California grants conditional certification to the Diebold AccuVote-TSx and AccuVote-OS voting systems

Secretary of State Bruce McPherson cites security analysis

by Robert Kibrick, VerifiedVoting.org Legislative Analyst, and Pamela Smith, Nationwide Coordinator
February 22nd, 2006

On February 17, 2006, California Secretary of State Bruce McPherson granted conditional certification to Diebold's AccuVote-TSx (AV-TSx) touch screen DRE voting system (with attached voter-verifiable paper audit trail (VVPAT)) and to their AccuVote-OS (AV-OS) precinct-based optical scan voting system. This certification is conditional on counties complying with a strict set of security procedures designed to prevent or detect any unauthorized physical access to the removable memory cards used in these systems.

These memory cards are used to store ballot definitions, report-writing procedures, and either vote counts (in the OS system) or electronic ballot images (in the TSx system). During the past several months, several reports have documented serious security vulnerabilities (e.g., the "Hursti Hack") associated with the use of these cards in the AccuVote-OS system, which enabled the results of a mock election to be altered without detection.

In the press release announcing this decision, McPherson cited the findings and recommendations of a team of computer scientists from the University of California, Berkeley, who on February 14 released a detailed security analysis (commissioned by McPherson) of Diebold's AccuBasic Interpreter software. That software is used to access the voting data and to execute the report-writing procedures, both of which are stored on the removable memory cards used by both the TSx and OS systems.

In addition to confirming the previously documented security vulnerabilities associated with the use of Diebold's AccuBasic software that resides on these memory cards, the Berkeley team discovered 16 serious bugs in the AccuBasic Interpreter software contained in the OS system and 10 such bugs in the Interpreter used in the TSx system. According to the Berkeley team, these bugs "could allow an attacker to completely control the behavior of the AV-OS. An attacker could change vote totals, modify reports, change the names of candidates, change the races being voted on, or insert his own code into the running firmware of the machine."

However, the authors of the Berkeley report concluded that despite these serious security flaws in the AV-OS and AV-TSx software, "these vulnerabilities can be managed by a reasonably careful combination of short- and long-term approaches".

In the long term, they recommend not only that the bugs in Diebold's AccuBasic Interpreter be fixed, but that this software be significantly rewritten using defensive and high-assurance programming methodologies and be protected from tampering by the use of strong cryptographic methods. They further recommend that the architecture of the AV-OS and AV-TSx systems be changed so that no software is stored on the removable memory cards.

In the short term, they find that the risks posed by these vulnerabilities (especially for local elections) can be mitigated by strong controls over physical access to the memory cards for the AV-OS, generation of new cryptographic keys for the AV-TSx, and tight control of access to the Diebold GEMS system, which is used both to centrally tabulate votes and to initialize these removable memory cards.
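The two recommendations above (protect the card contents cryptographically, and regenerate per-election keys) can be illustrated with a small added example; this is not Diebold's code nor code from the Berkeley report, and the card layout, field names and key are all constructed for the illustration. It shows a reader that refuses to hand a memory card's report script to the interpreter unless an integrity tag computed under the current election key checks out, so a card whose ballot definition or script was altered after initialization is rejected rather than executed.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the content of a removable memory card: the real
# cards hold a ballot definition and AccuBasic report scripts; here both are text.
CARD_FIELDS = ("election_id", "ballot_definition", "report_script")


def _canonical(body: dict) -> bytes:
    # Canonical serialisation so that field reordering cannot evade the tag.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def seal_card(card: dict, key: bytes) -> dict:
    """Return a copy of the card carrying an HMAC-SHA256 tag over its content.

    `key` stands in for the per-election key the report says should be
    regenerated; the assumption here is that the system initializing the card
    (GEMS, in Diebold's architecture) holds it.
    """
    body = {k: card[k] for k in CARD_FIELDS}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify_card(sealed: dict, key: bytes) -> bool:
    """True only if the tag matches the content under `key`."""
    try:
        body = {k: sealed[k] for k in CARD_FIELDS}
        tag = sealed["tag"]
    except KeyError:          # missing field or missing tag: never accept
        return False
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)   # constant-time comparison


def load_report_script(sealed: dict, key: bytes) -> str:
    """Gate in front of the interpreter: unverified cards are refused."""
    if not verify_card(sealed, key):
        raise ValueError("memory card failed integrity check; refusing to interpret")
    return sealed["report_script"]


def demo() -> tuple:
    key = b"constructed-election-key-2006"        # constructed sample key
    card = {"election_id": "2006-primary",        # constructed sample card
            "ballot_definition": "contest 1: candidate A; candidate B",
            "report_script": "PRINT TOTALS"}
    sealed = seal_card(card, key)
    tampered = dict(sealed, ballot_definition="contest 1: candidate B; candidate A")
    stale_key = seal_card(card, b"constructed-election-key-2004")
    return (verify_card(sealed, key), verify_card(tampered, key), verify_card(stale_key, key))
```

A symmetric HMAC means the verifying machine must also hold the key; a digital signature verified with a public key on the machine would keep the signing key off the polling-place hardware entirely, which is closer to what "strong cryptographic methods" would mean in practice.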

In describing these short-term mitigation strategies, the Berkeley authors state (emphasis added) that while such strategies may be viable for local elections, they might not provide sufficient protection in the case of statewide elections:

"While these strategies do not completely eliminate all risk, we expect they would be capable of reducing the risk to a level that is manageable for local elections in the short term. In the longer term, or for statewide elections, the risks of not fixing the vulnerabilities in the AccuBasic Interpreter become more pronounced. Larger elections, such as a statewide election, provide a greater incentive to hack the election and heighten the stakes... For statewide elections, or looking farther into the future, it would be preferable to fix the vulnerabilities discussed in this report."

Despite those concerns, Secretary McPherson has elected to permit the use of both the AV-OS and AV-TSx systems for statewide elections in California this year, conditional on counties implementing the short-term mitigation strategies defined in the Berkeley report. While Secretary McPherson should be commended for commissioning that report and for at least delaying certification of these systems until that report was completed, it appears that he has applied those short-term mitigation strategies more broadly than the report's authors may have intended.

If these mitigation strategies are to have any hope of being effective, then Secretary McPherson must ensure that counties take them seriously. Unfortunately, some California counties have a history of lax compliance with prudent security procedures. For example, in San Diego County's first deployment of the AV-TSx in the March 2004 primary election, those machines were stored -- minimally "secured" with removable stickers instead of tamper-evident security seals -- in the homes of poll workers for several weeks prior to the election. (Due to numerous system failures of the AV-TSx system in that election, it was promptly decertified in April 2004.)

This raises an important policy question: how will Secretary McPherson ensure that these short-term mitigation strategies are effectively implemented by the counties? The press release announcing conditional certification of these Diebold systems states that: "The Secretary of State reserves the right to monitor activities before, during, and after the election at any precinct or registrar of voters' office...". The Secretary must deploy sufficient staff to such locations (particularly in those counties with a history of lax compliance) to ensure that these mitigation strategies are properly carried out.

Further, Verified Voting strongly questions the wisdom of permitting counties to make new purchases of either the Diebold AV-OS or AV-TSx systems, at least until such time as Diebold has successfully implemented and obtained federal certification for the longer-term solutions recommended in the Berkeley report. It is one thing to apply interim mitigation strategies to systems that are already deployed. It is quite another to permit counties to expend public funds to purchase new systems known to have serious security flaws that can only be partially addressed via the application of mitigation strategies, especially when there are alternative, certified solutions available.

Finally, only the rigorous use of manual audits of the voter-verified paper records, as required by California law, will provide any chance of detecting and correcting voting system problems that evade other safeguards. As an added precaution, counties using conditionally-certified equipment should give serious consideration to increasing the percentage of precincts that are audited. No state should construe the Berkeley report's recommended mitigation strategies as sufficient to allow the use of these voting systems if this most critical safeguard (i.e., systematic manual audits of the voter-verified paper records) is not already in place.
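As an added illustration of why the audited percentage matters (not from the page, the Berkeley report, or California's audit statute), the function below computes the chance that a uniformly random manual tally of a given number of precincts lands on at least one miscounted precinct. It assumes precincts are drawn at random and that a miscounted precinct is always caught once its paper records are hand counted; the precinct counts used are constructed.

```python
from math import comb


def detection_probability(precincts: int, corrupted: int, audited: int) -> float:
    """Probability that a random audit of `audited` precincts out of `precincts`
    includes at least one of `corrupted` miscounted precincts (hypergeometric)."""
    if not 0 <= audited <= precincts or not 0 <= corrupted <= precincts:
        raise ValueError("sample and corrupted counts must lie within the precinct count")
    if corrupted == 0:
        return 0.0                      # nothing to detect
    if audited > precincts - corrupted:
        return 1.0                      # sample cannot avoid every corrupted precinct
    # Chance the sample misses every corrupted precinct, then its complement.
    p_miss = comb(precincts - corrupted, audited) / comb(precincts, audited)
    return 1.0 - p_miss


def audit_size_for_confidence(precincts: int, corrupted: int, confidence: float) -> int:
    """Smallest audit sample whose detection probability reaches `confidence`."""
    for sample in range(precincts + 1):
        if detection_probability(precincts, corrupted, sample) >= confidence:
            return sample
    return precincts


def compare_audit_rates(precincts: int = 500, corrupted: int = 20) -> dict:
    """Detection probability at a few audit percentages (constructed county size)."""
    return {pct: detection_probability(precincts, corrupted, precincts * pct // 100)
            for pct in (1, 5, 10)}
```

With 20 miscounted precincts out of 500, a 1% audit (5 precincts) catches the problem less than one time in five, while a 10% audit catches it close to nine times in ten.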

Verified Voting is continuing to study the Berkeley report and Secretary McPherson's certification order and will post additional commentary and analysis later this month.