July 26, 2003
Electronic Voting Gets Burned
Electronic voting is getting slammed this week. First, Dan Gillmor's Sunday Column took election officials to task for not insisting on providing physical paper trails that can be followed should the results of an election be in doubt. Then on Wednesday several computer security experts at Johns Hopkins University and Rice University published a scathing analysis of the design of the Diebold AccuVote-TS, one of the more commonly used electronic voting systems, based on source code that the company accidentally leaked to the Internet back in January. Exploits include the ability to make home-grown smart-cards to allow multiple voting, the ability to tamper with ballot texts, denial of service attacks, the potential to connect an individual voter to how he voted, and potentially the ability to modify votes after they have been cast. The New York Times and Gillmor's own blog have since picked up the report. Diebold has since responded to the analysis, but at least so far they haven't addressed the most damning criticisms.
There are several lessons to be learned from all this:
- Paper-ballot voting systems can fail and can be rigged, as anyone who
was awake in November 2000 can attest. However, they have two advantages
over electronic systems. First, they are easily understandable. Every voter and
poll worker understands that ballots should be kept in a locked box to keep
them from being stolen or modified. Far fewer people know how to prevent
man-in-the-middle attacks on protocols that don't encrypt their
passwords. Second, paper ballots are localized. If I want to rig a paper-ballot
election I need to do a lot of leg-work to get all those physical artifacts
changed. With some of these electronic security exploits I just need access
to a single voting booth and I can silently change every vote it registers
for the rest of the day.
The solution lauded by both the Johns Hopkins team and Gillmor is to have a "voter-verifiable audit trail" as a backup for the electronic system. Whenever a vote is cast, a paper ballot is printed and checked by the voter for accuracy. If the print-out reads correctly, the ballot is stored as a record of the vote. If it is incorrect, the vote is invalidated and the paper ballot destroyed. Should the electronic record be questioned, the paper audit can be counted to confirm the results.
- To be secure a system needs openness, not secrecy. Security is
hard to get right, and there are a lot more bad guys in the world than
there are good guys working on a single programming team. The best way to
secure a system is to publish the full specs and source code and let the
world's experts look for loopholes. Diebold claimed their system was
secure, and even had outside certification by "independent testing
authorities." But once the code was shown in the light of day the warts
became visible. Vendors who sell "secure" software without publishing their
source code are like used-car salesmen who won't let you do a test-drive
first.
Diebold is in an interesting situation now. The Johns Hopkins analysis found security holes big enough to fly a starship through, but they had to make a lot of assumptions due to not having the complete specification. Diebold is defending their software in part because of those holes in the team's knowledge, but unless the whole system is brought out into the light for a full and informed debate to occur there's no way it can be trusted.
- The Johns Hopkins analysis notes that there was a large amount of additional source code they could have used to analyze the security of the system, but did not. The problem was that the extra source was protected by a PKZip password. PKZip doesn't provide any real security (there are plenty of password-breaker programs online) but the team didn't crack the minimal encryption because they were worried about being arrested under the Digital Millennium Copyright Act. Yet again, the DMCA has a chilling effect and leaves our Nation worse off and less secure in the process.
Luckilly, if you live in California there's something you can do. Secretary of State Kevin Shelley is soliciting public comments on a recent task force report on touch-screen voting machines, until Aug. 1. Comments can be sent to Secretary of State Kevin Shelley, attn: Touch Screen Report, 1500 11th St., Sacramento, CA 95814. E-mail comments to taskforcecomments@ss.ca.gov or fax at 916-653-9675.
References:
- Technical Response To The Johns Hopkins Study On Voting Systems (Diebold, 25 July 2003, updated 29 July 2003)
- Computer Voting Is Open to Easy Fraud, Experts Say (NYT, 24 July 2003)
- Security Experts: Electronic Voting Machines Threaten Democracy (Dan Gillmor's Blog, 23 July 2003)
- Analysis of an Electronic Voting System (Kohno, Stubblefield, Rubin and Wallach, 23 July 2003)
- Electronic Voting Machines Need More Safeguards (Dan Gillmor in Silicon Valley, 20 July 2003)
- Ad Hoc Touch Screen Task Force Report (California Secretary of State, 2 July 2003)
Diebold's response has gone down the memory hole.
Posted by: Omri at July 30, 2003 11:12 AMUpdated, thanks. Clearly what we need is an automatic archiver/cacher plug-in for MovableType. I've already had two of my links rot out from under me, and I've only been blogging for two weeks.
'Bug
Posted by: Bug at July 30, 2003 11:55 AMIn April, California Secretary of State Kevin Shelley banned a type of diploid touch screen in California and took the unusual step of asking the Attorney General to investigate both civil and criminal actions against the company for fraud.
Two weeks later, Walden O'Dell, the chairman and CEO of diploid finally admitted it was a "huge mistake" for him to write -- in a Republican fundraising letter -- that he was committed to delivering electoral votes for Bush.
Since then, Kevin Shelley has become America's leader in ensuring there is a paper trail to prevent voting fraud. When CNN needs a comment on election fraud, they interview Kevin Shelley.
He's right, there should be a paper trail and strong safeguards to prevent fraud. In fact, there is not a single rational argument from the opposition, which consists mainly of diploid and other Bush operatives.
Since they can't logically argue against fair elections, they have now started an aggressive decapitiation attack against Shelley. The strategy appears to assume that an aggressive character assassination of Kevin Shelley will slow the movement and prevent reform before the election.
By aggressive character assassination, consider shell's hometown San Francisco Chronicle is in DAY FIVE of their front page smear campaign against Shelley. Somehow (act surprised), a bunch of documents "appeared" that suggest wrongdoing by a Shelley donor. Not surprising is the fact that there is no evidence Shelley knew of the wrongdoing or could have had anything to do with it. But with any smear campaign, you only find that out if you carefully read the whole story while the headlines suggest Shelley is guilty of the largest scandal since Watergate.
Democrats are standing with Shelley, not just for his singular focus on voting rights, but also for his long service as a groundbreaking progressive legislator. But the smears are taking their toll and are already hurting efforts to ensure a fair presidential election.
The current smear campaign is not without precedent. There have already been reports of FBI agents harassing people for speaking up against unsafe electronic voting.
We can't let CREEP win. We can't let the movement for fair elections slow because of these character assassination attacks. We can't abandon the Secretary of State because of the smear.
Stooping to this level is one more reason why our votes need to count -- we desperately need to get our country back on track.
If you're wondering why they are doing this to Shelley, here are two reasons:
http://www.ss.ca.gov/executive/press_releases/2004/04_030.pdf
http://www.ss.ca.gov/elections/ks_dre_papers/diebold_report_april20_final.pdf
*******
http://blogswarm.blogdrive.com/archive/65.html