Schneier on Security
A blog covering security and security technology.
July 5, 2006
Brennan Center Report on Security of Voting Systems
I have been participating in the Brennan Center's Task Force on Voting Security. Last week we released a report on the security of voting systems.
From the Executive Summary:
In 2005, the Brennan Center convened a Task Force of internationally renowned government, academic, and private-sector scientists, voting machine experts and security professionals to conduct the nation's first systematic analysis of security vulnerabilities in the three most commonly purchased electronic voting systems. The Task Force spent more than a year conducting its analysis and drafting this report. During this time, the methodology, analysis, and text were extensively peer reviewed by the National Institute of Standards and Technology ("NIST").
The Task Force examined security threats to the technologies used in Direct Recording Electronic voting systems ("DREs"), DREs with a voter verified auditable paper trail ("DREs w/ VVPT") and Precinct Count Optical Scan ("PCOS") systems. The analysis assumes that appropriate physical security and accounting procedures are all in place.
Three fundamental points emerge from the threat analysis in the Security Report:
- All three voting systems have significant security and reliability vulnerabilities, which pose a real danger to the integrity of national, state, and local elections.
- The most troubling vulnerabilities of each system can be substantially remedied if proper countermeasures are implemented at the state and local level.
- Few jurisdictions have implemented any of the key countermeasures that could make the least difficult attacks against voting systems much more difficult to execute successfully.
There are a number of steps that jurisdictions can take to address the vulnerabilities identified in the Security Report and make their voting systems significantly more secure. We recommend adoption of the following security measures:
- Conduct automatic routine audits comparing voter verified paper records to the electronic record following every election. A voter verified paper record accompanied by a solid automatic routine audit of those records can go a long way toward making the least difficult attacks much more difficult.
- Perform "parallel testing" (selection of voting machines at random and testing them as realistically as possible on Election Day.) For paperless DREs, in particular, parallel testing will help jurisdictions detect software-based attacks, as well as subtle software bugs that may not be discovered during inspection and other testing.
- Ban use of voting machines with wireless components. All three voting systems are more vulnerable to attack if they have wireless components.
- Use a transparent and random selection process for all auditing procedures. For any auditing to be effective (and to ensure that the public is confident in such procedures), jurisdictions must develop and implement transparent and random selection procedures.
- Ensure decentralized programming and voting system administration. Where a single entity, such as a vendor or state or national consultant, performs key tasks for multiple jurisdictions, attacks against statewide elections become easier.
- Institute clear and effective procedures for addressing evidence of fraud or error. Both automatic routine audits and parallel testing are of questionable security value without effective procedures for action where evidence of machine malfunction and/or fraud is discovered. Detection of fraud without an appropriate response will not prevent attacks from succeeding.
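The audit, random-selection and response recommendations above describe a procedure without fixing a mechanism. The following is an added example, not code from the Brennan Center report or from this post, sketching how the pieces fit together: a seed derived from dice rolled in public (an assumption of this example; the report prescribes no particular randomness source), a precinct selection anyone can recompute from that seed, a comparison of hand-counted paper records against the electronic tally, and an escalation rule. The precinct names, vote counts, and the tampered precinct are constructed sample data.

```python
"""Post-election audit sketch: verifiable random precinct selection,
paper-vs-electronic comparison, escalation, and detection odds.

Added example, not code from the Brennan Center report.  The dice-roll
seed and the hash 'lottery' selection are this example's assumptions
about how a transparent, reproducible random selection could be done.
"""
import hashlib
from math import comb

# Constructed sample data (not from the report).  ELECTRONIC is what the
# machines reported per precinct; PAPER is the hand count of the
# voter-verified paper records for the same precinct.
CANDIDATES = ("Adams", "Jefferson")
ELECTRONIC = {f"P-{i:02d}": {"Adams": 400 + 7 * i, "Jefferson": 380 + 5 * i}
              for i in range(1, 21)}
PAPER = {pid: dict(tally) for pid, tally in ELECTRONIC.items()}
# Simulate one tampered machine: 30 votes moved from Jefferson to Adams in
# the electronic tally only, so the paper record for P-07 disagrees.
ELECTRONIC["P-07"]["Adams"] += 30
ELECTRONIC["P-07"]["Jefferson"] -= 30


def seed_from_public_dice(rolls):
    """Turn dice rolled in public (assumed ten-sided, recorded in order)
    into a 256-bit seed that anyone can recompute from the published rolls."""
    if not rolls or any(r not in range(10) for r in rolls):
        raise ValueError("rolls must be digits 0-9 from the public dice")
    return hashlib.sha256("".join(str(r) for r in rolls).encode()).digest()


def select_precincts(precinct_ids, sample_size, seed):
    """Give every precinct a ticket SHA256(seed || id); the lowest tickets
    win.  Deterministic given the seed, so observers can check the result,
    and no ticket can be predicted before the dice are rolled."""
    if not 0 < sample_size <= len(precinct_ids):
        raise ValueError("sample_size out of range")

    def ticket(pid):
        return hashlib.sha256(seed + pid.encode()).hexdigest()

    return sorted(sorted(precinct_ids), key=ticket)[:sample_size]


def compare_tallies(selected, electronic, paper):
    """Return {precinct: {candidate: (electronic, paper)}} for every
    candidate whose electronic and paper counts differ."""
    discrepancies = {}
    for pid in selected:
        diff = {}
        for cand in CANDIDATES:
            e, p = electronic[pid].get(cand, 0), paper[pid].get(cand, 0)
            if e != p:
                diff[cand] = (e, p)
        if diff:
            discrepancies[pid] = diff
    return discrepancies


def detection_probability(total, corrupted, sample_size):
    """Chance that a uniform sample (without replacement) of sample_size
    precincts includes at least one of the corrupted ones."""
    if corrupted <= 0:
        return 0.0
    if sample_size > total - corrupted:
        return 1.0
    return 1 - comb(total - corrupted, sample_size) / comb(total, sample_size)


def run_audit(electronic, paper, dice_rolls, sample_size):
    """Seed, select, compare, decide.  Any discrepancy escalates to a full
    hand count (this example's assumed response rule): detection without a
    defined response does not stop an attack."""
    seed = seed_from_public_dice(dice_rolls)
    selected = select_precincts(list(electronic), sample_size, seed)
    found = compare_tallies(selected, electronic, paper)
    return {
        "seed": seed.hex(),
        "selected": selected,
        "discrepancies": found,
        "escalate_to_full_hand_count": bool(found),
    }


if __name__ == "__main__":
    rolls = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9, 7, 9, 3, 2, 3, 8, 4]
    result = run_audit(ELECTRONIC, PAPER, rolls, sample_size=5)
    print("selected:", result["selected"])
    print("discrepancies:", result["discrepancies"])
    print("escalate:", result["escalate_to_full_hand_count"])
    print("P(detect 1 bad precinct of 20, sampling 5) =",
          round(detection_probability(20, 1, 5), 3))
```

The hypergeometric calculation is the part officials most often skip: sampling 5 of 20 precincts catches a single tampered precinct only 25% of the time, which is why the sample size has to be chosen against the number of precincts an attacker would need to alter to flip the result, not picked as a fixed percentage.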
The report is long, but I think it's worth reading. If you're short on time, though, at least read the Executive Summary.
The report has generated some press. Unfortunately, the news articles recycle some of the lame points that Diebold continues to make in the face of this kind of analysis:
Voting machine vendors have dismissed many of the concerns, saying they are theoretical and do not reflect the real-life experience of running elections, such as how machines are kept in a secure environment.
"It just isn't the piece of equipment," said David Bear, a spokesman for Diebold Election Systems, one of the country's largest vendors. "It's all the elements of an election environment that make for a secure election."
"This report is based on speculation rather than an examination of the record. To date, voting systems have not been successfully attacked in a live election," said Bob Cohen, a spokesman for the Election Technology Council, a voting machine vendors' trade group. "The purported vulnerabilities presented in this study, while interesting in theory, would be extremely difficult to exploit."
I wish The Washington Post had found someone to point out that there have been many, many irregularities with electronic voting machines over the years, and that the lack of convincing evidence of fraud is exactly the problem with systems that cannot be audited. Or that the "it's all theoretical" argument is the same one that software vendors used to use to discredit security vulnerabilities before the full-disclosure movement forced them to admit that their software had problems.
Posted on July 5, 2006 at 6:12 AM
The only people who have the power to fix the problems have the problems to thank for putting them into power. Fixing means their political suicide; keeping the system broken means their political survival.
It's simple and straightforward.
@roy: almost all government positions involve (job) suicide as a reward for success. That's why the British still have a guy standing at Dover with binoculars looking for Napoleon, and a guy standing next to him with binoculars looking for Hitler.
One problem with the study is that while it looks at each class of voting machine, it does not specifically say which attacks may work against a given machine. In my jurisdiction (Travis County (Austin), Texas), we use the Hart eSlate machines, without a paper trail. The County Clerk here is steadfastly opposed to including a paper trail, saying that it will cause more problems than it is worth, and that her machines are just fine without it, thank you.
And, of course, since changing course might involve spending more money, the Commissioners' Court here is loath to do anything as well.
I guess until we have an election demonstrably stolen by these devices, we are stuck with them...
Again, the question is externalities: the price for failure of the machines is borne by the voters for the losing party, who are by definition not empowered to do anything about it.
It amazes me that Diebold can build a rock-solid well audited ATM machine which rarely malfunctions, and yet can't do the same, or even employ the same technologies, in their voting machines. They just aren't motivated. Maybe NIST can generate a standard.
"It is difficult to get a man to understand something when his salary depends upon his not understanding it."
-- Upton Sinclair
@IndustryInsider writes that state election officials appear surprised at the expectation that election-related programs and activities ought to be subject to rigorous security procedures and audits.
The odd thing is, these same officials are generally quite diligent when it comes to the management of funds. State money is carefully tracked, and if some state employee improperly makes off with even petty cash, in the natural order of things this will be discovered because of the accounting procedures designed to prevent it.
Perhaps we ought to somehow place monetary value on votes. If each accurately-counted and authenticated vote were worth $10 to the state (say), and the *loss* of such a vote cost the state real money, and the generation of fake votes were regarded as legally equivalent to currency forgery, then perhaps state officials might undergo the gestalt switch that would allow them to regard the election system as worthy of high-grade security.
"It amazes me that Diebold can build a rock-solid well audited ATM machine which rarely malfunctions, and yet can't do the same, or even employ the same technologies, in their voting machines."
Dave: Is that a bald assertion or from personal knowledge? I have a guy sitting next to me, who used to work on ATMs for a living who would disagree with you. Granted, his information is 10 years old...
They're talking about this on NPR right now. The "we don't need to change anything" voice was mostly arguing that voter confidence is high, ergo everything is just fine.
This pretty much took my voter confidence out behind the barn and shot it, but then I read this blog.... Maybe others out there would be impressed by a 10 ton vault door they never close or lock.
Lawrence Norden of the Brennan Center was on Diane Rehm's radio show on WAMU (Washington, D.C.) this morning to discuss the report, along with Avi Rubin and a few other guests. An audio stream will be available later today from this URL:
@David: Great Quote from Sinclair
Thank you for your work on this Bruce. With all the focus we, as a nation, are putting on securing ourselves from terrorist attacks, we are ignoring several key areas where our nation's core values are being challenged. The consolidation of power in the Executive branch (possibly upsetting the "checks and balance" system which was the true genius decision of America's founders), the movement of legal enforcement from state level to federal level, and paperless electronic voting are among the biggest issues the nation is largely ignoring.
I often feel powerless to influence the course our nation is taking, but I am comforted to see someone of your stature working on this issue.
Quotes like the one you included, "This report is based on speculation rather than an examination of the record. To date, voting systems have not been successfully attacked in a live election," show the ignorance of those currently involved in developing and deploying these electronic systems. Ignoring the ease with which elections could be manipulated, hacking the election would be the crown jewel in any hacker's list of achievements. I always remind myself of the greatest hack of all time from none other than Ken Thompson: http://www.acm.org/classics/sep95/
In fact, we should credit whoever titled the Washington Post article:
" A Single Person Could Swing an Election "
In retrospect the summary on the Brennan report should have opened with a much simpler and clearer statement. Something like:
" With current voting systems, a single person in the wrong place could change votes and swing an election. We cannot be certain that past elections have not been corrupted. We can do better. "
While not offering nearly as many syllables per word, the meaning is clearer. :)
In my perfect world, I would have the same audit rules for voting machines as are used for slot machines in Nevada. Severe audit procedures and inspection with actual legal authority. Of course it will never happen. This is a game that is rigged to favor the house.
if these recommendations were implemented, people like the former ceo of diebold would be robbed of their ability to keep promises to deliver states, e.g., ohio, to the candidate of their choice. that's almost like disenfranchisement.
Why invent a time machine to go back and change the past, when you can hack a vote and change the future?
(And this is assuming that the source code is "impartial").
But we have nothing to worry about, right? I mean, no American would stoop to stealing another person's vote, right? Pah! Rubbish! We're better than that.
C'mon folks...wake up. Smell the toast...that's your vote too.
Bruce, keep up the good work with this project, and imbue your peers with the importance of their mission.
There are few things more sacred in this land than a single vote.
I am just sorry we can't stick with the punched-card system we had for the last (40?) years. Cheap (never mind already paid for). Reliable. Effective. Easy to use. Portable. The only real possibility for fraud at the precinct is putting out false labels, which could be easily countered by publishing the official ones in the newspaper ahead of time.
The system was as verifiable as anything can be. And recounts involve the exact same media as "first counts".
But you can't use a pencil if a word processor would be almost as good and only cost 7,000x more, so I guess that's progress.
There is an actual case of fraud under investigation in The Netherlands. At the last municipal elections the person manning the (Nedap, not Diebold) voting machine got a whole lot more votes than expected based on results in other precincts.
Unfortunately, these machines are totally closed (this is required by law) and do not produce a paper trail, so that checking this was not easy. The government asked the people who voted there to tell them (again!) who they voted for, and will check that against the electronic results.
The case is mentioned in the latest newsletter of Dutch digital rights organisation Bits of Freedom (http://www.bof.nl/nieuwsbrief/nieuwsbrief_2006_14.html). I haven't been able to find any English language sources unfortunately.
"I guess until we have an election demonstrably stolen by these devices, we are stuck with them..."
How would we know an election was stolen?
Well, if somebody hacked the system and made Bugs Bunny sweep 10,000% of the vote -- 100 times the number of registered voters -- that would cinch it. But as long as only registered candidates appeared in the results and the figures weren't too far out of whack, nobody could prove there was any funny business.
P.S. Am I the only one who knows who Donald Segretti was? Imagine his ilk loose in the computer age. Think of hacking experts turning script kiddies loose with re-electioneering software.
There is already very clear evidence of massive fraud in electronic vote counting. Exit poll results in both 2000 and 2004 are significantly different than official election results. The difference is highly pronounced in key states such as Florida and Ohio. This is as close to a smoking gun as one can get with non-auditable DREs.
Furthermore, the biggest problem with electronic voting equipment isn't the technology but rather with conflicts of interest. Several equipment providers have very close ties to the Republican party and also to Christian reconstructionist (pro-theocracy) groups that have a dubious commitment to democracy. Anyone who doesn't spare at least a thought to questioning the impartiality of Diebold equipment after the Diebold CEO's famous statement that he was 'committed to helping Ohio deliver its electoral votes to the President' really needs their head examined.
Has anyone given any thought to the legalities in case fraud is detected after the event? What happens? Is the election annulled and the nation declared leaderless?
There are probably some tricky problems here.
I hope all people who plan to commit any kind of fraud admit it up front on nationwide TV. Don't suppose you could be putting politically oriented spin on something? Nope, he has to have meant he was going to steal the election; good thing you guys are smart enough to have seen through his non-subterfuge. Good catch. Put your tinfoil hat back on.
The evidence of vote manipulation in 2000 and 2004 is incontrovertible to anyone who can read and isn't part of the Kool-Aid-chugging 30 percent. The only one here peddling partisan bullshit is you.
>> Tom Jefferson - Dem-Rep
>> Johnny Adams - Federalists
This whole story has me completely confused. I know it is a big political issue in the US and I just don't get it. In Canada, All the ballots are pencil on paper and they are counted by hand. We get the results in about the same time as the US does. There are sometimes judicial recounts, but they seldom move very many counts. Why have ANY kind of machine?
Vote fraud and election manipulation is rarely confined to one technique or method.
In the past elections (2000, 2004) the attacks on the voting process ranged from gerrymandering (the Texas violation found in the recent Supreme Court decision) to registration barriers (wrong paper weight of registration in Ohio) to Secretary of State manipulation of voter lists (Ohio, Minnesota, Florida), to fraudulent registrars that throw away opponents' registrations (New Mexico, Ohio), to intimidation of voters (Minnesota Indian reservations) to depriving voters of means of voting (shortages of machines or ballots at precinct voting stations) to manipulation of absentee ballots (fixing incomplete ballots or throwing away opponent ballots) to changing precinct locations to confuse voters, to not counting provisional ballots (very few were cast in Minnesota vs hundreds of thousands cast and not counted in Ohio, New Mexico, Florida.) And then having the vote on a Tuesday, a work day when people are not able to take time to vote between 7am and early evening when child care, work and family obligations are at a peak. Add some attacks of your own here.
Finally there is manipulation of voter count using the electronic scanner and DRE. The manipulation of elections is not just one set of attacks against electronic voting but is an attack on voting at all levels in the entire voting process spanning a much greater interval of time than just the day of the vote.
So to continue....
Vote manipulation is easier when participation is smaller. A smaller set of manipulations must happen in the smaller participation set to affect the outcome.
Since the 1960s voting rights and the 1970s, when voter ages were lowered to 18 and same-day registration and motor-voter registrations were implemented in a few states, there has been no movement to widen participation in elections. Instead, barriers to registration and HAVA have created methods to suppress turnout.
Audits as mentioned in the report are fine, but when only rich white men can vote what will the audited result be?
Universal registration and a work holiday with daycare to vote would change the effects of attempted manipulation by increasing the set of voters and making manipulation more difficult.
Johnny Quest> And then having the vote on a Tuesday, a work day when people are not able...
While there are disadvantages, having the vote on a weekday has the advantage of maintaining a religious agnosticism in the voting process. Doing it on Saturday or Sunday would have people going to the polls fresh out of temple or church service; that might create its own bias in that officiators at those respective services would find it tempting to advise their constituents how to vote.
that study is badly flawed. it says in "attacking a voting computer with VVPAT" (page 65) that the fraudsters might get away with it because voters might believe they pressed the wrong button:
" ... believe
she had accidentally pressed the wrong candidate the first time. In any
event, it might make her less likely to tell anyone that the machine made a
This ignores the obvious case, that the voting machine shows "Adams" on paper and "Jefferson" on the display at the same time, making it easy to prove the manipulation to an election official. After this happened once, the machine is out of business and goes straight to the FBI; the fraudsters can be prosecuted quickly.