Is Transmitting Votes from Individual Polling Stations to the Central Tabulation Center a Secure Process?
Diebold Election Systems, Inc. released a paper titled “Checks and Balances in Elections Equipment and Procedures Prevent Alleged Fraud Scenarios” on July 30, 2003 on its website as a direct response to the Aviel Rubin et al. paper “Analysis of an Electronic Voting System.” The Diebold article stated:
“It is unlikely for an adversary to tamper with unofficial election results uploaded after polls close [electronically transmitted results are not deemed ‘official’ results]. In any case, such an attack would be both detected and resolved without the loss of election result integrity…
The system does not upload results over the Internet. No ISP [internet service provider] is involved in the uploading of unofficial results. The unofficial results are sent over a private point-to-point connection between the polling place (or another location) and election central. It would be difficult for an attacker to intercept and modify an analog modem connection, even by contravening federal wiretapping laws. Even in the event that such an attack could occur, the attacker would at best modify ‘unofficial’ election results.”
Dana DeBeauvoir, Travis County (Texas) Clerk, submitted a paper titled “Prevention of Attack, Not Detection After the Fact: A Note on Risk Assessment and Risk Mitigation” in conjunction with her public testimony before the U.S. Election Assistance Commission on May 4, 2004, which stated:
“If there is no external communications pathway, then there is no risk of hacking, or gaining unauthorized entry into the tabulation system. Texas requires the use of closed systems. Most counties do not use modem transfer or only do so from substations, not directly from the polling place. If modem transfer is used, it must be a secured landline with one-time, one-way traffic. The telephone number must be prescribed in advance. It is possible to detect attempts to enter a modem line. Also, the Counting Station should still accept surrender and delivery of the physical medium and compare the tally and number of votes cast on the medium to the modemed [sic] results.”
The Maryland State Board of Elections released a report on July 22, 2004 titled “Progress Report: Department of Legislative Services’ Trusted Agent Report on Diebold AccuVote-TS Voting System” as a follow-up to the RABA Technologies report “Trusted Agent Report: Diebold AccuVote-TS Voting System.” The Maryland State Board of Elections report stated:
“At each stage of tabulation, multiple checks and balances are performed by the Election Judges and county Election Officials.
If unofficial election night results are modemed, the following controls have been implemented [to ensure security]:
- Modem access is enabled only when the uploads are expected (i.e., election night).
- Modems are disengaged once uploads are completed.
- Strong authentication and encryption protocols are used.
- The LBEs [local board of elections] that use modems on election night have been instructed by SBE [state board of elections] to re-read 100% of the PC memory cards and compare the unofficial results received by modem with the count produced by the PC memory cards.”
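The comparison that this control and the Travis County testimony above both call for can be scripted. The following is an added example, not part of either document or of any election system's code; the `Report` structure, precinct ids, choices and counts are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Report:
    """One precinct's totals from one channel (modem upload or memory-card re-read)."""
    ballots_cast: int
    tallies: dict  # contest choice -> votes

def reconcile(modem: dict, card: dict) -> list:
    """Compare unofficial modem uploads with memory-card re-reads, precinct by precinct.

    Returns (precinct, finding) tuples; an empty list means the two channels agree.
    """
    findings = []
    for precinct in sorted(set(modem) | set(card)):
        m, c = modem.get(precinct), card.get(precinct)
        if c is None:
            findings.append((precinct, "modem upload with no memory card surrendered"))
            continue
        if m is None:
            continue  # nothing was modemed; the card count stands on its own
        if m.ballots_cast != c.ballots_cast:
            findings.append((precinct, f"ballots cast differ: modem {m.ballots_cast}, card {c.ballots_cast}"))
        for choice in sorted(set(m.tallies) | set(c.tallies)):
            mv, cv = m.tallies.get(choice, 0), c.tallies.get(choice, 0)
            if mv != cv:
                findings.append((precinct, f"{choice}: modem {mv}, card {cv}"))
    return findings

# Constructed sample data: precinct ids, choices and counts are invented.
MODEM = {
    "P-001": Report(300, {"A": 160, "B": 140}),
    "P-002": Report(250, {"A": 150, "B": 100}),  # altered in transit in this sample
    "P-004": Report(90, {"A": 50, "B": 40}),     # no card was ever delivered
}
CARD = {
    "P-001": Report(300, {"A": 160, "B": 140}),
    "P-002": Report(250, {"A": 120, "B": 130}),
    "P-003": Report(410, {"A": 200, "B": 210}),  # card only, never modemed
}

if __name__ == "__main__":
    for precinct, finding in reconcile(MODEM, CARD):
        print(precinct, "-", finding)
```

A tampered upload can keep the ballots-cast figure intact while shifting votes between choices, as P-002 does here, so the per-choice comparison is needed in addition to the ballot count.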
The U.S. Government Accountability Office (GAO), in a Mar. 7, 2007 report entitled, “Testimony Before the Subcommittee on Financial Services and General Government, Committee on Appropriations, House of Representatives, Elections, All Levels of Government Are Needed to Address Electronic Voting System Challenges,” stated:
“Computer security experts have raised concerns… about voting system standards that are not sufficient to address the weaknesses inherent in telecommunications and networking services. Specifically, vendors often use COTS [commercial off-the-shelf] software in their electronic voting systems, including operating systems… Regarding telecommunications and networking services, selected computer security experts believe that relying on any use of telecommunications or networking services, including wireless communications, exposes electronic voting systems to risks that make it difficult to adequately ensure their security and reliability—even with safeguards such as encryption and digital signatures in place.”
The National Academy of Sciences’ 2005 report “Asking the Right Questions About Electronic Voting” stated:
“Manual handling of the [vote total] numbers and the use of computer-readable media for recording the vote totals both raise issues of physical custody of the ledger or media in transport to the tabulation authority. For example, if precautions are not taken, an adversary could substitute a CD-ROM prewritten with the appropriate vote totals for the CD-ROM taken from a specific voting station.
Direct transmission of vote totals over a wired or wireless network renders the transmission vulnerable to spoofing attacks, in which the receiving computer is tricked into accepting numbers from an unauthorized source; or the transmission could be intercepted, modified, and played back.”
RABA Technologies, at the request of the State of Maryland, prepared a Jan. 20, 2004 report titled “Trusted Agent Report: Diebold AccuVote-TS Voting System,” which stated:
“The procedure by which precincts upload votes to their LBE [local board of elections] is vulnerable to a ‘man-in-the-middle’ attack. This is a result of an incomplete implementation of the Secure Sockets Layer [an encrypted protocol that securely transmits data across a network] protocol. Specifically, the [security assessment] team demonstrated how a laptop could act as a GEMS [Diebold’s Global Election Management System] server. If one could convince the precinct judge to dial into an attacker’s laptop then the laptop would not only receive the election results, it would be able to acquire the name and password to access the GEMS server. With this name and password in hand, the attacker could upload modified results to the GEMS server – all in real time. A more subtle attack might involve modifying the settings in the AccuVote-TS terminal to redirect outbound phone calls to the attacker’s computer, or actually gaining access to the phone switch at either the precinct or the LBE.”
Tova Andrea Wang, JD, Democracy Fellow at The Century Foundation, in her May 26, 2004 paper “Understanding the Debate Over Electronic Voting Machines,” available on the Reform Elections website, wrote:
“DREs are vulnerable to interference during transmission of results. Although election results usually are not transmitted from precincts via the Internet, they may be transmitted via a direct modem connection. Since telephone transmission systems themselves increasingly are connected to the Internet, computer may be connected to the receiving server through an Internet connection. Some say that a hacker could intercept an encrypted call from a precinct to the receiving server and call in fraudulent results.”