University of Iowa Professor, E-Voting Expert Calls on Company to Publicly Release Information to Back Up Response
Charges 'No Third Party Security Analyses' Have Ever 'Found Their System to be Secure'
By Brad Friedman on 9/15/2006, 3:19pm PT  

Noted University of Iowa computer scientist and e-voting expert, Douglas W. Jones, posted a reponse via email this morning to Diebold's official reply to Princeton University's recent report, detailing the ease with which Diebold's AccuVote touch-screen voting machine may have a virus inserted into its system.

Such malicious code, the first-of-its-kind report details, could flip votes, steal an election and replicate itself from one voting machine to the next. The dirty deed could be done by a single individual with about a minute's worth of unsupervised access to a single machine or memory card, and could be designed to be undetectable to either voters or elections officials.

The mainstream media appears to have finally found this issue fit to report, after all our years of covering it here. There has been a good deal of MSM coverage over the last two days, since The BRAD BLOG broke the full story, both here and in shorter form over at Salon; some of it has --- no surprise --- been better than others. We'll have more on that hopefully later this evening.

In the meantime, Diebold released their predictably misleading and disingenuous response late Wednesday evening. To which Jones replied via email this morning. This is his response...

Princeton Study of Diebold Voting Machines:
http://itpolicy.princeton.edu/voting/
Diebold Election Systems Response
http://releases.usnewswi.../GetRelease.asp?id=72390

Diebold says:

A virus was introduced to a machine that is never attached to a network.

This response dodges the question, expressing a complete misunderstanding of the nature of viruses by implying that viruses are irrelevant if there is no network. First, viruses originally emerged as a threat in the era of the Apple ][ personal computer, where they were spread on floppy disks that were hand carried between machines. What matters, clearly, is the presence of communication, not wires. Communication by hand carried disks, or PCMCIA cards, creates an environment in which the possibility of viruses is worthy of investigation.

The current generation AccuVote-TS software - software that is used today on AccuVote-TS units in the United States - has the most advanced security features, including Advanced Encryption Standard 128 bit data encryption, Digitally Signed memory card data, Secure Socket Layer (SSL) data encryption for transmitted results, dynamic passwords, and more.

Diebold has not released to the public sufficient information to allow an assessment of the competence with which these measures were applied. As a result, we cannot determine whether these are applied in an effective way, or whether they are as ineffective as the use of DES was back in 1997.

In addition to this extensive security, the report all but ignores physical security and election procedures. Every local jurisdiction secures its voting machines - every voting machine, not just electronic machines. Electronic machines are secured with security tape and numbered security seals that would reveal any sign of tampering.

See Avi Rubin's report. See the report from Cleveland [PDF] on the frequency with which these measures were used effectively. See Ed Felton's comments on the denial of service attack that security seals offer. I commented on the same with regard to the ES&S iVotronic in my comments on the pre-election tests in Miami [PDF] [see page 13 and 24-25] in 2004.

If you take seals seriously, you must inventory seal numbers at the time applied and insist on recording the seal numbers at the time they are broken. Auditors must routinely check that these records are properly maintained, and any seal found broken should disqualify the machine it is attached to. Jurisdictions don't do this, and the seals being used are so flimsy that if they did, someone could shut down a polling place by careful use of their thumbnail. In sum, the use of seals, as it is being done now, is about cosmetics, not about security.

Secure voting equipment, proper procedures and adequate testing assure an accurate voting process that has been confirmed through numerous, stringent accuracy tests and third party security analysis.

Diebold owes the public a list of the third party security analyses that have found their system to be secure. None of the analyses I'm aware of drew positive conclusions. Certainly the redacted SAIC study, [ed note: The redacted SAIC report was originally posted here on Maryland's website, but now appears to be gone. So it's really redacted at this point apparently. The preceding link is to the Exec Summary of its findings instead] and the Compuware study [PDF], and the Raba study [PDF] all found major flaws. I've spoken with authors of the Raba study who were livid about the way Diebold lobbied them during the writing of their report to soften the wording, and then misrepresented the results in their public relations campaign that followed. The SAIC study is still not available in unredacted form. Does this mean that it still documents weaknesses that have yet to be corrected?

Every voter in every local jurisdiction that uses the AccuVote-TS should feel secure knowing that their vote will count on Election Day.

Indeed. I agree completely. They should feel secure. Or at least, that is what we owe them. I wish we could follow through on that promise.

Doug Jones
jones@cs.uiowa.edu