Today at 10:00 AM Eastern I’m testifying at a House Administration Committee hearing on e-voting. Here is the written testimony I submitted.
Archives for September 2006
Reacting to our report about their AccuVote-TS e-voting product, Diebold spokesmen are claiming that the machines are never networked. For example, Diebold’s official written response to our report says that the AccuVote-TS “is never attached to a network” and again that “These touch screen voting stations are standalone units that are never networked together.” This is false – AccuVote-TS systems are designed to be networked.
The Diebold manual that came with our machine explains how to network AccuVote-TS machines. The manual is called “AccuVote-TS User’s Guide: GEMS Touch Screen Client 4.1”, revision 1.0. In section 8.5, “Transfer Results”, the manual explains,
Results [of elections] are transferred are [sic] by means of a TCP/IP network connection, either directly, by modem or ethernet.
Representative tests of all results transfer configurations should be performed in the process of election confinguration, including transmissions by direct, modem, or ethernet connection.
Touch the Transfer Results button in order to activate the Transfer Results Window… Enter the network host name in the Host Name field using the [keyboard]. Enter the network user Id in the User Name field and the network password in the Password field.
Other sections of the manual contain similar text describing the transfer of election results over a network.
Appendix E of the manual lists “[s]upplies required and recommended for AccuVote-TS system operation, maintenance and logistical support”. The list includes “network cards” and “ethernet cabling”.
Diebold’s insistence that the voting machines cannot be networked is especially odd given that the conclusions in our report don’t rely in any way on the use of networking – even if Diebold’s no-networking claim were true, it would be irrelevant.
One of Diebold’s responses to our paper and video about their products’ security is that election workers are honest and would never do anything to corrupt an election. Like many of Diebold’s arguments, this one is mostly true but almost entirely irrelevant.
The overwhelming majority of election workers are honest and diligent. They put in a long, hard day and struggle with unfamiliar equipment, receiving little or no pay in return. They’re on duty in the polling place for the best of reasons. Next time you vote, remember to thank them.
But one of the lessons of our study is that even one dishonest election worker can cause big trouble. So the relevant question is not whether the average election worker is honest, but whether a would-be villain can get a job as an election worker.
The answer to that question is almost certainly “yes”. Election workers are in short supply in most places, so any competent adult who volunteers is likely to get the job. And every election worker I’ve talked to has had private access to a voting machine for more than a minute – enough time to inject the kind of vote-stealing software we demonstrated.
As always with computer security, we don’t just worry that things will go wrong on their own. What really vexes us is that our adversary is trying to make things go wrong. If a single election worker can corrupt an elections, then the bad guys will become election workers. Without the necessary safeguards, the many honest election workers won’t be able to stop them.