GovernmentExecutive.com

Critics and supporters of a new Pentagon-funded online voting system are digging in their heels in the debate over whether it should be scrapped over concerns that it's vulnerable to error and tampering. Now, a new dispute has developed not over the substance of the criticism, but the fact that it was aired at all.

On Jan. 20, a group of four computer scientists issued a report outlining potential information security risks associated with the Defense Department's Secure Electronic Registration and Voting Experiment (SERVE). The department plans to use the remote Internet voting system to allow some military personnel and U.S. civilians living abroad to vote electronically in the upcoming presidential election. But because of the security risks, the experts recommended that officials halt the voting experiment.

The Pentagon invited the report's authors, several of whom are well-known skeptics of electronic voting machines and Internet-based voting, to critique SERVE's technological design. But it now appears that Defense officials, as well as the contractors building SERVE, never expected the experts to publicly release a report on security concerns in advance of a fuller study of the program.

The computer experts said that running the SERVE software online makes it vulnerable to attacks by worms, viruses and other kinds of hacking. The scientists posted their findings at http://www.servesecurityreport.org.

Quickly, though, lobbyists for the information technology industry, Pentagon officials and executives of the company leading SERVE's construction dismissed the experts' warnings as a "minority report," because they were not crafted by the full panel of 10 experts reviewing the voting system.

Avi Rubin, one of the report's authors, said that SERVE officials were well aware of the publicly skeptical stance he and others had taken with respect to the security and integrity of online voting systems. Rubin, an associate professor of computer science at Johns Hopkins University, and three other experts met twice to discuss their concerns, and decided between those two meetings to release a report focused solely on the security risks they perceived, said Barbara Simons, a co-author and a member of the Association for Computing Machinery. The other six SERVE reviewers didn't contribute to the final report because it focused on areas outside their expertise, Rubin and Simons said.

The Pentagon immediately distanced itself from the findings, saying, through a spokesman, that officials were confident in the security features that had been built into SERVE, and that they still planned to use it.

An executive with Accenture, which leads the team of SERVE designers, said the experts evaluated SERVE as if it were a full-fledged system serving a potential voter pool of 6 million Americans overseas. That was misleading, because the project will probably involve no more than 100,000 volunteers, an essentially controlled environment of test subjects, said Meg McLaughlin, president of Accenture's eDemocracy Services unit.

Last week, Accenture released a number of "inaccuracies" contained in the SERVE report, which they said hadn't been corrected before the report was released publicly. The experts only corrected the contested points and issued a final report after giving draft copies to some members of the media, McLaughlin said.

But Simons countered, "That's absolutely not correct." A draft copy was released exclusively to The New York Times before the group issued its final report, Simons said, but she noted that a final, corrected copy also was released, after Defense officials and Accenture noted which points they wanted changed.

The corrected report is online today, and is the version that several news outlets used in their reporting. The Times story, in fact, ran in the newspaper two days after Simons' group posted the updated report. The Washington Post and The Los Angeles Times published similar stories the same day.

It now appears that SERVE officials were eager from the beginning to keep the security experts' findings under wraps. Defense officials asked the group to sign a non-disclosure agreement, stipulating that they wouldn't discuss their opinions publicly, Rubin and Simon said. The group refused, and the department ultimately agreed to allow them to review SERVE without promising to stay silent.

While the war of words has heated up, the debate over SERVE's risks remains. For their part, the critics say that the Internet is so lacking in security that no online voting system can ever be immune from attacks.

McLaughlin doesn't disagree. But she points out that mail-in absentee ballots can be tampered with, too, that the online system allows users to double-check their ballots before submitting them, and that election officials on the receiving end can also recheck the ballots against master records the company will maintain at a physically and electronically secure facility.

McLaughlin said the SERVE project would proceed as planned. The small group of overseas voters will participate in the general election for president in November, and she said those from the seven states participating in the project may be able to vote online in their primaries, as well.

Rubin said he doesn't expect the Pentagon will ask for his input on SERVE in the future.

"It's pretty much out of our hands," he said, adding that, based on his history of speaking out against such projects, "I wonder why they even invited me."

COMMENTS

• Too bad such hysteria is associated with this issue. Mr. Rumsfeld's new DOD develops and proves in a new electronic voting system & then it is sold to the American sheeple. Next thing you know, no more hanging chads, just American citizens that dare to speak out! Dang, sounds like the outline of a good paperback! GovExec.com reader Posted February 3, 2004 3:16 PM
• How dare they question George the Third's ability to get more illegal votes! Security of the system is no reason to stop the use of a new age voting system that anyone can hack into and increase the vote for George! After all the DoD in its great wisdom has hired Accenture to develop this most sensitive system. Remember that Accenture was part of Auther Andersen before that company went out of business because it thought that Enron was a picture of truth in its financial statements and business structure! Could Accenture have an ethical problem as well because they know that they get big big bucks from this project! I think we need an independent evaluation of this system before it is allowed to be used. Also remember that this Ptresident didn't get the majority of votes in the last election and he must do everything he can to assure there is no question about the next voting outcome. GovExec.com reader Posted February 3, 2004 6:48 AM