California Secretary of State Debra Bowen Friday recertified certain brands of electronic-voting machines for use in 2008 elections after requiring vendors to add security features to “protect the integrity of the vote”.
Following a “top-to-bottom” review of California voting machines completed July 27, Bowen officially decertified three voting systems deemed inadequate, then recertified them with a number of conditions added.
California, like other US states, has sought to modernise voting with touch-screen machines and other technology. Voting accuracy was brought into question after the 2000 presidential election, which was disputed owing to, among other things, how votes were counted on manual punch card ballots in Florida. The US Congress passed the Help America Vote Act in 2002, which provides federal funds to states to convert from manual to electronic voting and imposes other regulations.
The secretary of state's office regulates how elections are conducted in the state.
The California review was conducted by computer science and cryptography experts at the University of California with a mandate to study the hardware, software, documentation and source code of voting machines.
California moved up the date of its presidential primary election to Febuary 5, 2008, from June, so that the state’s 15.7 million registered voters could have an influence on the presidential nominations. That added to the urgency of recertifying voting machines. Bowen announced her decision Friday 3 August at 11:45 p.m., Pacific Daylight Time, only 15 minutes before a state deadline.
The state recertified voting systems from Diebold Election Systems, Hart InterCivic and Sequoia Voting Systems.
But because the review revealed significant security flaws, the state imposed new security measures on the vendors: reinstallation of all firmware and software in machines; disabling access to unused ports on the machines; hardening servers; prohibiting wireless connections between voting machines and servers; and other measures.
Researchers attempted to hack into voting machines to see how they would respond and found vulnerabilities in each of them.
In Diebold machines, “we were able to discover attacks for the Diebold system that could compromise the accuracy, secrecy, and availability of the voting systems”, the report stated.
Hart software and devices “appear to be susceptible to a variety of attacks which would allow an attacker to gain control,” the report said, while it was found that attacks on Sequoia machines “can be carried out without any knowledge of the source code”.
The vendors issued statements criticizing how the review was conducted. Researchers were given “unfettered access to all technical documentation and source code information,” said Hart InterCivic. Sequoia called the test “a helpful theoretical exercise”, but said the procedures were “unrealistic”. Diebold expressed similar concerns.
The state is limiting the use of those vendors' direct recording electronic (DRE) machines to one per polling place or for early voting. In California, voters can cast their ballots in person several days before election day. The state has recertified other models from those vendors using older optical scan technology.
Another vendor, Election Systems & Software, whose system is used only in Los Angeles County, did not submit its system in time for review. It will be reviewed separately before it is certified.
At least two-thirds of California voters in November 2006 elections cast paper absentee ballots sent in by mail, Bowen noted.