Electronic voting is getting slammed this week. First, Dan Gillmor’s Sunday Column took election officials to task for not insisting on providing physical paper trails that can be followed should the results of an election be in doubt. Then on Wednesday several computer security experts at Johns Hopkins University and Rice University published a scathing analysis of the design of the Diebold AccuVote-TS, one of the more commonly used electronic voting systems, based on source code that the company accidentally leaked to the Internet back in January. Exploits include the ability to make home-grown smart-cards to allow multiple voting, the ability to tamper with ballot texts, denial of service attacks, the potential to connect an individual voter to how he voted, and potentially the ability to modify votes after they have been cast. The New York Times and Gillmor’s own blog have since picked up the report. Diebold has since responded to the analysis, but at least so far they haven’t addressed the most damning criticisms.
There are several lessons to be learned from all this:
- Paper-ballot voting systems can fail and can be rigged, as anyone who was awake in November 2000 can attest. However, they have two advantages over electronic systems. First, they are easily understandable. Every voter and poll worker understands that ballots should be kept in a locked box to keep them from being stolen or modified. Far fewer people know how to prevent man-in-the-middle attacks on protocols that don’t encrypt their passwords. Second, paper ballots are localized. If I want to rig a paper-ballot election I need to do a lot of leg-work to get all those physical artifacts changed. With some of these electronic security exploits I just need access to a single voting booth and I can silently change every vote it registers for the rest of the day.
The solution lauded by both the Johns Hopkins team and Gillmor is to have a “voter-verifiable audit trail” as a backup for the electronic system. Whenever a vote is cast, a paper ballot is printed and checked by the voter for accuracy. If the print-out reads correctly, the ballot is stored as a record of the vote. If it is incorrect, the vote is invalidated and the paper ballot destroyed. Should the electronic record be questioned, the paper audit can be counted to confirm the results.
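To make the audit-trail procedure concrete, here is a small simulation added for this post (it is not code from Diebold, the Johns Hopkins team, or Gillmor). The machine, candidate names, voter behaviours and scenarios are all constructed: a healthy machine, a machine whose print path substitutes one candidate for another, and a machine whose electronic tally is changed after the votes were cast. The audit step recounts the stored paper ballots and compares them with the electronic tally, which is exactly the check the paper trail exists to support.

```python
"""Simulation of a voter-verifiable paper audit trail (VVPAT).

Each cast vote is recorded electronically and printed; the voter compares the
printout with what they intended and either confirms it (kept as the paper
record) or rejects it (vote invalidated, printout destroyed). After the polls
close, the paper record is recounted and compared with the electronic tally.
Every name, value and scenario below is constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


def attentive_voter(intended: str, printed: str) -> bool:
    """A voter who reads the printout and confirms only an exact match."""
    return intended == printed


def inattentive_voter(intended: str, printed: str) -> bool:
    """A voter who confirms whatever was printed without reading it."""
    return True


def identity_printer(choice: str) -> str:
    """A healthy print path: the printout says what was selected."""
    return choice


@dataclass
class VotingMachine:
    electronic: Counter = field(default_factory=Counter)     # DRE tally
    paper_ballots: List[str] = field(default_factory=list)   # confirmed printouts
    spoiled: int = 0                                         # rejected printouts
    printer: Callable[[str], str] = identity_printer

    def cast(self, choice: str,
             verify: Callable[[str, str], bool] = attentive_voter) -> bool:
        """Record `choice`; the printout is stored only if the voter confirms it."""
        printed = self.printer(choice)
        if not verify(choice, printed):
            self.spoiled += 1            # vote invalidated, paper destroyed
            return False
        self.electronic[choice] += 1     # electronic record of the selection
        self.paper_ballots.append(printed)
        return True


def audit(machine: VotingMachine) -> Tuple[bool, Dict[str, Tuple[int, int]]]:
    """Recount the paper ballots and compare them with the electronic tally.

    Returns (ok, discrepancies); discrepancies maps each candidate on which the
    two records disagree to (electronic count, paper count)."""
    paper = Counter(machine.paper_ballots)
    candidates = set(machine.electronic) | set(paper)
    diffs = {c: (machine.electronic[c], paper[c])
             for c in sorted(candidates) if machine.electronic[c] != paper[c]}
    return (not diffs, diffs)


def demo() -> Dict[str, object]:
    """Three constructed scenarios run through the audit."""
    intended = ["A", "B", "A", "A", "B"]

    healthy = VotingMachine()
    for choice in intended:
        healthy.cast(choice)

    # A print path that prints B whenever A was selected (faulty or hostile).
    misprinting = VotingMachine(printer=lambda c: "B" if c == "A" else c)
    misprinting.cast("A")                              # attentive voter rejects it
    misprinting.cast("A", verify=inattentive_voter)    # accepted unread: records diverge
    misprinting.cast("B")

    altered = VotingMachine()
    for choice in intended:
        altered.cast(choice)
    altered.electronic["A"] -= 2   # simulated change to the electronic tally after casting
    altered.electronic["B"] += 2

    return {
        "healthy": audit(healthy),
        "misprinting": audit(misprinting),
        "misprinting_spoiled": misprinting.spoiled,
        "altered": audit(altered),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two things the simulation makes visible. The paper trail only protects votes the voter actually checks: the attentive voter's rejected printout never enters either record, while the inattentive voter's accepted misprint leaves the electronic and paper records disagreeing, and it is the recount that exposes it. And a change to the electronic tally after the votes were cast shows up the same way, as a candidate-by-candidate mismatch against the stored paper ballots, which is why the paper count, not the electronic one, is the record to trust when the two differ.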
- To be secure, a system needs openness, not secrecy. Security is hard to get right, and there are a lot more bad guys in the world than there are good guys working on a single programming team. The best way to secure a system is to publish the full specs and source code and let the world’s experts look for loopholes. Diebold claimed their system was secure, and even had outside certification by “independent testing authorities.” But once the code was shown in the light of day the warts became visible. Vendors who sell “secure” software without publishing their source code are like used-car salesmen who won’t let you do a test-drive first.
Diebold is in an interesting situation now. The Johns Hopkins analysis found security holes big enough to fly a starship through, but they had to make a lot of assumptions due to not having the complete specification. Diebold is defending their software in part because of those holes in the team’s knowledge, but unless the whole system is brought out into the light for a full and informed debate to occur, there’s no way it can be trusted.
- The Johns Hopkins analysis notes that there was a large amount of additional source code they could have used to analyze the security of the system, but did not. The problem was that the extra source was protected by a PKZip password. PKZip doesn’t provide any real security (there are plenty of password-breaker programs online) but the team didn’t crack the minimal encryption because they were worried about being arrested under the Digital Millennium Copyright Act. Yet again, the DMCA has a chilling effect and leaves our Nation worse off and less secure in the process.
Luckily, if you live in California there’s something you can do. Secretary of State Kevin Shelley is soliciting public comments on a recent task force report on touch-screen voting machines, until Aug. 1. Comments can be sent to Secretary of State Kevin Shelley, attn: Touch Screen Report, 1500 11th St., Sacramento, CA 95814. E-mail comments to email@example.com or fax them to 916-653-9675.
- Technical Response To The Johns Hopkins Study On Voting Systems (Diebold, 25 July 2003, updated 29 July 2003)
- Computer Voting Is Open to Easy Fraud, Experts Say (NYT, 24 July 2003)
- Security Experts: Electronic Voting Machines Threaten Democracy (Dan Gillmor’s Blog, 23 July 2003)
- Analysis of an Electronic Voting System (Kohno, Stubblefield, Rubin and Wallach, 23 July 2003)
- Electronic Voting Machines Need More Safeguards (Dan Gillmor in Silicon Valley, 20 July 2003)
- Ad Hoc Touch Screen Task Force Report (California Secretary of State, 2 July 2003)