Schneier on Security
A blog covering security and security technology.
January 5, 2008
New York Times Magazine on Electronic Voting Machines
Posted on January 5, 2008 at 8:35 AM
Thanks for the link.
Just completed reading the "National Security for the Twenty-First Century"....
Thanks for that link too.
Ever wonder why ATM machines with touch screen and rinky dinky printers have no problems recording your transactions reliably?
You get what you pay for .. and am sure the bank doesn't have 70+ year old part-timer managing the operations of their ATM machines.
So we can establish a few things :
if you don't put paper in a machine or the printer jams and you don't notice or can't notice .. it doesn't mean technology is evil .. it just means you are not the person who should have been (wo)manning the machine.
Using windows CE in some machine is an immensely stupid decision.
Using removable memory card is/was a super dumb idea.
But I am very sure election officials knew of all these issues when they purchased these machines; the blame lies with the political hacks who wrote the specifications and approved the purchases. The vendors' job is to build what you want for the cheapest price. The beauty of this arrangement is that vendors know they have a chance at version 2..3..4 of these machines :-)
Let's all repeat .. our politicians are bloody buffoons and crooks and they fill up the state/county/city positions with incompetent relatives and political hacks, causing untold damage to everything.
BTW that Princeton genius Mr. Felten should be given a Nobel prize for stupidity -- "Computers crash and we don't know why" is the most asinine statement to be credited to a "real" person.
I like optical scan machines. They're simple, you get a paper trail by definition, and it's hard to screw up. But I think that the world really does need a good electronic voting machine. It will be difficult to do *correctly*, but it must be done. It should be open-source at every step, and designed from the hardware up to be as simple and secure as possible. Here's what I've been pondering for the past few years, ever since electronic voting became a hot topic:
* Build a smartcard into the device (physically soldered to the motherboard). Use it to sign every single vote. Emboss the public key's fingerprint into the frame of the device so you can see it when you vote and display it on startup so the poll worker must compare it to the one printed on the device. The fingerprint should be tracked through the whole process to ensure that every vote was made on an authorized device.
* When someone votes, they are given a card of paper (like an optical ballot). It should have a serial number as a barcode or similar at the top. The user feeds the card into the bottom of the device. As they vote, their choices are printed onto the card. When they're finished, their choices and the serial number from the ballot are padded, signed (but not encrypted), and stored on the memory card. A digest of this "blob" is printed along with the voting machine's fingerprint at the bottom of the ballot, and the ballot is ejected out of the top. The ballot is placed in a box as they leave, and serves as their paper record. The vote blob itself could also be printed in a high-density barcode (e.g. QRcode) at the bottom of the ballot for rapid counting in cases where a card is lost but the machine was not otherwise distrusted.
* The same memory card that holds the votes also holds the "vote definition", e.g. who is being voted on. These definitions are grouped by locality and signed by the respective authority, so that a county could add candidates without re-signing the state's definitions and therefore introducing a weakness. On startup, along with the machine's fingerprint, the fingerprints of each of these signatures and all of the voting data under them are displayed; these are checked against data from the involved voting authorities both for a valid fingerprint and to ensure that, for example, no senators are in the local section. Once the poll worker approves the set of voting definitions, the voting machine should sign the definitions to make it difficult to pretend a different set was used after the fact.
* The software could be built very easily using GTK sitting directly on top of X, and a nice high-contrast theme and high-DPI fonts. A cryptographically-signed "OS" card would also serve well here, with a separately sealed compartment that is checked by the state authority before and after the election to ensure it has not been tampered with.
Some problems I can see already:
* There's no obvious way to deal with the wrong vote being printed - once the user gets their ballot back the vote's already been recorded, and allowing votes to be nullified afterwards is flawed because the only way to know that it hasn't been abused by someone with access to the box is by comparing the number of nullifications across counties.
* Poll workers probably aren't going to look very closely at the fingerprints when the machines start up. Some attempt should be made at making the comparison easier, e.g. coloring sets of octets based on the first few bits in each to make it more obvious when there's a mismatch (red-red-blue-green looks much more different from red-blue-green-black than a series of hex digits from another).
* Voters definitely aren't going to look at the fingerprint, so that mechanism shouldn't be relied on so much as available should the user know what it means.
Anyhow, I'm sure my ideas are full of holes (but that's why I'm posting them), partly because I have a tendency to throw crypto at anything that moves, but I definitely think we should not give up on electronic voting machines just because some corporate cheapskates can't do it right the first time.
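The signed-vote design sketched in the comment above, as an added example that is not the commenter's code: a per-device key signs the ballot serial number plus the choices, the paper ballot carries a short digest and the device fingerprint, and an audit re-checks the device against the authorized list, the signature, and the printed digest. The record encoding, the SHA-256 fingerprint and the byte-to-colour mapping for the poll-worker display are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// VoteRecord is the signed "blob" stored on the memory card: the ballot's
// serial number, the voter's choices and the device's signature over both.
type VoteRecord struct {
	Serial  string
	Choices []string
	Sig     []byte
}

// Fingerprint is the hex SHA-256 of the device's public key, standing in for
// the value embossed on the frame and printed on every ballot (assumed format).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// canonical is the byte string that gets signed (assumed encoding). It must be
// unambiguous so that two different ballots never yield the same signed bytes.
func canonical(serial string, choices []string) []byte {
	return []byte(serial + "\n" + strings.Join(choices, "\n") + "\n")
}

// Sign is what the device does once the voter has finished.
func Sign(priv ed25519.PrivateKey, serial string, choices []string) VoteRecord {
	return VoteRecord{Serial: serial, Choices: choices, Sig: ed25519.Sign(priv, canonical(serial, choices))}
}

// Digest is the short hash printed at the bottom of the paper ballot; it
// covers the signature too, so the paper pins down one exact electronic record.
func Digest(r VoteRecord) string {
	sum := sha256.Sum256(append(canonical(r.Serial, r.Choices), r.Sig...))
	return hex.EncodeToString(sum[:8])
}

// Audit checks one stored record against its paper ballot: the device must be
// on the authority's list, the signature must verify, and the digests must agree.
func Audit(r VoteRecord, printedDigest string, pub ed25519.PublicKey, authorized map[string]bool) error {
	if !authorized[Fingerprint(pub)] {
		return errors.New("device fingerprint is not on the authorized list")
	}
	if !ed25519.Verify(pub, canonical(r.Serial, r.Choices), r.Sig) {
		return errors.New("signature does not verify over serial and choices")
	}
	if Digest(r) != printedDigest {
		return errors.New("paper digest disagrees with the electronic record")
	}
	return nil
}

// ColorFingerprint is the poll-worker aid from the comment: the top two bits
// of each of the first n bytes pick a colour, so a mismatched fingerprint reads
// as a different colour sequence instead of a different run of hex digits.
func ColorFingerprint(fp string, n int) (string, error) {
	raw, err := hex.DecodeString(fp)
	if err != nil || n > len(raw) {
		return "", errors.New("fingerprint is not valid hex of sufficient length")
	}
	colors := []string{"red", "green", "blue", "black"}
	names := make([]string, 0, n)
	for _, b := range raw[:n] {
		names = append(names, colors[b>>6])
	}
	return strings.Join(names, "-"), nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // per-device key, generated fresh here
	authorized := map[string]bool{Fingerprint(pub): true}
	rec := Sign(priv, "SN-000123", []string{"Mayor: Candidate A", "Prop 7: Yes"}) // constructed ballot
	printed := Digest(rec)
	fmt.Println("audit of genuine record:", Audit(rec, printed, pub, authorized))
	tampered := rec
	tampered.Choices = []string{"Mayor: Candidate B", "Prop 7: Yes"}
	fmt.Println("audit of altered record:", Audit(tampered, printed, pub, authorized))
	colours, _ := ColorFingerprint(Fingerprint(pub), 4)
	fmt.Println("startup display:", colours)
}
```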
You say: "But I think that the world really does need a good electronic voting machine. It will be difficult to do *correctly*, but It must be done."
But you never make an argument for this need or why it must be done.
This topic has been covered many times, but we're striving for a set of goals. Among them are accuracy, voter confidence, simplicity, inability to tie a vote to a voter, immunity from a voter to be subject to external pressure, and speed of tallying.
I think we would agree that for a functioning democracy, accuracy and voter confidence would need to be among the most important goals. And we could probably compromise quite a bit on speed, provided it weren't too slow.
And of course some of these goals aren't binary. There are degrees of speed, degrees of simplicity, etc.
And some goals seem to be aligned against one another. For example, if, to increase confidence, we allow the voter to leave the polling station with a receipt of some sort, so s/he can later verify that their vote was counted correctly, then that receipt can be used to sell one's vote or to allow someone with the ability to pressure the voter (abusive spouse, boss, trade union) to insure the voter voted in a particular way.
Ron Rivest has proposed a triple ballot to allow someone to leave with a receipt that is immune from this pressure. However, it moves away from simplicity.
My point, however, is that one cannot simply say that we *need* electronic voting. One has to make an argument that explicitly deals with the goals of a voting system, how the electronic voting machine fits in with these goals, and why it would be better than non-electronic alternatives.
The optical scan systems in which the ballot can be checked for over- and under-votes is a nice compromise, I think. The biggest challenge with them is that they're difficult or impossible for people with some disabilities to use.
I think two, possibly three, things are driving the desire for electronic voting.
1) Speed of count. Once upon a time we were quite content with a few days before we knew the definitive result of an election. In these days of 24 hour instant news coverage we're just too impatient to wait. There's no *necessity* for such rapid results but the "need for speed" idea just seems to have infected all of society.
2) It's not modern unless it has a computer in it. Just that, a desire for a pointless appearance of modernity whether or not it has any actual useful function.
3) A desire to improve voter turnouts by enabling remote voting. Voter turnouts are consistently falling year on year in the western democracies. When less than 50% of the population aren't voting, the appearance of democracy that the west likes to uphold crumbles. People aren't voting because they feel disenfranchised. They believe that their choice is to vote for one liar or for another liar, weathervanes the lot of them, signposts none. The powers that be, believe that if they can make voting in an election at least as easy as voting for the next reality-TV ünter-star then they might scrape enough votes that the existing political setup isn't blatantly discredited as the sham of democracy that it is.
My cynical 0.02 euros.
The quality of the writing is pretty piss-poor for the New York Times, but it's still a good article.
All the "theoretical" attacks on computerized voting machines that security researchers have come up with are more than enough reason to toss the things out, and yet they have a myriad of issues above and beyond those. The design of these machines is criminally bad, and I mean "criminally" in the strictest sense possible (why have no criminal, or even civil, suits resulted over this?).
You suggest voting machines were possibly introduced to improve voter turnout, implying that they would help voters feel less disenfranchised. Of course, they've had quite the opposite effect (computer crashes are a new and wonderful way of disenfranchising voters).
So either the people in the highest levels of US government are impressively stupid and did not see this coming, or this was a desired result of switching to touch-screen machines.
It's more than a little scary to see how far democracy has been eroded in the US.
One other reason to use electronic machines is the accessibility to disabled voters.
I however am registered permanent absentee.
Some e-voting vulnerabilities have been largely overlooked. An attacker might, for example, reorder the ballot or delete candidates from it, or make it easier to select certain candidates, or (as implied by Eam, above) selectively delay or deny service. Since none of these attacks create differences between e.g., electronic records and paper "receipts," comparison audits (if any) will not catch them. They can be caught only by rigorous parallel testing in each and every election. And the probability of officials doing that is just about nil.
Except for a tiny number of disabled voters, computational vote casting wastes our money and unnecessarily compromises our elections' security. The overwhelming majority of voters should use hand-marked paper ballots. These should be counted in the precinct in which they were cast, either by hand or by tabulators backed by statistically-supported hand audits. Machine assistance should be reserved only for those who need it to vote independently. We must not continue to allow the accessibility tail to wag the security and transparency dogs.
E.g., a vendor insider.
I physically counted votes at several of the many Swiss elections and referendums. Quick, simple and reliable with accountability and auditability all the way up the line!
I have worked intensively with computers for over 25 years and have more and more come to the conclusion that paper is the only way.
When society catches up, so that communications and legal transactions are legally and routinely done electronically, we might like to rethink the above assertion.
"The earliest critiques of digital voting booths came from the fringe — disgruntled citizens and scared-senseless computer geeks"
Don't you love being on the fringe, merely by virtue of not being ignorant?
Another of the advantages of digital voting machines is the ease with which they handle multiple languages. I'm not sure how many we have to handle in California, but I think it includes English, Spanish, Vietnamese and Korean, possibly Chinese and Cambodian.
Very interesting, well-researched article by Clive Thompson. While reading it, it occurred to me there might be a third alternative that avoids the problems of existing voting technologies:
PROPOSAL FOR BETTER VOTING TECHNOLOGY
The two major types of voting technologies in current use are electronic and paper-based. The significant problems with electronic voting machines are well-documented and not likely to be solved in the near-term. Paper-based ballots are a proven method, but with some drawbacks such as being time-consuming to count, ambiguity with optical markings, hanging chads, form design, etc.
It might be profitable to consider a third alternative. In particular, I would like to propose the following simple solution:
1. Physical coin-shaped markers made from plastic, similar to those used in casinos, with the following features:
1.1. A "candidate number" (from 1 to N, where N represents the number of candidates in the given election) embossed on both sides of the marker, in large, easy-to-read type.
1.2. The Braille version of the candidate number embossed on both sides of the marker.
1.3. The entire marker colored to match the candidate number (different color for each of the N candidates).
1.4. Universally unique EPC barcode on both sides of the marker.
1.5. Embedded RFID tag.
2. Ballot box for collecting markers, with narrow slit in top to receive coin-shaped markers, and a transparent plastic section at the back, to enable easy inspection by election officers ahead of the election, to ensure the boxes aren’t pre-stuffed with markers. The transparent section is at the back, so voters don’t see, and are not influenced by, the markers cast by earlier voters.
3. Marker dispenser, with N different marker types, with the lever or other mechanical release mechanism for each marker type clearly and distinctly placed under the name of the corresponding candidate, whose name (Latin and Braille characters) and photo are marked with the same color and number (Arabic and Braille characters) as the corresponding marker. The voter looks at (or feels, if blind) the name and photo of the candidate they want to vote for, presses the corresponding lever to release the appropriate marker, and places the marker in the slot in the ballot box.
The markers can be counted in multiple different ways:
1. Instantly by electronic totaling of the RFID tags.
2. Quickly by barcode scanners.
3. Less quickly (but still faster than conventional paper ballots) by hand.
Advantages of this solution:
1. Not subject to computer bugs or hackers at any point (except in the RFID and barcode counters, both of which can be avoided or audited by hand counting).
2. Instantaneous vote totaling by RFID counters.
3. Multiple, independent counting methods, one of which (hand counting) is not subject to technological failure or manipulation.
4. Extremely low error rate (no ambiguous voter forms, hanging chads, computer bugs, etc.).
5. Voter confidence (clear, unambiguous, intuitive voting and counting process).
6. Election officer confidence (minimal, non-technological training required).
7. Accessible and unambiguous for blind voters.
8. Complete voter anonymity.
9. Instant tracking of and accounting for the markers through RFID counters, helping to protect against theft of or tampering with markers.
10. Easy and quick to implement.
11. Very cheap system, cheaper than paper-based and electronic systems. The markers, marker dispensers, and ballot boxes can all be reused in future elections, and can be manufactured by existing casino equipment suppliers, who already have an established track record of quality and security compliance enforced by the competitive, profit-driven casino industry and casino regulators.
12. Extensively proven track record in high-stakes casinos around the world.
The above proposal is a quick first draft, written up in a few minutes after I read the New York Times article by Clive Thompson which Bruce linked to above. So there are likely overlooked issues. I’d be curious what other readers think of its potential advantages and disadvantages.
"Another of the advantages of digital voting machines is the ease with which they handle multiple languages. I'm not sure how many we have to handle in California, but I think it includes English, Spanish, Vietnamese and Korean, possibly Chinese and Cambodian."
Don't you have to be a U.S. citizen to be eligible to vote? And doesn't the process of acquiring U.S. citizenship include a test of competency in the English language?
In Australia we still vote on paper. In most cases the vote for the House of Representatives has from 3 to >12 candidates which you vote for in a preferential fashion (number the votes 1-12, numbering all boxes in sequence, otherwise the vote is 'informal'). The sorting and counting is done by mark one eyeball with scrutineers from all the parties ensuring that everything is done according to the rules. Most seats are decided 2-4 hours after the polls close. Some have to wait for postal votes and absentee votes to be counted. A few seats in the last election, 5 out of 150 had to wait about two weeks for a final count, recount and re-recount. But in almost all cases the government is decided by 10 o'clock on the night of the election. All counts handled manually - no computers involved.
The senate is a different kettle of fish with the result decided by quotas. There are 6 senators to be decided from a field of many (50-120). You can either number the whole field or tick a particular party preference - the voting paper is often 1 metre long. The vote counting system is quite complex, but again done by hand, and, presumably, calculator.
See http://www.abc.net.au/elections/federal/2004/... for a 'simple' explanation!
However the bottom line is that it is all done on paper, and, provided that the physical security of the ballot papers is good, the votes can be checked and rechecked as needed. Voter registration is ticked at the time of voting and the registers are designed to be scanned to check that everyone has voted (yes, voting is compulsory, and is managed and monitored by a federal entity).
I know that we are just a country of 21 million people (and therefore only about 12 million voters) but the election results are available extremely quickly and are rarely challenged. If they are, there is always a physical record to check.
No computers - no hidden variables....
"Another of the advantages of digital voting machines is the ease with which they handle multiple languages. I'm not sure how many we have to handle in California, but I think it includes English, Spanish, Vietnamese and Korean, possibly Chinese and Cambodian."
Overlooking for a moment the real need for this: just print a translated template in the corresponding language. Voters have to choose between names, which are the same in all languages, or yes/no for a proposition (translatable in the template). You don't really need support for a foreign language on the ballot. And if you do, it's easy to translate ballots. How do they do it when they need support at the DMV, water bill, etc.?
So simple, we requested absentee ballots for the upcoming primary in South Carolina. We have already voted and returned our ballot.
Remember, vote early, vote often.
P.S. These are permanent ink check marks on a paper ballot. Works for me.
P.P.S. Everyone should request an absentee ballot from their voting district.
It's really disappointing when the media refers to security professionals and computer scientists as "disgruntled citizens and scared-senseless computer geeks." This belittles those that should be respected as having expert insight into the emerging problems of the Digital Age.
Being a regular reader of your blog, I checked my feed reader specifically to see if you'd written about this article as soon as I finished it. I was disappointed that many of the more serious concerns of computer scientists (and the security industry) were given far less attention than the political wrangling, but the article started off on the wrong foot, IMO. This comment really set me off:
"The earliest critiques of digital voting booths came from the fringe - disgruntled citizens and scared-senseless computer geeks..."
The failure of government and society to listen to the subject matter experts on this topic is the single biggest contributor to the quagmire we're in with digital voting. The longer our political system and fellow citizens regard legitimate science as "tinfoil hat pontificating," the more likely we are to continue to run into these sort of problems with technology. The computer science and information security communities have been voicing the same concerns about e-voting machines from the very beginning, and now it turns out all of our concerns have been justified. For Mr. Thompson to consider these concerns as the mere rantings of "scared senseless computer geeks" even in retrospect completely illegitimates those concerns that he's now reporting on.
"And doesn't the process of acquiring U.S. citizenship include a test of competency in the English language?"
Yes; they have to be at least as competent as the President.
Sir, I do not know what is the price one has to pay for actually hacking and erasing all the votes through several of these so called instruments of vote gathering. Of course no one wants to take blame, but having just wasted close to 1.7 trillion dollars on idiot George Bush, I think some smart Princeton/Harvard/Stanford grad should take these matters in his "own hand". Actually, poor countries have better record keeping than the USA. So, you are right on the spot but after a 1.7 trillion dollar damage to the economy.
I too was disturbed at the depiction of computer scientists as "geeks" at the fringe. Like most computer scientists, my alarm bells were ringing loudly when the government pushed for electronic voting. Oh well, major computer projects are run by people who can barely find the right mouse button two out of three times and we all know how those turn out.
I don't know the answer to this problem, but if a valid, unassailable vote is the desired outcome then there's no way we can be confident in the outcome of a close 2008 US election.
I believe that electronic voting is a hard problem when all the aspects of it are considered. If a true and correct vote is required (and, frankly, I am not convinced either major US political party really wants that) then the problem should be viewed as important as, say, the mission critical avionics running on a commercial passenger jet in flight. If we are willing to expend the $$$ to create this kind of system, then I think something can be built that will inspire the confidence of the people who are experts in the area.
Thoughts of the group on Ka-Ping Yee's PhD thesis on electronic voting?
BTW: to those who have expressed the opinion that absentee voting is "the answer", have you all considered how easy it is for your future overlords to know how _you_ voted, so as to more easily "streamline the electorate"?
@ Johann Gevers
> 8. Complete voter anonymity.
Far from it.
Your setup makes it trivial to discover how someone votes, remotely. You merely monitor him remotely for the presence of RFID tags on his way to the ballot box, and also on his way from the ballot box. The RFID tag which disappeared is his vote. This flaw cannot be solved by putting the ballot box with the marker dispensers in a secret/shielded area, because then any voter can stuff the box however he feels like. A similar attack where the ballot box itself is constantly monitored for RFID tags might be solved by having the ballot box be a Faraday cage (still wouldn't protect against a recording detector inside the box whose results could be correlated afterwards with the known arrival times of the voters).
In addition, the transparent window is a second "feature" which would enable (albeit in a much more detectable way) the determination of how someone votes (set up a small camera to monitor what color tokens fall down). This could be solved by providing opaque envelopes for the ballot tokens.
I have the feeling that because tokens would be more expensive than paper ballots the system would be more vulnerable to a denial-of-service-like attack where lots of people come at the opening hour of the elections and each one walks off with as many tokens for a particular candidate as they can manage, so that the polling place will run out of tokens for that candidate eventually.
The RFID tag feature is not essential to this proposal, and can be eliminated while retaining virtually all the advantages (except instant vote totalling). Very fast vote counting could instead be done by barcode readers that read the EPC codes on the tokens. (Incidentally, the universally unique EPC code on each token is intended to aid accounting for the tokens and help prevent theft and other manipulation.)
The transparent section of the ballot box is not an essential feature of this proposal either. Instead of a transparent side window, the (opaque) boxes could simply be opened, inspected, and resealed by election officers before the election opens.
The denial-of-service attack you describe is probably unlikely, but one way to defend against such attacks would be to design the token dispenser to only release one voting token after insertion of a special (unmarked) "payment token", only one of which is issued to each voter at the election venue. If the voter makes a mistake (releases the wrong voting token) or changes his/her mind before placing the voting token into the ballot box, s/he could then simply release the wanted token by "paying" with the unwanted token.
I believe there is an underlying common factor in "the push for electronic voting", the UK ID card scheme etc. etc.
Most big businesses have got wise to the major IT consultancies (you know who they are!) and treat all proposals from them with the suspicion they deserve.
So these consultants need to find a new, more gullible audience to direct their powerpoints and expense accounts and timesheets at.
And who could possibly be more gullible than a politician?
As an elected councillor, I'm pretty sure that a fast count is actually undesirable. It took a day to count the votes after my election, and that seems about right. It gives people plenty of time to scrutinise the process, and adjust psychologically to electoral success or failure.
An electronic count would be instantaneous, and no more desirable than the "Golden Goal" in football (soccer).
If only the problems weren't so predictable.
I am not a computer geek by any stretch of the imagination and yet I accurately predicted most of the problems as soon as my district proposed moving to electronic voting. Off the top of my head, mind you - not even after extensive thought.
@sooth_sayer: What makes voting different than ATMs, credit cards, and other transactions is the requirement of anonymity. I can cross-check my credit card bill against my receipts, my ATM deposits against my checkbook, and so on, providing another layer of protection against error. None of these options are available for voting. (The article points this out, near the end.)
I am bemused about how touch-screen voting became the expected standard. Yes, it was heavily marketed, but so were other systems.
How does Estonia manage its electronic and online voting?
In the UK, we have a highly advanced system based on "pieces of paper", "pencils", and "boxes". Results are available the same evening.
@george at January 6, 2008 10:13 AM: "Everyone should request an absentee ballet from their voting district."
There's a current flap in Muncie, IN related to this. Indiana law requires that all absentee ballots sent out must be initialed by representatives of both major parties. (Republican and Democrat. I'm not sure exactly how the law is worded. It may or may not have provisions for other parties.) In the recent local elections, including mayoral, 19 ballots were sent out lacking the initials of the Republican monitor. These 19 ballots went to a heavily Democratic precinct and 18 of the 19 ballots came in with votes for the Democratic candidate for mayor - a 17 vote net plus for the Democrat. The Republican candidate won the election by 8 votes when those 19 ballots were rejected for not having the initials of the Republican.
MOST people seem willing to accept that the occurrence was an unintentional oversight with no chicanery involved, but the Democrat is currently trying to get a special election to "rectify" the problem. Personally, I try not to assume malice when incompetence is an adequate explanation, but it strikes me as a bad precedent and even if no trickery is involved this time, I wouldn't want to see it become a common occurrence.
IOW, you can't count on your votes being counted as you intended them on absentee ballots any more than from voting on election day at the polling place.
Clive Thompson is featured on Democracy Now 2008-01-10 discussing this article. URL is http://www.democracynow.org. The video/audio podcast is not available yet, but should be posted later today.