02:00 AM Dec. 16, 2003 PT
GAITHERSBURG, Maryland The National Institute of Standards and Technology, or NIST, the keepers of the atomic clock and the official arbiters of time in the United States, will attempt to restore trust and confidence in voting systems.
That was the institute's announcement last week when it convened a conference in Gaithersburg, Maryland, to gather input from election officials, secretaries of state, voting-machine makers, computer security professionals and voting activists about how to address voters' lagging confidence in election systems particularly in electronic voting systems.
What might have been a contentious gathering, considering the ongoing disputes over electronic voting, turned out to be fairly tame. The discussion pitted critics of e-voting systems who want machines to produce an auditable paper trail, against those who call such talk alarmist and even harmful to the democratic process. But the proceedings progressed calmly, unlike a recent meeting of the Association for Computing Machinery.
At that meeting in Denver, Jim Dickson of the American Association of People with Disabilities disrupted proceedings with a group of demonstrators who chanted about civil liberties and denounced proponents of a voter-verifiable paper audit trail, angering members of the audience who shouted back at them.
At the NIST conference, Dickson and other speakers were given time to air their concerns.
Dickson, a strong opponent of voter-verified paper trails, which are printed slips generated after a person uses a computerized voting machine, said blind voters wouldn't be able to read the paper receipts. Voting-machine makers, however, say text-to-speech software and a set of earphones would allow visually impaired voters to know what's on their receipts.
Diebold, one of three top voting-machine makers, kept a low profile at the NIST conference and did not have a table exhibiting its products in a vendor area set up for manufacturers.
Diebold touch-screen voting machines have been drawing scrutiny in recent months, after two reports found that the technology had "a high risk of compromise." The company was also involved in a lawsuit after it sent more than a dozen cease-and-desist letters to voting activists who posted internal employee e-mails belonging to the company on the Internet. The company later withdrew its threats.
Coinciding with the NIST conference was the Senate's long-awaited confirmation of two final commissioners of the four-member Election Assistance Commission, which is overseeing the implementation of the Help America Vote Act. Under HAVA, states must upgrade outdated voting systems with the help of $3.8 billion in federal funding.
The delay in confirmation caused frustration among election officials who have been under pressure to purchase new systems under tight deadlines while facing charges that the machines in question are insecure.
The EAC will oversee the work of developing voting-systems standards with NIST providing assistance under the auspices of the Commerce Department.
The standards would establish requirements for voting systems and features, such as a voter-verifiable paper trail. But standards would be voluntary. Voting-machine makers would not be forced to follow them.
Rebecca Mercuri, an expert on electronic voting machines and a research fellow at Harvard's Kennedy School of Government, cautioned that while standards can be used to improve voting technologies, they can also inadvertently favor some vendors' products over others. She said this could have a negative effect on the security and innovation of voting systems, if the solutions of only a few vendors are encouraged.
Mercuri was among a group of computer scientists speaking at the conference about concerns with current e-voting systems.
Numerous computer scientists and security experts have expressed concerns that paperless voting machines don't produce vote tallies that can be independently audited. They also say trade-secret protections on the voting software prevent inspections of the code by third parties.
Critics also argue against a loophole in the certification process of voting machines that allows makers to use off-the-shelf software that doesn't have to be certified. According to voting-system guidelines set by the Federal Election Commission, if a company uses off-the-shelf software in its voting system, the source code for that software does not have to undergo independent review as long as the manufacturer declares that it has not been altered.
Speaking at the conference, Mercuri noted that the standards under which systems have been certified are woefully inadequate.
"There are also no requirements for e-voting ballot displays, so that computer ballots can be constructed to give advantage to some candidates over others," she added.
She added that current guidelines for certifying voting systems "fail to provide an adequate vehicle for election officials to assure the public of the integrity of computer-based elections."
Yet election officials purchasing new systems are not fully aware of these facts, she said, and have deployed machines without understanding the technological risks.
Mercuri said there was also no guarantee that systems currently being purchased by states would comply with the new NIST guidelines when they're formulated.
David Dill, a Stanford computer science professor, said the burden of proof should not be on critics to prove that systems are insecure but on voting-machine makers and election officials to prove that they are secure. He said there was little evidence that paperless machines are safe, although there was plenty of evidence to indicate that they are not.
Dill, an advocate of providing a voter-verifiable paper audit trail, said that election results must be routinely audited. He said officials should be able to independently reconstruct election results from original records verified by the voter rather than from electronic records that are not backed up by paper.
Dill likened the process of voting on an unauditable machine to dictating a vote to a man behind a curtain who wrote it down. The voter has no way of knowing whether the scribe recorded the vote accurately. And once the voter leaves the polling place, there's no way to determine if the ballot has been changed.
"We don't have a little man inside the DRE (direct-recording-electronic software) taking our dictation, but we have a lot of people who have had the chance to touch that software and possibly change it, including the people who wrote it," Dill said.
Avid Rubin, a computer science professor at Johns Hopkins University who wrote the first report on the insecurities of the Diebold voting systems, talked about the risks of insider threats.
"It's easy to hide code in large software packages," he said, adding that it was virtually impossible to detect backdoors or Trojan horse programs that could be ed in software to subvert an election.
Many election officials took issue with suggestions that voting systems are insecure, saying that procedures for keeping machines physically secure assured the integrity of elections.
But Rubin said, "Good procedures, even if they're perfect and are followed, are still no excuse for deploying machines that are insecure."
Rubin also said the subversion of an election could just as easily come from an insider. He cited the case of a Nevada gaming control-board employee who ed malicious code on gaming machines to pay out jackpots. The code was placed into a testing unit, which was put on slot machines to test whether they were functioning properly.
When the device was placed on the machines, the malicious code copied itself onto them. If someone ed coins into the machine in a particular sequence, the machine paid a jackpot. The employee got away with the scheme for a number of years.
Rubin said that a motivated insider with knowledge and access to voting systems would be hard to thwart.
While computer scientists continue to press for tighter election security requirements, there is no indication when NIST might complete its voting-system guidelines.