National Institute of Standards & Technology says e-voting machines cannot be made secure

The US National Institute of Standards & Technology (NIST) has a long history of examining voting technology dating back to Roy Saltman’s important reports highlighting the problems with punch-card ballots onwards.

At the moment NIST are working in helping to develop future voting standards for the US Election Assistance Commission.

A recent technical paper written as part of this process has been put on their site. The paper states that:

“NIST does not know how to write testable requirements to make DREs secure, and NIST’s recommendation to the [committee] is that the DRE [Direct Recording Electronic voting machine] in practical terms cannot be made secure.”

The paper takes an interesting approach to examining voting system accuracy using a concept of ‘Software-Independence in Voting Systems’. Their definition:

“A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome.”

I think this is a helpful concept for thinking about voting systems as it requires that a system’s accuracy can be checked, such as through a voter verifiable paper trail. As I’ve mentioned before, bolting a paper trail onto an electronic voting machine is less than ideal and creates a whole range of possible problems particularly in terms of usability. But given the situation in the US it was an understandable fix to ask for, certainly much better than having just touchscreens with no audit trail at all.

The paper identifies three readily available software-independent systems:

  1. Optical scanner using manually marked paper ballots
  2. Optical scanner using an electronic ballot marker which can produce a richer user interface for accessibility and alternative languages
  3. Electronic voting machines with a voter-verifiable paper audit trail.

I have reservations about the security of optical scanners but they have the obvious benefit of providing a voter verified ballot for recounts and audits. The authors of the paper seem to have major doubts about option 3 but put much of the debate beyond the scope of their work.

This paper is a useful contribution, their views on the problems with voting machines confirm those of the computer security community who have been working for years to make the failings of e-voting clear to all.

Read the paper [PDF]

More about this:
Brad Blog
Ed Felten
Associated Press

(via The Open Rights Group)