Friday, July 22, 2005 | On June 1, 2005, I received a consumer alert from It indicated that when the Diebold optical scan voting machines in Leon County, Fla., were tested, they were “hacked” (altered) in three different ways. The complete report is at

I had been aware of the hacking problem, as well as other problems, with the touch-screen voting systems from Diebold and that the state of California had decertified such machines. San Diego County has spent about $31 million on such touch-screen systems, which still have yet to be certified. The contract specified a printer be associated with the touch-screen systems and that hasn’t occurred either.

My opinion is that all of these machines should be subject to a product return because the system design could lead to vote manipulation, which means that votes would not be counted accurately. But I had thought that the optical scan voting machines were secure. What really disturbed me in reading the report was that the machines could be hacked by one person and that such vulnerabilities had not been caught by those entrusted with certifying such machines. So I decided to investigate what occurs with getting a voting machine certified.

When Congress passed the Help America Vote Act, it didn’t provide funds for testing the electronic voting machines. Instead, there are three private companies – whose main business is with the defense industry – that are paid by the vendors of this equipment to test them. Those companies will not divulge what steps or procedures are used for the testing, and they indicate that all inquires are to be directed to the Election Assistance Commission via the National Association of State Election Directors.

Even though their testing and certification processes are unable to be known, the laws in most states require electronic voting machines be certified before use in an election. California is one of those states. And both the Secretary of State’s office and the San Diego County Registrar of Voters are also supposed to be ascertaining the capabilities and functioning of these electronic voting machines.

Yet, despite all of the bureaucracy, these Diebold machines could be hacked by one person.

So what does HAVA say about this? Well, nothing. The only “standards” are those issued by the Federal Election Commission or the state’s election laws. It’s worth pointing out that the entire standards program is voluntary and nothing binds the Secretaries of State.

Well, what does HAVA say? The facts are that:

So, given the obvious failing of the Independent Testing Authority and NASED to catch this computer security issue with the Diebold optical scanning machines used in San Diego County, whose responsibility is it?

According to NASED, “certification” of a voting system is done at the state level and is a process between the vendor and the specific state where the system is to be sold. Obviously, both the Secretary of State’s office and the County Registrar of Voters office missed this system vulnerability.

Which leads to the question: Who is doing the certification at the state and county level? A task force was convened by Secretary of State Kevin Shelley – when he was in office – who recommended that the state create a Technical Oversight Committee. See

However, there is just one individual, Steve Freeman, doing such work at this time. Regarding the AccuVote-OS v.1.96.4 system used in San Diego County, the Secretary of State’s office documentation indicates that “certification testing” was done at the Diebold office in Coppell, Texas.

The testing, which was done from July 19 to July 22, 2004, noted system errors with specific .abo files. (An .abo file is the file format used to communicate between system components.) Wyle Laboratories was the only independent testing authority used. But the NASED indicates that the only companies approved to do software testing are Ciber and Systest, not Wyle.

NASED and ITA released their report on May 30, 2003 – more than a year before the California evaluation. The report indicated that multiple security issues existed, including the serial port used for uploading of “official” results.

The California evaluator, Steve Freeman, indicated that for this system:

1. The .abo files that are obsolete or inappropriate must be physically deleted by Diebold.

The Secretary of State’s record of the actual certification indicates that only number five on the above list of the evaluator’s recommendations was addressed.

I was unable to determine whom, if anyone, at the Registrar of Voters is tasked with testing or certifying the voting machines.

Additionally, the state’s procedures report indicates that the memory cards – the component that can be hacked by one person without any trace – do not come within the purview of Elections Code 17301-17306. This means that the results tabulated on the memory cards do not have to be retained for the 22-month period associated with other voting records. This is contrary to the U.S. Department of Justice findings.

Moreover, the above referenced system is certified to the FEC standards of 1990, not the 2002 FEC standards.

Because San Diego is having an election on July 26, and elected officials have fiduciary responsibilities to the voters who entrust them with running the government efficiently, I provided all county supervisors and all candidates for mayor with the report showing how the machines can be hacked. The County Registrar’s office was aware of the report and refused my request to examine the systems here in San Diego even though election officials are fiduciaries of the citizens, and should exercise their duties in such a manner as to increase voter understanding of and confidence in the election process. Only Jim Bell and Donna Frye responded to my provisioning of the report.

So, on July 26, unless you use a paper ballot, you can’t be sure that your vote will be your vote.

Bruce Sims is a 25-year computer professional, a consumer/community activist and member of and

Leave a comment

We expect all commenters to be constructive and civil. We reserve the right to delete comments without explanation. You are welcome to flag comments to us. You are welcome to submit an opinion piece for our editors to review.

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.