Last updated on: 10/7/2008 | Author:

Do Electronic Voting Machines Store Votes Securely?

PRO (yes)


Diebold Election Systems, Inc. released a pamphlet titled “Industry Leading Security” available on the company’s website accessed Apr. 13, 2006 which detailed the various security features present in their electronic voting systems. The pamphlet included the following description of methods to safeguard cast votes:

“Once a ballot is cast, a voter’s selections are immediately encrypted and stored in two separate locations within the unit to provide redundancy…Encrypted cast ballot information is stored on a secured, removable memory card and on internal ‘flash’ memory within the touch screen voting station. Non-volatile memory is used to ensure cast ballot information is retained, even if standard and backup power sources are interrupted…

Should a memory card become inoperable for some reason, the cast ballot information can be securely retrieved/downloaded from the encrypted, redundant ‘flash’ memory within the voting station.”

Apr. 13, 2006


Ted Selker, PhD, Director at the California Institute of Technology (Caltech) and the Massachusetts Institute of Technology (MIT) Voting Technology Project, in his Apr. 2004 paper “Security Vulnerabilities and Problems with VVPT,” wrote:

“Concerns about security of the collection and counting process have always been important. Computers offer the first technology that can easily make copies of information in different forms for archival preservation. Electronic voting machines of today keep records of the votes on disk, removable physical media in memories and, as a final count, on a paper scroll. These multiple records can improve voting machines’ immunity to problems.”

Apr. 2004


Michael Shamos, PhD, JD, Distinguished Career Professor of Computer Science at Carnegie Mellon University, in his paper “Paper v. Electronic Voting Records – An Assessment,” published in the Proceedings of the 14th ACM Conference on Computers, Freedom and Privacy in Apr. 2004, stated:

“With DRE [direct recording electronic voting] systems, the ballot images representing individual voters’ choices are stored both in the machine on which they were cast in redundant memories and also in removable modules that can be transported. All of these memories are cryptographically linked so substitutions and cracking are not feasible. A manipulation of the central count computer would not be to any avail since the totals produced there would not correspond to the canvass of individual precincts.”

Apr. 2004


Election Systems and Software, Inc. (ES&S), a manufacturer of electronic voting machines, has a Frequently Asked Questions section of their website (accessed Oct. 7, 2008), which included the following entry:

“The iVotronic [a model of electronic voting machine] has three independent but redundant memory chips to ensure that no votes will ever be lost or altered. Accuracy of the system can be verified for each terminal through current electronic ballot records already stored within the terminals and with random audits of polling locations.”

Oct. 7, 2008


Sequoia Voting Systems’ website included a Product Description section (accessed Oct. 7, 2008), which described the following feature of their electronic voting machine model Edge2Plus:

“The electronic recording of votes combined with the VVPAT [voter verified paper audit trail] reduces ballot errors… Cast votes are stored in multiple locations in each voting machine to guarantee accuracy and ensure that there are numerous ways to retrieve and audit records under any circumstance.”

Oct. 7, 2008

CON (no)


Edward W. Felten, PhD, Professor of Computer Science and Public Affairs at Princeton University, Ariel J. Feldman, PhD candidate at Princeton University, and J. Alex Halderman, PhD candidate at Princeton University, in a Sep. 13, 2006 study titled “Security Analysis of the Diebold AccuVote-TS Voting Machine,” offered the following:

“Since any attacks that significantly alter the total number of votes cast can be detected by election officials, our demonstration software steals votes at random from other candidates in the same race and giving [sic] them to the favored candidate…

Election results (i.e., the record of votes cast) are stored in files that can be modified by any program running on the voting machine. For the currently running election, the primary copy of the election results is stored on the memory card… and a backup copy is stored in the machine’s on-board flash memory… Our software works by directly modifying both of these files… Since our software runs invisibly in the background, ordinary users… would not notice its presence…

Several of the machine’s supposed security features do not impede this attack… the fact that election results are stored redundantly in two locations is not an impediment because the vote-stealing software can modify both copies. Finally… the fact that the election results are encrypted does not foil this attack.”

Sep. 13, 2006


The Government Accountability Office (GAO) 2005 report titled “Elections: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, But Key Activities Need to Be Completed,” stated:

“Some electronic voting systems provided weak system security controls over key components, including electronic storage of ballots…

Regarding key software components, several evaluations demonstrated that election management systems did not encrypt the data files containing cast votes to protect them from being viewed or modified. Evaluations also showed that, in some cases, other computer programs could access these cast vote files and alter them without the system recording this action in its audit logs.”



Doug Jones, PhD, Associate Professor of Computer Science at the University of Iowa, in “The Evaluation of Voting Technology,” a chapter in the 2003 book Secure Electronic Voting, wrote:

“For over a decade, all direct recording electronic machines have been required to contain redundant storage, but this redundant storage is not an independent record of the votes, because it is created by the same software that created the original record. As a result, [the multiple files] are of limited use…to check the correctness of the software.”



Aviel Rubin, PhD, Technical Director of the Johns Hopkins University Information Security Institute, in his 2003 technical report “Analysis of an Electronic Voting System” (Johns Hopkins University Information Security Institute Technical Paper TR-2003-19, July 23, 2003), stated:

“Both the vote records and the audit logs are encrypted and checksummed before being written to the storage device. Unfortunately, neither the encrypting nor the checksumming is done with established, secure techniques…

Because of the poor cryptography, an attacker with access to this file [of voting records] would be able to generate or change as many votes as he or she pleased. Furthermore, the adversary’s modified votes would be indistinguishable from the true votes cast on the terminal…This attack leaves no evidence that an attack was ever mounted.”

July 23, 2003


Barbara Simons, PhD, Computer Scientist and Former President of the Association for Computing Machinery (ACM) in her Oct. 2004 ACM Queue paper titled “Electronic Voting Systems: The Good, The Bad, and The Stupid,” wrote:

“More recently ES&S [Election Systems and Software, Inc.] has been in the news because a software bug had corrupted the audit log and vote image report in ES&S machines used in Miami-Dade and many other parts of the country…

On July 27, 2004 the Miami-Dade Election Reform Coalition announced that audit data they had requested revealed that computer crashes had deleted all the election results from the September 2002 gubernatorial race in Miami-Dade, as well as from several more recent municipal elections. It appeared no back-ups had been made.”

Oct. 2004