There's quite a hubbub surrounding e-voting. Security Center Editor Larry Seltzer doesn't care if he doesn't see a paper record of his ballot, and frankly he'd feel better if none existed. But caution in e-voting is definitely called for.
Electronic voting has been in the news a lot lately, almost as much as in late 2000. The punch card debacle of that year inspired many states to adopt electronic systems in a precipitous hurry.
Unfortunately, it appears that one of the major systems is riddled with security flaws.
It all began when someone leaked onto the Internet what was purported to be the source code for the Diebold AccuVote-TS voting terminal (the code no longer seems to be available where it had been). It was analyzed by a number of experts, including Avi Rubin, a well-known security researcher and co-author of the essential "Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition." His analysis of the code may be found here.
Organizations have formed around the issue. VerifiedVoting.org is run by a computer science professor, David Dill of Stanford. VerifiedVoting.org has a number of polemical FAQs along with good background on the issue.
The site also offers an online petition of sorts where people can endorse several technical goals, including a paper trail that gives a voter a sense of confirmation that their vote was actually registered. Dill is very big on this idea that the voter should have some sort of physical confirmation that their vote was counted. This paper trail would also enable a recount from every individual vote.
Here's how the system would work: The voting machine tabulates nothing. You vote on the touch screen, or whatever interface is provided, and the machine prints out the ballot. The ballot lists everything you voted for in text, along with a machine-readable section that encodes the same data. When you are satisfied that the ballot says what you want it to, you take it out of the voting booth to the Board of Elections people (soon to be called the Board of eLections), and they scan the ballot with a separate device. I'm not sure whether there is a practical way to encode write-in votes, or whether there needs to be a manual entry process for such ballots.
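To make the two-part ballot concrete, here is an added example (not code from the column, from VerifiedVoting.org, or from any vendor) of what the booth printer and the separate scanner would each do. The contests, candidate names and the JSON encoding of the machine-readable section are all assumptions made for the example; it also shows one way a write-in could be carried in the machine-readable section, which the column leaves open. The security-relevant step is the last one: the scanner decodes the machine-readable section, re-renders it as text and refuses the ballot unless that text is exactly what the voter approved, so a machine that prints one thing and encodes another is caught at the table rather than in a recount.

```python
import json

# Constructed sample contests for this example; the real ballot layout is
# whatever the Board of Elections defines.
CONTESTS = [
    {"id": "GOV", "title": "Governor", "choices": ["A. Adams", "B. Baker", "C. Clark"]},
    {"id": "SEN", "title": "State Senate, 3rd District", "choices": ["D. Diaz", "E. Evans"]},
    {"id": "Q1", "title": "Question 1 (school bond)", "choices": ["Yes", "No"]},
]
CONTEST_BY_ID = {c["id"]: c for c in CONTESTS}


def render_text(record):
    """Turn a machine record (a list of [contest_id, selection] pairs) into
    the human-readable lines the voter reads. A selection is None (no vote),
    an integer choice index, or {"write_in": name} for a write-in."""
    lines = []
    for contest_id, sel in record:
        contest = CONTEST_BY_ID.get(contest_id)
        if contest is None:
            raise ValueError(f"unknown contest {contest_id!r}")
        if sel is None:
            lines.append(f'{contest["title"]}: NO SELECTION')
        elif isinstance(sel, int):
            if not 0 <= sel < len(contest["choices"]):
                raise ValueError(f"bad choice index {sel} for {contest_id}")
            lines.append(f'{contest["title"]}: {contest["choices"][sel]}')
        elif isinstance(sel, dict) and set(sel) == {"write_in"}:
            lines.append(f'{contest["title"]}: WRITE-IN "{sel["write_in"]}"')
        else:
            raise ValueError(f"unrecognized selection {sel!r} for {contest_id}")
    return lines


def print_ballot(selections):
    """What the booth printer produces: (text_lines, machine_section).
    `selections` maps contest id -> choice index, ("write-in", name) or None.
    Every contest is recorded, so an omitted contest becomes an explicit
    undervote rather than a field the scanner has to guess about."""
    record = []
    for contest in CONTESTS:
        sel = selections.get(contest["id"])
        if isinstance(sel, tuple) and len(sel) == 2 and sel[0] == "write-in":
            sel = {"write_in": sel[1]}
        record.append([contest["id"], sel])
    text = render_text(record)          # rejects out-of-range choices before printing
    machine = json.dumps(record, separators=(",", ":"))   # assumed encoding
    return text, machine


def scan_ballot(text_lines, machine_section):
    """The separate scanner at the election table: decode the machine
    section, re-render it, and insist it matches the text the voter
    approved. Returns the decoded record, or raises ValueError."""
    try:
        record = json.loads(machine_section)
        rendered = render_text(record)
    except (ValueError, TypeError, KeyError) as exc:
        raise ValueError(f"unreadable machine section: {exc}")
    if rendered != list(text_lines):
        raise ValueError("machine-readable section does not match printed text")
    return record


if __name__ == "__main__":
    text, machine = print_ballot({"GOV": 1, "SEN": ("write-in", "F. Fox")})
    print("\n".join(text))
    print(machine)
    print(scan_ballot(text, machine))
```

Because the check compares rendered text against the printed text rather than trusting either half alone, the scanner must be a device the booth machine cannot influence, which is exactly why the column's proposal has it scanned by a separate device at the table.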
Now I don't care for the idea of there being a record of every individual vote, since it makes it easier to determine how any one individual voted, although the proposed system can be set up with safeguards against this happening. I'm actually more comfortable with trustworthy machines, and then trusting them to keep running tallies.
Think of how much easier it would be to do a Florida-style recount if they didn't have to look at every stupid punch card. And not every older voting system allows you to do a recount the way Dill insists.
For example, in my New Jersey district, we have the mechanical machines with levers you swing to make a selection. When you finish making your selections, you pull a handle to open the curtain behind you; the vote is mechanically registered and the levers reset. There is no record of an individual vote; running tallies, however, are kept by mechanical counters on the machine, to which voters are not allowed access.
At the end of the day, when the machine is opened, it prints out a total for each cell on the ballot. This is the way I've voted my whole life (1980 was my first election), and I haven't heard of voters being upset that they didn't have a paper ballot to check. In fact, it seems to me that these individual ballots are more of a problem than they're worth.
It's easy to imagine a more aggressive electronic voting system that actually tabulates votes and is sufficiently secure that no voter could compromise it. There would need to be rules around its operation:
The machines should not be on any network. Were I designing an electronic polling place, I would have the screen as the only interface accessible to the voter. No hacking would be possible unless the programming is so bad that the voter can do something other than vote. Every vote could be logged to persistent storage, perhaps even redundant persistent storage, although I'm not sure I'd want it to be.
The machine should provide access through a locked rear panel, and only election officials would have the key. It would be good to have the machine burn the results to a CD-R, which would also help with archiving of results, although even a floppy disk provides far more capacity than necessary. Extra disks could be provided to official challengers and observers. It wouldn't be hard to put a cheap display on the back of the unit to show the results, if that would make officials happier.
If the machines are on a network, it should be only a local network with no WAN links. (This reminds me of the old line: "Never put your hand in the food processor. If you're going to do it anyway and you're right-handed, use your left hand.")
In addition, the network shouldn't use TCP/IP, but some oddball proprietary protocol. This would make it harder for an attacker to use off-the-Net hacking tools to attack the machine. But I think it's best just to keep the machines off a network.
One of the problems with the Diebold system is that it uses smart cards, which are easily counterfeited, the very sort of product I get a hundred spams a day for. The point of the smart cards is to prevent voters from voting more than once.
Remember the mechanical systems they use where I live? What's so hard about having a mechanical curtain in the electronic voting booth? The vote is registered only when the curtain is opened, so the voter can register only one vote.
These electronic voting systems are relatively small and not free-standing machines like the mechanical systems I'm used to. But still, the recording of the digital vote could be tied to the opening of the voting booth's curtain. A simple switch and a connection to the voting machine's USB or parallel port would solve this problem.
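For readers who want to keep the card approach rather than replace it with a curtain switch, here is an added example (not the column's design and not Diebold's) of what it takes to make a voter card hard to counterfeit and impossible to use twice. The card format, the election and precinct identifiers, and the use of HMAC-SHA256 with a key shared between the activation station and the machines are all assumptions for the example. The machine rejects a card whose authentication tag was not produced with the key, a card for another election or precinct, and a card whose serial it has already honoured.

```python
import hmac
import hashlib
import secrets


class CardIssuer:
    """Election-table station that activates a voter card. It holds the
    per-election MAC key; the machines hold the same key inside the locked
    compartment. Key and election id are constructed for this example."""

    def __init__(self, key: bytes, election_id: str):
        self.key = key
        self.election_id = election_id
        self.serial = 0

    def issue(self, precinct: str) -> bytes:
        """Write one card: election | precinct | serial | HMAC over those."""
        self.serial += 1
        body = f"{self.election_id}|{precinct}|{self.serial}".encode()
        tag = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        return body + b"|" + tag.encode()


class VotingMachine:
    """Booth-side check: a card is honoured only if its tag verifies for this
    election and precinct and its serial has not been seen before."""

    def __init__(self, key: bytes, election_id: str, precinct: str):
        self.key = key
        self.election_id = election_id
        self.precinct = precinct
        self.used_serials = set()

    def accept(self, card: bytes) -> bool:
        try:
            election_id, precinct, serial, tag = card.decode().split("|")
        except (UnicodeDecodeError, ValueError):
            return False                      # malformed card
        body = f"{election_id}|{precinct}|{serial}".encode()
        expected = hmac.new(self.key, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                      # forged or altered card
        if election_id != self.election_id or precinct != self.precinct:
            return False                      # wrong election or precinct
        if serial in self.used_serials:
            return False                      # cloned or re-inserted card
        self.used_serials.add(serial)         # one card, one vote
        return True


def demo():
    """Exercise the checks; returns a dict of case -> accepted?"""
    key = secrets.token_bytes(32)             # constructed election key
    issuer = CardIssuer(key, "2004-GENERAL")
    machine = VotingMachine(key, "2004-GENERAL", "P-12")
    card = issuer.issue("P-12")
    stranger = CardIssuer(secrets.token_bytes(32), "2004-GENERAL")
    return {
        "genuine card": machine.accept(card),
        "same card again": machine.accept(card),
        "forged tag": machine.accept(b"2004-GENERAL|P-12|999|" + b"0" * 64),
        "other precinct": machine.accept(issuer.issue("P-13")),
        "card made without the key": machine.accept(stranger.issue("P-12")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Two caveats a practitioner would add. The key must never be readable from the voter's side of the machine, which is the same locked-rear-panel requirement the column already imposes for everything else. And the used-serial set lives in one machine; with several unnetworked machines in a precinct, a copied card could be presented once at each, so either each card must be bound to a machine identifier at activation or the machines must share the set, which brings back the network the column would rather do without.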
Let's imagine that the machine has somehow been compromised. With either the VerifiedVoting.org proposal or my own, the only ways this could happen are tampering by Board of Elections personnel, which is possible no matter what technology is used, or hacked code in the system itself. In either case, there are technical means for determining whether the code has been tampered with, including performing test voting runs with the equipment.
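The two technical means mentioned here are, in practice, an integrity check of the installed software against a digest recorded from the audited build and a logic-and-accuracy test that feeds a deck of known votes through the tabulator. Both are shown in the added example below, which is not code from the column or from any voting-system vendor. The software image, the published digest, the candidate names, the test deck and the vote-shifting tabulator that stands in for tampered code are all constructed for the example.

```python
import hashlib
import hmac
from collections import Counter

# Constructed stand-in for the audited build of the voting program, and the
# digest an independent auditor would have recorded for it.
REFERENCE_IMAGE = b"tabulator build 1.0\n" + bytes(range(256)) * 4
PUBLISHED_SHA256 = hashlib.sha256(REFERENCE_IMAGE).hexdigest()


def image_matches_manifest(installed: bytes, published_hex: str) -> bool:
    """Pre-election check: hash what is actually installed and compare it
    with the digest published for the audited build."""
    return hmac.compare_digest(hashlib.sha256(installed).hexdigest(), published_hex)


def honest_tabulator(ballots):
    """Single-contest count: each ballot is the chosen candidate's name."""
    return Counter(ballots)


def vote_shifting_tabulator(ballots):
    """Constructed tampered count: every fourth vote for Adams is credited
    to Baker. It exists only so the test below has something to catch."""
    counts = Counter()
    adams_seen = 0
    for b in ballots:
        if b == "Adams":
            adams_seen += 1
            if adams_seen % 4 == 0:
                b = "Baker"
        counts[b] += 1
    return counts


def logic_and_accuracy_test(tabulate, test_deck):
    """Run a scripted deck whose correct totals are known in advance and
    report (passed, expected_counts, machine_counts)."""
    expected = Counter(test_deck)
    got = tabulate(list(test_deck))
    return got == expected, expected, got


TEST_DECK = ["Adams"] * 40 + ["Baker"] * 30 + ["Clark"] * 10   # constructed


if __name__ == "__main__":
    print("image ok:", image_matches_manifest(REFERENCE_IMAGE, PUBLISHED_SHA256))
    patched = bytearray(REFERENCE_IMAGE)
    patched[10] ^= 1
    print("patched image ok:", image_matches_manifest(bytes(patched), PUBLISHED_SHA256))
    for name, fn in [("honest", honest_tabulator), ("tampered", vote_shifting_tabulator)]:
        passed, expected, got = logic_and_accuracy_test(fn, TEST_DECK)
        print(f"{name}: {'PASS' if passed else 'FAIL'} expected={dict(expected)} got={dict(got)}")
```

The example also shows the limit of a test run: the shifting tabulator passes a deck of three Adams votes and one Baker vote because the shift never triggers, so a deck must be large and varied enough to exercise the counting paths, and code that behaves differently on election day than during testing is not caught by a test run at all, which is why the image check and the independent audit the column calls for are needed alongside it.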
Finally, there's the open-source issue. I agree that public confidence is important in a system such as this, and open source would be a good thing. But I'm not sure it's essential. Certainly, if the product is not open source, at least one completely independent audit of all aspects of the system, hardware and software, would be mandatory. Of course, this would be necessary if it were open source too. (Just because source code is available for a program, don't assume it's been scrutinized. There have been examples of intentional tampering with the source trees of open-source products.)
There have been some hysterical calls from non-technical people to put a stop to electronic voting altogether, as if it's some sort of virus. I really hope people will try to be rational and not assume that the existence of bad implementations means that there are no good ones.
In a sense, I endorse VerifiedVoting.org's goals: We shouldn't put up with any flawed voting system. A flawed system is a flawed system, whether it's an electronic ballot or a paper one with hanging chads.
Security Topic Center Editor Larry Seltzer has worked in and written about the computer industry since 1983.