GAO Report Finds Flaws in Electronic Voting

Friday 21 October 2005



Rep.
Waxman led twelve members of Congress today in releasing a new GAO
report that found security and reliability flaws in the electronic
voting process.



In a
joint press release, Rep. Waxman said, “The GAO report indicates that
we need to get serious and act quickly to improve the security of
electronic voting machines. The report makes clear that there is a lack
of transparency and accountability in electronic voting systems – from
the day that contracts are signed with manufacturers to the counting of
electronic votes on Election Day. State and local officials are
spending a great deal of money on machines without concrete proof that
they are secure and reliable.”



The GAO
report found flaws in security, access, and hardware controls, as well
as weak security management practices by voting machine vendors. The
report identified multiple examples of actual operational failures in
real elections and found that while national initiatives to improve the
security and reliability of electronic voting systems are underway, “it
is unclear when these initiatives will be available to assist state and
local election authorities.”



Rep. Waxman also released a fact sheet summarizing the report's key findings.



Fact Sheet



Overall Findings



In
October 2005, the Government Accountability Office released a
comprehensive analysis of the concerns raised by the increasing use of
electronic voting machines.



Overall,
GAO found that “significant concerns about the security and reliability
of electronic voting systems” have been raised (p. 22).



GAO
indicated that “some of these concerns have been realized and have
caused problems with recent elections, resulting in the loss and
miscount of votes” (p. 23).



According
to GAO, “election officials, computer security experts, citizen
advocacy groups, and others have raised significant concerns about the
security and reliability of electronic voting systems, citing instances
of weak security controls, system design flaws, inadequate system
version control, inadequate security testing, incorrect system
configuration, poor security management, and vague or incomplete
standards, among other issues. … The security and reliability
concerns raised in recent reports merit the focused attention of
federal, state, and local authorities responsible for election
administration” (p. 22-23).



Specific Problems Identified by GAO



Based on
reports from election experts, GAO compiled numerous examples of
problems with electronic voting systems. These included:



Flaws in System Security Controls



Examples
of problems reported by GAO include (1) computer systems that fail to
encrypt data files containing cast votes, allowing them to be viewed or
modified without detection by internal auditing systems; (2) systems
that could allow individuals to alter ballot definition files so that
votes cast for one candidate are counted for another; and (3) weak
controls that allowed the alteration of memory cards used in optical
scan machines, potentially impacting election results. GAO concluded
that “these weaknesses could damage the integrity of ballots, votes,
and voting system software by allowing unauthorized modifications (p.
25).



Flaws in Access Controls



Examples
of problems reported by GAO include (1) the failure to password-protect
files and functions; (2) the use of easily guessed passwords or
identical passwords for numerous systems built by the same
manufacturer; and (3) the failure to secure memory cards used to secure
voting systems, potentially allowing individuals to vote multiple
times, change vote totals, or produce false election reports.



According
to GAO, “in the event of lax supervision, the … flaws could allow
unauthorized personnel to disrupt operations or modify data and
programs that are crucial to the accuracy and integrity of the voting
process” (p. 26).



Flaws in Physical Hardware Controls



In
addition to identifying flaws in software and access controls, GAO
identified basic problems with the physical hardware of electronic
voting machines. Example of problems reported by GAO included locks
that could be easily picked or were all controlled by the same keys,
and unprotected switches used to turn machines on and off that could
easily be used to disrupt the voting process (p. 27).



Weak Security Management Practices by Voting Machine Vendors



Experts
contacted by GAO reported a number of concerns about the practices of
voting machine vendors, including the failure to conduct background
checks on programmers and system developers, the lack of internal
security protocols during software development, and the failure to
establish clear chain of custody procedures for handling and
transporting software (p. 29).



Actual Examples of Voting System Failure



GAO found multiple examples of actual operational failures in real elections. These examples include the following incidents:



In
California, a county presented voters with an incorrect electronic
ballot, meaning they could not vote in certain races (p. 29).



In
Pennsylvania, a county made a ballot error on an electronic voting
system that resulted in the county's undervote percentage reaching 80%
in some precincts (p. 29-30).



In North
Carolina, electronic voting machines continued to accept votes after
their memories were full, causing over 4,000 votes to be lost (p. 31).



In
Florida, a county reported that touch screens took up to an hour to
activate and had to be activated sequentially, resulting in long delays
(p. 31).


Current Federal Standards and Initiatives Are Ineffective and Are Unlikely to Provide Solutions in a Timely Fashion



GAO
reported that voluntary standards for electronic voting, adopted in
2002 by the Federal Election Commission, have been criticized for
containing vague and incomplete security provisions, inadequate
provisions for commercial products and networks, and inadequate
documentation requirements (pp. 32-33).



GAO
further reported that “security experts and some election officials
have expressed concern that tests currently performed by independent
testing authorities and state and local election officials do not
adequately assess electronic voting system security and reliability,”
and that “these concerns are amplified by what some perceive as a lack
of transparency in the testing process” (p. 34). The GAO report
indicated that national initiatives to improve voting system security
and reliability of electronic voting systems (such as updated standards
from the Election Assistance Commission; federal accreditation of
independent testing laboratories; and certification of voting systems
to national standards) are underway, but ” a majority of these efforts
either lack specific plans for implementation in time to affect the
2006 general election or are not expected to be completed until after
the 2006 election” (p. 43). As a result, GAO found that “it is unclear
when these initiatives will be available to assist state and local
election officials” (p. 43). According to GAO, “Until these efforts are
completed, there is a risk that many state and local jurisdictions will
rely on voting systems that were not developed, acquired, tested,
operated, or managed in accordance with rigorous security and
reliability standards – potentially affecting the reliability of future
elections and voter confidence in the accuracy of the vote count” (p.
53).



(Source)


View the full report here.