Monday, July 23, 2007

Why VVPAT Is not Enough

The University of Connecticut has released a new report on the Diebold TSx touch-screen DRE.

The primary finding is that in a "sleepover" situation, where the TSx DRE is sent home with the poll worker days (or, in the case of San Diego, weeks) ahead of time, it is possible to alter the ballot definitions of the DRE. The alteration causes the votes for two candidates to be exchanged. Thus, the voter touches the screen next to the name of John Smith, the screen lights up the selection for John Smith, the voter-verifiable paper audit trail prints the name John Smith, but nonetheless the invisible electronic ballot accrues the vote to Pocahontas. Similarly, voters intending to vote for Pocahontas would have their votes accrue to John Smith. This is a straight-up exchange of votes between two candidates.
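Because the exchange described above leaves the paper trail and the electronic tally disagreeing, a hand count of the VVPAT compared against each machine's electronic totals is the check that exposes it. The following is an added example, not code from the report or from this post; the machine IDs and all counts are constructed sample data, and the function names are hypothetical.

```python
# Added example: reconcile hand-counted VVPAT totals with DRE electronic totals.
# Machine IDs and vote counts are constructed; candidate names come from the post.

def reconcile(paper, electronic):
    """Return (status, names): 'match', 'swap' (pairwise exchange), or 'mismatch'."""
    names = sorted(set(paper) | set(electronic))
    off = [n for n in names if paper.get(n, 0) != electronic.get(n, 0)]
    if not off:
        # Note: a swap between two candidates with equal counts is invisible in
        # totals, so a clean match on one machine is not proof of integrity.
        return ("match", ())
    if len(off) == 2:
        a, b = off
        # Signature of an exchange: each electronic total equals the other's paper total.
        if electronic.get(a, 0) == paper.get(b, 0) and electronic.get(b, 0) == paper.get(a, 0):
            return ("swap", (a, b))
    return ("mismatch", tuple(off))

def audit(machines):
    """machines: {machine_id: (paper_totals, electronic_totals)} -> flagged machines only."""
    findings = {}
    for machine_id, (paper, electronic) in machines.items():
        status, names = reconcile(paper, electronic)
        if status != "match":
            findings[machine_id] = (status, names)
    return findings

SAMPLE = {  # constructed data
    "unit-01": ({"John Smith": 212, "Pocahontas": 145, "Write-in": 3},
                {"John Smith": 212, "Pocahontas": 145, "Write-in": 3}),
    "unit-02": ({"John Smith": 198, "Pocahontas": 131, "Write-in": 2},
                {"John Smith": 131, "Pocahontas": 198, "Write-in": 2}),
    "unit-03": ({"John Smith": 90, "Pocahontas": 90, "Write-in": 1},
                {"John Smith": 90, "Pocahontas": 90, "Write-in": 1}),
    "unit-04": ({"John Smith": 150, "Pocahontas": 120, "Write-in": 0},
                {"John Smith": 150, "Pocahontas": 117, "Write-in": 0}),
}

if __name__ == "__main__":
    for machine_id, finding in audit(SAMPLE).items():
        print(machine_id, finding)
```

The check only has value if the paper is actually counted by hand and compared; an unexamined VVPAT roll detects nothing.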

The report also mentions how to suppress the display of a given candidate.

The tools needed for either of these exploits are:
    1) a laptop with a PCMCIA card reader,

    2) one of the following three: a screwdriver, lock-picking skills, or a hotel mini-bar key, and

    3) the desire to "take one for the team" and commit a felony to further your candidate.

It must be stressed that all of this was discovered with nothing more than access to the DRE machine. There was no access to any information an election official would not normally have, or any information which a determined citizen could not find out during a DRE sleepover prior to an election.

The takeaway here is that if you can poison the well (the computer programming and/or configuration files in the DRE), everything which proceeds from the DRE is potentially corrupted as well. You end up with consistent election records, but not accurate election records.


