[ISN] E-Vote Machine Certification Criticized

From: InfoSec News (isn@private)
Date: Mon Aug 23 2004 - 00:31:56 PDT


http://www.eweek.com/article2/0,1759,1638537,00.asp

By Bill Poovey, 
Associated Press Writer 
August 22, 2004 

HUNTSVILLE, Ala. (AP) - The three companies that certify the nation's
voting technologies operate in secrecy, and refuse to discuss flaws in
the ATM-like machines to be used by nearly one in three voters in
November.

Despite concerns over whether the so-called touchscreen machines can
be trusted, the testing companies won't say publicly if they have
encountered shoddy workmanship.

They say they are committed to secrecy in their contracts with the
voting machines' makers—even though tax money ultimately buys or
leases the machines.

"I find it grotesque that an organization charged with such a heavy
responsibility feels no obligation to explain to anyone what it is
doing," Michael Shamos, a Carnegie Mellon computer scientist and
electronic voting expert, told lawmakers in Washington, D.C.

The system for "testing and certifying voting equipment in this
country is not only broken, but is virtually nonexistent," Shamos
added.

Although up to 50 million Americans are expected to vote on
touchscreen machines on Nov. 2, federal regulators have virtually no
oversight over testing of the technology. The certification process,
in part because the voting machine companies pay for it, is described
as obsolete by those charged with overseeing it.

The testing firms - CIBER and Wyle Laboratories in Huntsville and
SysTest Labs in Denver—are also inadequately equipped, some critics
contend.

Federal regulations specify that every voting system used must be
validated by a tester. Yet it has taken more than a year to gain
approval for some election software and hardware, leading some states
to either do their own testing or order uncertified equipment.

That wouldn't be such an issue if not for troubles with touchscreens,
which were introduced broadly in a bid to modernize voting technology
after the 2000 presidential election ballot-counting fiasco in
Florida.

Failures involving touchscreens during voting this year in Georgia,
Maryland and California and other states have prompted questions about
the machines' susceptibility to tampering and software bugs.

Also in question is their viability, given the lack of paper records,
if recounts are needed in what's shaping up to be a tightly contested
presidential race. Paper records of each vote were considered a vital
component of the electronic machines used in last week's referendum in
Venezuela on whether to recall President Hugo Chavez.

Critics of reliance on touchscreen machines want not just paper
records - only Nevada among the states expects to have them installed
in its touchscreens come November—but also public scrutiny of the
software they use. The machine makers have resisted.

"Four years after the last presidential election, very little has been
done to assure the public of the accuracy and integrity of our voting
systems," Rep. Mark Udall, D-Colo., told members of a House
subcommittee in June at the same hearing at which Shamos testified.

"If there are any problems, we will spend years rebuilding the
public's confidence in our voting systems," Udall said. "We need to
squarely face the fact that there have been serious problems with
voting equipment deployed across the country in the past two years."

In Huntsville, the window blinds were closed when a reporter visited
the office suite where CIBER Inc. employees test voting machine
software. A woman who unlocked the door said no one inside could
answer questions about testing.

Shawn Southworth, a voting equipment tester at the laboratory, said in
a telephone interview that he wouldn't publicly discuss the company's
work. He referred questions to a spokeswoman at CIBER headquarters in
Greenwood Village, Colo., who never returned telephone messages.

CIBER, founded in 1974, is a public company that promotes itself as an
international systems integration consultant. Its government and
private-sector clients include the Air Force, IBM and AT&T. In 2003,
government work generated the largest percentage of the company's
total revenue, 26 percent.

Also in a sprawl of high-tech businesses that feed off Redstone
Arsenal and NASA's Marshall Space Flight Center in Huntsville is the
division of Wyle Laboratories Inc. that tests U.S. elections hardware,
including touchscreens made by market leaders Diebold Inc., Sequoia
Voting Systems Inc. and Election Systems & Software Inc.

Wyle spokesman Dan Reeder refused to provide details on how the El
Segundo, Calif.-based company, which has been vetting hardware for the
space industry since 1949 in Huntsville, tests the voting equipment.

"Our work on election machines is off-limits," Reeder said. "We just
don't discuss it." He did allow, though, that the testing includes
"environmental simulation...shake, rattle and roll."

Carolyn Goggins, a spokeswoman for SysTest Labs, the only other
federally approved election software and hardware tester, refused to
discuss the company's work.

More than a decade ago, the Federal Election Commission authorized the
National Association of State Election Directors to choose the
independent testers.

On its Web site, the association says the three testing outfits "have
neither the staff nor the time to explain the process to the public,
the news media or jurisdictions." It directs inquiries a Houston-based
nonprofit organization, the Election Center, that assists election
officials. The center's executive director, Doug Lewis, did not return
telephone messages seeking comment.

The election directors' voting systems board chairman, former New York
State elections director Thomas Wilkey, said the testers' secrecy
stems from the FEC's refusal to take the lead in choosing them and the
government's unwillingness to pay for it.

He said that left election officials no choice but to find technology
companies willing to pay.

"When we first started this program it took us over a year to find a
company that was interested, then along came Wyle, then CIBER and then
SysTest," Wilkey said of he standards developed over five years and
adopted in 1990.

"Companies that do testing in this country have not flocked to the
prospect of testing voting machines," said U.S. Election Assistance
Commission chairman DeForest Soaries Jr., now the top federal overseer
of voting technology.

A 2002 law, the Help America Vote Act, created the four-member,
bipartisan headed by Soaries to oversee a change to easier and more
secure voting.

Soaries said there should be more testers but the three firms are
"doing a fine job with what they have to work with."

Wilkey, meanwhile, predicted "big changes" in the testing process
after the November election.

But critics led by Stanford University computer science professor
David Dill say it's an outrage that the world's most powerful
democracy doesn't already have an election system so transparent its
citizens know it can be trusted.

"Suppose you had a situation where ballots were handed to a private
company that counted them behind a closed door and burned the
results," said Dill, founder of VerifiedVoting.org. "Nobody but an
idiot would accept a system like that. We've got something that is
almost as bad with electronic voting."



_________________________________________
Open Source Vulnerability Database (OSVDB) Everything is Vulnerable - http://www.osvdb.org/



This archive was generated by hypermail 2.1.3 : Mon Aug 23 2004 - 02:43:15 PDT