Explore Harvard's Nieman network Nieman Fellowships Nieman Lab Nieman Reports Nieman Storyboard

Following up on an important GAO report on electronic voting

ASK THIS | November 28, 2005

A recent GAO Report on electronic voting systems points to a number of security and reliability problems in electronic voting. Many of these problems can only be remedied by system vendors and state and local election officials. What steps are your state and local election officials taking in response to the report?

By Lawrence Norden



Questions for your state and local election officials raised by the Government Accountability Office Report: Federal Efforts to Improve Security and Reliability of Electronic Voting Systems Are Under Way, but Key Activities Need to Be Completed.


Q.  In September 2005, the GAO issued a report noting significant security and reliability problems in current voting systems.  What specific steps has your jurisdiction taken to address these problems?  What steps are they committed to taking in order to deal with these problems before the November 2006 and 2008 elections?


Q.  Precisely what resources do election officials need in order to address the voting systems concerns described in the GAO report?  Do they need better funding, technical support, training for staff, or changes in laws and regulations in order to address these concerns? Will they be submitting requests for resources needed? Will they share those requests?


Q.  What kind of security review was/will be done before purchasing new voting machines in your jurisdiction?


Q.  Does your state/county retain independent experts to assess the security and reliability of their voting systems, procedures and physical plant?


Q.  Do election officials have any way of regularly and effectively checking that software in their voting systems is certified and has not been altered or substituted?  If so, what do they do to ensure this, and how often do they do it?


Q.  What kind of security training do election officials and poll workers in your jurisdiction receive?  What kind of security certification must contractors and employees have? 


Q.  The GAO has identified several studies which show specific design flaws in electronic voting systems that threaten the integrity of elections.  Are your state and/or local election officials in discussions with vendors about fixing these flaws before the November 2008 election?


Much of the current debate over voting machine security and reliability has centered on the type of machines jurisdictions purchase.  Should it be Precinct Count Optical Scans, in which the voter fills in her choices by marking the ovals of a paper ballot with a pen, and then scans the ballot through an electronic machine?  Or should it be the Direct Recording Electronic Machine (“DRE”), which allows the voter to pick candidates by touching a screen or buttons on an electronic machine?  If the jurisdiction picks DREs, should it purchase machines that have a voter verified paper trail, or not?


Security experts, vendors and election officials will provide different answers to these questions.  But all should agree that, no matter which voting system is purchased, it will be vulnerable to serious security and reliability problems unless proper precautions are taken.


The GAO report identified a substantial number of security and reliability problems related to electronic voting systems, and it made clear that many of these problems can only be addressed by state and local governments and/or voting machine vendors.  One of the most important issues raised by the report is what steps state and local election officials will take in advance of the 2006 and 2008 elections to ensure the integrity of their voting systems.


The GAO report recommends that “[e]lection officials should focus on the security issues related to electronic voting equipment before purchasing or implementing voting systems.”  (p. 41).  It specifically recommends that in soliciting bids for voting machines, election officials demand proposals that include security requirements and evaluation and test procedures. (Id.).  The GAO report further recommends that election officials “should review lessons learned from recent elections and implement relevant mitigation steps to address known security weaknesses.”  (Id.).


But the sheer number of the concerns identified by the GAO report could easily overwhelm anyone, particularly someone without expertise in security issues related to electronic voting.   The wise jurisdiction (regardless of whether the electronic voting system has been, or is about to be purchased) will hire independent security experts to review the reliability and security of current or prospective electronic voting systems.  Specifically, such a review should cover the problem areas identified by the GAO report, including: (a) hardware and software design of the machines; (b) hardware/firmware and software configuration; (c) testing and certification of voting machines and software; (d) election procedures; and (e) security management. 


The need for election officials and/or consultants with security and technical expertise becomes apparent when reviewing the specifics in the GAO report.  Among other things, the GAO report identifies instances where “local jurisdictions misconfigured their electronic voting systems,” leading to voters being unable to vote in certain races, or having their cast votes lost. (p. 29).  As the GAO report notes, past Election Day system failures in California, North Carolina, Pennsylvania, Florida and Ohio have already caused thousands of voters to be disenfranchised.  (p.31).  The root cause of each of these failures was not always known.  However, having independent assessments by professionals with expert-level security and technical qualifications should make such mishaps less likely in the future.


Such technologists should also take steps to ensure that voting software installed at the local level has been qualified at the national and state levels.  The GAO report highlights the danger that unreliable or uncertified versions of software could end up on voting systems.  It notes that, in separate instance in California and Indiana, “state officials found that two different vendors have violated regulations and state law by installing uncertified software on voting systems.”  (p.37). 

Jurisdictions that have recently purchased, or are in the process of purchasing, electronic voting machines should be aware of the specific machine design problems identified in the GAO report.  Among other problems, the GAO noted that several examinations have shown that cast ballots and ballot definition files in many voting systems can be modified without leaving any record in the voting system’s audit logs.  It also noted that supervisor functions are often protected with weak or easily guessed passwords, and that these weak safeguards could be exploited in attacks against the integrity of elections.  Similarly, in many cases, the poor physical design of the hardware leaves it susceptible to attacks or accidental mishaps that could result in the loss of many votes. Voting machine vendors are responsible to election officials and the public to ensure that these and other vulnerabilities identified in the GAO report are remedied as soon as possible.

GAO Report

Voting - What Is, What Could Be
July 2001 report from the Caltech-MIT Voting Technology Project

Immediate Steps To Avoid Lost Votes
Recommendations from the Caltech-MIT Voting Technology Project.

On Verifying The Vote And Auditing Elections
Statement from the Caltech-MIT Voting Technology Project

Safeguarding the Vote
From the League of Women Voters

Recommendations for improving voting systems
From the Brennan Center

The perils of paperless e-voting
Stanford Professor David Dill on Niemanwatchdog.org

Questions about vote counting
Basic questions from Niemanwatchdog.org

Will your vote be counted?
Bev Harris on Niemanwatchdog.org

The NiemanWatchdog.org website is no longer being updated. Watchdog stories have a new home in Nieman Reports.