Is Ohio voting software vulnerable to fraud? Court to hear Election Day case

A local candidate says a crucial piece of Ohio vote-tallying software was not properly vetted by the state and could be hacked. A judge will hear the case on Election Day and decide whether to grant an injunction against use of the software Tuesday.

A federal lawsuit filed Monday in Columbus, Ohio, charges the secretary of state's office with illegally installing untested software on voting systems in dozens of counties – a step that creates a digital “back door,” which someone wishing to alter vote totals might be able to exploit.

With Ohio seen as perhaps the most pivotal state in the presidential election, it is being closely watched for the slightest sign of irregularities.

The suit seeks a temporary injunction to prevent the state from using the software in Tuesday's election. A hearing is scheduled for 10 a.m. in the US District Court for the southern district of Ohio, eastern division. If granted, an injunction could prevent Ohio votes from being formatted by the new software and sent to the office of Secretary of State Jon Husted (R) after polls close.     

The suit alleges that the secretary of state's office used a legal loophole to install software on electronic voting systems in 39 counties across the state without having it checked by the Ohio Board of Voting Machine Examiners, the state's technical board charged with reviewing elections software. State officials say they have followed federal guidelines and that the equipment is secure.

The software is installed on the central vote-tabulation machines in the counties. It is designed to make the process of tabulating votes faster and more accurate. Previously, reports generated by counties' tabulation systems would have to be entered by hand. The new software formats the reports so they can be more easily uploaded into the secretary of state's election system, says Matt McClellan, a spokesman for the Ohio secretary of state's office.

If the software was not properly vetted, though, it could be vulnerable to tampering, the suit alleges. In an affadavit supporting the filing, James March, an expert witness on voting machines, testifies that the 28-page contract between the state and the firm that sells the software describes in detail the requirements for the software – showing that a third-party could gain access to county vote totals.

Election Systems & Software, Inc. "installed a 'back door' into such hardware and software that enables persons who are not under the supervision and control of defendant Husted, and who are not under the supervision and control of Ohio’s boards of elections, to access the recording and tabulation of votes using facilities not under the control of defendant Husted or Ohio’s boards of elections," the federal complaint maintains.

A "back door" is a secret way of entering software or a network – sometimes left by the designing company so that it can go back later and make updates – but is also vulnerable to hackers.

Robert Fitrakis, the Green Party candidate for Congress who filed the suit, alleges that the secretary of state's office eluded the examining board's scrutiny by deeming the software "experimental," because last-minute fixes under that moniker do not require certification and testing. Mr. Fitrakis says the ES&S contract was leaked to FreePress.org, of which he is editor.

"We have a law in Ohio that requires a review of any change or addition to equipment or software in the election process by a publicly accountable board," says Clifford Arnebeck, attorney for Fitrakis. "That didn't happen here. It's only because this copy of the contract was leaked to Free Press that we know about it."

Secretary of state spokesman Mr. McClellan, however, maintains that the software is benign and not required by law to be reviewed because it does not access or tally any votes, but only formats them for transmission to the secretary of state's office. 

"It's a ridiculous lawsuit," he says. "We've not made any software patch, update, or change to the tabulation system these counties are using. We haven't touched them."

Additionally, he says, a federal agency told his office that no review was needed.

"We reached out to the Federal Election Assistance Commission, which has to approve any software or voting equipment that's going to be used," he adds. "They said this didn't meet the criteria needed for certification [by the state board] – that it was fine, there were no issues with it, because we're not changing the system."

But Mr. March, a Pima County, Ariz. electronic-voting machine expert, in his affadavit argues that the software "would have full contact with the central tabulator database on both a read and write basis, while running on the same computer as where the 'master vote records' are stored."

Under this approach, he adds, a case of accidental damage to critical election data is a possibility – and "deliberate tampering of that data using uncertified, untested software would be child's play."