September 13, 2004
E-voting machines both unreliable and 'hackable,' warns Purdue expert
Electronic polling machines could result in many votes being miscounted, lost or stolen, says a Purdue University computer scientist.
|
As much as 40 percent of all votes this fall will be cast on a Direct Recording Electronic polling machine. But according to computer security expert Eugene Spafford, it is easy to hack some DRE machines to alter the tally – and the problems do not end there.
"The software used in these machines has generally not been developed with sufficient rigor to keep returns accurate, and the testing and auditing of DREs is inadequate," says Spafford, professor of computer science and director of Purdue's Center for Education and Research in Information Assurance and Security (CERIAS). "While these machines have been deployed with the worthy goal of making voting both simpler and more accurate, problems with their security and reliability could potentially compromise this year's election."
Electronic voting, or e-voting, machines have obvious advantages for a country the size of the United States. If used correctly, DRE machines can help minimize voter error and some types of fraud. They also could assist some physically impaired voters who might have difficulty using conventional booths. But Spafford said the risks outweighed the potential benefits.
"Currently, the potential danger from fraud, abuse and failure is unacceptably high," he says. "DRE type machines do not have independent audit trails. In other words, if there is question on a vote, there is no real way to recount the ballots. Although vendors claim that a vote can be recounted, all that can really happen is that the final totals can be reread – there is no way to count the individual votes."
Spafford, who also is one of 25 members of the U.S. President's Information Technology Advisory Committee, recommends that the machines be modified before the election to protect against fraud.
"DRE machines should keep paper records that can be checked in case of a recount, and some should be randomly audited to ensure that the DRE results are correct," he says. "Vendors should also be required to disclose their code to independent auditors and the public to check for accuracy and tampering."
CONTACT: Spafford, (765) 494-7825, spaf@cerias.purdue.edu
To the News Service home page