If George P. Burdell carries the Georgia Tech precinct in the upcoming November election, county officials might conclude something went wrong with the voting machines, but there would be little they could do about it.
Following the 2000 presidential election debacle, Georgia became the first of 37 states to adopt electronic touch-screen voting machines, perhaps a little too quickly, according to André Luiz Moura dos Santos, an assistant professor at the College of Computing and a researcher specializing in computer systems and security at the Georgia Tech Information Security Center.
"The government gave a big incentive for states to acquire these machines," says dos Santos, referring to several billion dollars Congress allocated in 2001 for the purchase of new electronic voting equipment. Likewise, manufacturers were motivated to "rush these machines out the door to make a sale, and they didn’t pay the necessary attention to security."
Washington, D.C.-based Election Data Services projects that nearly half (50 million) of all voters this fall will pick their candidates electronically.
Touch-screen voting configurations, produced by Diebold, Sequoia Voting Systems, Electronic Systems & Software and other vendors, are known as direct recording electronic systems, meaning that paper is eliminated from the voting process. Ohio-based Diebold is far and away the industry leader, which also makes it a high-profile target for critics.
In Georgia, which employs a $54 million Diebold system that includes 19,000 touch-screen terminals, voters show identification and complete a form before being given a smart card to insert into the terminal. The card calls up the ballot, the voter selects the candidates and touches a button to record the selections, and the smart card is ejected. The voter drops the card into a box so it can be reprogrammed by poll attendants and used again. After the polls close, vote totals are uploaded to county servers, and from there to a state computer.
The basic concern of dos Santos and many other computer scientists around the country is that software flaws at different points in the process could be exploited by individuals or groups intent upon altering the outcome of an election.
Georgia Secretary of State Cathy Cox takes issue with e-voting critics, noting that the Georgia system has earned "national and state certification" and that before a decision was made to acquire the Diebold system, it underwent a series of independent qualification and certification tests to analyze design, accuracy, security and durability. The equipment was also evaluated for the complexity of its installation and use, and to ensure that votes were recorded and tallied correctly under simulated election conditions, Cox says.
"The security of our voting system is paramount," Cox adds. "Extensive measures are taken to protect the voting system from fraud. During testing the function of each program module is determined and each module is examined to ensure that there is no ‘hidden’ code. When the software is approved, various electronic signatures are recorded to verify that the original code has not been altered."
Despite Cox’s assurances, dos Santos’ concerns echo those of many other university computer scientists. In a widely publicized study by Johns Hopkins University released in July of last year, researchers examined what was purported to be Diebold’s e-voting source code, which had been posted surreptitiously on the Internet.
Voters, without any insider privileges, "can cast unlimited votes without being detected by any mechanisms within the voting terminal software," a Johns Hopkins analysis says.
In an official response, Diebold said, "It is also important to note that the clinical research focused almost solely on software code and overlooked the total system of software, hardware, services and poll worker training that have made Diebold electronic voting systems so effective in real-world implementation."
Stung by the harsh criticism leveled by Johns Hopkins, Maryland officials commissioned Science Applications International Corp. to audit the Diebold system. That report produced findings similar to those of the Hopkins research team, prompting Maryland election officials to commission yet another study prior to the March primary, this time by Raba Technologies.
The Raba report concluded that the Diebold machines accurately counted votes but the process could be compromised.
Diebold’s operating system runs Microsoft Windows, well-known to hackers, and while the company has responded to criticism by adding security patches to its program, that kind of Band-Aid approach is a poor substitute for software designed from the ground up with voting security in mind, dos Santos says.
While Georgia’s system could be retrofitted with printers, says Cox, the reintroduction of paper would cause more problems than it solves.
"Throughout Georgia history, a majority of election fraud cases have involved paper," she notes, "and the addition of paper receipts would simply reintroduce these problems to our state."
Paper receipts do not guarantee greater security or accuracy, according to Cox.
In fact, dos Santos’ research in secure Internet systems portends a day when the act of voting can be done from any online computer, securely and privately.
Until then, or until serious security gaps in existing electronic voting systems are researched and addressed, according to dos Santos, "there’s a risk of compromising the most important act of citizenship: voting."
Lest dos Santos appear to exaggerate the risk, the Georgia Tech professor, who works extensively with online security issues for financial institutions, is asked if a bank would accept the level of security presently offered by electronic voting systems.
"No way," he replies.
©2004 Georgia Tech Alumni Association