Truthout
October 21, 2005

GAO FINDS FLAWS IN ELECTRONIC VOTING

Rep. Waxman led twelve members of Congress today in releasing a new
GAO report that found security and reliability flaws in the
electronic voting process.

In a joint press release, Rep. Waxman said, "The GAO report indicates
that we need to get serious and act quickly to improve the security of
electronic voting machines. The report makes clear that there is a
lack of transparency and accountability in electronic voting systems -
from the day that contracts are signed with manufacturers to the
counting of electronic votes on Election Day. State and local
officials are spending a great deal of money on machines without
concrete proof that they are secure and reliable."

The GAO report found flaws in security, access, and hardware controls,
as well as weak security management practices by voting machine
vendors. The report identified multiple examples of actual operational
failures in real elections and found that while national initiatives
to improve the security and reliability of electronic voting systems
are underway, "it is unclear when these initiatives will be available
to assist state and local election authorities."

Rep. Waxman also released a fact sheet summarizing the report's key
findings.

Fact Sheet

Overall Findings

In October 2005, the Government Accountability Office released a
comprehensive analysis of the concerns raised by the increasing use of
electronic voting machines.

Overall, GAO found that "significant concerns about the security and
reliability of electronic voting systems" have been raised (p. 22).

GAO indicated that "some of these concerns have been realized and have
caused problems with recent elections, resulting in the loss and
miscount of votes" (p. 23).

According to GAO, "election officials, computer security experts,
citizen advocacy groups, and others have raised significant concerns
about the security and reliability of electronic voting systems,
citing instances of weak security controls, system design flaws,
inadequate system version control, inadequate security testing,
incorrect system configuration, poor security management, and vague or
incomplete standards, among other issues.... The security and
reliability concerns raised in recent reports merit the focused
attention of federal, state, and local authorities responsible for
election administration" (pp. 22-23).

Specific Problems Identified by GAO

Based on reports from election experts, GAO compiled numerous examples
of problems with electronic voting systems. These included:

Flaws in System Security Controls

Examples of problems reported by GAO include (1) computer systems that
fail to encrypt data files containing cast votes, allowing them to be
viewed or modified without detection by internal auditing systems; (2)
systems that could allow individuals to alter ballot definition files
so that votes cast for one candidate are counted for another; and (3)
weak controls that allowed the alteration of memory cards used in
optical scan machines, potentially impacting election results. GAO
concluded that "these weaknesses could damage the integrity of
ballots, votes, and voting system software by allowing unauthorized
modifications" (p. 25).

Flaws in Access Controls

Examples of problems reported by GAO include (1) the failure to
password-protect files and functions; (2) the use of easily guessed
passwords or identical passwords for numerous systems built by the
same manufacturer; and (3) the failure to secure memory cards used to
secure voting systems, potentially allowing individuals to vote
multiple times, change vote totals, or produce false election reports.

According to GAO, "in the event of lax supervision, the... flaws
could allow unauthorized personnel to disrupt operations or modify
data and programs that are crucial to the accuracy and integrity of
the voting process" (p. 26).

Flaws in Physical Hardware Controls

In addition to identifying flaws in software and access controls, GAO
identified basic problems with the physical hardware of electronic
voting machines. Examples of problems reported by GAO included locks
that could be easily picked or were all controlled by the same keys,
and unprotected switches used to turn machines on and off that could
easily be used to disrupt the voting process (p. 27).

Weak Security Management Practices by Voting Machine Vendors

Experts contacted by GAO reported a number of concerns about the
practices of voting machine vendors, including the failure to conduct
background checks on programmers and system developers, the lack of
internal security protocols during software development, and the
failure to establish clear chain of custody procedures for handling
and transporting software (p. 29).

Actual Examples of Voting System Failure

GAO found multiple examples of actual operational failures in real
elections. These examples include the following incidents:

In California, a county presented voters with an incorrect electronic
ballot, meaning they could not vote in certain races (p. 29).

In Pennsylvania, a county made a ballot error on an electronic voting
system that resulted in the county's undervote percentage reaching 80%
in some precincts (pp. 29-30).

In North Carolina, electronic voting machines continued to accept
votes after their memories were full, causing over 4,000 votes to be
lost (p. 31).

In Florida, a county reported that touch screens took up to an hour to
activate and had to be activated sequentially, resulting in long
delays (p. 31).

Current Federal Standards and Initiatives Are Ineffective and Are
Unlikely to Provide Solutions in a Timely Fashion

GAO reported that voluntary standards for electronic voting, adopted
in 2002 by the Federal Election Commission, have been criticized for
containing vague and incomplete security provisions, inadequate
provisions for commercial products and networks, and inadequate
documentation requirements (pp. 32-33).

GAO further reported that "security experts and some election
officials have expressed concern that tests currently performed by
independent testing authorities and state and local election officials
do not adequately assess electronic voting system security and
reliability," and that "these concerns are amplified by what some
perceive as a lack of transparency in the testing process" (p. 34).

The GAO report indicated that national initiatives to improve the
security and reliability of electronic voting systems (such as
updated standards from the Election Assistance Commission; federal
accreditation of independent testing laboratories; and certification
of voting systems to national standards) are underway, but "a
majority of these efforts either lack specific plans for
implementation in time to affect the 2006 general election or are not
expected to be completed until after the 2006 election" (p. 43). As a
result, GAO found that "it is unclear when these initiatives will be
available to assist state and local election officials" (p. 43).

According to GAO, "Until these efforts are completed, there is a risk
that many state and local jurisdictions will rely on voting systems
that were not developed, acquired, tested, operated, or managed in
accordance with rigorous security and reliability standards -
potentially affecting the reliability of future elections and voter
confidence in the accuracy of the vote count" (p. 53).

Recommendations

GAO made several recommendations, primarily aimed at the federal
Election Assistance Commission (p. 53). GAO recommended that the EAC
should:

Collaborate with appropriate technical experts to define specific
tasks, outcomes, milestones, and resource needs required to improve
voting system standards;

Expeditiously establish documented policies, criteria, and procedures
for certifying voting systems; and

Improve support for state and local officials via improved
dissemination of information on voting machine software, the problems and
vulnerabilities of voting machines, and the "best practices" used by
state and local officials to ensure the security of electronic voting
machines.
