Schneier on Security
A blog covering security and security technology.
December 24, 2008
Comparing the Security of Electronic Slot Machines and Electronic Voting Machines
From the Washington Post.
Other important differences:
- Slot machines are used every day, 24 hours a day. Electronic voting machines are used, at most, twice a year -- often less frequently.
- Slot machines involve money. Electronic voting machines involve something much more abstract.
- Slot machine accuracy is a non-partisan issue. For some reason I can't fathom, electronic voting machine accuracy is seen as a political issue.
Posted on December 24, 2008 at 6:02 AM
• 46 Comments
Can add another one to the list... governments can get a lot of influence in the design and operation of the machines, for casinos that's not going to happen as easily.
c.f. the last Scottish elections - the government at the time made a mess of the forms against specific advice and the election turned out to be a complete farce, and that's not including votes getting lost at sea, or random thugs smashing up ballot boxes with golf clubs.
I'm guessing there's more mileage in allowing "security flaws" in voting machines.
Further thoughts on the first difference: slot machines are always kept on-site, while EVMs are kept in storage most of the time, making it easier (in theory) to tamper with them undetected.
@Peter: "governments can get a lot of influence in the design and operation of the [voting?] machines, for casinos that's not going to happen as easily."
My impression is that gambling computer software/hardware design is in fact intensely regulated by various governments (Nevada).
@Bruce: "For some reason I can't fathom, electronic voting machine accuracy is seen as a political issue."
That's because there's always a political party that loses and can cry sour grapes over perceived injustice.
ATMs are the same thing, too. I once took money from an ATM, but actually received none and got a receipt for the withdrawal. I marched into the bank office and got it taken care of immediately. I'm the only person I've ever heard of who had this problem with an ATM.
Yet it seems we willingly accept voting machines that can randomly (or nonrandomly) lose or change thousands of votes at a single machine, with no way to audit or correct mistakes. You'd think it shouldn't be so hard to develop a voting machine that's as accurate as an ATM.
The reason an ATM can be accurate is because it can be audited. There's a known amount of money in the machine that is reconciled daily. If the machine makes a mistake, you can take your receipt into the bank, and they can perform an audit and determine if it balances.
With an electronic voting machine, the only starting point is zero, and no one knows how many votes should be in the machine at any given moment in time. There's no way to reconcile what should be in the machine.
It's simple, electronic voting machines should be used to aid in counting PHYSICAL ballots. But there should always be a physical ballot. Optical readers seem to be tried and true. It feels like we're trying to use electronic voting technology not to make voting more accurate or easier, but for technology's sake.
"Optical readers seem to be tried and true."
Here, have some chads. We have both kinds: dimpled and hanging.
One major difference (even with the proprietary code issues) is that voting machines are designed to be honest, while slot machines are designed to be dishonest.
The emulation of slot machine ROMs has exposed that at specific times no matter what you press in a gamble you have Zero chance of winning.
Auditability is the key here. If you want people to vote with a machine, that's fine - just have it spit out a paper ballot at the end that the voter can read and verify. The ballot goes into a secured ballot box. Then randomly audit samples and do a full manual recount if there's any sign of trouble. And Bob's your uncle.
This past election, I voted on an old-school paper ballot with a pencil, which was then read by an optical scanner. My wife used the machine (ironically, this took longer because most people seemed to prefer it). She said there was a ribbon of paper ticking out the back of the machine, but the voter couldn't actually see what was on it. What would we call that - electoral integrity theater?
Not really theater as it is a legitimate audit trail, albeit one which could be improved.
If the machine decides to forget all the votes made so far, you can use the hardcopy etc.
Mark Sense works well. Punch cards, not so much.
IMHO, mark/sense ballots are about the epitome of voting technology. You get immediate feedback on overvotes or other spoiled ballot issues immediately, right while the voter is standing there and can correct it.
I have a friend who's worked every election for 40 years, and my wife worked a different precinct this year and went through the training with the township clerk. They both said that they had NEVER had an inexplicable issue with a mark/sense ballot. In the few times they'd done recounts, the votes only changed by 4 or 5 votes, and in every single case the counters could see exactly what caused the machine to misfire, and there was no confusion.
Punch cards are just a really bad idea. Mark sense is a really good one. They don't have the read problems of punch cards, but they are both machine readable and human readable and they are their own audit trail.
Another difference, which helps explain the politicization, is that the expectation for a slot machine is that the person using it will lose, while the person owning it will win. If that changes, then the owner will remove it from service. With voting machines, it's very possible, at least in some places, that everyone who uses it expects "their" side to win.
If you use a slot machine and lose your money, it doesn't really violate your expectations. Everyone around you is using the same machines, and they're mostly losing too. Winning is an aberration. If all of your circle of friends are Democrats who vote, and you find after the election that your district results were 51% Republican, you may suspect something is amiss. The Republican across town whose circle of friends is composed entirely of other Republicans who vote, would be likewise suspicious if the results were 51% Democratic. The only voters who go to a voting machine with the same expectation of loss as all slot machine users have are independents.
I don't think that's an issue of dishonesty. Your arrival at the slot machine is for all practical purposes random.
And digital machinery is not known for being random; it is bound to use a pseudo-random number generator.
On the other hand, once the cards in a game of blackjack have been shuffled; there is invariably a sequence of choices where you have no chance of winning. Again, it's a matter of what state you find the game in as you enter.
You can always flip a coin to decide to play or not; that makes it fair. If the game is set to lose, and you flip "don't play", you win; if you flip "play" you lose. Vice versa if the game is set to win.
They are becoming harder to fix, that's why you see politicians promoting absentee ballots -- why ?
- Cuz Postal ballots can be left in the car-trunks and only used when needed.
- Cuz you can mark them yourself .. no need for Dallas football team.
There is about 1000% more crime in absentee ballots; making any errors in voting machine irrelevant.
"For some reason I can't fathom, electronic voting machine accuracy is seen as a political issue".
Maybe because Republicans seem to be keener on using voting machines, and when things go wrong as a result, the Republican Party seems to be the beneficiary more often than not. Then there are the blatant conflicts of interest. For example, Wikipedia gives the following information.
"In August 2003, Walden O'Dell, then the chief executive of Diebold, announced that he had been a top fund-raiser for President George W. Bush and had sent a get-out-the-funds letter to 100 wealthy and politically inclined friends in the Republican Party..."
Maybe that's a one-sided view of the matter. The Wikipedia article goes on to say that "When assailed by critics for the conflict of interest, [O'Dell] pointed out that the company's election machines division is run out of Texas by a registered Democrat".
But who swings more weight - the CEO or a divisional manager?
In case you think I'm politically biased, by the way, I'm British and a member of the British Conservative Party.
Really, the problem is that electronic voting systems use the same machine to prepare ballots and to count the prepared ballots, with the only verification being the same machine (again) showing you an ephemeral copy of the ballot. It's simple enough to design a better system:
1. Use one machine just to present the polling information (electronic systems are better than paper systems for this) have it print a readable paper ballot that goes in the voter's hand (this is even more verifiable than a punch card system, for instance). The ballot printer can easily add optical scan barcodes, checksums, etc - lottery tickets are the best model. There also ought to be the sort of tear-off chit that current punch card systems have, so it's easy to compare the recorded number of voters, the recorded number of votes, and the actual number of ballots.
2. Allow the voter to reject any printed ballot they regard as spoiled, for any reason - in addition to ensuring the voter has a chance to verify their vote, this is even more resistant to vote buying than current paper ballot systems, since it allows you to prepare a phony ballot, post it on YouTube or whatever if you want, and just not submit it.
3. Prepare the official vote count by hand. A barcode scanner can be pretty fast if everything it needs to scan is the same size. Don't keep a separate electronic record (preferably the machine from step one has no easily writable storage, or only a minimum) or a separate physical copy of the ballots; those are both points of failure rather than beneficial records. To understand this, realize that anyone with sufficient access to insert tampered ballots can tamper with only one copy of the vote records; now all they have to do is claim there was vote tampering (there was) and they can easily prove it, triggering recounts, court battles, whisper campaigns, etc. Redundant copies of the ballots are bad.
4. Reporting the vote tally should be done by a machine separate from all of the above, whose only purpose is to accept a vote count and transmit it securely. Nothing in the polling station should connect the ballot printers or the ballot counters to the Internet directly.
I realize the preceding is somewhat off-topic, and far too long, but the system will work, and it's a very simple design, so it's really annoying to keep reading "improved" designs that try to fix what should be replaced.
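The poll-closing check implied by the four steps above, as an added example that is not part of the original comment: every total is derived from the paper in the box, and the chit count, printed count and ballot count are compared. The keyed tag (HMAC) stands in for the comment's "checksums", and the key, the payload format and all names are assumptions of this sketch.

```python
import hashlib
import hmac
from collections import Counter

# Constructed demo key shared by the ballot printer and the counting station.
PRINTER_KEY = b"constructed-demo-key"


def ballot_tag(choices: str) -> str:
    """Keyed check value printed in the barcode next to the readable choices."""
    mac = hmac.new(PRINTER_KEY, choices.encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def print_ballot(choices: str) -> str:
    """Barcode payload: the choices plus their tag, with no voter identity."""
    return f"{choices}|{ballot_tag(choices)}"


def reconcile(chits: int, printed: int, spoiled: int, box: list) -> dict:
    """Count the ballots in the box and cross-check the independent totals."""
    tally, rejected = Counter(), []
    for payload in box:
        choices, _, tag = payload.rpartition("|")
        if hmac.compare_digest(tag.encode(), ballot_tag(choices).encode()):
            tally[choices] += 1
        else:
            rejected.append(payload)  # misread, or not produced by the printer

    problems = []
    if rejected:
        problems.append(f"{len(rejected)} ballot(s) failed the check value")
    if len(box) != chits:
        problems.append(f"{len(box)} ballots in box but {chits} voter chits")
    if printed != len(box) + spoiled:
        problems.append(f"{printed} printed != {len(box)} cast + {spoiled} spoiled")
    return {"tally": dict(tally), "rejected": rejected, "problems": problems}


if __name__ == "__main__":
    # Constructed sample: three voters, one of whom spoiled and reprinted a ballot.
    a, b = print_ballot("MAYOR=A"), print_ballot("MAYOR=B")
    print("clean:  ", reconcile(chits=3, printed=4, spoiled=1, box=[a, b, a]))
    # A copy of a genuine ballot passes the tag check; only the counts expose it.
    print("stuffed:", reconcile(chits=3, printed=4, spoiled=1, box=[a, b, a, b]))
    # Changed choices with an old tag: the counts still match, the tag does not.
    forged = "MAYOR=B|" + ballot_tag("MAYOR=A")
    print("altered:", reconcile(chits=3, printed=4, spoiled=1, box=[a, forged, a]))
```

The two checks cover different failures: the tag catches altered or misread ballots, while the chit and printed counts catch extra copies of otherwise valid ballots.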
On voting machines being a political issue, have you ever seen a politician not make something they control a political issue?
The two major parties re-draw districts to make them more solidly one party or the other so that the votes aren't close. They basically work to establish each district as one way or the other. Why wouldn't they want to work deals to jimmy the votes in those districts to not vary from the intended outcomes?? They just get mad at each other when the other party steals votes in a non-prearranged way.
Any time you have a concentration of power without the ability for the citizens to audit and review the complete process, you have corruption. If not at the start then at least eventually.
An important difference between voting machines and slot machines is in the parameterization of the inputs and the results.
With a voting machine, the inputs are variable, as the set of candidates and propositional votes vary from jurisdiction to jurisdiction. In contrast, the inputs and outputs of slot machines are almost totally fungible with minimal ability to modify behaviour.
It doesn't necessarily invalidate the idea of comparing security between these systems, but there will legitimately be differences in their behaviours and analyses.
@A nonny bunny
Your argument that you can make the game "fair" by flipping a coin to decide whether to play or not is troublesome. Consider the case where a mugger is waiting in an alley to slug you and take your wallet. If you flip a coin to decide whether to go down the alley, does that make the mugging "fair?"
Great points. I'm actually studying this stuff in my postdoc... BTW, that graphic is from 2006.
"Slot machines involve money. Electronic voting machines involve something much more abstract."
To me, this is the key differentiating point. The problem is that votes are worthless to the people administering the election.
If state legislatures were to ascribe a dollar value -- say $100 -- to each vote, mandate an independent audit of each election, and penalize their state election board's budget by the aggregate dollar amount of the lost/miscounted votes, I bet elections and voting machines would get a lot more accurate.
@A Nonny Bunny
Did you read the article pointed to? It said there was ZERO chance to win in certain situations. The machine was rigged to beat you no matter what you did, as it was programmed to do. There was nothing pseudo-random about it. If you would, explain how that is gambling.
How about just making the voting machines open source? Have the source code that is to be actually used in the machines available to be scrutinized by the public well in advance of the election?
@Frank Ch. Eigle:"My impression is that gambling computer software/hardware design is in fact intensely regulated by various governments (Nevada)."
It was an analogy, in a casino it is the casino that benefits on messing about with the machines and regulated by the government. In an election it is the current political party in government that can benefit from machine rigging and is regulated by the electoral commission (apparently).
Another important one: Slot machines were invented to perform entirely new tasks (new types of games); electronic voting machines are simply replacing another sort of equipment for the same task, and so just get treated the same as the old ones even though the vulnerabilities are not always identical. (Sometimes they are-- lever voting machines have long been acknowledged to be randomly broken and unreliable, and yet New York state has used nothing else for a long time.)
Not that the existing procedures were necessarily airtight for the old equipment, either. Read Election Administration Reports for a while if you want to get worried about every form of voting used in the US.
And the most important difference of all: Voting machines are supposed to give us a verifiably accurate count that is *objectively* correct, but their audit trail, if any, must be *anonymous*. Slot machines do not have anything like voting's requirement for a secret ballot. We must know how many votes were cast and what was on each one, but we must not be able to reconstruct who cast which vote.
Actually, yes, it is theater. If a computer voting machine spits out a paper tape and not all voters see it, and the paper tape is used only for auditing, there is no reason whatsoever to trust the paper tape any more than the voting machine's electronic count. Any bug in the machine that produces incorrect totals, could just as easily produce incorrect printouts.
The key to paper ballots is that:
1. The voter him/herself marks or examines the paper ballot and casts it
2. The paper ballot itself is what is counted
If you don't have that, "paper trails" are at least part theater.
Note: Optical scanners satisfy the above conditions. You can trust that the pile of ballots you have is legitimate for recount, if you mistrust the machine's count. They're real ballots. Having a *ballot marking machine* that produces ballots that a *separate* optical scanner then reads, also satisfies these conditions, as long as the voter gets to take the ballot from the marking machine to the optical scanner.
"For some reason I can't fathom, electronic voting machine accuracy is seen as a political issue."
There's a partial explanation for this. But it's easily overlooked--unless you remember some of the history of the activist campaign. There's path dependence in the political process.
Setting aside early advocacy by Rebecca Mercuri and a very few others, much of the first grassroots activism arose from the Seattle area. CS people in Redmond not only easily grasped the issue, but moreover were socially acquainted with Boeing engineers grounded in a culture of risk-analysis for critical systems.
When those early grassroots activists approached their political representatives, the representatives they approached --and began to convince-- were Democrats.
As the issue gained momentum, the Republicans reflexively opposed a "Democratic" movement.
A path dependent outcome.
> If you use a slot machine and lose your money,
> it doesn't really violate your expectations.
> Everyone around you is using the same
> machines, and they're mostly losing too.
> Winning is an aberration.
That also describes using voting machines, too.
I expect to lose money every time.
@gary: The Washington Post graphic was about computerized gambling machines in Nevada, USA. The crooked machine described in the article linked by your comment appears to be British.
So, this could be understood as an example of what happens when the regulatory regime is inadequate.
Former slot machine designer here; slot machines aren't that secure. Despite all of the measures in place, if a rotten egg developer wants to make a machine pay out, they can. It happens more often than is generally assumed, but the scope is limited as the idiot draws attention to themselves by suspiciously winning large amounts of money. The other layers of security, auditing payout ratios, casinos' pooling of information together about suspicious players, work pretty well at catching all kinds of chicanery.
And that's what is different between the two. When you have rivals that have a vested interest in their collective security working together, you'll have better security.
Anon for anon's sake.
In regards to the emulator game not being fair, I think there is a misconception going on here. It is quite likely that the game has randomly (using a pseudo RNG that obviously starts with the same seed value in this case) determined what the win amount would be. This is random (or pseudo, you get the idea) and fair. The fact that no matter what you do within that particular game state changes the payout is irrelevant; it's still random, it's just giving you the illusion of choice.
To couch this in another way, think of a game where you pick a token to reveal a win amount below the token. One way to implement this is to decide how much the player will win, then place that amount under whatever token they choose. This is still random, but it's giving the player the illusion of choice, which adds to the excitement and involvement in the game.
"much of the first grassroots activism arose from the Seattle area."
I strongly dispute that. But perhaps you live near Seattle, so that's what you saw? I'm not sure.
Activism on voting machine issues became a nationwide thing rather suddenly, in response to the 2000 Florida recount and then, within a couple of years, HAVA and the sudden proliferation of touchscreen voting as a result of HAVA. It was in those two years that this activism suddenly blossomed throughout the country.
You are right that a lot of it started with groups that were lefty / liberal / progressive / Green / Democrat. That had nothing to do with Seattle, Microsoft, or Boeing.
"I strongly dispute that. But perhaps you live near Seattle, so that's what you saw? I'm not sure....
"Activism on voting machine issues became a nationwide thing rather suddenly...."
Then tell me your story.... about the early days when you first brought the issue to people's attention, and they'd never before thought about it quite like that. Perhaps they looked at you like some kind of weirdo.... But, fortunately, people with strong technical backgrounds tolerated weirdos and would try to listen to what you had to say. The politicians were harder.
Tell me your story. I'd like to hear it. So tell me your story.
@Cos: "You are right that a lot of it started with groups that were lefty / liberal / progressive / Green / Democrat. That had nothing to do with Seattle, Microsoft, or Boeing."
I think you're right. Had the razor thin Florida count gone just as thinly the other way, righty groups may have done the same thing (or they may have blamed it on faulty registration, or something else in the process).
A parallel: I saw a boxing match a few years ago, and after the final bell one of the fighters and his manager were celebrating and hugging. He had his hands raised with a big smile, then the announcer declared the other fighter the winner. The losing fighter was furious, sure he lost because of poor scorekeepers and not because the other guy may have landed more punches. The winning fighter thought the score was fine.
I have a close friend who works for Caesars in customer service. He deals with a lot of people who think the machines are rigged or broken. I bet he'll never have someone come in after hitting a jackpot and say "man, I think something's wrong with your machine, I am sure I lost."
Moral of the story: it shouldn't surprise any of us that those who lose are the ones most likely to think the process needs to change.
So, ideally some things shouldn't be political. Realistically, it's not hard to see why they are, as wrong as it is.
The real difference is that with slot machines, everyone expects anyone who's able to cheat to do so, so there's an obvious need for counter-cheating measures and accountability.
With voting machines, nobody can come out and say that they expect cheating, so there's basically a mass delusion that security isn't so important because hey what are you really defending against anyway. Who would try to steal an election? And if you try to answer that you risk sounding like a crackpot, paranoid or conspiracy theorist.
Do any of you actually KNOW anything about slot machines or do you just like to whine about gambling?
Smart people here? Not so much.
But the point that an electronic device with a specific designed payout can be made secure from hacking and on site tampering because somebody spent time and money to prevent fraud and attacks in design and operation is very much relevant.
I'm certainly not whining about slot machines (or fruit machines in GB). That pejorative is petty and gratuitous. Every part of any slot game can be made to have a statistical chance to win (even if it is 10,000,000 - 1 or any other vanishingly small amount) and keep the payout at whatever percentage the house requires. I certainly hope that's what they do in Nevada (nobody here seems to have found out what the laws are in that regard). When you have a chance that is zero at any handle pull, that is cheating, just like the pea under the shell game. Aggregating payouts for all the machines shouldn't be allowed exactly for that reason - it would be easy (and perhaps even necessary) to have a machine that had a payout of zero, and since most gamblers are transient (and the machines can be easily moved), it would be a clever way of cheating some customers. When you choose to gamble and it is government-sanctioned, there are laws against cheating, enforcement, and (I hope) review by agencies of the machines used. I would expect nothing less. Casinos are certainly profitable enough to stand the cost of auditing. Tag a few machines, have them brought in for analysis. It would be easy to find if machines are paying out too much or too little. No machine should be allowed to be set to zero payout, which is the responsibility of the manufacturers. If found to be possible, the manufacturer cannot sell machines in the state.
With touch-screen voting machines, it amazes me how little security is built into them, how their totals are so easily manipulated. If the person I voted for disappoints me, that's one thing and can be rectified next time around, but if my vote is transferred to another candidate, that strikes at the heart of the state. There was no reason for these machines to be built in the first place, except fatuous ones. Speed need not be an issue if enough people are used to check votes. The scanning system appears better as there is a paper trail, but again it can be gamed because recounts are not allowed unless a vote total is close enough by law to merit such a recount.
Random recounts in random districts would take care of that, and if the machines aren't in compliance statistically, a total recount then needs to be done (which can be done with verified machines or by hand).
BTW, I have only gambled a few times in my life when with friends who took me to casinos or racetracks for (what they considered) festive occasions. On my own I never gamble.
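The random-recount idea from the comment above (and from the earlier "randomly audit samples" comment), as an added example that is not part of the original thread: it shows how many districts must be hand-counted to catch tampering with a given confidence, then runs the sample-and-escalate step. The district names, totals, seed and tolerance are constructed assumptions.

```python
import math
import random


def detection_probability(districts: int, altered: int, sampled: int) -> float:
    """Chance that a uniform random sample includes at least one altered district."""
    if sampled > districts - altered:
        return 1.0
    untouched_only = math.comb(districts - altered, sampled) / math.comb(districts, sampled)
    return 1.0 - untouched_only


def sample_size(districts: int, altered: int, confidence: float) -> int:
    """Smallest number of districts to hand-count for the wanted detection chance."""
    for n in range(1, districts + 1):
        if detection_probability(districts, altered, n) >= confidence:
            return n
    return districts


def audit(machine_totals: dict, hand_count, sample_n: int, seed: int, tolerance: int = 0) -> dict:
    """Hand-count randomly chosen districts; any excess mismatch forces a full recount.

    `seed` is assumed to be generated publicly after the machine totals are
    published, so nobody can know in advance which districts get checked.
    """
    rng = random.Random(seed)
    chosen = sorted(rng.sample(sorted(machine_totals), sample_n))
    mismatches = []
    for district in chosen:
        paper = hand_count(district)
        # Compare every candidate's machine total with the paper count.
        names = set(paper) | set(machine_totals[district])
        worst = max(abs(paper.get(c, 0) - machine_totals[district].get(c, 0)) for c in names)
        if worst > tolerance:
            mismatches.append(district)
    return {"audited": chosen, "mismatches": mismatches, "full_recount": bool(mismatches)}


if __name__ == "__main__":
    # Constructed data: 20 districts, paper says A=510, B=490 everywhere.
    paper = {f"D{i:02d}": {"A": 510, "B": 490} for i in range(20)}
    machine = {d: dict(v) for d, v in paper.items()}
    machine["D07"] = {"A": 470, "B": 530}  # 40 votes moved in one district

    n = sample_size(districts=20, altered=1, confidence=0.9)
    print("districts to hand-count for 90% detection:", n)
    print(audit(machine, paper.__getitem__, sample_n=n, seed=20081224))
```

When only a few districts are altered the required sample approaches a full recount, which is why the escalation rule matters as much as the sampling.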
The 'monopoly' game you refer to does not meet current Nevada regulations as I understand them, in particular the regulations for the PRNG. The regulations are available from:
As I said, this movement blossomed spontaneously all over the country due to some major national events. I got interested in vote counting process around the same time millions of other people did, during the Florida recount.
In 2002, HAVA passed, and had the maybe-unintended side effect of bringing touchscreen voting to many many jurisdictions in a very short time, and it was in response to that that I became active in voting process reform, as did many many other activists - it was the sudden influx of new paperless machines in the wake of HAVA that did it, and this was happening all over the country.
A lot of leaders emerged in the grassroots movement around 2002/2003 in the wake of HAVA, some who had been concerned about these issues for a while, some who were new to it. A lot of them, and a lot of the local activist groups that worked with them, started independently of each other, all over the country.
One of the more prominent activists, Bev Harris, is indeed from the Seattle area. She started at about the same time as most of the rest, first getting involved in 2002 IIRC, and doing some real work by 2003. I don't recall that she had any particular tech background before then - she learned the tech stuff as a result of getting into voting machine activism.
Other leaders and prominent activists emerging around the same time were elsewhere. Professor David Dill at Stanford (in the bay area), for example - and the organization founded around his work, Verified Voting, based in San Francisco. US Representative Rush Holt from New Jersey (one of the few scientists in Congress), who became concerned about paperless voting during the debate over HAVA in 2002, and was already introducing bills to evolve the law in the direction of paper by 2003.
FYI, I heard of Dill, Holt, and Verified Voting, and had actually worked with them, well before I was familiar with Bev Harris and Paul Lehto, the most prominent Seattle-area people I can think of in this movement. I also think their side of the movement has not been the most effective (though the amount of information Bev Harris has dug up is amazing, and has been very useful to others).
Thanks for the regulations. It appears that Regulation 14 addresses those machines. I'll read the pdf when I have a few moments.
What scared me today is that I went to an ATM and took out some money, then noticed the manufacturer's name on the machine - our old friends at Diebold. I'm never using that bank's ATMs again.
Thanks very much for your story.
Incidentally, I want to correct one misperception: I didn't mean to claim that prominent, contemporary movement leadership personalities ever emerged from crackpot, paranoid, conspiracy-theorist weirdos.
Bev Harris might possibly be an exception to that rule. Although afaik, she doesn't have a technical background in CS, EE or Aerospace. And, of course, she came along quite some time after NIST SP 500-158 in August of 1988: "Accuracy, Integrity, and Security in Computerized Vote-Tallying"
Anyhow, though, thanks for your story.
I wrote a little article in early 2004 about why e-banking was not a good justification for e-voting. No doubt I got some of the ideas from Bruce S's writings.
I hadn't thought of e-gambling machines. (I would think that some of the logic in favor of electronic slot machines can be transferred to online gambling devices.)
Slot machines are programmed so the house always wins, in that it profits from the activity - but the customer can win some of the time (a lot more of the take from slot machines goes to the customer than the take from state lotteries, in most places.)
That element of the programming has no place in election machines, of course.
Another part of the reason is voter-suppression by one Party, against the constituents (real or supposed) of another Party. Here in the States, the Republican Party has a two-decade history of voter-suppression (until the 1960's, the Democrats did this in the South). Also in the last twenty years, Republican candidates have won more small-turnout elections, and the Democrats have won more of the large-turnout elections (at least, that's the overall perception). Hence, keeping turnout low has become the province of one Party; confusing vote schemes help to lower turnout.
Usually a political group/party tends to be more popular, and tends to win election to the bureaucracy that runs the district's elections. Therefore, *another* group that often loses elections will suspect hanky-panky.
I'll note that most slots aren't incredibly accurate. Typically, the most accurate ones are the ones run by a state, where there are legal requirements for accuracy (an example: West Virginia Lottery Commission). A lot of white and grey market slots and slot features that try to break into the VLT market encounter this problem - they weren't really designed to always be right to start with.
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.