Misleading Attacks on California Secretary of State Bowen’s Decision to Limit Electronic Voting

[courtesy of California Progress Report]

By Julie Millican
Media Matters for America

Summary: While reporting on California Secretary of State Debra Bowen's decision to decertify the state's electronic voting machines in light of a study that found the systems are vulnerable to security breaches, numerous media outlets attacked the study's "unrealistic" methodology or uncritically reported criticism of the study's premise, without noting the researchers' explanation for their methods.

In his August 8 Sacramento Bee column, Dan Walters criticized California Secretary of State Debra Bowen's (D) decision to decertify most of the state's electronic voting machine systems following a state-commissioned study that found the systems are vulnerable to security breaches, as Courage Campaign founder Rick Jacobs noted in a blog post at The Huffington Post critical of Walters' argument. Walters asserted that it "is not surprising" that the systems were found to be vulnerable, given the "unrealistic circumstances of the tests. Among other things, the hackers were supplied with source codes and other confidential information, and they ignored the security procedures that election officials employ." But in simply repeating this criticism, Walters and numerous media outlets that reported criticism of the study's allegedly "unrealistic" methodology -- including The Washington Post, the Associated Press, the Los Angeles Times, and the San Francisco Chronicle -- did not address the explanation given in the report itself for the conditions under which the testers worked.

After discussing "techniques" by which hackers "can discover secrets that companies and organizations wish to keep hidden" and providing examples of "organizations," such as the DVD Copyright Control Association, being "unaware of their own leaking of information," the University of California, Davis researchers who conducted the study concluded: "Thus, the statement that attackers could not replicate what red team testers do, because the red team testers have access to information that other attackers would not have, profoundly underestimates the ability and the knowledge of attackers, and profoundly overestimates the infallibility of organizations and human nature." In other words, the research was conducted under the presumption that potential hackers would have access to sensitive information relating to the machines, given hackers' proven adeptness at obtaining protected information.

According to the UC study: