[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

California seeks to improve electronic-voting security



-----Original Message----- 
From: California Secretary of State, Kevin Shelley
[mailto:casosshelley@xxxxxxxxx] 
Sent: Friday, February 06, 2004 6:16 PM 
Subject: Greetings from the California Secretary of
State 

February 6, 2004 

Dear Friend: 

Attached for your information are a press release
detailing a directive I issued yesterday to all
counties concerning the security of our state's voting
systems and a news article from today's San Jose
Mercury News. Given the importance of this matter and
the proximity of the March Primary Election I want to
keep you informed of all the steps my office is taking
to protect the integrity of the voting process and
ensure the smooth conduct of elections in California.
To view a copy of my directive or see additional
information on key topics please visit my website at
http://myvotecounts.ca.gov/ 

Best wishes, 

Kevin 


********** 


FOR IMMEDIATE RELEASE 
February 6, 2004 

Secretary of State Kevin Shelley Issues Security
Directive on Electronic Voting 

Shelley Directs Counties to Put Security Measures in
Place for March Primary 

SACRAMENTO, CA - California Secretary of State Kevin
Shelley today ordered county elections officials to
implement additional security measures for the March
2, 2004 primary to protect voters against problems
that could arise from the use of new computerized
voting machines. 

Last year, Shelley directed that all electronic voting
systems certified for use in California produce an
accessible voter verified paper trail so voters can
check the accuracy of the machines and verify that
their vote has been recorded properly. While the
technology to accomplish this is presently being
developed, Shelley's interim measures are intended to
address some of the concerns raised in recent studies,
which have pointed to security issues with touchscreen
systems. 

"The right to vote is the cornerstone of our American
democracy. Voters must have confidence that their vote
will be counted as it is cast," said Shelley. 

"New technologies create new challenges, and our
highest priority is to meet those challenges so that
voting machines are accurate and secure," Shelley
said. "These security enhancements provide our voters
additional confidence that votes cast during the March
2 election will be accurately counted." 

In addition to requiring these additional measures,
Shelley also called for Diebold, a manufacturer of
touchscreen systems used in California counties, to
provide his office with the "source code" of software
being used in the Diebold systems. The source code
will be reviewed by independent experts selected by
the Secretary of State. 

In 2003, Diebold, without authorization, installed
untested software on machines in at least four
counties. The Secretary of State's investigation into
Diebold's conduct is ongoing. Shelley has demanded
that Diebold provide documents related to the
investigation no later than February 15, 2004. 

"Election vendors should be much more aggressive in
providing security measures than they have been up to
now. Since they haven't, I am directing the counties
to implement the following that are designed to
prevent tampering with electronic voting systems." 

These measures include: 

· State testing of randomly selected voting machines
in every county on election day. These tests, called
"parallel monitoring," will be designed, conducted and
recorded by independent experts. California is the
first state to implement this requirement, which has
been recommended by voting security experts; 

· Requiring that counties retain images of each ballot
cast, not merely vote totals; 

· Posting the results of voting on each voting machine
at each precinct for public viewing at the conclusion
of voting; 

· Prohibiting the use of any wireless devices,
including cellular telephones, in connection with
electronic voting; 

· Requiring that electronic voting machines operate as
"stand alone" systems at all times, not connected to
the internet; 

· Requiring additional security measures when
telephone lines are used to report vote totals at the
conclusion of voting; and 

· Requiring that each county and each voting machine
manufacturer prepare a voting equipment security plan,
to be reviewed by state officials. 


********** 


California seeks to improve electronic-voting security


By Elise Ackerman 
Mercury News 

California Secretary of State Kevin Shelley on
Thursday announced measures to improve election
security in the wake of a report describing how votes
can be easily manipulated by hacking into an
electronic voting system used across California. 

One in four California voters, including those in
Alameda County, are expected to cast ballots in next
month's presidential primary on electronic voting
systems made by Diebold Election Systems. Last week,
computer scientists hired by the state of Maryland to
hack its Diebold voting system announced they had
successfully changed vote tallies on touch-screen
voting machines, altered ballots and seized control of
a central vote-counting computer. 

The report, which was prepared by Raba Technologies
for the Maryland legislature, comes on the heels of an
audit of California Diebold systems conducted by
Shelley's office in December. That study found Diebold
had installed unapproved software in 17 California
counties in violation of state law. ``Clearly, Diebold
needs to get its house in order or it will not be
allowed to continue to do business in California,''
said Shelley spokesman Doug Stone. 

Diebold representative David Bear said Thursday that
the integrity of next month's election was not at
risk. ``I think it's important to reflect that the
Maryland Department of Legislative Services concluded
based on the Raba report that the election could be
held successfully without any changes to the Diebold
software,'' he said. ``They went on to say the
software accurately counts votes cast.'' 

Shelley is not asking for changes to Diebold's
software, but he called on the company to turn over
its software code so it could be evaluated by
independent experts chosen by the state. Shelley also
is requiring random state testing of all electronic
voting systems on election day to ensure ballots are
accurately recorded. 

As an additional safeguard, Shelley is ordering
counties to post election results from each
touch-screen machine at each precinct after the polls
close and to disconnect the machines from the
Internet. Voting-equipment companies must prepare a
voting security plan for review by the state. 

Six California counties use Diebold Election Systems'
touch-screen voting machines and vote-counting
software. Another 13 counties use Diebold
vote-counting software to tally paper ballots read by
an optical scanner. 

Local elections officials in California have been slow
to react to the Raba report. 

Only one county registrar of 14 who responded to
inquiries said she planned to implement specific steps
recommended by the computer scientists to correct
serious security flaws. When contacted by the Mercury
News, registrars in only three counties said they had
read the report. 

Connie McCormack, the registrar of Los Angeles County,
the state's largest county, said she did not read the
report. But McCormack said Diebold had assured her the
report referred to an older version of its software,
and that a newer version was more secure. 

Elaine Ginnold, assistant registrar of Alameda County,
said she also had not read the Raba report but she
believed ``the new software is going to have the
security recommendations.'' 

Raba report author Michael Wertheimer, a former senior
technical director of the National Security Agency,
said his team tested the most recent version of the
Diebold software. ``I can honestly say the problems we
are describing will not be addressed in any immediate
update,'' Wertheimer said. 

Kim Alexander, president of California Voter
Foundation, a Davis-based election watchdog group,
said registrars are too dependent on voting-equipment
companies to assure voting security and too dismissive
of the concerns that have been raised by computer
scientists over the past year. 

``The vendors who are in the business of profiting off
the sale of voting systems do not have a vested
interest in being forthcoming about security
glitches,'' Alexander said. 

The Raba report does credit Diebold with fixing two
security problems highlighted in previous reviews of
its software. But the report warns that enough
security holes remain to cause ``moderate to severe
disruption in an election.'' 

Raba researchers described their attacks on both the
touch screen machines and a separate computer that
runs a voting-counting software. They said they
altered voting cards used with the touch screens to
vote multiple times. By plugging a keyboard into the
touch-screen, a researcher modified ballots and
altered election results. Although sensitive areas are
the touch screens are locked, a member of the team
picked a lock in approximately 10 seconds. 

The Raba team also was able to seize control of the
vote-counting computer by downloading malicious code
from the Internet. Wertheimer said the key problem is
that Diebold had not applied 15 security patches to
the Microsoft operating system that is the foundation
for the program. 

Raba consultants recommended election officials
immediately install the security patches and limit
outside connections to the vote-counting computer.
Counties with both optical-scan and touch-screen
voting systems can send election results from polling
stations to the central office by modem or hand carry
memory cartridges. 

``I agree with many of the recommendations of Raba,''
said Kathy Williams, registrar of rural Plumas County.
Williams said she has already put adhesive labels on
her touch screens as a substitute for tamper tape. 

Joe Holland, registrar of Santa Barbara County, said
he had already hired an outside security firm to make
an assessment and that he personally disconnected the
vote-counting computer from the Internet. 

Dero Forslund, registrar of Trinity County and Lindsey
McWilliams, elections manager of Humboldt County, said
they would notice if someone tampered with the central
vote-counting computer, because precinct results are
delivered by hand and routinely double checked. They
also said they routinely conduct hand counts of paper
ballots whenever they notice discrepancies between the
number of people who sign into a polling station and
the number of votes that are cast. 

http://www.mercurynews.com/mld/mercurynews/news/7885748.htm?template=contentModules/printstory.jsp



__________________________________
Do you Yahoo!?
Yahoo! Finance: Get your refund fast by filing online.
http://taxes.yahoo.com/filing.html