Jessica Leval and Jennifer Marsico, Research Assistants, AEI-Brookings Election Reform Project, and Clinton Reeder, Technology Support Analyst, American Enterprise Institute

December 3, 2008

The controversy surrounding the 2000 election highlighted the need for reliable methods of vote transmission. In 2002, Congress passed the Help America Vote Act (HAVA) requiring changes in voting technology. Many states responded by adopting direct recording electronic voting machines (DREs). Though DREs have eased the voting process in some ways, they have also created controversies of their own.

In New Jersey, for example, issues relating to the security of DREs have been examined by the courts. Gusciora et al. v. McGreevey et al. (2004), was brought before the Superior Court in Mercer County, New Jersey. This case focused on the training of election officials, specifically emphasizing the administrative challenges of using DREs. Though dealing with New Jersey's machines, the case highlighted an example from Florida, where, in the 2002 congressional elections, DREs lost numerous records of votes cast because poll workers failed to fix malfunctioning machines. Questions were also raised about aging election workers' ability to handle new high-tech DREs. Additionally, the case examined concerns about the security of the machines themselves. Andrew Appel, professor of computer science at Princeton University and an expert witness for the plaintiffs in Gusciora v. McGreevey, explained that records of votes were stored only in the DRE machines, which in New Jersey do not contain additional physical backups like paper printouts. The machines themselves contain memory backup systems, but do not create physical backups that are separate from the actual internal computer software.

New Jersey's DREs have clearly been plagued by a variety of security concerns. Utah, however, has managed to avoid many of these pitfalls by employing a variety of security protections and procedures to ensure votes are cast and recorded as the voters intended. Utah's DREs do, for example, produce voter verified paper trails. During the 2006 elections, Utah primarily used DieboltTS and the TSx touch screen electronic voting systems. These machines ran variants of Microsoft Windows CE and have customized hardware designed to, according to the AccuVote TSx brochure, "enable blind or visually impaired persons to vote unassisted in complete privacy," through either verbal responses that are typed into a keypad or through their high contrast screens. Additionally, once completed, ballots are printed directly from the DRE and voters can see printouts of their ballots through a clear window. Voters can then check their printouts to make sure they have indeed voted for their chosen candidates. Voters are also able to go back if necessary and correct any mistakes they may have made while using the DRE before actually casting their ballots.

In addition to these procedural steps, the machines in Utah employ a range of internal security protections. They use what is termed "triple redundant memory" to store election data; each machine uses a memory card, relies on an internal memory device, and produces a paper trail. Therefore, when people cast their votes, their votes are recorded in three separate locations - in a removable storage device, in the machine itself, and in the form of a tangible record which is kept with the DRE and cannot be changed once approved by the voter. DRE machines and memory cards can also be tracked by serial numbers, ensuring that potential hackers cannot simply remove a memory card from one of the DREs and replace it with one of their own. To successfully alter the information on a memory card, hackers would need to physically plug the card into a computer, reprogram the card and then reinsert the card into the original DRE. This entire process requires physical proximity to the DREs for prolonged periods of time.

It is relatively easy for an individual to physically tamper with a DRE in person. To protect against individuals who may attempt to alter Utah's DREs, the state requires an additional paper record each time a DRE itself, its memory card, or the voter paper trails the DREs produce change hands during transport. This chain of custody for each machine helps ensure the DREs' physical security. Memory cards and voter access cards are also protected by a security encryption key which encrypts the voter data on the memory cards and voter access cards. For hackers to succeed in altering DRE data, they would need to physically break open the DRE's door, de-encrypt the data on the memory card, change the data or insert malicious programs, re-encrypt the data on the memory card and finally re-insert the newly altered memory card. This combination of the broken seal on the DRE's door and the amount of time hackers would need to spend figuring out the encryption code would likely make such tampering apparent to poll workers.

Security threats may not pose significant problems for Utah's DREs, but they still create certain issues for disabled individuals-the very voters these machines were intended to help. According to Paula Lowry, a precinct chair and touch screen technician in Precinct 4001 in Salt Lake County, it is often difficult for poll workers to reposition the DREs to comfortable levels for individuals in wheelchairs. Poll workers are not trained to perform these adjustments. Before DREs, Utah used punch card booths with removable stands, and poll workers did receive training to adjust the height of these booths.

During the 2008 presidential election, there were few reports of major malfunctions of DREs in Utah. According to Pew's Center on the States Stateline.org staff writer, Pauline Vu, nationwide, "not everything went perfectly. There were scattered reports of voting machine malfunctions in states such as in California, Florida, Michigan, New Jersey, Pennsylvania and Virginia." But, overall, the process seemed to run relatively smoothly on Election Day 2008, thanks in part to the procedures and systems used in places like Utah.

Jessica Leval can be reached at jessica.leval@aei.org. Jennifer Marsico can be reached at jennifer.marsico@aei.org.

Viewpoint is an occasional feature analyzing various election reform issues.