August 23, 2017

Honest Election Workers

One of Diebold’s responses to our paper and video about their products’ security is that election workers are honest and would never do anything to corrupt an election. Like many of Diebold’s arguments, this one is mostly true but almost entirely irrelevant.

The overwhelming majority of election workers are honest and diligent. They put in a long, hard day and struggle with unfamiliar equipment, receiving little or no pay in return. They’re on duty in the polling place for the best of reasons. Next time you vote, remember to thank them.

But one of the lessons of our study is that even one dishonest election worker can cause big trouble. So the relevant question is not whether the average election worker is honest, but whether a would-be villain can get a job as an election worker.

The answer to that question is almost certainly “yes”. Election workers are in short supply in most places, so any competent adult who volunteers is likely to get the job. And every election worker I’ve talked to has had private access to a voting machine for more than a minute – enough time to inject the kind of vote-stealing software we demonstrated.

As always with computer security, we don’t just worry that things will go wrong on their own. What really vexes us is that our adversary is trying to make things go wrong. If a single election worker can corrupt an election, then the bad guys will become election workers. Without the necessary safeguards, the many honest election workers won’t be able to stop them.

Comments

  1. I’m still trying to figure out how to view the situation you’ve uncovered. On the one hand, I’m pretty certain that poll workers actually had more ability to tamper with election results in the early days of our country than they do today. On the other hand, Diebold’s performance is embarrassing for everyone who works in politics.

    So, do you think it is feasible to get rid of this junk in time for this year’s election? I’m a little skeptical. But, if not, someone needs to figure out how we manage Diebold’s hubris.

  2. Being somewhat familiar with cryptographic/cryptological reasoning, and the mundane workings of the world, I’m confident many people will not be getting the point of targeted infiltration. (Perhaps unless it is presented as malicious turban-wearing Arab terrorists attacking the homeland.)

  3. the_zapkitty says:

    Stephen Purpura Said:

    So, do you think it is feasible to get rid of this junk in time for this year’s election? I’m a little skeptical.

    It depends on if the afflicted states have a “rollback” capability: the ability to go back to their previous system. I would think that few do, given the provisions of HAVA. A new backup paper system could be deployed, but it could not be as efficient as the pre-Diebold systems ditched by the states.

    And Diebold would still be lying at every step of the way about how their system would have worked “perfectly”.

    ” But, if not, someone needs to figure out how we manage Diebold’s hubris.”

    Practicality dictates a solution where the emplaced machines have their specifics released to third parties and the machines can then be sanitized by third-party observers 24/7 during the balloting.

    Realpolitik dictates ignoring or even quashing the Princeton findings until after the November Debacle has run its course.

    Any way you choose: expensive, inefficient, troubled elections… and all the while Diebold will be lying nonstop until finally hit with a court order.

    All in all it is an extreme disservice to the American people who paid out billions for a better election system in order to avoid a repeat of 2000.

  4. On the one hand, I’m pretty certain that poll workers actually had more ability to tamper with election results in the early days of our country than they do today.

    I don’t think so. The problem is that in the past, yes, you could cheat, but it required an apparatus, a fairly large number of people in on the deed and probably at the local level. That needs a big conspiracy to contain the secret; very big if you’re changing national or even statewide elections. Now it can be done by one person getting into the local voting place; even a very large and widespread fraud now requires a relatively small conspiracy. One person at each precinct, or perhaps not even that many, with a more centralized control.

    So instead of needing tens of people to commit fraud at a single precinct, those tens of people can change the vote in an entire state. It’s a much worse situation than before. And there’s no trail now.

  5. “On the one hand, I’m pretty certain that poll workers actually had more ability to tamper with election results in the early days of our country than they do today.”

    Er … right. Previously, to change a vote required either stuffing ballot boxes or spoiling lots of ballots. Doing that in a dispersed way would be ineffective under the electoral college system: a few extra/spoiled votes in each district tends to have no effect, even if there are 100,000 in total, vs. 20,000 in each of five hotly-contested swing districts. But concentrating them that way leads to some districts showing either suspiciously high numbers of spoiled ballots (remember 2000?) or suspiciously high numbers of ballots period. Which triggers an investigation and a recount.

    Now, a fraudster can change someone’s vote other than by spoiling their ballot. They can flip 10,000 votes for Kerry to votes for Bush in each of five districts with five conspirators — perhaps only one — and with much less work, resulting in the same net change of 20,000 in “how many more voted for Bush than for Kerry” and no change whatsoever in those districts’ counts of a) total ballots or b) spoiled ones.

    The election could be stolen right out from under our noses.

  6. And while we’re at it, here’s a way to make paper votes even more secure against large-scale (or even small-scale) tampering, while preserving the secrecy of the ballot, the transparency of the process, and actually using advanced computer security technology.

    When each voter registers, they’d receive a unique 256-bit code in the form of a barcoded sticker. Records of which codes were assigned and which never used would be kept, but records of which code went to which voter would be destroyed — a double-blind sort of system.

    At the polling place, a voter would not need to give out their name or other info (and could disguise their physical appearance too, if desired). They would have the sticker scanned. If the code was in the database and not flagged as having voted already, they could vote. Which would involve peeling the sticker off its backing and attaching it to the ballot. When they’d cast their ballot, the database would be updated to mark them as having voted.

    Ballots would now not be anonymous, but pseudonymous.

    Stuffed ballots would be easy to detect as there’d be some mixture of ballots with invalid codes and with duplicate codes.

    There are then new ballot-spoiling and other fraud attacks, but all except some of the ballot-spoiling attacks would require compromising the central DB or the communications network. The communications could be encrypted and spread-spectrum, and all electronics generator-powered, making sabotage of the infrastructure extraordinarily difficult (e.g. via cutting phone lines, jamming signals, or engineering power failures). Protecting the central DB is the kind of security problem we’re getting fairly good at solving. Observers from all parties could monitor the DB and the site of its physical hardware for anything suspicious.

    What remains are accidents or attacks that spoil ballots by invalidating votes after the fact (with duplicated or bogus bar codes, or by traditional means) or before (by stopping someone voting). High rates of spoiled ballots or rejected voters would raise a red flag, and moreover could readily be detected on a polling-site by polling-site basis, finer grained than currently. And ballot-stuffing attacks would be even harder to pull off.

    Of course, recounts could still be done, too.

    It’s even possible for a court to keep but seal the mapping between codes and voters, and for specific sets of multiple ballots a) selecting multiple candidates and b) sharing one bar code, unseal the identity of the voter to an election official when shown these ballots. Under the circumstances, the voter’s intent isn’t revealed (the ballots have multiple candidates selected) so this doesn’t ruin the secrecy of their ballot. They can be contacted and allowed to recast their vote (again, with a secret ballot, of course) into the recount. (Multiple same-code ballots with the same candidate selected on all of them can just be treated as one vote for that candidate, secure in the knowledge that the voter’s intent is preserved.)

    This last creates a fairly weak attack on ballot secrecy: clone a sticker, and with multiple blank ballots, present a bunch of dummied-up ones to a judge along with the real one the voter made, all the while knowing which one that is, in the hopes of discovering his or her identity. This would not scale and would be hard to do in practise. It and other attacks are further weakened by putting counterfeiting-resistance features into the stickers, such as holograms or microprint, commonly used on currency and credit cards now.

    One attack remains to discuss: someone can acquire multiple stickers and (perhaps changing their physical appearance on each occasion) cast multiple votes. (By buying stickers from the poor, or looking for mailboxes of people that are dead or on vacation, or even dumpster diving behind an apartment block full of apathetic voters, for example.)

    If each sticker’s code is linked to only one valid polling place for using it at, this is hard to pull off without being caught. (And makes the above claim, that suspicious activity can be detected at the fine grained level of individual polling sites. Secrecy of the ballot is preserved because a code can still only be linked to some set of hundreds or even thousands of people, rather than just one, via access to the DB.) Or, the existing method of having to show ID at the polling place can be used. In this case, to avoid the specter of a poll worker building up a mapping of sticker codes to IDs, the sticker is then kept hidden until unpeeled and applied to the ballot, with ID being used instead of scanning the sticker to validate someone’s eligibility to vote.
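
The tallying and anomaly-detection rules the commenter sketches above (codes that were never issued, codes used at a site other than the one they are linked to, overvoted ballots, same-code ballots counted once when their selections agree and set aside for review when they conflict, and per-site flag rates as the red-flag signal), as an added Python example that is not part of the original post or any comment. The issued-code table, site names and cast ballots are constructed sample data; the one-valid-site-per-code linkage follows the variant in the commenter's last paragraph, and the 256-bit code generator uses Python's `secrets` module as an assumed implementation of the "unique 256-bit code".

```python
import secrets
from collections import Counter, defaultdict


def new_code():
    """Generate one 256-bit registration code (assumed implementation: 32
    random bytes from the OS CSPRNG, hex encoded, so 64 hex characters)."""
    return secrets.token_hex(32)


# Constructed sample data: the surviving registration record is only the set
# of issued codes and the single polling site each code may be used at; the
# voter-to-code mapping is assumed destroyed, as the comment proposes.
ISSUED_CODES = {
    "c001": "site-1", "c002": "site-1", "c003": "site-1", "c004": "site-1",
    "c101": "site-2", "c102": "site-2", "c103": "site-2",
}

# Constructed cast ballots: (code read from the sticker, site where the ballot
# was cast, set of candidates marked). A well-formed ballot marks one candidate.
CAST_BALLOTS = [
    ("c001", "site-1", {"Alice"}),
    ("c002", "site-1", {"Bob"}),
    ("c003", "site-1", {"Alice", "Bob"}),   # overvote: spoiled ballot
    ("c004", "site-2", {"Alice"}),          # code linked to site-1, cast at site-2
    ("c101", "site-2", {"Bob"}),
    ("c101", "site-2", {"Bob"}),            # duplicate code, same choice: one vote
    ("c102", "site-2", {"Alice"}),
    ("c102", "site-2", {"Bob"}),            # duplicate code, conflicting: review
    ("zzzz", "site-2", {"Alice"}),          # code never issued: stuffed ballot
]


def audit_ballots(issued, ballots):
    """Tally pseudonymous ballots and separate the anomalies.

    Returns (tally, flags, rates): tally maps candidate -> counted votes,
    flags maps an anomaly category -> list of offending codes, and rates maps
    polling site -> fraction of its ballots that were flagged."""
    tally = Counter()
    flags = defaultdict(list)
    site_cast = Counter()
    site_flagged = Counter()
    by_code = defaultdict(list)

    # Pass 1: checks that need only the code and the site it was cast at.
    for code, site, choices in ballots:
        site_cast[site] += 1
        if code not in issued:
            flags["not_issued"].append(code)
            site_flagged[site] += 1
            continue
        if issued[code] != site:
            flags["wrong_site"].append(code)
            site_flagged[site] += 1
            continue
        by_code[code].append((site, frozenset(choices)))

    # Pass 2: checks that need every ballot carrying the same code.
    for code, entries in by_code.items():
        site = entries[0][0]  # all entries share the code's single valid site
        distinct = {choice for _, choice in entries}
        if len(distinct) > 1:
            # Same code, differing content: cannot tell which ballot is genuine,
            # so the whole set goes to review rather than into the tally.
            flags["conflicting_duplicate"].append(code)
            site_flagged[site] += len(entries)
            continue
        (choice,) = distinct
        if len(choice) != 1:
            flags["spoiled"].append(code)
            site_flagged[site] += len(entries)
            continue
        if len(entries) > 1:
            # Identical copies: the voter's intent is unambiguous, so count one
            # vote but record the surplus copies as a stuffing indicator.
            flags["identical_duplicate"].append(code)
            site_flagged[site] += len(entries) - 1
        tally[next(iter(choice))] += 1

    rates = {s: site_flagged[s] / site_cast[s] for s in site_cast}
    return dict(tally), dict(flags), rates


if __name__ == "__main__":
    tally, flags, rates = audit_ballots(ISSUED_CODES, CAST_BALLOTS)
    print("tally:", tally)
    print("flags:", flags)
    print("flag rate per site:", rates)
```

On the constructed data the tally is one vote for Alice and two for Bob, and site-2 shows a far higher flag rate than site-1, which is the kind of per-site signal the comment says would trigger scrutiny of a single polling place rather than a whole district.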

  7. Ballots would now not be anonymous, but pseudonymous.

    Any system which would allow a voter to prove how he/she voted is bad, for a variety of reasons. Simplest scenario: employer or union boss suggests that if you want to keep your job, you’re going to have to prove to them that you vote for Snidely Whiplash in the upcoming election.

    Paper ballots are pretty good. Electronic systems that use write-once media may also be okay. Electronic systems using rewritable media are bad.

  8. Under the system I proposed, I don’t see any way to prove how you voted. The ballot is still marked behind a privacy screen and dropped in a box with many others; the bar code is no longer linked to personally identifiable information even if (a copy of) the ballot somehow were obtained by someone; etc.

  9. Richard Gadsden says:

    Paper ballots and manual counts work pretty well over in Europe. Maybe America should learn a lesson: “if it’s not broke, don’t fix it”

  10. So the relevant question is not whether the average election worker is honest, but whether a would-be villain can get a job as an election worker.

    Well, Diebold’s machines were originally created in Brazil around 1995 by a local firm named Procomp, later acquired by Diebold after US 2000 elections failures in Florida.

    As you have guessed, it now turns out that a poll worker in a tiny and poor village in northeast Brazil had just found someone tried to intercept her poll worker notification letter, in order to steal her place.

    The spectre of voting machines most probably will come back to haunt us.

  11. To QrazyQat and Neo: ballots are a fairly new thing in American history, since they became commonly used in the latter part of the 19th century. In the early days of the country, voting consisted of announcing your support for a candidate and standing on a side. The poll keeper decided which candidate had more support and reported that information back up the chain.

    Back in the day of Washington and Jefferson, voting also involved a lot of beer. Beer paid for by the candidates’ surrogates and given directly to the voters during the parties that led up to the vote.

  12. the_zapkitty says:

    Stephen Purpura Did Say:

    “To QrazyQat and Neo: ballots are a fairly new thing in American history, since they became commonly used in the latter part of the 19th century.”

    You are thinking of the “All candidates on one secret ballot” concept, otherwise known as the Australian ballot.

    Ballots were in use in America before there was a USA… secret ballots to boot! 🙂 And they have been in use continuously.

    Look in any encyclopedia under “Ballot”.

  13. “Paper ballots and manual counts work pretty well over in Europe. Maybe America should learn a lesson: “if it’s not broke, don’t fix it””

    If you’ll recall the 2000 election, you’ll realize that it was broke. It’s just that their idea of how to fix it is making things worse.

    Now, “If it ain’t broke, don’t fix it” should be displayed in big huge neon signs over the entrance to every workplace where they do maintenance and tech support. If I had a dime for every time that a server/a road/the water/the power/whatever had been working perfectly right up until the moment that some well-meaning idiot decided it needed “fixing” …

  14. Deepak Dhami says:

    I am very happy that Princeton has brought up this issue. Like in other places in the world, corruption is coming, and honesty and loyalty are leaving this country. This country has made so many bold moves like this in the past and has paid the price; however, in the end the country has succeeded. I disagree with going back to the old system; rather, we should make this idea more secure by listening to and learning from other critics. DieBold is stupid not to listen to Princeton, getting free advice. They should fire all their IT people who are egotistical and not admitting their stupid mistakes. I think Princeton should come up with the system, and to hell with DieBold.
    This system can be broken from many other places which are not addressed by either DieBold or Princeton.
    Until money talks and BS walks, the system can be broken from:
    1. Dishonest poll worker – he can put a virus in through his own key; no need to unscrew or remove seals.
    2. Dishonest telephone line man or switchboard operator can boot the voting machine and put in a virus. I am sure this machine can be powered on by the network for updates.
    3. Dishonest DieBold employee – easy, no-brainer what he or she can do.

    Remember, as per Princeton, with the current system you need only one person to corrupt the entire system. What if we find out after the election that there were problems counting votes? Is DieBold bonded to cover the re-election cost?

    The system is lacking checks and balances. Here are some of my thoughts.

    Do not centralize the voting system. The network needs to be divided into small groups so a virus cannot spread all over.
    Communications to these machines should not be carried through the common telephone line system; the system should be on an independent communication system, like a military network.
    Also, there are so many ways we can improve the system. Already so many ideas are posted here. I am not posting more ideas here because I do not want to give them to DieBold for free; however, I will be happy to give them free to Princeton. You guys should do the same.

    I am sure a university like Princeton or a similar one can come up with an unbreakable system. We went to Mars, correct?? We are Americans; we do not surrender. We should lead the world and stop being negative.

    You all should pardon my English.

    Thanks for reading

    Deepak