California Voting Machine Audit Results

The state of California conducted a security review of their electronic voting machines earlier this year. This was a serious review, with real security researchers getting access to the source code. The report was issued last week, and the researchers were able to compromise all three machines -- by Diebold Election Systems, Hart Intercivic, and Sequoia Voting Systems -- multiple ways. (They said they could probably find more ways, if they had more time.)

Final report and details about the audit here. Good blog entries here and here. We don't know what California will do now.

This is no surprise, really. The notion that electronic voting machines were somehow more secure than every other computer system ever built was ridiculous from the start. And the claims by machine manufacturers that releasing their source code would hurt the security of the machine were -- like all these sorts of claims -- really an attempt to prevent embarrassment to the company.

Not everyone gets this, unfortunately. And not everyone involved in voting:

Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house," said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials.

No. It's like giving burglars the schematics, installation manuals, and unlimited access to your front door lock. If your lock is good, it will survive the burglar having that information. If your lock isn't good, the burglar will get in.

I have two essays on this, from 2004: "Why Election Technology is Hard," and "Electronic Voting Machines." This essay -- "Voting and Technology" -- was written in 2000.

EDITED TO ADD (7/31): Another article.

EDITED TO ADD (8/2): Good commentary.

Posted on July 31, 2007 at 10:57 AM • 47 Comments

Comments

David (Toronto) • July 31, 2007 11:34 AM

Bruce you understate the problem!

The burglar doesn't need "unlimited access to your front door lock", just unlimited access to the same make and model of front door lock. If the lock isn't good then once they've figured out how to get in quickly they'll only need seconds or minutes in the field.

About the same time as some folks take to vote!

(Damn glad we still use paper (mostly)).

Thomas Reiner • July 31, 2007 12:01 PM

@ David
Lucky you. Here in Germany they're all crazy about voting computers. Even after some experts managed to install a chess program on one of the voting machines.

No, these things are soooooo secure :/

Mark • July 31, 2007 12:04 PM

Weir, head of the state Association of Clerks and Election Officials, displays determined ignorance that would be pitiful if it weren't so damaging. His threat model is wacky. Script kiddies may not have copies of manuals and source code. Anyone seriously intending to affect the outcome of an election by compromising voting machines will.

How do I know this? Voting machine manufacturers are ordinary commercial software developers, subject to no externally imposed security control. I worked for a major security software vendor, developing products for financial service providers, the DOD and national security agencies. They're subject to mandated security controls over software development environment and procedures. Yet anyone in IT has access to source code and manuals (PDF) from the source code control system. If Weir imagines that a determined adversary couldn't get a tech employee placed with a voting machine manufacturer, he's dreaming in technicolor.

Andre LePlume • July 31, 2007 12:21 PM

Look on the bright side. It'd be cool to have a front door lock that my postman could reprogram to play chess. :^)

Joe Buck • July 31, 2007 12:55 PM

I'm a Californian, and an admirer of Debra Bowen. But it's absurd that US states put partisan politicians in charge of state elections. Most countries assign the task to nonpartisan judges.

another bruce • July 31, 2007 1:10 PM

why doesn't somebody put an initiative on the ballot requiring open source software on voting machines?

Jason • July 31, 2007 1:58 PM

Why have computerized voting machines at all? They're totally unnecessary, and add complexity to what is, fundamentally, a very simple problem. In other countries -- Canada, Britain, and Switzerland, for example -- they count the votes in each precinct. By hand. There are already poll workers and election officials from both parties available at each polling place in the U.S. The average U.S. polling location serves 300 voters. Do the math. It's not tough to figure out that this is not a problem that needs to be solved with computers. This is a problem that exists solely because we insist on using computers where none are necessary.

nedu • July 31, 2007 2:11 PM

"[...] requiring open source software on voting machines?"

@another bruce

Are you proposing that voting machine software should be made available under a license meeting the open source definition?

"The Open Source Definition"
http://www.opensource.org/docs/osd

Particularly, are you proposing that voting machine software should be freely distributable, and allow modifications and derived works?

Or are you just throwing the term "open source" around like a journalist?

David (Toronto) • July 31, 2007 2:20 PM

In Canada, our ballots are generally very simple. In a federal or provincial election you basically get one vote for the candidate of your choice in your riding. Mind you, we can have a lot of independent and minor party candidates for that position. The party that wins the most ridings wins control of the government.

Municipal elections are only a bit more complicated. You get to vote for the Mayor, a councillor, school board rep, and another position or two.

With about 300 people per poll, counting works well manually. We still get staff bringing in their ballot boxes several hours after the polls close. And we see some terrible balancing errors from time to time.

In the US, as I understand it, they go to town with elected positions and almost all at the same time. How many positions, I can't say but I've heard it includes public prosecutors, police chiefs, and judges.

There's a big difference counting for 3-5 elected positions per ballot and counting many times more than that. I suspect that has a lot to do with the use of machines.

Dan Weber • July 31, 2007 3:12 PM

If you want to "require open-source software" on voting machines, you don't understand the nature of the threat.

Open-source machines are compromised all the time. Just like BS said at the top, "the notion that electronic voting machines were somehow more secure than every other computer system ever built was ridiculous from the start," and so is the notion that open-source electronic voting machines will somehow be more secure than every other open source computer system.

What we need is to make it so that the security of the voting machine doesn't matter. The machine should be a tool to make voting (and maybe counting) easier, but it should not be the repository of votes or of the ballots.

a • July 31, 2007 3:15 PM

I bet the manuals have the default security codes, which most likely are the same as they were set to in the factory, even if it says in huge letters to change the codes to something else for security reasons.

When the ATMs have the default codes still and someone gets caught for fiddling with the programs on the ATM, it's usually easier to audit and notice the difference than when all voting is electronic. How would we know if any votes are missing or if everyone really voted or whatever the results show?

Grahame • July 31, 2007 5:19 PM

> It's like giving burglars the schematics, installation manuals, and unlimited access to your front door lock.

umm, no. I do not expect my door lock to prevent a skilled and determined thief, but nevertheless, I have one, and I make sure it is locked. Because the greater part of my threat profile is opportunistic street kiddies who simply copy what they hear others have done.

Voting machines need to be secured against script kiddies too. But voting machines have a rather different threat profile to my house, and so they need to be secured against other things too.

I know that it's custom to rail against security theatre here, but it seems to me that the concept partially applies to voting systems: they are the guarantor of our continued freedom, so they must be secured against all perceived threats against them, not just all real threats.

Maybe it's just me, not being in the US, but I can't help seeing a relationship between poor voting systems, the deterioration of freedoms, and the loss of quality in political discourse.

Matthew Carrick • July 31, 2007 6:02 PM

Using computers for tabulating election results is like basing your religion on an oral tradition. No thanks. If any Canadian official ever decided to float the idea of not using paper ballots it would fail. Badly. Noisily.

king harold • July 31, 2007 6:07 PM

@another bruce:
Because the officials and politicians don't get it, and even if they did get it, a few "contributions" would persuade them. Check out what happened with AB1668 at http://bytesfree.org/blog for an example of a motivated company defeating a policy that was designed to benefit the public.

king harold • July 31, 2007 6:45 PM

@Matthew Carrick:
Typically, American elections are "consolidated," meaning that municipal, state, and federal elections are combined into one event for the convenience of the county clerks that actually conduct local polling and vote-counting. Each ballot may have dozens of candidates and issues on it, affecting multiple and overlapping territories. Therefore, nearly all counting is automated in some manner.

The thing about paper ballots is that they leave "artifacts" that can be audited to determine whether someone was cheating. And in fact, the artifacts are the votes that the voters themselves marked. We usually put the ballots (artifacts) in locked boxes accompanied by police officers that watch over them until the counting process is completed.

On the other hand, with a computerized voting system, even one with a "paper trail," you never can be sure that what the paper recorded is what the voter intended to mark. Further, the actual votes are merely electronic impulses in the computer, subject to any kind of manipulation (intentional or not) that any other data inside of a computer may suffer. The paper trail is a non-verifiable verification that the actual votes were accurate, and it isn't possible to have a police officer standing at every possible point where a vote may join or leave the group.

@nedu:
As for open source software, "many eyes make all bugs shallow." Yes, you do want the software to be available for inspection, modification (just not inside of the voting machines that will be used in an election), and distribution, in order for potential defects to be discovered *before* an election.

As I understand it, when Microsoft's Windows NT & Windows 2000 code was stolen, there was no uptick in break-ins or viruses from it. All the flaws that XP suffered before SP2 were not the result of bad guys seeing the source. They were the result of bad guys having access to working, but closed, systems.

Using custom, but closed-source, software or even COTS software in a voting machine is just plain stupid. How can you be sure that the vendor's product is reliable and relatively secure without checking for things like buffer overflows and double-freeing memory? Do you wait until some joker decides to make K-Fed our next president?

Even so, the benefits of open source cannot fully overcome the dangers of computerized voting.

Vicki • July 31, 2007 8:28 PM

For a little longer, we here in New York are doing things the old-fashioned way: the state legislature has passed a bill to use the old lever-style voting machines for this year's elections, given that there is no electronic one that has yet passed the state's certification.

It looked, for a little while, like we would instead all be voting on paper ballots, for manual tabulation.

The latter is an even older technology than Mr. Edison's machines, but has the advantage that there's no difficulty in getting replacement parts.

Avni Rambhia • July 31, 2007 9:25 PM

Mark makes a good point that any policy or directive which assumes the security vendors want to do (or can do) the right thing is inherently flawed. What's needed is a neutral third party validation of the functional integrity and anti-tamper robustness of any voting machine (and all updates to it). Arguably this is hard to do, but CableLabs has - for example - successfully automated functional and robustness conformance testing for cable/set top box devices. I firmly believe that congress needs to sanction (perhaps under the aegis of the NSA or Sandia) an office dedicated to specifying requirements for certified voting machines, for issuing (and revoking!) certifications, and even for reviewing anti-tamper technology vendors who could then be approved to supply anti-tamper technology for the voting machines. Until then, I don't see how we can ever vote with confidence on voting machines, particularly those driven by software and worse, which can be updated remotely.

@thomas • July 31, 2007 9:41 PM

"""Electronic voting = most corrupt guy wins. Why do it?"""

Like all things "E" (e-mail, e-commerce, ...), it's basically what we have now, only more e-fficient.

Matt from CT • July 31, 2007 10:37 PM

Connecticut's Secretary of State announced this week that the mechanical machines are retired effective immediately.

Most voting will be done by paper ballot, optically read -- excepting persons (such as the blind) who'll use handicap accessible machines to aid the privacy of their vote. We won't ask what happens when only one handicapped person votes in a precinct...

Optical scanning seems to be a great compromise between integrity of the votes with an efficient counting system.

Mechanical machines were an innovation to help curb ballot-box stuffing. One wonders if newer technology can help here -- say video cameras that record each voter placing a ballot in the box. More or fewer ballots than faces to go with them, and we have a situation.

=======
As to the length of the ballot, it varies widely from state to state, and even community to community. At the low end, some city voters may only elect a Town Council & School Board; on the high side I know of communities that still elect positions such as Fire Chief and Highway Crew Foreman, along with various committees such as Library Board, Cemetery Board, Water Board, Board of Health, etc. You may also have essentially archaic positions stripped of their historical duties, but that still are mandated constitutionally or statutorily to elect.

And add in Referendum questions -- again, vary by region, but ranging from approving municipal budgets, to authorizing new taxes / districts, to passing laws w/o the Legislature's approval, to State constitutional amendments.

As a total aside for "impressive," Middleborough, MA just had a Town Meeting on a locally controversial issue -- not a referendum, a meeting -- with some 4,000 voters in attendance.

While I don't know what mechanism they used, from past experience with large but not huge meetings like that, it couldn't have been by show of hands (people's arms get tired); they had an exact count so it wasn't a verbal "the ayes have it" situation; paper ballots are kind of a logistical challenge at that scale when everyone is in attendance and may be waiting on the outcome of one vote to determine if another agenda item needs to be voted on or not next -- and if they wanted it secret they could've adjourned to a referendum. Since the meeting was held outside, my guess is they had the able-bodied voters walk to either the left or right side of the field to indicate their vote and voted the elderly / handicapped who couldn't walk easily by having them show hands.

Frances • July 31, 2007 10:47 PM

In Toronto municipal elections, ballots are marked by closing a broken line to make a solid line. There can be multiple choices for different positions. The ballots are immediately put through a scanner which reads the choices and keeps the ballot. If it has not been marked correctly, it can be returned for correction. It is simple and fast and results are available minutes after the polls close.

nedu • July 31, 2007 10:58 PM

"Yes, you do want the software to be available for inspection, modification (just not inside of the voting machines that will be used in an election), and distribution, in order for potential defects to be discovered *before* an election."

. . .

"Even so, the benefits of open source cannot fully overcome the dangers of computerized voting."

@king harold

I'm glad you recognize that open source software is not sufficient to assure election integrity, availability, confidentiality and auditability.

I won't argue against open source software, in general, but for election systems it's not necessary, either.

Even if all the software for a voting machine were open source--and all the firmware, too--there still would be hardware providing "black box" functions. Yet a high assurance, security-fault tolerant design must function correctly despite compromised hardware. But once we've admitted that there are practically uninspectable subsystems which can fail maliciously, then it's just a matter of engineering which subsystems those are: hardware, firmware, software, or combined subsystem. Thus, open source is not necessary.

Given that open source software is neither necessary nor sufficient for a secure voting system design, then it becomes a political matter as to how hard some people want to push for open source everywhere, just on principle. Given a limited amount of political capital and influence, I'd argue against dissipating it here. There are enough critical issues in voting systems that I don't think it's worth fighting over non-critical issues.

That said, I have in the past, and will continue to argue strongly for "open architectures" in election system design. It's my considered judgement that the top-level architecture must be fully inspectable. Further, there are significant security benefits in obtaining components and subsystems from multiple vendors.

Richard Braakman • August 1, 2007 2:22 AM

It strikes me that slot machines at casinos are checked and certified more thoroughly than any voting machine. The threat model there is similar, since both the owners and the users of the machines have a motive to subvert their functioning.

Slot machines are easier to secure from their users, because usage is public and can be monitored. Tampering by the owner is very hard to detect in the field, however, since a slot machine with 90% payout looks just like one with 100% payout. It would take careful recordkeeping and analysis to tell the difference.

Nevertheless, confidence in these machines is high among the public. Perhaps the gambling industry can help certify voting machines. After all, what could go wrong?

Nick Fortune • August 1, 2007 3:12 AM

"Even if all the software for a voting machine were open source--and all the firmware, too--there still would be hardware providing "black box" functions."

Yes, yes. But insisting on open source software closes several avenues of attack.

For one thing, it allows widespread peer review of the code, which can find problems that might be missed even by the most conscientious internal review.

Secondly, it makes it far harder for intentional backdoors to be included in the software. Deliberate subversion of the process then _has_ to be moved off to hardware.

Hardware is another problem, and one that also needs to be discussed. Black box testing can be applied to hardware components, and is probably the place to start.

However, you don't leave your front door open just because the catch on the bathroom window is faulty.
Similarly it seems foolish to condone closed source software in such a critical role purely because an unrelated element of the system also requires a verification process.

Let's close all the avenues we can.

Colossal Squid • August 1, 2007 5:25 AM

Bryan said "Electronic voting = most corrupt guy wins. Why do it?"

I think you've answered your own question.

bob • August 1, 2007 6:51 AM

"We don't know what California will do now."

Sure we do - they will spin it to make out like this is the best possible outcome, spend a bunch of money to "prove" it is, leave the status quo, then pat themselves on the back and give themselves raises.

RonK • August 1, 2007 7:55 AM

@ Richard Braakman

> Nevertheless, confidence in these [slot] machines is high among the public.

Could someone give me a reference for that? I always had the impression that the vast majority of people playing slot machines just want to be able to have some non-zero chance of hitting the jackpot, not that they were interested in their exact expected return (e.g., it being 0.8426 on the dollar rather than 0.8362).

Dan Weber • August 1, 2007 8:53 AM

The gambling industry is *very* interested in keeping confidence high in gambling machines. Every gambler has lots of options, especially in a casino town.

The electronic voting industry? Not so much. Voting is a monopoly. Fortunately. But it also means that voters cannot decide "eh, I'm not confident here, I'll go vote someplace else." They have no choice. Dealing with the election board is only slightly more pleasant than dealing with the school board.

Casinos are tempted to tamper in their favor, of course, but the penalty for being caught cheating is incredibly high. It's not like the games aren't *already* tilted in the casinos' favor. They just need to keep that going.

Matt from CT • August 1, 2007 9:13 AM

The slot machine line of logic kind of scares me. It's fun but not logical to gamble.

And I'm afraid we'd end up with the elections being run by the State Lotteries and held at the local Quickie Mart. Just mark off your selection and have the clerk run the card through the Powerball machine... :D

Dan Weber • August 1, 2007 9:50 AM

> It's fun but not logical to gamble.

In that case, going to a football game or an opera isn't logical, either. All you get out of it is *sneer* enjoyment.

The gambling industry needs to convince millions of individuals that they are trustworthy. Those individuals make choices with their own money and will face the consequences of their own mistakes. The industry responds accordingly.

The voting industry only needs to convince a few over-worked election workers, who aren't spending their own money, and the consequences are graded strictly on a pass/fail curve. The industry responds accordingly.

cynrh • August 1, 2007 10:24 AM

"Letting the hackers have the source codes, operating manuals and unlimited access to the voting machines "is like giving a burglar the keys to your house," said Steve Weir, clerk-recorder of Contra Costa County and head of the state Association of Clerks and Election Officials."

The 'hackers' Mr. Weir referred to above was a group of Univ of California-Davis computer scientists led by a professor who published the results. It's frankly discouraging to see how deeply rooted the 'obfuscation' element of security is ingrained in the public, when a simple outside peer review/audit by academics is compared so freely to burglary.

Anonymous • August 1, 2007 11:13 AM

Open source voting machines would by nature be more secure, as the code is publicly available, and as such, more minds can try to crack and subsequently improve upon it.

The notion that open source code is inherently insecure is a fallacy. If all discovered security holes, by every random amateur and black hat hacker in the country are plugged, the compiled code will be much less likely to be compromised than code written by a private company. Also, people seem to forget that once the code is compiled and running, one can't make modifications to it. It's not like knowing the source code allows one to change the source of the program that is actually running in the machine.

Furthermore, I think that any system that is going to be used for a national election of the people, should be completely open to inspection by the people that are to be using it. Private companies writing closed source code for voting introduces too many variables, especially if said companies have conflicts of interest that may entice them to write the code with a subtle bias toward one particular candidate or party. Taking the 2000 and 2004 elections into consideration, this country needs more transparency in the voting process, not obfuscation.

nedu • August 1, 2007 11:25 AM

"[I]t seems foolish to condone closed source software in such a critical role purely because an unrelated element of the system also requires a verification process."

@Nick Fortune

I'm afraid you're missing a subtle point. That's pro'lly my fault, I didn't explain carefully enough. Let me start out with an anecdote:

A few months ago, I reviewed a "Discussion Paper on Coding Conventions and Logic Verification" for voting machines.

http://vote.nist.gov/Code-20061025.pdf

My initial reaction to this paper was a comment on section 5.1 (p.3). I noted that these coding standards appeared to bar the use of Verilog or VHDL.

The point of this anecdote is that it's all too common for people to think of software and hardware as entirely unrelated. But they're not.

In fact, the boundaries between software, firmware, and hardware get real fuzzy when you start looking at them closely. And, whether a particular function block is implemented in ASIC or on a general purpose processor doesn't change the fact that that function block is potentially compromisable and replaceable by malicious functionality.

You wrote, "However, you don't leave your front door open just because the catch on the bathroom window is faulty."

That might be a great analogy if we were discussing a house. It might even be an okay analogy if we were discussing an air-traffic control system--or another system that cannot be feasibly implemented without software. It might also be reasonable if the voting system were being deployed 20 km downrange from Cape Canaveral--at an altitude of 23.5 km. But none of those conditions apply here.

Instead, voting systems have their own set of domain-specific requirements. In particular, the requirement for voter confidentiality imposes significant constraints on the system. And, in essence, that requirement yields a requirement for a durable, voter-inspectable ballot. And once that constraint has been fixed, there's not a lot of excuse for software anywhere in the critical failure path.

BrianS • August 1, 2007 12:44 PM

@anonymous
"Open source voting machines would by nature be more secure, as the code is publicly available, and as such, more minds can try to crack and subsequently improve upon it. "

This logic is typical of the open source world, and inherently flawed.

The software produced by coders writing for open source is no more or less secure than that produced by equally talented and qualified developers in a closed source situation.

Once beyond the writing of the code, the quality of the reviewer (skill, education, tools), depth of the review, and the remediation paths for flaws establish the "secureness" of the code. Reviews in themselves are not enough, the reviews must be done by people who know what to look for, know how to look for it, and know how to get it fixed, etc.

I would agree that on a topic like voting machines, open source with academic review and availability of the code for independent review is key, but more for establishment of trust in the system than for creating a natively more secure code base. I think a team from MIT engaged in a closed source private review might be just as capable of finding bugs as a team from CalTech engaged in an open public way. I might however be more prone to trust the open source methods because if I felt the need and had the skill I could verify them.

Mad Piper • August 1, 2007 2:55 PM

(grain of salt for this whole comment: I used to work for one of the companies reviewed)

One of the problems all solutions have (DRE, scan, and manual) is the sad fact that voters cannot or will not follow instructions. You can put signs up, print on the ballot and tell voters how you want the ballot filled out and they will circle names (not fill in the box), put BIG check marks that cover multiple races, mark too many/few, etc...

Combine this with the fact that anything but a manual, visual count will be using some kind of tabulating machine, and even a visual count will probably be recording results in a database, and these kinds of vulnerabilities WILL exist. Don't get me started on the number of problems that manual counting procedures have had since cavemen were voting on how to distribute the day's catch.

The only solution that has and will continue to work is the procedures around the equipment and polling/counting locations.

For example the company I worked for would tell counties: "I know this looks like a computer, and you feel it should be connected to your network so it can get the latest updates, but it is not. It is a ballot appliance that should be kept off ANY network and locked in a secure room with limited (2 man rule) access." You would not believe the number of IT departments that would just come in a few weeks before the election to "just run some updates" and force the county to totally reload the machine as they could no longer trust it.

It is not really a question of the DRE machines being more vulnerable (some of the machines on the market are better), any voting process is going to have vulnerabilities and flaws. The procedures need to be designed so that the risks are minimized.

derf • August 1, 2007 4:35 PM

It's not like the use of paper is any better or worse. People still have to move the ballots from the poll stations to the counting location. People still have to sit and count them. People still have to tally the tallies. Introducing fake ballots at any point in the process isn't any more or less difficult under an electronic system.

Dan Weber • August 1, 2007 9:08 PM

"The notion that open source code is inherently insecure is a fallacy."

No, it isn't. But "open source" is irrelevant.

ALL code is insecure. Closed-source code is insecure. Open-source code is insecure. Code written by professionals is insecure. Code written by amateurs is insecure.

Neighborcat • August 1, 2007 9:24 PM

Open source code may become more secure over time, but doesn't this mechanism require system failures to prompt corrective actions?

Why would anyone intending computer voting fraud share a discovered flaw with those responsible for improving the code? So a fix can be written and make the work irrelevant? That seems to be counter to the black hat's interests, no?

MadPiper • August 1, 2007 10:50 PM

Neighborcat:
The idea is not that the "black hats" would voluntarily reveal the attacks, but that researchers, hobbyists, concerned citizens, and others would examine the code looking for flaws and reveal them.

I can see this working better here than in your average open source project due to the fact that many more people care about security flaws in voting machines than care about "my swiss army text editor". If these programs were open I am sure there would be many groups willing to pay people to do nothing else than look at the code.

Also note, just because the code is open, does not mean that whichever company needs to accept patches for the code from the public, just the notification that a problem exists.

Messerjocke • August 2, 2007 4:46 AM

In Germany, we still use paper ballots, counted by hand.
This way of voting has one great advantage:
It's completely transparent.
Anybody can watch any step of the process (except someone else's vote, of course).
From the empty urns arriving at the voting place, to the counting of the ballots by the helpers.
Why change that system to using a computer, which is always a black box to me when I'm standing in front of it?
Even if it's open source, how could one be certain that the same version is running on the machine????


Messerjocke

Nick Fortune • August 2, 2007 4:48 AM

@nedu

> In fact, the boundaries between software, firmware, and hardware
> get real fuzzy when you start looking at them closely.

I think it would be more true to say that it's possible to obscure
those boundaries. It doesn't have to be that way.

> And, whether a particular function block is
> implemented in ASIC or on a general purpose
> processor doesn't change the fact that that
> function block is potentially compromisable and
> replaceable by malicious functionality.

Verifying the code running on the machine, be it software, hardware or firmware, is a separate issue. There are a few ways to approach the problem. Hash fingerprints of the software and black box testing of the hardware would be a good place to start. I'm sure there are others on this list who could tighten that up a lot.

Remember, if we're talking about setting standards for electronic voting, there is no reason why we should not mandate a standard design. We can insist that all components are modular and can be easily removed to check that they still conform to specs. And we can define what functions may and may not be delegated to hardware or firmware.

> You wrote, "However, you don't leave your front
> door open just because the catch on the bathroom
> window is faulty."
>
> That might be a great analogy if we were
> discussing a house.

If we were discussing a house, it wouldn't _be_ an analogy.

> that requirement yields a requirement for a
> durable, voter-inspectable ballot.
> And once that constraint has been fixed,
> there's not a lot of excuse for software
> anywhere in the critical failure path.

Doesn't follow. Putting all the functionality in a custom chip doesn't prevent backdoors in the design, but does make them harder to find. It also makes it harder to verify on Election Day that the chip that drives the machine is the one that was specified, and it makes it harder to change the functionality to conform to new legislation.

The key, I feel, is being able to verify the machine: before, after, and preferably during an election. Then maybe we can have some confidence that the machine is performing the function it is supposed to perform.
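
One concrete form of the "hash fingerprints" check mentioned above, and of Messerjocke's question about whether the published version is the one actually installed, as an added example that is not part of this thread: a verifier that compares every file of an installed image against a published SHA-256 manifest and reports mismatched, missing and unexpected files. The file names, contents and manifest are constructed for the demonstration.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large images don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_image(root, manifest):
    """Compare the tree under root with manifest (relative path -> expected hex digest).

    An altered file, a file the manifest lists but the image lacks, and a file
    present on the image but absent from the manifest are all reported; the
    image is only 'ok' when all three lists are empty.
    """
    found = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            found[rel] = sha256_file(full)
    mismatched = sorted(p for p in manifest if p in found and found[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in found)
    unexpected = sorted(p for p in found if p not in manifest)
    return {"mismatched": mismatched, "missing": missing, "unexpected": unexpected,
            "ok": not (mismatched or missing or unexpected)}


def demo():
    """Build a constructed 'known-good' image, verify it, then tamper with it and verify again."""
    good = {"bin/tally": b"tally v1.0\n", "conf/precincts.txt": b"P1,P2\n"}
    manifest = {p: hashlib.sha256(c).hexdigest() for p, c in good.items()}
    with tempfile.TemporaryDirectory() as root:
        for p, c in good.items():
            full = os.path.join(root, p)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(c)
        clean = verify_image(root, manifest)
        with open(os.path.join(root, "bin/tally"), "wb") as f:
            f.write(b"tally v1.0 (patched)\n")   # simulated unauthorized change
        with open(os.path.join(root, "bin/extra"), "wb") as f:
            f.write(b"x")                         # simulated file not in the published build
        tampered = verify_image(root, manifest)
    return clean, tampered
```

The check is only as trustworthy as the software that performs it: hashes reported by a machine's own operating system can be faked by a compromised one, so the comparison should run from separately controlled, read-only media, and it says nothing about firmware or hardware outside the file system.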

wm • August 2, 2007 7:12 AM

@derf: "It's not like the use of paper is any better or worse. People still have to move the ballots from the poll stations to the counting location. People still have to sit and count them. People still have to tally the tallies. Introducing fake ballots at any point in the process isn't any more or less difficult under an electronic system."

I disagree. The fundamental difference between paper votes and electronic votes, I think, is that people can see pieces of paper but that they can't see electrons.

For example, observers can *watch* a ballot box being transported, and verify that the box isn't switched, emptied or added to. Observers can watch the counting of the votes, and confirm that the official tally agrees with their own count (there may be slight counting errors, but these should be small in the overall scheme of things). The observers can also count the number of ballots placed in the ballot box during voting, and ensure that it's the same as get taken out for counting, to detect pre-voting box stuffing.

Introducing fake ballots *is* reasonably hard under such a system.

(Here in the UK, these sorts of checks are implemented by allowing a representative of each candidate to watch all proceedings -- between them they will guard against fraud in *any* candidate's favour.)

With electronic systems, however, votes go into a machine, and numbers come out of the machine, but there's no way for anyone to tell if there's any relationship between the two.

Xellos • August 2, 2007 7:16 AM

"Introducing fake ballots at any point in the process isn't any more or less difficult under an electronic system."

It's a matter of scale. Ballot stuffing is limited to the tens or hundreds of votes unless you've got a lot of people in on the scheme. A single person can't do a whole lot, and as everyone knows, the more people involved in a scheme the more likely it is to be found out.
On the other hand, the electronic systems allow a single person to control thousands or, depending on the system, even more votes. One person getting in to one of the central tabulators can throw a whole district.

There's also the issue of auditability. Paper is easy to audit. It's something we've been dealing with for centuries. These machines, especially the DREs, are not. Some of them seem to go out of their way to NOT provide any audit trail, and of course, even the ones that do can't be trusted. We all know about rootkits, and what they can do to audit trails on systems. Not one of these EVMs that I've ever read anything about or seen has taken security even slightly seriously. Not a single one of them has had any features designed to deal with serious levels of auditing.

Combining the actual design of these systems with the backgrounds of the companies selling them (it's very instructive to check out the histories of these people, and not just the convicted-of-felony-fraud programmers they use) makes the whole thing very fishy.

Vince • August 9, 2007 1:45 PM

Most of the comments focus on the actual security of the system. This is irrelevant. The most important criterion for a voting system is that the voters believe it is fair and unbiased (not necessarily 100% accurate). This requires any system to be relatively easy to use, transparent and auditable after the fact. As Xellos points out above, paper ballots, even when counted electronically, satisfy these criteria rather well. Computer-based systems, with their lack of transparency to the voter, will always be suspect no matter how carefully designed and tested. Moreover, the vendors' unwillingness to provide meaningful audit trails dooms them to the scrap pile. The closest a computer system can come to satisfying the voter's needs is to print a paper copy of the voter's electronic entries and then require the voter to place it in a secure area before registering the vote. In the end, a scannable ballot is probably more cost effective.

Chris Kendon • August 16, 2007 6:36 AM

The critical point is that an election must not only be fair, it must be seen to be fair. So the losers can't say they were cheated.

This requires that ALL the source code for the system, including the application code, the OS and the compilers used to compile it, MUST be available for public review by anyone who wants to look at it, with no time limits. It doesn't have to be open source; copyrighted or patented code can be published, but if the source code is secret the product is unfit for any purpose involved in voting.

Newcastle Student Accommodation • June 30, 2008 11:35 AM

I bet the manuals have the default security codes, which most likely are the same as they were set to be in the factory, even if it says in huge letters to change the codes to something else for security reasons.

When the ATMs have the default codes still and someone gets caught for fiddling with the programs on the ATM, it's usually easier to audit and notice the difference than when all voting is electronic. How would we know if any votes are missing or if everyone really voted or whatever the results show?
