Hugh Thompson Answers Voting Machine Security Questions 122
You posted your questions for Herbert H. Thompson, PhD, on November 3rd and 4th. He decided to wait to answer until after the election in case there was a flagrant voting machine problem he could include in his answers -- and there has been at least one, but it is probably not a "security" problem per se, and is a long way from being resolved in any case. So here we go. Good food for thought here.
1) paper trail?
by ummit
This is a really basic question and it seems I should know an answer, but it never seems to be discussed: Why are the electronic voting machine companies generally so dead-set against emitting verifiable and auditable paper records? It can't just be cost, because they could and would just pass that on to their customers.
Hugh: In some states the debate has already been settled in that there is legislation in place requiring a voter-verified paper trail. Verifiedvoting.org has a good tracker of this here.
There are a few points often cited by groups resistant to a voter-verified paper trail. A first argument is that printers can fail. In touch-screen - Direct Record Electronic or DRE machines - printers are often the only components with moving parts (although some systems do have hard drives) which increases the risk of mechanical failure. Printers also bring issues like running out of paper, jams, misprints, etc. Another reason (cited less frequently) is the cost of paper/printing, but as you pointed out, this is a cost that can be passed on to counties.
Some election officials have also made the argument that they've already bought machines that don't have a paper trail and retrofitting existing machines would be costly and painful. I've also heard the argument that having a paper receipt doesn't matter because in most cases they won't be referenced.
I don't think that the sum of these arguments against a paper trail come any where near countering the necessity of having some sort of redundant recording mechanism. A critical system should always failover securely and a voter verified paper trail, if implemented properly, can meet that need for DRE machines.
2) Re:paper trail?
by Thansal
Sort of a follow up, how do the states/districts decide what machine to go with? Is it a standard "go with the lowest bidder", is this why we see such shoddy machines going into action? Do the decision making organizations tend to have specific features they look for? Anything else you would like to share about the decision making processes that you have seen?
Hugh: There are a couple of key things to keep in mind. First, there are only a few main machine suppliers. Second, the Help America Vote act (see http://www.fec.gov/hava/law_ext.txt) provided a ton of money to invest in electronic voting machines within a short (debatably unrealistic) timeframe. Given these two factors, the sales that I've seen have boiled down to readily visible machine elements like purchase price, how many other places have used the machines successfully, deployment cost, maintainability, ongoing service/maintenance cost, personal relationships, etc.
Generally, buyers of this technology aren't factoring in security: the machines pass certification lab tests but the testing doesn't cover security well (or at all). The National Institute of Standards (NIST) is working on certification procedures to address this very problem and the hope is that security will factor prominently into buying decisions made in the future. Hopefully existing machines will be retrofitted to meet those new standards too.
3) Largest Inherent Flaw?
by eldavojohn
In your opinion, what is the largest inherent flaw within electronic voting systems today? Diebold's been in the news for having many potential problems ranging from securing the physical hardware to the ability to hack the software or firmware. I'm sure you're quite prepared to pose a case against implementations but can you think of a more intuitive scheme (encryption, network layout, verification scheme) to protect against "hacking our democracy?"
Hugh: The biggest problem with e-voting isn't technical; it's procedural. Ignoring the perennial social voting issues (voter suppression, dead people voting, etc.) there's no real guidance given to elections administrators on how to safely and effectively use electronic voting equipment. If one has no idea what a memory card is, why would you bother trying to secure it?
One glaring example of bad procedure is 'sleepovers', a practice where voting machines are sent home with poll workers before an election to make the process of transporting them to polling places on election day easier (see http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9002204 for some info on this). If one were dealing with a box to hold ballots, 'sleepovers' wouldn't be a problem because the morning of the election a group of poll workers could inspect the box and verify that it was empty (including the old false bottom trick; see 'Stuffer's ballot box' at http://americanhistory.si.edu/vote/paperballots.html). If election officials knew the risks of tampering with some of these electronic voting machines (just search Slashdot for 'e-voting' for examples) then a voting machine sleepover suddenly seems like a pretty bad idea.
Right now we're at a point where election supervisors and poll workers are given a technology that they don't understand with little or no guidance on how to use that technology safely and securely. That's a recipe for serious risk, for voting or anything else.
4) Here is my question...
by Noryungi
Let's assume for a moment the 2006 US House/Senate election goes this way: Republicans keep control of both through a series of smallish victories, Democrats gain a few seats, and the results are explained away in the mainstream media as "fluke results", "margin of error", etc...
How do you prove that foul play (hacking) has been involved?
Do you even have a plan in place to check the results?
Please note that this is a very serious question. There was a saying, a few years back, that said a novice hacker is someone known in a small circle, a confirmed hacker is someone who is known all over the Internet, and a great hacker is someone who is totally invisible.
What if the election was subtly hacked, in a way that left lingering doubts (51%-vs-48% kind of results and all that), but no solid proof?
Hugh: First it's important to define e-voting security as a technology issue and not a partisan politics issue; what we've seen so far has been bad software and bad procedures to administer that software. Given the types of vulnerabilities that have been found, proving (and sometimes even detecting) foul play can be very difficult if the malicious person is skilled and the effect is minor (meaning a small percentage of the actual votes cast). For the types of vulnerabilities uncovered in some of the touch screens, optical scan readers, and backend tabulation systems, exploits can be written for some of them that are 'self erasing.' This means that the last executed bits of code can change things so that it looks like the original which could make slight tampering difficult to detect or prove in purely electronic systems. I think this argument speaks to the need for a voter-verified paper receipt so that there will be at least a good answer to the recount question.
5) OSS?
by Xzzy
Does the HBO show spend any time discussing the three "sides" to the debate? E-Voting, open sourced e-voting software, and paper voting? The last Slashdot article on this topic, when Diebold's complaint was announced, spent some time on this. The worry being, the debate is nothing more than "e-voting good" or "e-voting bad", ignoring the possibility that "open source e-voting" might be a viable middle ground.
How do you think open source could fit into this issue? Or should it?
Hugh: When it comes to voting, I'm not sure if it's a matter of open vs. closed source but instead a matter of standards and inspection by people who understand security. I'd be a fan of any solution, open or closed source, that allows trusted, knowledgeable, and independent software and hardware security practitioners the ability to inspect the systems and the code that runs them.
For example, I believe that there should be some sort of standards organization that is chartered with inspecting the system AND has proven security expertise to act as a representative of the people. For airplanes we put faith in FAA and airline carrier safety and security inspections. This kind of process has worked pretty well for a long time for machines that we place our trust in like airplanes, elevators, etc. but we're still a long way away from it in voting unfortunately. If the voting systems were open source, this may come automatically as a function of the 'citizen inspector' and might get us to where things should be faster but I think its still possible in a closed-source environment.
6) Pen-and-paper voting
by NetDanzr
What, exactly, is the argument against pen-and-paper voting? It seems to me that everybody wants to migrate to voting machines - electronic or mechanical - but so far nobody has explained to me what's wrong with good old-fashioned "put an X next to your candidate's name" voting.
Hugh: There are some pretty interesting (and legitimate) drivers behind e-voting and I'll go through the biggest.
The first is a push for disabled voters to be able cast their ballot using the same mechanism as able-bodied voters in a non-assisted way. Many states have mandated that machines must be able to service blind and illiterate voters and section 301 of the Help America Vote Act (HAVA)requires that such facilities at least be available (see HAVA section 301 from http://www.fec.gov/hava/law_ext.txt). Most touch screen machines do this through audio output to a headphone jack.
Another driver is the desire to capture voter intent unambiguously. Every year thousands of votes aren't counted because there's some ambiguity in how the voter intended to vote. In pen and paper voting, someone can put Xs (or shaded-in ovals) next to two candidate names instead of one or make a stray mark on a paper ballot which may lead to some late night debates involving lawyers and magnifying glasses. One of the hopes for e-voting was to drastically reduce voter intent ambiguity by guaranteeing that someone couldn't vote for multiple candidates in the same race simultaneously.
Efficiency (theoretically) has been another driver, more so in counting than in the actual voting process itself.
The sum of these present a good case to at least rethink pen-and-paper as the answer but, as with any new system, care has to be taken that the solution fixes more problems than it creates.
7) Why is it so hard?
by gorbachev
As a software engineer I'm constantly amazed at how incompetent Diebold and other companies making e-voting applications appear to be. This stuff is not rocket science at all, but fairly uncomplicated, basic software engineering.
Why do you think it's so hard for Diebold and other companies to come up with solutions that work well? Is it a stubborn unwillingness to listen and learn from critics, sheer incompetence, or something else?
Hugh: We've certainly seen some pretty glaring security problems in voting machines that span touch screens, tabulators, and optical scan devices. We've really seen problems across vendors too. The biggest problem I think is that there's no real economic driver to make the systems more secure. The people that buy voting machines typically haven't discriminated based on the security quality of the machines because they have no visibility into it. It's like buying a car without something like consumer reports crash test ratings. Unless someone actually starts looking at machine security and comparing it then we're left to making buying decisions based on qualities we can see like purchase price, market share, and whatever unsubstantiated thing the vendor wants to tell us about features and quality. Even given some of the vulnerabilities that have been found, and supposedly fixed, we're still no better off. If you determine that company X has vulnerability Y in one of their voting systems who's to say if the competition's voting system is any better or worse? We are at the point now where we know the systems that have been looked at are sub-par with respect to security and hopefully that's enough to spur consumers (counties that buy the machines) to start asking some tough questions to vendors about security and get us to a place where they can factor security quality into their buying decisions.
8) On Open vs. Closed Networks
by the-banker
It has always seemed to me that the real Achilles heel of e-voting is the networked approach that most vendors have taken. With a networked approach, fraud can be perpetrated on a mass scale if entry is gained at one weakness.
As a former election judge, I have enough experience to know that rigging a paper election is a daunting, nearly impossible task, as there are literally thousands of ballot boxes that would have to be compromised for any sort of advantage (on a state or national scale).
Are these concerns balanced (or even discussed) when officials are purchasing equipment? Do local Board of Elections have not only the expertise, but the concern to ask the right questions? And how do BoE directors react when they hear about your concerns and research?
Hugh: I agree that networking machines together is a serious risk certainly from a scale-of-attack perspective and unfortunately some counties continue to modem in results from polling places using procedures that are insecure.
I think the bigger issue is visibility and awareness; election officials just aren't given procedural guidance on how to administer the systems securely. The result is risk and I think many of these risks aren't weighed with the proper magnitude by election officials because it's unfamiliar territory. I think that most Board of Elections officials are good people who want to do the right thing but just don't know what questions to ask vendors about security and don't know how to interpret their answers. This isn't just a problem in voting, it's a problem with software security in general and I think it's important that if you're investing heavily in a software-based solution that you ask hard questions about security. I think a good starter set of questions to throw at software vendors (voting or otherwise) is:
- What process improvements have you made as a result of vulnerabilities reported in your software?
- What is your patch release (or update) strategy?
- Have you had an external (and reputable) security auditing or penetration testing firm evaluate your system? Can we see a summary of their report?
- Can we have our own security auditing firm evaluate your system?
- Do you have a dedicated team to assess and respond to security vulnerability reports in your products?
- What is your vulnerability response process?
- What training do your development and testing groups receive on security?
- What percentage of your test team is focused on security?
- What are the terms and period of your security support agreement?
- Do you offer security training, documentation or guidance to people that will be operating your system?
9) The greatest threat to e-voting?
by sharkb8
Do you think the greatest threat of an e-voting system being hijacked is during the voting itself, with one or more people influencing things at the polling place, during the processing, with untrained, nonaccountable poll workers and supervisors, or do you think a greater threat would be someone maliciously attacking an electronic vote counting repository/database?
Hugh: In terms of attack, the greatest risk is still probably a people risk; and that has existed for a long time. The concern with e-voting is that some of the vulnerabilities found make it so that the number of folks that would have to be involved to tamper with results is fewer than before and that their efforts may scale. From that perspective I think there's risk at each stage of the process from how voter registration databases are stored and secured, to how they are cast on election day, to when they get aggregated at the central tabulator. The 'riskiest' piece of the process actually varies from state to state and county to county based on the procedures they have around security. In some places the biggest threat may exist in registration databases that are stored on unprotected servers. In other counties risk may come from poll workers that election officials know very little about who are allowed to take voting machines home the night before elections to make the setup process easier the next day. In others, the biggest risk might lay in the central tabulator which is housed in an unlocked room, where many people enter and exit throughout the day.
Many of these risks could be reduced by poll worker training and procedural change on how machines are operated and secured.
10) Is the Harm Really that Great?
by logicnazi
I am saddened and dismayed by the poor engineering and ignorance of basic security practices that our electronic voting machines show. However, is this really something we should panic about or even the biggest problem in our election system?
All voting systems are vulnerable to fraud. What makes these electronic systems different is that one or a very small number of individuals can engineer a fraud. However, their ability to execute a fraud is limited by the media polls (we will suspect something if the results are inexplicably different than polled) and knowledge of precinct history. Thus the danger from individuals changing the vote seems to really be that they will shift a close race (say 10% apart) one way or another.
However, this sort of shifting close races doesn't greatly degrade the structural force of voting. All candidates will still try to enact policies to garner support whether they need 50% of the votes or only 45%. Much of voting is random, affected by things like personal charisma rather than policy questions so clearly the system doesn't work because we always have the person who 50% want but rather it works because of the structural pressure not to stray too far from what the people want. Or to put it in political science terms, what does all the work is the tendency of all candidates to shift to the middle so in the long run who actually wins each race isn't so important.
But now comparing the potential for electronic vote fraud to things like machine politics (with conventional ballot stuffing), safe districts, voter disenfranchisement efforts, felon lists etc.. etc.. it doesn't seem like it is such a big deal. Making sure the polling places in the inner city don't have enough machines has a much bigger structural effect, by making sure one group's votes don't count at all, than just giving one candidate a random 10% of the vote. Creating a safe district removes virtually all of the structural pressure of voters on government and it seems far more effective and less dangerous to accidentally strike the wrong people from the rolls or put too few voting machines in some precincts.
In short are we letting our concern over the technology of voting blind us to the bigger issues? Shouldn't we be paying more attention to who gets to vote, how districts are drawn and other conventional aspects of voting than to the potential for individuals to electronically cheat?
Hugh: I think that the flaws we've seen with electronic voting are only a piece of the problem and that the largest issues we have in voting are people ones. The technical flaws, though, may amplify some of the classic people threats. As you pointed out, some of the vulnerabilities may allow a malicious person's actions to scale or may mean that a smaller number of people to have a bigger influence. Even just within the space of e-voting security I'd argue that many of the risks that come from machine vulnerabilities can be greatly reduced if we had some sound broad procedures/education around using and administering the machines securely.
The voting process has always posed some significant challenges. E-voting security is a small piece of the larger problem. It is a piece that we know we can do something about, though, by establishing some basic security assessment standards for the machines themselves and some procedural and education standards for those that administer elections. The biggest sin would be that e-voting vulnerabilities merit a prominent place on the laundry list of voting problems in years to come. I think we're at a point where some simple things can be done to move it off that list and I hope that some of the standards efforts that have begun now in earnest get rolled out so attention can be focused on other ongoing voting challenges.
Secure tallying (Score:5, Interesting)
What I'm envisioning is some kind of method where votes can be tallied, and the running tally can be periodically published during the count. I imagine it would have some kind of hashing technology, like PGP, where tallies are perhaps encoded in a string, and the string is published. The hashing token, or whatever mechanism allowed a vote to be legitimately added to the tally, would be passed from one voter to another, after they voted. This puts the power to count votes into the hand of the voters, rather than a poorly-trained election volunteer, a partisan, or a hackable machine. Because of the constraints of the token and hashing, a voter can only vote as they are allowed, without destroying the tally hash string.
Unfortunately, this is [X] a highly technamalogical solution, and while it might be possible, it would be difficult to get people to understand, and thus endorse it.
Re:Secure tallying (Score:5, Interesting)
Some places already have partial solutions to this problem. What follows is specific to Wake County, NC; your laws may vary:
At poll closing time, the optical-scan machine prints multiple copies of a totals tape, showing total ballots cast (which bloody well needs to match the number of authorization forms issued), and totals for each race.
Two of these results tapes go back to the BoE by different means (in addition to the scanner sending in its results electronically). A third is posted at the polling place.
Therefore, you can check up on the official, precinct-by-precinct, certified results by going around to the precincts and copying down these numbers. If the official tallies differ by more than the number of absentee and provisional voters in the precinct, there's a problem.
This will catch central-tallying anomalies (like someone hacking the central database). It doesn't catch problems with the individual precincts' scanners, but some random percentage of those are hand-count audited after each election to check up there.
Ambiguity = Not counted?! (Score:4, Interesting)
This is ridiculous! If a paper ballot has an ambiguity and won't be counted, it should be flagged as such as soon as it's inserted into the machine so that the voter can have some sort of opportunity to ensure that their vote is counted. This is a terrible argument for touch-screen voting.
Think about this for a moment; this means that things like ballot ordering or candidate name has an influence on whether or not your vote will even be counted, and you wouldn't ever know.
Re:The Democrats Won (Score:3, Interesting)
I have heard "they're better for blind/disabled"...and I don't believe it for a second. How do you measure this? Do blind and disabled voters agree?
I have heard "faster totals"...yeah, but - is fast better than accurate?
I have heard "saves printing costs" - at the expense of having to hire more tech-savvy voting machine attendants?
I'm not convinced at all, and I don't really care who wins, as long as we make every possible effort to insure that the winner is the person who received the most votes. It's not about Democrats, Republicans, or Green/Rainbows, it's about making sure every vote counts, and the results are auditable. It's about Democracy, folks, and it's up to all of us to make sure that every vote is accurately and verifiably counted.
Re:Anonymity (Score:3, Interesting)
> are uncorrelated with the voters. The total number of votes == the total number of voters, but we don't know who voted for whom.
The votes wouldn't need to be tied to the social security number, only the account would need to be. Have the server randomly generate voting pages where the options (A,B,C) each represent a candidate or party on a random basis (on my ballot A is democrat, on your ballot A is republican). Once your vote is submitted, the server enters your choice of candidate (democrat, republican, independent) in a central database but doesn't record who you are, but ALSO enters your choice of option (A,B,C) in a seperate database that you have access to which is tied to your social security number. The random page generated for you by the server is not retained anywhere. You can access the second database (at least for you own user id) and see that your option (A,B,C) has been recorded correctly, but no-one can use that info to tell who you voted for (except yourself, assuming you remember or keep a record of what A,B,C corresponds to. The actual results database is not tied to your SS number or user id. The whole thing could be done with open-source software, and done transparently.
People can also check that the totals for the database of candidate choices equals the totals for the database of option choices. Accuracy can be verified but anonymity is retained.
Re:The Democrats Won (Score:3, Interesting)
and if a person is completely blind, how in the name of whatever Deity you believe in is a touch screen that they can't see going to help?
and just how disabled are you if you can't put an X in a 1.25" circle? even if you have tourette's or something and you screw up your ballot, you can get another one as many times as you need to until you get it right.
faster? results before you go to bed (well, results when you wake up if you live in the east) isn't fast enough for you?
i'll certainly agree with you on that computerized voting machines are a solution in search of a problem.
Tyranny of the Majority (Score:3, Interesting)
Haven't there already been several instances of claims of this kind? Isn't it the case that systematic problems with exit polling (and other polls) make it very difficult to make strong, credible claims about election results?
It seems like 10% is a fairly significant margin in most races, so I'm not sure why one would treat this as though it were a small thing. I do appreciate the point that somehow this may not change the structural correcting force arising from elections, but I do think that it can cause a situation where you have tyranny of the majority (or even a large minority). If a politician has a buffer zone of 10%, that may allow him to pander to one particular consituency while completely ignoring all others, as long as the buffer zone is enough to have him safely reelected. Persumably, in the fair election a politician has to aim to satisfy not just a majority of constituents but a sizable enough majority to ensure victory. So, it seems like such a vote buffer might still really lead to very significant qualitative change. If nothing else, one can look to how differently a legislature operates when the majority party has a margin of a few percent of seats versus when they have a margin of, say, 10%. In the latter case, one often sees compromise all but disappear.
I guess another way to look at it is that policy difference can be quite large, even between relatively similar political candidates. People thought, for example, that Bush and Gore were pretty similar, and in many of their policies they were (when compared to the larger spectrum of political ideologies, compare with people like Bernie Sanders or Pat Buchanan). If you believe, however, that the Iraq war would not have happened under a Gore presidency (seems at least plausible), then we're talking about thousands of U.S. soldiers dead, tens of thousands wounded, tens or hundreds of thousands of Iraqis dead, hundreds of billions of dollars spent, and the fate of an entire nation radically changed. No matter your feelings about the Iraq war, my point is only that this is, indeed, quite signficant. I'd have a hard time trying to argue to the families of all those dead and wounded that it isn't.
I appreciate the point that people aren't voting based on perfect (or, perhaps, even good) information anyway, and there are many other ways to steel elections, but it's hard to see how you can face up to facts like those just mentioned and not at least try. In any case, as Dr. Thompson alluded to, it's a false dichotomy. It's not as though you have to choose to fight only one source of fraud, and it will take different people with different expertise to combat each.
Re:Why not have voting over internet? (Score:2, Interesting)
The whole process took 10 minutes from walking in the front door to walking out again. I didn't have to show ID. I can see the utility of computerized systems for giving independence to disabled voters, but I don't understand the mad rush to implement it for the general populace.
* If you are homeless, you can describe or draw where you spend most of your time on the voter registration form. I don't know how they find you in the roles, presumably there's a "none" heading under addresses.