally. It c o u l d a lso potentially be
i n sert ed a t a n y o f a num ber o f d i fferent st ages i n t h e d evel opm ent and
implementation proces s — from t he preci nct all the way back to initial m anufact ure
— and lie in wait for t he appropriate moment.
Several other kinds o f at t ack could also be attempted i n addition t o m al ware.
Am ong t h em are el ect roni c i n t ercept i o n and t h eft o r m odi fi cat i o n o f i nform at i o n
during t ransp o r t o r t ransmission, modifi cations or additions of hardware, and
b yp a s sing system controls or misuse of authority to tamper with or collect
information on s oftware or election dat a.³⁸
Vulnerabilities
The t hreats d iscussed above, and others, are of course only h armful potentially.
Their m ere ex i stence does not in itself imply anyt hing about the likelihood that they
are a s ignificant risk i n a gen u i ne election. To be such a risk, there m ust b e
vul nerabilities in the voting system that can be exploited. For the purposes of this
report, discussion of vulnerabilities i s divided into two cat egories — technical and
social.
Technical Vulnerabilities. This cat egory i ncludes weaknesses s temming
f r o m t h e com put er code i t s el f, connect i o n t o o t h er com put ers, and t he degree o f
auditing t ransparency of t he system .
Computer Code . In the recent public debate about the s ecurity of DREs,
much of the attention has focused on t he computer code. Two significant potential

³⁷ Carnegie Mellon University, CERT Coordination Center , “ C ERT / CC St atistics,” 17
October 2003, [http:// www.cert.or g/ stats/cert_stats.html ].
³⁸ Rebecca Mercuri and Peter Neumann, “Verifi cation f or Electronic Balloting Sys tems ,”
in Secure Electronic Voting, ed. Dimitris Gritzalis, ( Boston: K l uwer, 2003), p. 31-42.

vulnerabilities rel at e t o t he use of cryptography in the s ys tem and the way the code
is design ed. C ryptography³⁹ is one of the m ost powerful t ools available for protecting
the i ntegrity of data. R obust cryptographi c p rotocols are w e l l - d e veloped and in
common use, for ex am pl e i n onl i n e f i n anci al transactions. C ryptography is important
not only i n m aking i t d ifficult for unauthorized persons to view critical information
(security), but al so in making sure that information i s not changed or s ubstituted i n
t h e p rocess o f b ei ng t ransferr e d ( v eri fi cation). This could b e a concern for DREs;
both t he Hopkins and M aryl and s tudies f ound weaknesses i n t he way encryption was
used.
The des ign of s oftware can have a s ignificant effect o n i t s vulnerability to
malware. Bo th the complex ity of the code and t he way i t i s d esigned can have an
i m p act . It i s a general p ri nci p l e of com put er securi t y t h at t h e m ore com pl ex a p i ece
of soft ware i s , t he m o r e v u l nerabl e i t i s t o at t ack. T hat i s b ecause m o re com p l ex
code wi l l have m o re pl aces t h at m al w are can be hi dden and m o re p o t e n t i al
vulnerabilities t h a t c ould be ex ploited, and i s m ore difficult to anal yz e for security
problem s. In fact , attackers oft en d i scover and ex ploit vulnerabilities t hat were
unknown t o t he developer, and m any ex p erts argue t hat i t i s impossible t o anticipate
al l possi bl e weaknesses and poi nt s o f at t ack for com pl ex soft ware. W i t h DR Es, each
m a c h i n e requi res rel at i v el y com pl ex soft ware, s i n ce i t serves as a vot er i n t erfac e ,
records the ballot choices, and tallies the votes cast on the machine.⁴⁰ The first
function requires t he most complex s oftware, es peci ally if the m achine i s t o be fully
accessible t o all voters. The code used in optical-scan and punchcard readers can be
simpler, as it performs fewer functions.
Software code that is not well-design ed from a sec u r i t y p erspective i s m ore
likely t han well-design ed code to have poi nts o f attack and weaknesses t hat could b e
ex pl oi t ed, as wel l as pl aces for m al ware t o be hi dden. However, c o d e can be
designed so as to minimize s uch vulnerabilities, and well-developed procedures have
been est abl i s hed t o accom p l i s h t hi s goal .⁴¹ These p rocedures can be applied t o both
new and legacy systems. Good design invol ves not only t he code itself, but also the
proces s by which it is developed and eval uated. DRE code has been criticized with
respect to its design,⁴² although t he proprietary nature of the s oftware h as precluded
thorough public assessment. The s ys tems may also u se commercial o ff-the-shelf
software for functions such as the operating s ys tem, and t hat s oftware could also have

³⁹ Cryptography refers to the process a nd use of methods for t he encoding or encryption of
information, such as a piece of plain or clear text, s o t hat i t cannot be deciphered, and t he
subsequent decoding or decryption of that information. Cryptogr aphic methods are used t o
help protect informa t i o n from unauthorized access ( confidentiality), prevent undetected
modification ( integr ity), to confirm i dentity (authentication), and to prevent a false denial
of identity (n onrepudiation) (National Research Council (NRC), Trust i n Cyberspace,
(Washington, DC: Nationa l Academy Press, 1999), p. 301–310).
⁴⁰ Caltech/MIT study, p. 60.
⁴¹ Linger and T rammell, “Cleanroom Softwa re Engi neering.” See also footnote 93.
⁴² Hopkins s tudy; J ones, “Diebold FT P Site.”

vulnerabilities. However, the s oftware i n t h e m ajor s ys tems in use t oday has been
eval uated and certified as m eeting VSS requi rements, including those for security.⁴³
Connection to O ther Computers. T h i s can be a vulnerability because it
provides poten t i a l avenues for attack . The most well-known attack targets are
computers with direct In ternet connections that hackers can ex ploit. Concerns about
such at t acks h ave m ade t he adopt i o n o f Int ernet voting i n public elections generally
unattractive s o far from a security perspective.⁴⁴ W h i l e a m easure o f p rot ect i o n can
be provided b y firewall p rograms and r e l ated t echnology, the s afest approach is to
en s u re that the voting system computers, incl uding not just the voting m achin es
themselves but also computers i nvolved i n b a llot generation and vote t allying, are not
connected to the Internet o r t o any other com put ers t hat are t h em sel v es connect ed t o
the Internet. This isolation i s s ometimes called “ai r-gapping.” However, an effective
air gap must include sufficient s ecurity controls for removable m edia such as floppy⁴⁵
disks, C D s , a n d t he m em o ry cards t h at are o ft en used t o t ransport d at a from t he
preci nct t o t he cent ral el ect i o n o ffi ce.⁴⁶
Vendor s and election j urisdictions generally state t hat t hey d o not transmit
el ection res u l t s from preci ncts via t he Internet , but they may t ransmit them via a
direct modem connection. However, even th i s approach can be subj ect t o at t ack vi a
the Internet, es peci ally if encryption and verification are not suffi c ient. That i s
because telephone transmission systems are themselves increasingly connected to the
Internet (as ex emplified, for ex ample, by t he increas ing use of Internet -bas ed
telephony), and computers t o which the recei ving server may b e connected, s uch as
through a local area network (LAN) , m ay have In ternet connections. In fact,
organiz ations may b e unaware of the ex t ent o f s uch connections.⁴⁷ Thi s can be even
more of an issue i f t he system uses wireless connectivity.
The way that a voter interacts with the DRE may p rovide another possible
source of connection. Fo r ex ample, with the Diebold DRE, a “smartcard”⁴⁸ is
inserted into the voting m achine t o s tart the voting proces s (some machines use other
methods, s uch as a numerical code). Th e Hopkins study claims that voters o r
pol l workers coul d p rogram t h ei r o wn sm art cards and u se t h em t o vot e repeat edl y or
to manipulat e t he voting m achine. The Diebold rebuttal rej ect ed this assertion. The
Maryland study, while not ruling out this vulnerability, s tates t hat s oftw are and

⁴³ NASED, “ V oting Sys tems T hat Are NASED Qualified,” 3 J anuary 2003,
[http://www.nased.org/ NASEDApprovedSystems1.03.pdf]. See a l s o Britain J . Williams ,
“Security in the Georgia V oting System,” 23 April 2003, available at
[ h t t p : / / www.vo t e scount .com/ geor gi a .pdf ] .
⁴⁴ See K evin Coleman, Internet Voting, CRS Report RS20639.
⁴⁵ Computer vi ruses were origi nally spread through f loppy disks.
⁴⁶ T his need applies t o any computer-assisted voting s ys tem with precinct t abulation.
⁴⁷ Fi scher , Understanding Cybersecurity Workshop.
⁴⁸ A smartcard is a card, usually about the s ize of a credit card, with an embedded computer
c h i p that can communicate with another electronic device t hat can read information f r o m
and/or wr ite it to the card.

physical controls, and the openness of the voting booth,⁴⁹ minimize t he likelihood of
exploitation.
Auditing Transparency. In current DR Es, t he act i ons t h at occur b et ween
bal l o t s creen and t he fi nal vot e t al l y are not subject to human observation. The voter
sees a v isual representation o f t he ballot o n t he com put er screen or face of t h e DR E .
W h en the voter pushes t he button t o cast t he ballot, the m a c h i n e r e c o rds t he votes
electronically. That m eans t hat a voter cannot know if the m a c h ine recorded the
choices the voter saw o n t he screen or some o t her choices, and an observer also
cannot check to see i f all ballots cast are counted correctly. The former vulnerability
al so ex i s t s wi t h a m echani cal l ever m achi n e, and t he l at t er w i t h a n o p t i cal scan or
punchcard b allot reader, but with a reader, t h e r e i s a d o cument b allot t hat can be
checked i ndependent l y. W hi l e DR Es are general l y desi gn ed t o m ake a s eparat e
recordi n g o f each bal l o t cast ,⁵⁰ this is not an independent record but rather a copy in
a different format of the i nformation s ent t o t he tallying registers.
Social Vulnerabilities. A s ignificant and increasingl y s ophisticated kind of
attack — dubbed “social engi neering” by h ackers — involves finding and ex p loiting
weaknesses i n how people i nteract with computer systems.⁵¹ S u c h soci al
vulnerabilities can include weaknesses rela ting t o policy, procedures, and personnel.
Of the 14 s peci fic risks identified i n t he Maryland study, m ost were o f t hese types.⁵²
Policy. A s ecurity policy l ays out the o v e r a l l go als and requirements for a
system and how it is implemented, i ncludi ng the t echnology itself, procedures, and
personnel.⁵³ An absent or weak policy, or even a good one, i f i t i s not implemented,
is considered a s ubstantial vulnerability. S ecurity policies of election administrat ors,

⁴⁹ Use of illegi t i ma t e s ma rtcards could be difficult with certain common election
admi nistration practices — f or example, if a pollworker, rather t h a n t h e voter, i nserts the
smartcard i nto t he DRE; if the voting booth i s not fully screened and pollworkers observe
the behavior of voters f or irregularities; and i f time limits for voting are enforced. However,
voters may l egitimately be concerned with privacy when they cast t heir votes and may t ry
to obscure the view of others, and pollworke rs, i n t he interest of protecting t he voter’s
privacy, may be reluctant t o watch closely enough t o detect attempts to use an illegitimate
card.
⁵⁰ Systems t hat c onform t o t he V SS a re required t o have t his f unction ( FEC, Voting Systems
Performance and Test Standards, Sec. 2, p. 4).
⁵¹ For example, one ki nd of attack involves s e n d i ng vi ctims email purportedly from a
legitimate f in a n c i a l o r software company and urgi ng them to vi sit a website, also
purportedly of t his company, where they are r equested to enter i n f o r mation s uch as a
username s a nd passwords for accounts. T he h a c ke r c a n then use t his i nforma tion t o t ake
control of t he vi ctim’s computer or to steal funds.
⁵² However, two of t he risks are entirely r edacted. References in this and other sections to
weaknesses f ound in Maryland’s i mplementation of t he Di ebold s ys tem are made because
this was t he only s ys tem f or which a n i ndependent analys is of such weaknesses was
available. It is not intended t o i mply in any way that Maryland or the Diebold s ys tem
exhibit more or more s erious vulner abilities t han other states or systems.
⁵³ T he SANS Institute, “A Short Primer For Developing Security Policies,” 6 October 2001,
[ ht t p: / / www.sans.or g/ r e sour ces/ pol i c i e s/ Pol i c y_Pr i mer .pdf ] .

vendors, third-party s uppliers, and t h e IT A s a r e all relevant. The M aryl and s tudy
found that the Diebold s ys tem a s implemented did not comply with the s tate’s
information s ecu r i t y p o l i c y and standards. The s tudy did not ex amine t he security
policies of Diebold or other relevant entities.
Procedure. The s ecurity policy p rovides t he basis from which procedures
such as access cont rol s are d ev e l oped. El ect i o n adm i n i s t rat i o n i s a com p l ex effort
involving vendors, ITAs, s tate and l ocal government, and pollworkers who are often
vol unt eers, as wel l as vot ers. Al so, DR E s are pot ent i al l y t arget s o f at t ack at vi rt ual l y
any point from when t hey are initially developed and manufact ured to when they are
used in the polling p lace. Consequently, s ecurity procedures are especially
important. Vul n erabilities can occur, for ex ample, i f t he controls that the
m anufact urer uses t o prevent i n s ert i o n o f m al ware are i nadequat e; i f t he anal ys es
perform ed by e v a l u a t o rs i s not suffi ci ent t o d et ect securi t y probl em s w i t h t h e
technology; if the chain of custody for software, including updates — from when i t
is certified t o when i t i s u sed i n an election — i s weak or poorly documented; or if
auditing controls are i nsufficient. As with security policy, absent or poor procedures,
or even good ones i f t h e y are not properly implemented, can create s erious⁵⁴
vulnerabilities. The M aryl and s tudy di d not ex amine v endor or IT A p ractices but
did raise several concerns with respect to the procedures used by the s tate.
Personnel. Perhaps t he most important si ngl e fact or in determining t he
vulnerability of a s ys tem i s t he people i nvolved. It is they who m ust i m p l e m ent
securi t y pol i ci es and procedures and d efend agai n st a n y at t acks. If t h ey are not
adequately skilled and trai ned, they may b e unable t o p revent, d e t e ct, and react to
securi t y breaches, and t h ey m ay t he m s e l v e s b e m ore vul nerabl e t o a “soci al
engi neeri n g” at t ack. In a d d i t i on, i t can be part i cul arl y di ffi cul t t o defend agai nst
attack by an insider, so background check s and other controls to minimize t hat risk
are especi ally important. The Maryland study po i nted out that the s tate trai ning
program for the Diebold s ys tem d id not include a s ecurity component.
Defense
Goals of Defense. It can be useful t o t h i n k o f t hree go al s o f d efense from an
at t ack on a com put er-based syst em : p rot ect i on, det ect i on, and react i on.⁵⁵ Protection
involves m aking a target difficult o r u n attractive t o attack. For ex ample, good
physi cal securi t y can prevent at t acke r s f r o m accessi ng vot i n g m achi n es i n a
warehous e. Use of encryption and authentication t echnologies can help prevent
attackers from viewing, altering, or s ubstituting election dat a when i t i s t ransferred.

⁵⁴ Some others, however, have r aised c oncerns or sugge sted improvements to ve ndor and
IT A practices (see, for example, t he Hopkins s tudy [cf. Diebold r ebuttal]; J ones, “Diebold
FT P Site”; and t he California T ask Force report).
⁵⁵ National Security Agency (NSA), “Defense in Depth: A Practical Strategy for Achievi ng
In f o r mation Assurance i n T oday’ s Highly Networked Envi ronments,” NSA Security
Recomme ndation Guide, 8 J une 2001, availabl e at [ http://nsa2.www.conxi on.com/support/
guides/sd-1.pdf]. Deterrence ma y be used by s ome a uthors i nstead of reaction.

Currently, election j u r i s d i c tions and v endors appear to rely heavily on
procedural m echani s m s for p rot ect i on.⁵⁶ These m ay i n cl ude access cont rol s ,
certification procedures , pre-election equip m ent-testing, and s o forth. S uch
procedures are an essential element of an e ffective d efense, although s ome observers
di sput e t hat t hey are suffi ci ent t o p revent t am p eri n g. Even i f t h ey are, t h ey m u st be
implemented and followed properly i f they are to ensure adequate protection.
However, in some ci rcumstances , t he time and res ources needed to follow s uch
procedures may conflict with other important goal s, such as the timely administration
of an election, forcing election o ffici als t o choose whether to risk bypassing or
modifying s ecurity procedures.⁵⁷
Detection involves i dentifyi ng that an att ack is being o r was attempted. Fo r
ex am pl e, el ect i o n observers can serve as d et ect ors o f a pot ent i al at t ack. O ne of t h e
criticisms of DREs has b een that it is a “black box ” s ys tem , an d o b s er vers cannot
detect sus p i c ious activity within the m achine.⁵⁸ One approach to addressing this
issue i s t he use of auditing. That can incl ude engi neering t he DRE s o t hat i t creat es
a l og of al l act i ons perform ed, especi al l y t hose t hat might indicate t ampering. It can
also include the creation o f an audit t rail for votes. HAVA requires s uch a trail for
the voting s ys tem, but some observers have proposed the u se of voter-verified b allots
for auditing (discussed bel ow⁵⁹). Cryptographic p ro tocols may also be useful i n
detecting attempts at tampering.⁶⁰ However, any s peci fi c m echani s m s t h at m i ght be
built into t h e t echnology itself are proprietary and t herefore not discussed i n t his
report.
R e action involves responding to a d etected a ttack in a timely and deci s i v e
manne r s o as t o p revent its success o r mitigate its effects. For ex ample, i f an
observer s ees something s uspicious dur i n g v oting o r t allying, the p rocess can be
stopped and the s ituation i nvestigated. Also, a voting m achine m ay be programmed
to shut down i f certain kinds of problems are encountered. The system might have
addi t i onal d efense m easures such as ant i v i rus soft ware.
To be most effective, the coun t e rm easure m ust be implemented before the
at t acker can do si gn i fi cant d am age. Effect i v e react i o n t herefore requi res earl y
det ect i o n o f an at t ack. G i v e n t h e l ack of t ransparency of DR E operat i ons, h eavy
reliance m ay need to be placed on t echnological countermeasures.

⁵⁶ See, for e xample, t he Diebold r ebuttal a nd the M aryl and s tudy.
⁵⁷ For example, i f a serious software problem is d i s c o ve r ed shortly before an election,
o f ficials might have to choose whether to have a vendor install a patch directly, w i t hout
havi ng it first certified t hrough IT A and state procedures.
⁵⁸ Se e s ection on a uditing t ransparency a bove, p. 15.
⁵⁹ See section on verifiability, p. 27–31.
⁶⁰ See s ection on c omputer code above, p. 13

Elements of De fe nse. It is generally accepted t hat d efense should i nvolve
a focus on three elements: personnel, technology, and operations.⁶¹ The personnel
component fo cuses o n a clear commitment to security by an organization’s
leadership, assign ment of appropriate roles and responsibilities, implementation of
physical and p ersonnel s ecurity measures to control and monitor access, training that
is a p propriate for t he level o f access and responsibility, and accountability. The
t e chnology componen t f o c u s e s o n t h e d e v e l o p m e n t , a c q u i s ition, and implementation
of hardware and s oftware. The operations component f o cuses o n policies and
procedures, i ncl udi ng such processes as cert i fi cat i on, access cont rol s , m anagem ent ,
andassessments.
A focus that is not properly b alan ced am ong t h o s e el em ent s creat es
vulnerabilities. Computer security ex perts have criticized computer-assisted voting
i n part becau se t h ey bel i eve t h at t h e s ecuri t y focus h as em phasi z ed p rocedural
safegu ards t o o h eavi l y. T he use o f o l d er, “l egacy” h ardware and soft ware
technology, and weak technology d efenses, a s w e ll as lack of training of election
personnel i n s ecurity, are among th e concerns ex perts h ave cited. The v alidity of
such concerns has b een disputed by others.⁶²
For applications where s ecurity considerations are a p riority, t echniques h ave
been developed t o engineer systems to th e appropriate level o f s ecurity corresponding
t o t h e s peci fi c n eeds for t h e appl i cat i on. S u ch syst em s are desi gn ed wi t h careful l y
specified requirements and are t horoughly revi e w ed and tested before
implementation.⁶³ Some ex perts h ave p roposed that such an approach be used in the⁶⁴
development o f voting s ys tems.
Another general principal i s t hat an eff ective d efense cannot be focused only o n
one particular l o cation but needs t o operate at all relevant points i n t he entire⁶⁵
enterprise. For voting s ys tems, t hese points would likely i nclude development
(both s oftware and hardware) b y t he manufact urer, t he cert i fi cat i o n p rocess,
acquisition of t he voting s ys t e m ( including software and h ardware updates) by the
st at e, st at e and l o cal i m p l em ent at i on, and u s e d u r i n g el ect i ons. Because of t h e
proprietary nature of vendor practices, t he d e f enses used by them could not be

⁶¹ NAS, “ De f e ns e i n De p t h.”
⁶² For example, s ee the Caltech/MIT , Hopkins, and M aryl and s tudies, t he California T ask
Force r epo r t, and J ones, “Diebold FTP Site” f or criticisms and r ecommendations for
improvements; and for alternative views, see the Diebold r ebuttal and Williams, “Georgi a
Voting System.”
⁶³ See, for example, Linger and T r amme ll, “Cleanroom Software Engi neering”; and
Syntegr a , “ Common Criteria: An Intr oduction,” 21 February 2002, available a t
[ h t t p : / / www.commoncr i t e r i a.or g/ i n t r oduct o r y_over vi ews/ CCInt r oduct i on.pdf ] .
⁶⁴ Rebecca Mercuri, “Electronic V oting,” 1 Se ptember 2003, [http://www.notablesoftware.
com/ evote.html ].
⁶⁵ NSA, “Defense in Depth.”

determined for t his report.⁶⁶ State p rocedures are m ore t ransparent in many cases but
vary from s tate to stat e.⁶⁷
Fi nally, an effective defen s e i s b a sed on t he assumption t hat attackers will
continuously attempt t o b reach the d efenses (including devising new ways t o attack)
and t hat t hey will eventually find a vulnerability to ex ploit. Therefore, a s uccessful
defense s hould b e robust, so t h at securi t y needs are m et even i f an at t ack occurs.⁶⁸
One way t o accom p l i s h t hi s i s t hrough a l a yered def ense, in which m ore t han one
defense m echani s m i s p l aced bet w een t h e at t acker and t he t arget .⁶⁹ If the outer layer
is breached, t he nex t comes i nto p lay. Each layer s hould i nclude both p rotection and
detection capability. For ex am ple, a state will use a combination of physical security
(e.g., l o ck and k ey), procedural cont rol s (e.g., who i s gi v en access t o t he syst em and
for what purpose) and auditing (a record of what was done and b y whom) t o d efend
agai nst t am pering with v o ting s ys tems. Georgia does additional validation t es ting
on software installed on m achines in a l ocal el ection j urisdiction t o ensure t hat i t i s
the s am e as t he certified s oftware.⁷⁰ Other s tates m ay have similar procedures .
Trade-Offs. The combined u se of go als and elements as discussed abov e i s
known as defense i n d epth. S uch a strategy requires bal anci ng “protection capability
and cost, performance, and operational considerations.”⁷¹ This balancing can involve
difficult questions, especi ally with regard to resource allocation. For ex ample, how
much effort should b e ex p ended i n t hreats t hat m ay have a s ignificant p robability but
a comparativel y l ow impact versus addressing those with very low probability but
very high impact? T he need to weigh s uch t rade-offs occurs throughout the s ecurity
arena. In the area of homel and s ecurity, t he number of cas ualties from a terror attack
using t he smallpox virus could b e m uch h igher t han from an attack with ex plosives,
but the l atter i s widel y considered much more likel y. Furthermore, there are many
other factors t hat m ust b e weigh ed, s uch as b al anci ng prot ect i o n agai n st t h e t hreat ,
on the one hand, against t he safety of countermeasures (such as v accines) and
disruption t o d aily life (such as screening for ex plosives) o n t he other.
Setting priorities with respect to investment in defense i n s uch cas es is far from
straightforward. This is true for election administr a t ion as well. Decisions about
what kinds of s e c u r ity to provide and how to provide it must be made in complex
circumstances. For ex ampl e, with DREs, t he pro b ability of successful tampering
occurri ng m ay b e v ery s m al l , but t h e i m p act of a s uccessful at t ack coul d b e v ery h i gh.

⁶⁶ Di e b o l d claims t hat its security procedures make insertion of malware during
development “realistically impossible” (Diebold r ebuttal, p. 6). T he California t ask f orce
report makes several r ecommendations with respect to vendor security, i ncluding requiring
backgr ound checks of progr amme rs and developers and documentation of t he custody chain
for s oftware ( p. 36).
⁶⁷ Williams, “Georgi a V oting System,” describes Georgi a’s certification procedures. T he
Maryland study made several r ecommendations for i mprovements i n s tate procedures.
⁶⁸ See, for example, Burmester and M agkos, “T oward Secure and Practical E-Elections”.
⁶⁹ NSA, “Defense in Depth.”
⁷⁰ Williams, “Georgi a V oting System.”
⁷¹ NSA, “Defense in Depth,” p. 1.

At the s am e time, current DREs arguably reduce t he risks of certain k i nds of
tampering t hat can occur with paper ballots — such as sel ectivel y s p oiling certain
ballots during counting. Many DREs a l s o have ot her h i ghl y d esi rabl e feat ures, as
discussed earlier,⁷² t h at can subst ant i al l y reduce t he num ber o f vot es l o st because of
voter error or other problem s. According t o one study, over a million of s uch “lost
votes” could h ave b ee n p r e v e n t ed during t he November 2000 presidential election
if better-designed voting t echnology h ad been used.⁷³
Al so, s ecuri t y m easures m ay h ave unant i ci p at ed i m p act s. Measures t h at m ade
voting m uch m ore difficult or complicat ed and t hereby discour a g e d voters from
participating or i ncreas ed the rat e of vot er or pollworker error would p robably not be
worth implementing. Furthermore, voting m achines are only part o f t h e el ection
administration system, and security must be integral to the whole system t o be
effective.
Response a nd Recover y
The i dea t hat n o d e f e n s e is perfect and t hat attackers t ry to find the
i m p erfect i ons m eans t hat d efenders need t o assum e t h at an at t ack wi l l at som e poi nt
be successful. Some damage will occur before the attack is detected and s topped
(assum i n g t h a t t h e a t t ack i s det ect ed — i n t he case o f vot e t am peri ng, an at t acker
woul d u sual l y prefer t h at t h e at t ack not be discovered and will make efforts t o h ide
it⁷⁴). For t his reas on, mechanisms for minimizing and recovering from dam age t hat
occurs are consi d ered desi rabl e. They are al s o d esi rabl e i n t h e event of dam age t h at
can result from s ources other t han an attack , s uch as power outages, m alfunctioning
voting m achines , or administrative problem s. For ex ample, DREs s tore vote dat a i n
redundant memory locations, i n t he event t hat one memory fails. As t he difficulties
with spoiled b allots from t he November 2000 Pr e s idential election i ndicated,⁷⁵
recovery from s ome k inds of damage may not be p o s s i b l e, and reliance m ust b e
placed on strengthening p reventive m eas ures. T hus, HAVA requires t hat voters b e
notified of overvotes before a ballot is cast and be given the opportunity to correct
errors.⁷⁶
One criticism of DREs has been that if a problem is discovered during auditing,
it is not clear what can be done to identify which votes were valid and which were
not. For ex ample, if a m achine i s s uspect ed of harboring m alware, s hould all votes

⁷² Seepage4.
⁷³ Caltech/MIT report, p. 8–9.
⁷⁴ For example, i n a statewide election, increasing t he votes f or a c a n d i date in a precinct
already voting hea vi l y f o r t hat person may be less likely t o t rigger questions than would
changi ng the vote i n a closely f ought precinct.
⁷⁵ In this case t he prob l e ms a r ose from ballot design and procedural flaws r ather t han an
attack.
⁷⁶ Howeve r, for s ys tems where t his i s not possible — such as those using document ballots
wher e vo t e s are not counted in the precinct but in a central location — an education and
instruction progr am is permitted.

from i t b e d iscarded, or would s ome b e count ed? How election o fficials answer s uch
questions will depend on state l aw, regulations, and practices.
One m echanism for recover y from s ome k inds of problems i s t he recount, i n
which ballots are count ed a second time to addres s concerns about the accuracy of
the o rigi nal count. DREs, like l ever machines, s implify recounts and reduce chances
for error i n t hem b ecause t h e re c ount s a re based on the vote tallies from the
m achi n es, rat her t han i ndi vi dual b al l o t s . H owever, p robl em s wi t h t h e m achi n es
them selves , i ncluding tampering, would p robably not be discovered t hrough a
recount.
Confidence in DREs
There appears t o be an emerging consensus a m o ng computer scientists that
current DR Es, and t o a l esser ex t ent o t h er com put er-assi st ed vot i n g s ys t em s , d o not
adhere suffi ci ent l y t o current l y accept ed s ecuri t y pri n ci pl es for com put er syst em s,
especi ally gi ven t h e central importance of voting systems to the functioning of
democratic government.⁷⁷ However, el ection administrat ors and those with related
ex pertise t end t o ex press more confidence in the s ys t e m s as they are currently
real i z ed.⁷⁸ Al s o , t he fact t h at securi t y concerns ex i s t does not i n i t s el f m ean t h at
vot i n g s ys t em s have been com p rom i s ed or are l i k el y t o b e. It does, however, s uggest
t h at t h e i ssues rai s ed n e ed t o be addressed ex p edi t i ousl y, especi al l y gi ven t he
evolving threat environment and vulnerabilities d iscussed above.
The question of confidence in computer-assisted voting s ys tems is important in
general, since voters m ust have confidence in the i ntegrity of the voting s ys tems they
use i f t hey are to trust t he outcomes of elections and t he legitimacy of governments
formed as a result o f t hem. If the concerns that have been raised about DRE s ecurity
becom e wi despread, t hat confi d ence coul d b e eroded, whether o r not those concerns
are well-founded. This potential p roblem c ould b e ex acerbated b y t wo factors. One
is the like lihood, especially gi ven t he applicable provisions of HAVA, that the u se
of DREs will incre a s e . T h e o ther is the likelihood of increasing concentration o f
market share for voting systems in a few companies.⁷⁹ H i storically, election
jurisdictions in the United S tat e s h ave used a wide diversity of voting systems
provided b y a broad array o f v endors. T h i s d i versity has b een considered an
advantage b y m any, not only i n m eeting t he di verse n eeds o f election j urisdictions,
but al so for s ecuri t y, especi al l y i n st at ewi d e and fe d e r a l e l e ct i ons where m ore
s ys t em s m ay be used. S ome ex perts believe that it is much more difficu l t t o
successfully commit widespread tampering with el ections if many different system s

⁷⁷ See t he Caltech/MIT study, t he California T as k Force report, the Hopkins s tudy, and the
Marylandstudy.
⁷⁸ See f or example Williams , “Georgi a V oting Sys tem”; T he El ection Center, “DREs.”
⁷⁹ According t o Diebold, the c ombined U.S. marke t share for t he three l argest voting system
companies — Diebold Election Sys tems , Election Sys tems and Software, and Sequoia
V oting Sys tems — i ncreased from 74% in 2000 to 89% in 2002 (Gregory Geswein, Senior
Vice Pr esident and Chief Financial Officer, Diebold, Incorporated, Untitled pr e s e n t a tion
slid es, 24 February 2003, [http://www.diebol d.com/investors/presentation/ir2003.pdf], p.

21).

n e ed t o be com p rom i s ed t h an i f onl y a few m ust b e. In any case, as t h e u s a ge o f
DR Es i n creases, t hey and t h e com pani es t h at m ake and s el l t hem m ay be subj ect ed
to increas ed public scrutiny.
Fo r t hese and o ther reasons, m any ex p erts and observers have proposed actions
t o resol v e t he cont roversy over DR E securi t y. S everal of t h ese i deas are d i s cussed
below.
Proposals for Resolving the Issue
Use Cur r e nt Pr ocedur es
S o m e observers have argu ed t h at ex i s t i n g s ecuri t y m echani s m s are s uffi ci ent t o
resolve any problems and th a t n o n e w s olutions are n ecessary, although current
procedures may n eed to be improved , as recommended b y t he Maryland study.⁸⁰
These observers argu e t hat t h e federal V oting S ys tem S tandards (VSS); NASED,
st at e, and l ocal cert i fi cat i o n p rocesses; an d v e n d o r and el ect i o n adm i n i s t rat i o n
procedures and controls, when p roperly imp l em ent ed, p rovi de suffi ci ent s ecuri t y t o
prevent t ampering. They also p o i nt to the l ack of any p roven case, despite many
accusations, o f election fraud involving computer tampering,⁸¹ an d t hat criminal
penalties p rovide a d et errent to el ection fraud.⁸² Critics s tate, i n contrast, t hat t hose
processes and proce d ures are flawed, and t hat recommended or stated security
procedures are not always followed. They also point out that the absence of a p roven
case o f t ampering does not necessarily mean that it has not been attempted, and t hat
as t h e u sa ge o f D R Es i n creases, t he pot ent i al p ayoff for t am p eri n g, and h ence t h e
pot ent i al t hreat , w i l l al so i n crease.⁸³

⁸⁰ See f or example, the Diebold r ebuttal a nd Lamone, “ Action Plan.”
⁸¹ T he occurr e n c e of voter error or machine malfunction i s s ometimes pointed to as
evidence for vote fraud, but they are not the s ame. However, both fraud and error can affect
the outcome of an election, and both need to be mi nimal t o ensure t he integr ity of the r esults.
In addition, if errors occur frequently, t hey could mask an occurrence of fraud — i f a
discrepancy i s discovered, officials might simp l y c onclude that it is another case of error
even if it is actually caused by t ampering. See also footnote 122.
⁸² Federal l aw prohibits voting more t han once ( 42 U.S . C. § 1973i(e)), vote buying a nd
selling ( 18 U.S.C. § 597, 42 U.S.C. § 1973i(c)), and procuring, casting, or tabulating
fraudulent b a l l o t s ( 42 U.S.C. § 1973gg10(2)). T he Public Integr ity Section of t he V oting
Ri ghts Di vi sion of the Department of J ustice prosecutes s uch cases.
⁸³ See, for example, Bev Harris, Black Box Voting (High Point, North Carolina: Plan Nine
Publishing, 2003), a va ilable a t [ http://www.blackboxvoting.com] .

Impr ove Security Standards and Certification of Voting
Systems
Some critics have stated t hat t he security provisions i n t h e VSS are
i n suffi ci ent ,⁸⁴ and t hat t h e i r d e v el opm ent d i d not fol l o w b est p ract i ces i n t h i s area,
as promulgated and practiced, for ex ample, by national and intern ational s tandards-
setting organizations such as the American National S tandards Institute (ANSI), t he
In t e r n a tional Organiz ation for Standardization(ISO),andNIST,whichhasbeen
involved only m argi nally in the d evel opment and implementation of t he VSS.⁸⁵ The
VSS have also been criticized for placi ng too m any constrai nts on t he development
of new t echnology t hat can address s ecurity concerns.⁸⁶ Critics also poin t o u t t h at
several o f t he problems i d e n tified b y t he Hopkins and M aryl and s tudies occurred
despite the certification by NASED that the Diebold system conforms to the VSS.
HAVA r equires changes in the p rocesses for developing standards for and
certifyi n g v o ting systems. It establishes a Technical Guidelines Development
Committee under t he new Election Assistan ce Commission to assist the EAC in the
development o f voluntary voting s ys tem guidel i n es . T h e s e gu i d el ines will essentiall y
replace the current Voluntary Voting S ys t e m S tandards (VSS), but the Act also
stipulates that the i nitial s et of gu idelines will be the m ost recently adopted version
of the VSS. The new Committee established by HAVA will be c h a i r e d b y t he
Director of NIST and will include, among others, representatives o f A N S I, the
In stitute of Electrical and Electronics Engi neers (IEEE), and NASED. IEEE has⁸⁷
alread y b egun developing new d raft voting s ys tem s tandards. These s tandards
would p resumably b e u sed t o h elp i nform t he gu ideline-development p rocess once
the EAC and its support bodies are established.
The importance of standards was reinforced with the initial adoption and
implem e n t ation of t he VSS, which l ed to significant improvements i n computer-
assi st ed vot i n g s ys t em s . S t andards are essent i al t o s ecuri t y because t h ey speci fy
measurable attributes a system n eeds t o be considered trustworthy, and t hey can⁸⁸
reduce des ign flaws. However, a particular challenge t hat arises with respect to
security standards i s t hat i t i s not possible t o anticipat e all the ways a system might
be attacked. In addition, standards can provi de adversaries with information t hey can

⁸⁴ For e xample, M ercuri and Neuma nn, “V erification,” p. 37.
⁸⁵ For s ome l e gi s l a tive history of the development of t he VSS, see Eric Fischer, Federal
V o ting Systems Standards: Congressional Deliberations, CRS Report RS2115 6 , 2 5
February2002.
⁸⁶ Fo r e x a mple, t he DRE standards assume that the voter interface and t he vote tallying
components will be in the s ame unit, which may constrain manufac t urers from f ollowing
one of t he central security-r elated recomme ndations of the Caltech/MIT report ( p. 72),
which i s t o s eparate t hose f unctions in different units.
⁸⁷ IE EE, “Standards Coordinating Committee 38 ( SCC 38): V oting Standards,” acce s s e d

8 October 2003, [http://grouper.ieee.org/ gr oups/scc38/index.htm] .

⁸⁸ NRC, Trust i n Cyberspace, p. 201, 209.

use i n s earching for vulnerabilities.⁸⁹ Therefore, sec u r i t y st andards n eed t o be
continually reeval uated as new threat s and vulnerabilities are discovered. Also, i t i s
consi d ered ri sky t o t reat adherence t o s tandards as an i ndication t hat a system is
secure.⁹⁰ The federal go v e r n m ent requi res t hat federal agenci es adhere t o a s et of
com put er-securi t y p o l i c i e s , st andards, and p ract i ces,⁹¹ but these d o not apply t o
voting s ys tems, which are under t he purview of state and local governments.
Standards can be difficult and time-consuming t o d evelop, especially under t he
com m onl y u sed consensus approach, i n whi ch st a k e h ol ders reach agreem ent o n
provisions to be included. Strengths of t hi s approach, when p roperly implemented,
are t hat t he resulting s tandards are less likel y t o contai n s ubstantial omissions, and
t h ey are m ore l i k el y t o b e accept abl e t o u se rs and o t h er st akehol ders. E ffort s t o
develop t he VS S b e g an in the 1970s, but the s tandards were not approved until
1990.⁹² The C ommon C riteria for Information Techn o l o gy S ecurity Eval uation
(ISO/IEC 15408), which is a s et of requirement s for evaluating t he security of
information t echnology, took five years t o d evelop, efforts h aving b een begu n i n
1993 and completed in 1998.⁹³ The IEEE voting s tandards p roject began i n 2001 and
has p roceeded am i d som e cont roversy, whi ch apparent l y i s not at yp i cal for s t andards
panels addressing difficult issues.⁹⁴ Given t hose c o n s iderations and t he delays in
est abl i s hi ng t h e E AC , i t i s not cl ear whet her n ew standards o r guidelines will be in
place before the HAVA voting s ys tem requirements go i nto effect in J anuary 2006;
however, HAVA requires t he Technical Gu idelines Development C ommittee t o

⁸⁹ Ibid., p. 209. Although t here are many be nefits from having a single, uniform set of
standards, that does have t he potential f or incr easing vulnerability in the sense that “…it is
easier t o mount attacks a ga i nst multiple representatives of a s ingl e s tandard than against
differing implementations of several s tandard s” (Ibid., p. 204). T his i s s omewhat a nalogous
to the vulnerabilities associated with use of a single, uniform voting system ( see above).
⁹⁰ Ibid., p. 203.
⁹¹ See Marcia Smith and others, Internet: An Ove r v i e w o f K e y Technology Policy I ssues
Affecting I ts Us e and Gr owth, CRS Report 98-67, 11 J uly 2003, p. 9-11.
⁹² T here were s everal factors i nvol ved i n t his delay. See Fischer, Federal Voting System
Standards.
⁹³ Edward Roback, Chief, Computer Security Di vi sion, National Institute of St andards and
T echnology, “Exploring Common Criteria: Can i t Ensure t hat t he Federal Government Gets
Needed Security in Software?” testimony before the House Committee on Gove rnment
Reform, Subcommittee on T echnology, Information Policy, Intergovernmental Relations and
the Census, 17 September 2003. T he notion of c riteria i s broader than t h a t o f s t a ndards
because it generally includes t hings, such as statements on how a s ys tem s hould be designed
and operated, that cannot be directly assessed by e xami ning the product ( National Research
Council, Trust i n Cyberspace, p. 199). T he Common Criteria provi de a frame work for t he
development of standard sets of requireme n t s, called profiles, to meet specific needs of
consumers a nd deve lopers, depending on the a ssurance l evel that they require (Syntegr a,
“Common Criteria”). HAV A uses t he term guidelines rather than standards or criteria and
does not define it.
⁹⁴ Farhad Manj oo, “Another cas e o f e l e c t ronic vote-tampering? ” Salon.com, 6 October

2003,

[ h t t p ://archive.salon.com/tech/feature/2003/ 09/29/voting_machine_standa r d s / i n d e x_np.h
tml]

submit its initial recommendations to the EAC within nine months of the
Committee’s appointment.⁹⁵ In any case, even a f t e r n ew st andards are approved,
t h e r e remain i ssues relating t o t esting and certification. Fo r ex ample, s houl d a l l
voting s ys tems be required t o adhere to the new gu idelines or should t hose certified
under t he VS S continue to be accepted?
The current proces s for testing and certification of voting s ys tems was i nitiated
by NASED in 1994. HAVA directs the EAC to provide for “testing, certification,
d ecert i fi cat i on, and recert i fi cat i o n o f vot i n g s ys t em h ardware and soft wa r e b y
accredited l abora t o r i e s ” (Sec. 231(a)(1)). It gi ves NIS T responsibility for
recom m endi ng and revi ewi ng testing l aborat ories.
W h ile HAVA maintains t he voluntary n ature o f adherence b y s tates t o federal
voting s ys tem s tandards a n d u s e o f certified s ys tems, m ost s tates h ave adopted the
VSS.⁹⁶ C onsequent l y, i f t he EAC d ecert i fi es vot i n g s ys t em s t h at do not m eet t h e n ew
gu idelines, m any s tates would likely rep l a c e t h ose s ys tems, p rovided t hat funding
were available t o d o s o. However , t h e m ore s tringent a s et of standards i s with
respect to security, t he more time-consuming and ex pensive i t m ay b e t o t e s t and
certify t he system (some have criticized the C ommon C riteria for this reason,
although o thers h a v e s uggested that they be applied t o voting s ys tems⁹⁷). More
secure syst em s m ay al so be m o re ex pensi v e t o m anufacture. Consequently, t here
may be economic disincent i v es for i nvestment in highly secure voting systems,
although s uch d isincentives would likely b ecome less important if pu b l i c concern
grows.
Under t he current VSS, testing i s p e r f o rmed under s pecific l aboratory t est
conditions. S uch t ests are n ecessary to determine i f t he system meets t he standards,
but some ex per t s h av e p roposed that they are not sufficient, that additional t esting
needs t o b e done under realistic conditions of use, involving actual voters, and t hat
systems s hould b e retested after use i n t he field.⁹⁸
Even if new guidelines and certificat i o n p rocedures can be developed t hat
i n cl ude st at e-of-t he-art securi t y feat ures , s ome observers believe that this will not be
suffici ent. They point to three problem s: (1) Given the time required t o devel op and
implement new voting s ys tem guidelines and t o t est and certify s ys tems under t hem,
syst em s refl ect i n g s uch gui del i n es wi l l not be i n pl ace for s everal years, whereas t h e
t h reat from cyb erat t acks i s p resent and growing. (2) Overreliance o n any one line o f
defense, such as security standards, r uns counter to the recommended u se of defense
in depth. (3) The use o f s tandards does nothing about the reduced observability and

⁹⁵ HAV A distinguishes between the guidelines (Sec.221-222), which replace the V SS, and
guidance (Sec. 311-312) for meeting t he requireme nts of t he Act. T he deadline f or adoption
of guidance for meeting voting s ys tem r equirements i s J anuary 2004.
⁹⁶ FEC, Voting Systems Performance and Test Standards: An Overview, p. 15.
⁹⁷ Re becca Mercuri has recomme nded t hat voting s ys tems be benchmarke d a t l evel 4 or
above of t he 7 l evels ( Mercuri, “Electronic V oting” ).
⁹⁸ See Caltech/MIT report, p. 72-73.

t ransparency t h at charact eri z es com put eri z ed vot i n g s ys t e m s⁹⁹ in contrast to more
traditional s ys tems, and therefore cannot sufficiently address concerns about public
confidence in the i ntegrity of computer-assisted voting. Some ex perts also believe
that certification and p r o ced u ral controls, i ncluding auditing, can never guarantee
security of a voting system.¹⁰⁰ Thi s probl em , t hey s ay, i s furt h er com p l i cat ed by t h e
need for b al l o t s ecrecy, w hi ch i s not an i ssue, for ex am p l e, i n com put eri z ed fi nanci al
transactions.
Use O pen S our ce Softw ar e
Some ex perts h ave p roposed the u se of open s ource software code for at l east
some voting s ys tem s oftware.¹⁰¹ Such code would b e available for public inspection
and undergo t horough s ecurity review, and these ex p erts argu e t hat i t would t herefore
be m o re secure because t h e open s ource revi ew process woul d b e m ore t horough and
identify m ore potential s ecurity flaws than i s possible with proprietary code.
Advocates of proprietary or cl osed source code argu e, in contrast, t hat t his approach
makes potenti al fl aw s m ore difficult to discover and therefore t o ex ploit. Even if
open s ource code is superior with respect to security (which remains unproven),
DR Es often u se commercial o ff-the-shelf (C OTS ) software (such as M icrosoft
W i ndows) that is proprietary.¹⁰²
Currently, t he code for virtually al l voting s ys tem s oftware i n t he United S tates
is closely h eld b y t he vendors, who release it only t o s elect parties, such as the ITAs,
under nondisclosure agreements. The vendors argue that the u se o f proprietary
software is important both t o p rotect their i nt ellectual p roperty rights and for s ecurity.
While secrecy can be an important security tool (sometimes called “security through
obscurity”), i t has some weaknesses. Fi rst, it is fragile, i n t hat once t his defense is
breached, t he damage cannot be repaired — t he code cannot be made s e c ret again.
Second, use o f s ecrecy limits the number o f p eople who can ex amine t he code,
thereby limiting t he scrutiny i t can receive for vulnerabilities. Bo th of these potential
weaknesses were d emonstrated by the circu mstances leading t o t he Hopkins study.
Diebold code was posted (perhaps i nadvert ently) o n an open Internet s erver; the
authors analyzed t his code and c l a i m e d t o have discovered s everal vulnerabilities
(which Diebold d isputed).

⁹⁹ Some advocates pej oratively r efer to DREs as “black-box voting” (see for example,
[http://www.blackboxvoting.com/ ]).
¹⁰⁰ See, for example, M ercuri and Neumann, “Verifiability,” p. 39.
¹⁰¹ “Open s ource software refers to a computer program whose s ourc e c o d e is made
available t o t he general public to be improved or modified as the user wishes” (J effrey W.
Seifert, Computer Software and Open S o urce I ssues: A Primer, CRS Report RL31627, 5
Nove mber 2002, p. 1). W hat i s “ open” (or “closed”) i s t h e s ource code — what
programmers actually wr ite. T his code is translated into machine code (compiled) for use
by computers t o r un the progr ams. Machine code can be translated back into source code
(decompiled). T his does not recover t he original source code but can be useful, f or example,
to hackers hoping to find vulnerabilities, or to defenders looking f or malware t hat might be
in the machine code.
¹⁰² The way COTS software is tested and used i n current DREs mi ght its e l f c r e a t e
vulnerabilities ( J ones, “Diebold FTP Site”).

S o me have proposed resolving t his i ssue b y u sing a m odular approach that
separ a t e s t he voter interface or ballot choi ce function (equivalent to marking an
optical -scan ballot) from t he vote-cas ting function (putting t he ballot i n t he optical -
scan reader).¹⁰³ The s o ftware for the l atter would b e open s ource and s tandardiz ed
and for the former p roprietary and m ore flex i ble. The reasons are t hat vote casting
is a s trai gh tforward, well-defined p roces s t hat requires h igh s ecu rity to en sure that
the voter’s actual choices are r e c o rded an d counted, whereas the voter interface is
where i nnovations can provide the greatest advances in usability and o ther benefits
for voters, and t he security requirements are not as stringent. The code used for vote
cast i n g and count i n g can be m u ch si m p l er t han t hat n eeded for t he vot er i n t erface,
making security potentially much easier t o achieve than is currently the case with
DREs, where both functions are housed within a s ingl e unit.
Impr ove Verifiability and Tr ansparency
Verifiability in elections can be thought of as consisting o f t w o co m p onents.
One i nvolves t he c a p a b ility of the voter to verify that his or her ballot was cast as
intended. This is what is usually meant by voter verifiability. The other i nvolves t he
capability to determine t hat the final t ally accurately reflects all votes as cast b y t he
voters and that it includes n o additional votes — i n o ther words, that no votes were
improperly changed, omitted, or added. This has been called results verifiability.¹⁰⁴
If all voters can obtain both voter and r esults verifiability, t hat i s known as universal
verifiability.¹⁰⁵ Roll-call voting provides robust universal v e r i fiability — voters
publicly record their votes, which are count ed in the p resence o f all voters. However,
t h i s approach sacri fi ces bal l o t s ecrecy and can be used onl y for very sm al l el ect orat es.
W h i l e ballot secrecy reduces the risk of vote selling and coerci on, it complicat es
verifiability, s ince voters cannot know direc tly if their b allots were counted as cast.
Hand-counted paper b allot s ys tems, whi ch can provide ballot s ecrecy, m ay provide
universal verifiability only under s ome v er y limited circumstances and only for very
smal l elect orat es . S uch s ys tems can provide a kind of s urrogate results verifiability,
i f observers cl osel y w at ch t h e count i n g o f b al l o t s , but even t h a t can be di ffi cul t t o
achi eve. Lever m achi n es and com put er-assi st ed vot i n g s ys t em s argu abl y ex hi bi t
neither voter n o r results verifiability, alt hough document-based s ys tems such as
optical scan and punchcards do retain the capacity for s urrogate results verifiability
if manual recounts are done in the p resence o f observers.
Some observers believe that the potential s ecurity problem s associ at ed with the
lack of transparency and observability in vote casting and counting with DR Es cannot
be resolved through t he use o f s ecurity procedures, s t and a rds, cert i fi cat i on, and
test i ng. They assert that the only reliable approach is to use ballots that voters can

¹⁰³ Caltech/MIT report, p. 60, 63. T he a uthors f urther propose t hat t hese be performed by
different machines. See the s ection on modular voting architecture, p. 29, for a description
ofthisapproach.
¹⁰⁴ See C . A n d r e w Neff and J im Adler, “V erifiable e -V oting,” 6 August 2003,
[http://www.votehere.ne t/vhti/documentation/verifiable_e-voting.pdf].
¹⁰⁵ Mike Burmester a nd Emma nouil M agkos, “T oward Secure and Practical E-Elections in
the New Er a,” i n Gritzalis, Secure Electronic Voting, p. 63-76.

verify independently of the DRE and t hat t hese bal l o t s becom e t h e o ffi ci al record for
any recounts. Others assert that voter veri fiability is a highly desirable feature but
caution about some of the proposed ways of achieving it. Still others believe t h at
there are problems with the approach that make it undesirable.
HAV A requires t hat each voting s ys tem p roduce a p aper audit record for t he
system and t h a t t h i s b e t he official record for recounts. It also requires t hat voters
have the opportunity to correct their b allots before that record is produced. However,
it does not stipulate t hat t hat rec o r d c o nsist of individual ballots or that it be
verifiable by the voter.
At least four different ways of achieving voter verifiability have been proposed.
These are discussed b elow to illustrate the range of complex ity and i ssues involved.
Vote r-Verifi able Paper Ballot. In the m ost widel y discussed m et ho d, the
DRE would p rint a p aper ballot with the vote r’s choices listed. The voter could t hen
veri fy t h at t h e b al l o t accurat el y refl ect ed t h e vot er’s choi ces as m ade on t h e D R E .
Any d i s crepanci es coul d t hen b e cal l ed t o t he at t ent i o n o f a pol l w o r ker. Once t h e¹⁰⁶
voter was s atisfied with the paper ballot, it would be deposited i n a ballot box and
k e p t i n t h e e v e nt of a recount. A sample of these b allots could also b e counted as
p a r t of a s tandard audit for comparison with the t otal count. S ome observe r s a l s o
believe that any recount using t hese paper ballots should b e p erformed by hand rather
thanmachine.
This approach has t he following potential advantages: (1) Any recount would
be based o n an i ndependent record that the voter had h ad an opp o r t unity to verify.
(2) E ach el ect i o n coul d b e audi t ed, and any si gn i fi cant d i s crepanc i e s b e t ween t h e
el ect ronic and paper t allies would t ri gger a full recount. (3) If the r ecount were
performed by hand, that would t ake advantage of t he transparency and observability
t h at can be associ at ed wi t h t h at approach. (4) The m et hod coul d h el p ensure vot er
confidence in the l egitimacy of election results, s ince voters would know that ballots
they had v erified would b e available for recounts.
The approach has also been criticized, with critics asserting t he following: (1)
It makes voting m ore complicat ed and time-consuming by requiring ex tra s teps by
the voter. (2) The u se of printers woul d s ubstantially increase both t he cost of
administering an el ection and the risk of m echanical failure of a voting m achine. (3)
It is generally accepted t hat p aper ballot sys tems cannot be made to conform t o t he

¹⁰⁶ T his could be done by the voter or by the DRE (the voter need not handle t he ballot but
could view i t t hrough a transparent pane ( see Rebecca Mercuri, “A Better Ballot Box?”
IEEE Spectrum Online, October 2002, [h ttp://www.spectrum.ieee.org/ WEBONLY/
publicfeature/oct02/evot.html ]), although t he latter approach could r aise issues about ballot
secrecy if the ballots were deposited i n t he box in the order in which voters used t he DRE
(ballots are not recorded in the order cast i n t he DRE’s memory) . T he method as usually
described does not provide voters with ballot “receipts” that they can take from t he polling
place, which would create s i gn i f i cant opport unities f or fraud and abuse, if those r eceipts
showed the c hoices the voter ma de.

HAVA accessibility requirements.¹⁰⁷ (4) S ince the m et hod is largel y untes ted, it is
not cl ear to what ex tent it would improve security in practice and w h at impact s i t
might have on voters.¹⁰⁸ (5) Hand counting of t he paper ballots would be time-
consuming and arguably more error-prone than machine counting.¹⁰⁹
V ote me te r. There i s an electronic v ersion of the above method, in which an
el ect roni c d evi ce woul d b e at t ached t o t h e DR E . T hi s votemeter would h ave a
display o n which the voter could v e r i f y c h o i ces and i t woul d record t hose choi ces
independently of the DRE. Those record s would b e u sed i n any recount and could
al so be tallied s eparat el y by an i ndependent agency — t o provide a check on possible
collusion with respect to the DREs. Advantages to such a s ys tem over a paper t rail
would b e t hat i t would not have the p robl em s o f m anual p aper recou n t s, i t coul d
provi de a fast , i ndependent , ful l audi t o f t he DR E vot e, and i t coul d b e accessi bl e t o
blind p ersons via an audi o i nput. However, i t would s till be more complex for the
vot er t h an current syst em s, and vot ers woul d n eed t o t rust t hat t he at t ached uni t was
secure.
Modular Voting Ar chitecture. A t hird way t o p ro v i d e voter verifiability
with DREs is anal o g o u s to optical scan or punchcard b alloting with precinct
counting.¹¹⁰ After a voter makes choices on the voter i n terface (such as a
touchscreen), the m achine writes t he ballot t o a memory card or other device, called
a frog, which t he voter t h e n t a k es t o another m achine t hat reads t he ballot. This
reader would b e h ighly s ecure, as d iscussed above.¹¹¹ It woul d h ave a d i s pl ay so t h at
the voter could v erify choices before cas ting t he ball o t . A reader could even b e

¹⁰⁷ F o r example, while a blind voter could use audio f eatures of the DRE to make ballo t
choices, t he voter could not verify those s elec tions with a paper ballot unless i t were printed
in Br aille. But most blind people do not r e a d Br aille (Braille Institute, “Br aille Institute
Services,” 10 October 2003, [http://www.brailleinstitute.org/ about-edu.html ]), and Braille
ballots would not provide complete ballot s ecrecy, s ince only blind people who read Br aille
would use them. A separate audio or other paperless verification device could, however, be
provided. T he U.S. Departme n t o f J u s t i c e h as issued an opinion that DREs that produce
voter-verifiable paper ballots are consistent with both HAV A a n d the Americans with
Di sabilities Act (P.L. 101-336) “so l ong as the voting s ys tem provi des a similar opportunity
for sight-i mpaired voters t o verify t heir ballots before those ballots are f inally cast” (Sheldon
Br adshaw, Deputy Assistant Attorney Gene ral, “Whethe r C e r tain Di rect Recording
El ectronic V oting Systems Comply with the Help America Vote Act and the Americans with
Di sabilities Act,” Memorandum Opinion f or the Principal Deputy Assistant Attorney
General, Civi l Rights Division, U.S. Departme nt of J ustice, 10 October 2003, available a t
[http://www.usdoj .gov/olc/drevotings ys tems .htm]).
¹⁰⁸ For example, i t would arguably be unlikely t o deter certain forms of t ampering, s uch as
those t hat would not trigge r a recount — f or exampl e , c h a n gi n g the vote by a small
percentage in precincts where t he vote was not close — and i t does not take into account the
vulnerabilities of printed ballots to various forms of election fraud.
¹⁰⁹ This is likely t o be especially true for ballots on which t he choices the voter made are
printed. T here would be no ambiguous marks or hangi ng chad for a machine t o misread.
¹¹⁰ See Caltech/MIT study, p. 58-64.
¹¹¹ Seepage27.

provided wit h an audio p rogram to allow b lind voters t o v erify choices.¹¹² The
advantages and disadvantages of this system are s imilar t o t hose for the previous two,
depending on its particular design .
Encrypte d V otes. All t hree of the above approaches essentially pro v i d e a
second, independent audit channel for the voting s ys tem. Another way of providing
verifiability uses cryp tograph i c m et hods to provide a kind of electronic
verifi cation.¹¹³ Proponents argue that a p roperly d es igned s ys tem u sing encryp ted
votes is conceptually different from t he “el ect ronic ballot box ” ex emplified by DRE
technology and that it provides for privacy, t ransparency, aud i t ability, and security
in a s uperior way t o any current approach. T his can be part of a m ore comprehensive
system that uses cryp tographic m ethods throughout the ele c t i o n p rocess — from
el ection preparation t hrough auditing of t h e res ults — t hat purports essentially to
mimic electro n i cally or even improve upon the observability and t ransparency
associated historically with manually counted paper b allot s ys tems.
There are several different possible approaches using cryptographic p rotocols.¹¹⁴
In one kind of system, t he voter, b efore casting t he vote i n t he voting booth, can see
the b allot cho ices the encrypted information will correspond to. W hen t he vote i s
cast, a r ecei pt is generated with encrypted information, which could be in any of¹¹⁵
several d ifferent forms, such as a number o r a pattern printed o n a piece of paper.
After t he election, each voter can also deter mine i f h is or her vote was counted as cast¹¹⁶
by com p ari n g t he recei pt t o post ed i nform ation. However, because t h e i nform at i o n
on t h e recei pt i s encryp t ed, no one, i ncl udi ng t h e vot er, can prove what choi ces were¹¹⁷
made. The encrypt i o n i s p erform ed wi t h a s et of encryp t i o n k eys t hat h ave b een
generated i ndependently by di fferent el ect i o n t rust ees — for ex am pl e, an el ect i o n

¹¹² However, this mi ght better be done by a t hird, i ntermediary unit t o keep the computer
code in the r eader as simple as possible.
¹¹³ One a pplication i s described in V o t e H e r e , “ V HT i ,” 25 September 2003,
[ h t t p : / / www.vo t e her e .net / p r oduct s _t ech.ht m] .
¹¹⁴ See, for e xample, Burme ister a nd Magdos, “ T owards Secure E-Elections , ” p . 6 8-71.
Most approaches appear to be based on one or both of t wo cryptogr aphic protocols,
asymmetric cryptogr aphy and homomorphic encryption (Danilo Bruschi and others, “E-V ote
and PKI’s: A Need, a Bliss or a Curse?” in Gr itzalis, Secure Electronic Voting, p. 195-209).
¹¹⁵ For e xample, t he choices could be printed in p l a i n t ext on t he receipt and, when the
voter casts the vote, be partially overprinted i n a way t hat makes the t ext unreadable but
retains characteristics t hat t he voter can use t o check later t o s ee if the vote was counted as
cast ( Davi d Chaum, “Secret-Ballot Receipts a n d T r ansparent Integrity,” unpublished
manuscript, May 2002). Alternatively, numeric codes on t he receipt can be checked against
t hose i n a codebook in the voting booth ( V oteHere, “ V HT i ,” 25 September 2003,
[ h t t p : / / www.vo t e her e .net / p r oduct s _t ech.ht m] ) .
¹¹⁶ This provides voter verifiability.
¹¹⁷ T his seemingl y paradoxical situation i s possible t hrough use of a cryptographic protocol
known a s a ze ro-knowledge proof , w i t h which i t i s possible f or one party t o prove to
another, with a very high degree of confidence (although not absolutely in the mathematical
sense), t hat i t possesses a particular piece of information, without revealing t he information
itself ( Burmeister and M agdos, “T owards Secure E-Elections,” p. 72).

administrator and representatives of each of the m ajor political parties. Votes, to be
counted, m ust b e d ecryp ted, which i s accomplished b y each trustee applyi ng his o r
her k ey, and shuffling t he votes before sending them to the n ex t t r u s t ee.¹¹⁸
Information rel at ed to the encryption i s also posted t hat m akes it possible for a t rustee
or a m ember o f t he public to audit and authenticate t he election.¹¹⁹ If a t r u s t e e ( o r
anyone el se) attempts to change, omit, or add any ballot, that will be detect ed in the
audi t , because t h e changes wi l l show up as i nval i d , j ust as s om eone t ryi ng t o m odi fy
an encryp ted financial transaction will be discovered. At least one proposed system
al so permits auditing by observers during t he course of the election.
Proponents o f t his approach claim t ha t t he capabilities o f c h e cking t he vote
before and after casting t he ballot while maintaining ballot s ecrecy, along with the
high probability of detecting any tampering t hrough public audi t i ng, m eans t hat,
unl i k e wi t h DR Es, i t i s not necessary for vot ers o r el ect i o n o r p art y offi ci al s t o t rust
the voting m achines to produce t he correct tallies. In this sense, the encrypted-vote
system is even more transparent t han p ap e r ballots that are h and-counted in the
p r e s e n ce of observers. It i s m uch closer i n t ransparency t o a roll-call vote, but i t
retains b allot s ecrecy. P roponents also b elieve that use o f t his approach could reduce
the costs of elections by reducing t he need for physi c a l s e c u r ity, t esting, and o ther
activities. They al so stat e t hat t he integrity of the s ys tem i s not dependent o n t he
secrecy of t h e encrypt i o n k eys, al t h o u gh p ri vacy m i ght be com p rom i s ed i f al l k eys
were broken o r s tolen o r all trustees colluded.
If successful , t he approach coul d address m any o f t he securi t y i ssues wi t h DR Es
that this report discusses. However, it does not ye t a p p e a r to have been
independently evaluated and therefore could h ave currently unknown d isadvantages
and vulnerabilities. Also, i t i s not cl ear that it would have t he same potential positive
i m p act on vot er confi d ence as paper-based vot er veri fi cat i o n m i ght . T hat i s b ecause
a voter who does not understand the t echnology b ehind t he system — and few voters
are likely t o — m a y h a v e n o greater basis for confidence in the correspondence
bet w een t h e encrypt ed recei pt and t he choi ces t h e v o t e r m ade t h an i s current l y t h e
case with DREs. S ome p roponents, however, believe that those concepts are s imple
enough t hat t hey can be taught in secondary school.¹²⁰
If the s ys tem relies o n p rinters at each voting booth, that raises issues similar t o
those with respect to printers for vot er-v erifiable paper ballots. S imilarly, the
verifiability feat ure i ncreas es the co m plex ity of the voting proces s for voters, with
unknown consequences. In addition, it is not cl ear to what ex tent valid ballots could
be recovered i n t he event t hat t ampering was found or malfunction o ccurred. Fi nally,
some critics question whether encryp ted receipts are in fact unable t o s how a voter’s
choices. P roponents argue that these con cerns are either unlikely t o b e a p roblem in
practice o r are relativel y eas y t o address.

¹¹⁸ This is called a mix-net approach (Ibid., p. 68).
¹¹⁹ This provides results verifiability.
¹²⁰ Davi d Chaum, t elephone conversation with author, 14 October 2003.

Options That M ight Be Considered
The s everal methods proposed to address t he verifiability issue — ranging from
pri n t i n g p aper bal l o t s t o new el ect roni c w ays o f vot i n g — each have di fferent
strengths and weaknesses, making it difficult to determine at p resent whether any of
these approaches should b e adopted. At t he same time, m any observers would agree
that finding ways to increas e t he verifiability and t ransparency of elect ronic voting
is desirable. DRE t echnology i s clearly evolving fairly rapidly and has not yet
b e come settled, as witnessed by t he diversity of available devices and fea t u res i n¹²¹
comparison to other kin d s o f v oting systems. This environment m ay promote
developing improved s ecurity and o ther desirable p roperties o f t he technology. At
the sam e time, as j urisdictions continue to adopt DR Es in res pons e to HAVA and
ot her fact ors, pressures t o resol ve securi t y i ssues qui ckl y m ay i ncrease.
W h ile a d efense-in-depth approach woul d appear to be generally desirable for
addressing sec u r ity questions with DREs, as discussed above, any attempt t o
implement such an approach needs t o t ak e i nto account potential p roblems t hat can
be associ at ed with making substantial changes in the way an el ection i s administered.
For ex ample, when a voting s ys tem i s replaced in a j u r i s d i c t ion, the p roportion o f
residual votes and problem s administering the election may actually increas e i nitially,
a t least i n p art b ecause neither voters nor pollworkers are familiar with th e n e w
system. In addition, there are no proven c a s e s of tampering with DREs or other
computer-assisted voting s ys tems in public el ections.¹²² For t hese and o t h er reasons,
some observers argu e t hat any changes t o current technology and procedures should
be increm ental. Others, however, s tate that gi ven t he evolving threat e n v i r o nment
and t he concerns t h at have been i d ent i fi ed, an i n crem ent al approach i s not suffi ci ent
to prevent undetected tampering that could change the outcome of an election.
Policym akers will need to weigh s uch differences in determining what i f any actions
to take in response t o t his s et of issues.
Three general approaches are d i s cussed b el ow for addressi ng t h e i ssues rai s ed
in this report. Fi rst, action could be l eft t o s tate and l ocal jurisdictions that administer
elections. S econd, the EAC could address t he issues. Third, C ongress could t ake any

¹²¹ As with many unsettled t echnologies, some problems have accompanied t he evolution
of this technology. For e xample, t he Caltech/MIT study found that j urisdiction using DREs
had a surprisingly large r ate of residual votes (overvotes, undervotes, and spoiled ballots).
T here have also been reports of some problems encountered in j urisdictions recently
acquiring the t echnology ( see f or example K im Zetter, “Did E-V ote Firm Patch Election?”
Wi r e d N e w s , 13 October 2003, [http://www.wi red.com/news/politics/

0,1283,60563,00.html ]).

¹²² According t o a recent r eport, “the incidence of election fraud in the United States i s l ow
and…has had a minimal impact on electoral outcomes” (Lori M innite and David Callahan,
“Securing the V ote: An Analys is of Election Fraud,” D ‘ mo s , 2003, [http://www.demos-
usa.org/ demos/pubs/Securing_T he_Vote.pdf]). However, there are documented cases of
problems with DREs and othe r c o mputer-assisted voting t echnology t hat have r esulted i n
votes being lost, at l east t emporarily. For a compilation of cases, with sources, see Harris,
Black Box Voting, p. 16–55. It could not be determined to what exte n t s u c h p r o b l ems go
unreported, whether t he options discussed i n t his r eport would r educe t hem, or if other kinds
of voting s ys tems would e xhibit f ewer problems.

of several possible actions. These approaches and options, which are not mutually
ex cl usi v e, are d i s cussed i n t urn b el ow.
States. Elections are admin i s t e red by state and l ocal governments, with the
federal government pl a yi n g a circumscribed role. Although t hat role was
substantially enhanced with the enactment of HAVA, the l aw stipulates that methods
of imp l e m e n t at ion of its requirements are to be left to the discretion of t he stat es
(Sec. 305). S tates m ay therefore address t he se issues individually, as, for ex ample,¹²³
California, Maryland, and Ohio h ave already b e e n doing. The availability of
federal funding under HAVA to improve election administration b y s tate and l ocal
governments, as well as the creation of an i ndependent federal agency whose purpose
is to assist those governments i n election administration, should improve the ability
of those governments t o ensure t he security of el ect i ons. Leavi n g act i o n t o t he st at es
would allow t hem t o react to the i ssues in a timely fashion and in ways that are m ost
responsive t o t heir i n d i v i d u a l circumstances and could l ead to a v ariety of options
bei n g t est ed b y d i fferent st at es, m aki n g i t easi er t o d et erm i n e w hi ch approaches work
best. However, t his approach might a l s o lead to a p atchwork of responses, which
could b e challenging for vendors t o m eet an d could l ead to some states being m ore
vulnerable t o t ampering than others.
EAC. The Election Assistance Commission created by HAVA will have some
responsibilities t o p rovide gu idance and t o p erform studies and r esearch specifically
relating t o t he security of voting s ys tems. Its work in this area will involve NIST and
others with ex perience in computer security. The EAC and its supporting boards and
commi t t e e s may p rovide an effective v e nue for addressing fundamental questions
regardi n g v o t i n g s ys t em s ecuri t y and h el pi ng st at es m eet t h ei r n eeds and
responsibilities i n t h i s regard as well as i ssu es relating t o voter confidence in the
security of DREs. One option would be t hat t he EAC could p erform an independent
security review of current DREs. This might be especially useful if it could b e done
in cooperation with a s el ect ion o f s tates ex h ibiting a range o f s ecurity policies and
procedures. H o w e v er, t o address t he issue, the EAC must first form t he relevant
boards and committees, and any s tudy would require a s ignificant amount of time to
complete. T he EAC m ay not, t herefore, b e able t o resolve the controversy b ef ore
states need to make decisions about which kinds of voting s ys tems to acquire.
C ongress. Among the possible actions that Congress might consider a r e
hearings , funding to address t h e c o n t roversy, and revisions to HAVA. Congress
could choose t o hold h earings on the i s s u e for several purposes, s uch as clarifying
issues and options, p r o v i d i n g gu idance to the EAC, o r ex p loring funding and
legi slative options. It could also use other m eans, such as l egi sl at i v e report l angu age
or direct communica t i o n from congressional l eaders, to encourage t he EAC t o
address t he controversy i n an ex p edited m anner.
Given t he range o f p roposals for addressing DRE s ecurity issues, and the
uncertainties associated with those p r oposals, Congress might also consider
supporting research and d evelopment (R&D) in this area t o identify t he most
appropriate solutions. In t he past, economic incentives for private investment in such

¹²³ See discussion on page s 8–10 and e lsewhere.

R &D h ave b een weak, gi v en t h e s m al l , fragm ent ed n at ure o f t he m arket for vot i n g
systems and the relatively l ow demand for sophisticated security for t hose s ys tems.
W ith the funding for n ew voting s ys tems that HAVA provides, the evolving threat
environment, and o ther factors, that situation m ay be changi ng. HAVA also
a u t hori z ed grant s for R &D t o i m p rove securi t y and o t h er aspect s o f v o t i n g
technology (Sec. 271), but Congress has not appropriated funds specifically for t hat
program. Presumably, t he EAC could use some of its gen e r a l o p erating funds for
such work, o r C ongress could appropriate funds specifically for it.
S everal options for revising HAVA might b e considered for a legi slative
response t o t he controversy:¹²⁴
^! A s p ecific s ecurity provision could b e added t o t he voting s ys tem
requirements, stipulating, for e x a m p le, t hat voting s ys tems must
adhere t o security requirements for federal computer systems as
r e q u i r ed under current law,¹²⁵ or requirements o r a mechanism t o
develop t hem t hat i s s pecified in the p rovision.
^! The voting s ys tem audit requirement in the Act could be revised to
require a voter-verifiable p ap e r ballot¹²⁶ or some other s ys tem of
voter verifiability.
^! Voting s ys tems could be required t o u se open-source software.
^! The A ct coul d s peci fy a s ecuri t y revi ew and cert i fi cat i o n p rocess for
al l voting systems.
^! The A ct coul d s peci fy t h at ex pert s i n s ecuri t y be represent ed o n t he
Technical Guidelines Development C ommittee.
^! The EAC could b e d irected to provide security consultation s ervices
to stat e and local jurisdictions.
^! The d eadl i n es for m eet i n g rel evant requi rem ent s, s u ch as for
accessibility of voting s ys tems, could b e d elayed pending resolution
of the controversy.
^! Federal funding could b e p rovided for upgrades o r replacements for
DREs purch a s e d under HAVA if they are s hown s ubsequently to
have si gn i fi cant s ecuri t y defect s.
Some of t h e above options would t hemsel ves b e controversial, as discussed
earlier i n t his report with respect to voter verifiability and use of open s ource
so f t w a r e . In addition, creating additional requirements would further increase t he

¹²⁴ T hese are provided for i nformation pur poses only. CRS does not take positions on or
advocate l egislative and policy proposals.
¹²⁵ Releva nt laws include the Comp u t e r Security Act ( P.L. 100-235), t he Paperwork
Reduction Act (P.L. 104-13), t he Clinge r-Cohen Act (P.L. 104-106), a nd the Federal
Information Security Manage me nt Act ( P.L. 107-296).
¹²⁶ H.R. 2239 (Holt), t he Voter Confidence and Increased Accessibility Act of 2003,
includes t his r equi r e ment, with a separate paperless system available f or voters with
disabilities. It would also r equire s “ ma n u al mandatory surprise recounts” in 0.5% of
election j urisdictions, r equire the use of open-source software in voting machines, prohibit
the u s e o f wi r e less communications by voting systems, and require that all voting system
hardware and software be certified by accredited l aboratories.

federal role i n election administrati on, which m ay be opposed by those who believe
that it should b e l eft t o t he states as much as possible. Options that would s trengt hen
the ability of the EAC t o h e lp addres s t his controversy m ay them selves be less
controversial but might not lead to a timely resolution of t he issues . D el ays i n
meeting HAVA r e q u i r ements are also likel y t o b e controversial, and, some would
argu e, may not be necessary if the controversy can be resolved before 2006. Fi nally,
additional funding authoriz ation and appropriations may b e d ifficult to enact in a
constrained budget environment.
Conclusions
The purpose o f t his report h as been to ex plain t he controversy about the s ecurity
of DREs and t o l ay out the i ssues raised and options for addressing them. The report
does n o t a t t e mpt t o resolve the controversy. However, some conclusions can be
drawn with respect to the questions as ked at t he begi nning of the report.
^! Do DREs ex hibit genuine security vulnerabilities? If so, could t hose
vulnerabilities be ex ploited t o i nfluence an el ection?
Given t h e worsening t hreat environmen t for information t echnology and the
fi ndi ngs o f s everal st udi es and anal yses d i s cussed i n t his report, at least s ome current
DREs cl early ex hibit s ecurity vulnerabilities. Those vulnerabilities pose potential but
not demonstrated risks t o t he integrity of el ect i ons, i n t hat n o p roven cases ex i s t
involving tampering with DREs. Observers differ i n t heir views about whether t hese
potential risks are s ignificant enough t hat t hey n eed to be addressed u r g e n t l y o r
whether t hey can be addressed i ncrementally.
^! To what ex t ent do current el ec t i o n adm i n i s t rat i o n p rocedures and
other s ecurity meas ures protect agai nst t hreat s t o and vulnerabilities
ofDREsystems?
The answer t o t his question i s a central point of contention i n t he controversy,
with vendors a n d e l e c t i o n a d m i n i s t r a t o r s g e n e r a l l y c l a iming t hat current meas ures are
suffici ent and certain other experts, m ost notably many computer scientists, and some
activists cl aiming t hat t hey are not. These differences of opinion appear to be based
in part on differences in philosophical perspective. Proponents o f approaches such
as voter verifiability believe that electi ons should rely for security o n openness,
transparency, and observability of the entire election process, and t hat currently too
much trust i s p laced in the b ehavior and capabilities o f v endors, election o f f i c i a l s,
and o ther involved p arties. Many election administrators and vendors, and s ome
other observers, b elieve that the v iews of such proponents are based o n
misunderstandings of how voting s ys tems wo rk and how elections are administered.
They al so bel i eve t h at approaches such as a vot er-veri fi abl e p aper bal l o t woul d not
be of net b enefit to the p roper fu n c t i oning of elections. R esolution o f s uch
fundamental differences may require — i f i t i s i n fac t a chievable — that those o n
both s ides of this controversy d evelop better understanding of the b ases for t he views
of the o ther side. Finding an effective s olution m ay be easier i f concerned computer
scientists understand in detail how elections are run (perhaps b y w o r k i n g d irectly

with administrat ors) and i f election admini s t rat ors und e rst and cyb ersecuri t y m o re
cl early (perhaps by working with computer scientists).
In any case, as i ndi cat ed by som e of t h e s tudies discussed i n t his report,
sign ificant improvements i n t he secu ri t y o f DREs may b e found through careful
analys is of current systems and how they are implemented and administered, without
requiring voter verifiability or other s ub s t an t i al changes. However, such
improvements i n current systems are not likely t o address t he fundamental concerns
raised by proponents o f voter verifiability.
^! Do those t hreat s and vulnerabilities apply t o computer-as s i sted
voting s ys tems other t han DREs?
The potential t hreat s and vulnerabilities associ at ed with DREs are s ubstantially
greater than those associated with punch card o r optica l s c an readers, both b ecause
DR Es are m ore com pl ex and b ecause t h ey have no i ndependent records o f t he vot es
cast . However, docum ent -bal l o t readers are potentially subject to malware t hat could
affect t h e count , t o vul nerabi l ities associ at ed wi t h connec t i o n t o o t h er com put ers, and
som e ot her k i nds o f t a m p eri n g. Therefore, t h e s ecuri t y of syst em s u si ng readers
might also benefit from s ome o f t he same kinds of a p p r o a ches that have been
proposed for DREs, s u c h a s improvement s t o current security policies and
p r o cedures, u se of modern software engi neering t echniques, and u se of stron g
cryptographic protocols.
^! W h at are t he options for addressing any t hreats and vulnera b i l i ties
t h at do ex i s t , and w hat are t h e rel at i v e s t rengt hs and w eaknesses o f
the d ifferent options?
The report d iscusses s even proposals for addressing the s ecur ity issues raised
about DREs. They i nclude using current procedures and s ecurity mechanisms, with
improvements as n ecessary; improving standards for the d ev e l o p m ent and
certification of voting s ys tems; using open-source software for voting s ys tems; and
several m ethods to improve the transparency and verifiab ility of elections, i ncluding
vot er-veri f i e d p aper bal l o t s and an el ect roni c v ersi on of t h at approach, u se of
modular electronic voting architecture t hat p h ysically separates t he voter interface
from t he casting and counting functions; and a s ys tem t hat u ses cryptographic
protocols t o p ermit voters t o v erify t hat t heir ballots were cast as i ntended and that
no votes were improperly changed, o mitted, or added. These p roposals v ary i n ease
of implementation, the degree t o which they have been tested in application, and t he
level of contention about both t heir ability to resolve t he controversy and their overall
desirability.
Most of the public debate has centered around w h e t h e r t o rely o n current
procedures and m echanisms or adopt voter-verifiable p aper ballots. However, t hese
are clearly not the only options, and the d ebate might benefit from fuller
consideration o f o t h er possibilities such as t hose d iscussed above. In addition,
several o f t he proposals d iscussed are not mutually ex clusive, and a resolution o f t he
controversy m ay involve elem ents of several p roposals.

Three policy approaches, which are also not mutually ex cl usive, were discussed.
The m atter could be l eft t o state and l ocal governments, which administer elections;
som e st at es have al ready t aken act i on. The n ewl y form ed EAC coul d address t he
is s u es through its convening power an d responsibilities i n t he development o f
voluntary guidelines for and certification o f voting s ys tems. C ongress could d ecide
to use hearings or other m e c h a nisms to provide guidance on the i ssues, or i t might
deci de that a l egislative s olution i s necessary. S everal legi slative options ex ist,
ranging from funding f o r r e s e arch o n t he issue t o adding requirements o n DRE
security to HAVA. The b enefits and d isadvantages of these approaches depend on
many fact o r s , an d a legi slative solution m ay become more attractive i f t he
controversy cannot be resolved through o ther means.