Home

Issues

Resources

Index

USA

California

Alameda

SF

Systems

Diebold

ES&S

Hart

InkaVote

Sequoia

Open Source

Alternatives

Diebold/Premier Executive Summary

www.sos.state.oh.us/sos/info/EVEREST/14-AcademicFinalEVERESTReport.pdf

"The study included in this part of the EVEREST report evaluates the ability of the Premier voting system to guarantee a trustworthy election. The review team was provided access to the Premier source code and election equipment. The reviewers studied these materials in order to identify any security issues that can be exploited to affect an election. As part of that analysis, the reviewers were asked to identify best practices that may limit or neutralize the impact of discovered issues.

Our analysis suggests that the Premier system lacks the technical protections necessary to guarantee a trustworthy election under operational conditions. Flaws in the system’s design, development, and processes lead to a broad spectrum of issues that undermine the voting system’s security and reliability. The resulting vulnerabilities are exploitable by an attacker, often easily so, under election conditions. These vulnerabilities are the result of the following failures of the Premier system’s design or implementation:

• Failure to effectively protect vote integrity and privacy

  Numerous vulnerabilities allow an attacker to modify or replace ballot definitions, to change, miscount, or discard completed votes, or to corrupt the tally processes. Further issues expose voter choices and can lead to voter coercion and vote selling.

• Failure to protect election from malicious insiders

  The Premier system does not provide adequate protections to ensure election officials, poll workers, or vendor representatives do not manipulate the system or its data. These attacks are often invisible after the fact, and therefore misuse is difficult or impossible to uncover later.

• Failure to validate and protect software

  The Premier system makes only limited and often ineffective attempts to validate the software running within system. Thus, an attacker may exploit software and replace it with their own with little fear of detection. Further, the recommended means of installing and upgrading software is frequently highly dangerous.

• Failure to provide trustworthy auditing

  The auditing capabilities of the Premier system are limited. Those features that are provided are vulnerable to a broad range of attacks that can corrupt or erase logs of election activities. This severely limits the ability of election officials to detect and diagnose attacks. Moreover, because the auditing features are generally unreliable, recovery from an attack may in practice be enormously difficult or impossible.

• Failure to follow standard software and security engineering practices

  A root cause of the security and reliability issues present in the system is the visible lack of sound software and security engineering practices. Examples of poor or unsafe coding practices, unclear or undefined security goals, technology misuse, and poor maintenance are pervasive. This general lack of quality leads to a buggy, unstable, and exploitable system.

We found the Premier software to be unstable. Frequent crashes, system lock-ups, and unexplained errors were commonplace in our experiments. Stability problems were acute in the GEMS server, where failures occurred during normal use and under limited loads.

Our findings are consistent with those of previous studies. When taken as a whole, this and previous studies highlight a central point of concern: there is a demonstrative lack of improvement in the security of elections conducted using the Premier system. Initial reviews of the Premier system were undertaken as early as 2001. After six years of reviews and many new software and hardware upgrades, reviewers not only continue to find the same and similar problems as reported earlier, but continue to uncover new serious issues. Thus, the only reasonable conclusion that one can draw is the engineering approaches undertaken by Premier to eliminate previous problems and avoid new ones are failing.

The flaws in the Premier system place the security of an election almost entirely on physical procedures. Our analysis suggests that when those practices are not uniformly followed, it will be difficult to know when attacks occur. Even when the attacks are identified, it is unlikely that the resulting damage can be easily contained and the public’s belief in the accuracy and fairness of the election restored.

The review team feels strongly that the continued issues of security and quality are the result of deep systemic flaws. Thus, we agree with previous analyses and observe that the safest avenue to trustworthy elections is to reengineer the Premier system to be secure by design."

Nobody, and no machine, should be counting American votes in secret.