Three of California's electronic voting systems -- including those used in Orange, Riverside, San Bernardino and Ventura counties -- can be easily hacked into, potentially compromising millions of votes, according to a detailed review announced Friday.
Makers of Los Angeles County's InkaVote system did not submit its equipment in time, so it wasn't included, said Secretary of State Debra Bowen, who requested the study. The three systems evaluated, used by more than two-thirds of California's counties, also had problems with accessibility requirements for disabled and non-English-speaking voters.
The findings of what some believe to be one of the most comprehensive electronic voting studies to date come as California registrars rush to prepare for the state's presidential primary election Feb. 5. Bowen must analyze the report's conclusions under pressure: Her deadline to decide which equipment to use in the primary is Aug. 3.
Over two months, dozens of experts in information technology organized by the University of California tested machines made by Diebold Election Systems, Hart InterCivic and Sequoia Voting Systems. The analysts tried to infiltrate the three systems physically and electronically, without the safeguards that voting machine vendors or counties might use.
"Under these conditions, the technology and security of all three systems could be compromised," the review said.
For example: Testers accessed the insides of Sequoia machines by prying open seals or unscrewing external screws to bypass locks. The experts connected to secure data in a Diebold machine by hacking into its Windows operating system.
Testers "were able to bypass both physical and software security in every system they tested," Bowen said. "The severity of what it means, whether counties have adapted [security] procedures already
"Our very existence as a democracy is dependent on our having voting systems that are secure, reliable and accurate."
Not all election officials agreed with the report's findings. "Right now, I don't see any smoking gun, honestly," said Stephen L. Weir, Contra Costa County's clerk-recorder and registrar of voters, and president of the California Assn. of Clerks and Election Officials. Weir criticized the review for excluding real-life security measures, such as placing a voting machine server in a secured room.
L.A. County Registrar-Recorder Conny McCormack declined to comment.
Sequoia is "very anxious to review the findings, give appropriate feedback and supply information," spokeswoman Michelle M. Shafer said. "However, we will need adequate time to dissect the reports, discuss them internally and draft our response so that we can share it, including correcting any errors and framing the report assertions in the context of an actual election environment."
Hart InterCivic offered similar criticisms of Bowen's review, saying it "demonstrates an advanced, malicious attack in a laboratory environment." The Austin-based company suggested physically securing buildings where voting machines are located as well as tightening election data delivery procedures.
Diebold also condemned the review, questioning in a letter to Bowen why no election officials were included in the testing. "We believe that when used in conjunction with proper security procedures and protocols, our voting solutions ... reduce voter errors and ensure that every vote is safe, secure and accurate," a company spokesman said in a statement.
Election watchdog groups applauded the review, with one saying it corroborated the group's own findings.
"The key thing our organization is worried about is the people working inside the system," said Bev Harris, founder of Black Box Voting, a nationwide voting watchdog group based near Seattle. "It forces the citizens to put just blind trust in officials, which is not how the government works."
Bowen will hold a public hearing on the report at 10 a.m. Monday in Sacramento. The report can be found on the secretary of state's website, www.sos.ca.gov.