October 20, 2017

E-Voting Testimony

Today at 10:00 AM Eastern I’m testifying at a House Administration Committee hearing on e-voting. Here is the written testimony I submitted.

Comments

  1. “Thank you for helping us clarify to people that because it is so easy to commit by anyone with the slightest inclination to do so, any voting fraud could have been committed by absolutely anyone.”

    “And you’re sure it remains completely impossible to trace who committed any fraud?”

    “Because of their considerable experience in this field, and unparalleled ability to remedy the aforementioned shortcomings, this house recommends the retention of our current preferred supplier.”

  2. Your testimony puts it so clearly that (I hope) even Congressmen can understand.

    Thanks,

    Jim H.

    Your written testimony states that even a “careful forensic examination” of a compromised system will “show nothing amiss.” However, it just occurred to me that it’s likely that the memory cards and internal storage use flash memory. Since flash memory has a limited number of erase-write cycles, some sort of wear-levelling (like the PCMCIA Flash Translation Layer specification) is used. So, overwriting data won’t necessarily cause the data to immediately change on the underlying flash chip.

    In normal operation, you’d never expect a vote to change once committed to storage. However, when your attack overwrites the vote, it seems likely that two copies of that vote exist on the device for a limited amount of time: one before the change, and one after. Do you think it would be possible to examine the underlying memory chip for such inconsistencies? Have you explored this possibility?

    The one limitation is that old flash blocks will eventually be recycled, and any record of vote tampering would be destroyed when this happens. However, with sufficiently large storage devices (with one erase block per expected vote), old blocks will likely never be recycled, so any vote tampering could be detected.
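The forensic check this comment proposes, as an added illustration that is not code from the post, from any commenter, or from any real voting system: a toy log-structured flash translation layer where every overwrite lands on a fresh physical page, and a raw-chip scan that flags logical blocks with more than one surviving copy. The page format, the vote encoding and the garbage-collection step are all constructed for this example.

```python
"""Toy model of a wear-levelled flash card, added to illustrate the
forensic idea in the comment above. Not code from the post or from any
real voting system or FTL; the page layout, the mapping scheme and the
vote encoding are constructed for this example."""
from collections import defaultdict

class FlashCard:
    """Log-structured FTL: a write to a logical block goes to the next
    free physical page; the old page stays intact until it is recycled."""
    def __init__(self, physical_pages):
        self.pages = [None] * physical_pages   # raw chip (None = erased)
        self.next_free = 0
        self.l2p = {}                           # logical block -> live page
        self.seq = 0                            # write counter kept per page

    def write(self, logical, data):
        if self.next_free >= len(self.pages):
            raise RuntimeError("card full: recycle stale pages first")
        self.pages[self.next_free] = (logical, self.seq, data)
        self.l2p[logical] = self.next_free
        self.next_free += 1
        self.seq += 1

    def read(self, logical):
        return self.pages[self.l2p[logical]][2]

    def recycle_stale(self):
        """Garbage collection: erase every page that is no longer mapped.
        This is the step the commenter notes would destroy the evidence."""
        live = set(self.l2p.values())
        for i, page in enumerate(self.pages):
            if page is not None and i not in live:
                self.pages[i] = None

def forensic_scan(card):
    """Read the raw chip (bypassing the FTL) and report every logical block
    that has more than one physical copy with differing contents."""
    copies = defaultdict(list)
    for phys, page in enumerate(card.pages):
        if page is not None:
            logical, seq, data = page
            copies[logical].append((seq, phys, data))
    findings = {}
    for logical, history in copies.items():
        history.sort()                      # oldest write first
        if len({d for _, _, d in history}) > 1:
            findings[logical] = [(seq, d) for seq, _, d in history]
    return findings
```

With more physical pages than votes, no page is ever recycled and the stale copy of an altered vote survives until someone reads the chip directly; once `recycle_stale` runs, the scan comes back empty.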

  4. Rich Gibbs '74 says:

    For a glimpse of the future, we need only look to Avant News: “19-Year-Old Diebold Technician Wins U.S. Presidency”

    (A tip of the hat to Bruce Schneier for this.)

  5. Rich Gibbs '74 says:

    I tried to put the link to the Avant News article in the previous entry, but I guess the software ate it. Let’s try again:

    http://www.avantnews.com/modules/news/article.php?storyid=281

  6. It may be technically possible to detect or prevent tampering with Diebold’s current hardware, but I don’t think we should accept the results of a close election that uses them. We deserve better.

    Voting systems must be transparent to ordinary people.

  7. Rich Gibbs '74 says:

    “Voting systems must be transparent to ordinary people.” (Josh Rubin)

    I think that this is a key principle that many people lose sight of. I might be happy to trust Diebold’s voting machines if all the election judges were people like Ed Felten, Avi Rubin, and Bruce Schneier. But the average educated, well-intentioned, conscientious election judge probably doesn’t have much of a clue when it comes to computer system security. A great strength of the traditional paper ballot system is that an ordinary person can understand the security model without extensive training.

    This is also why the frequent assurances along the lines of, “Well, we ran X elections with no problems.” are in fact very worrying. If there was a problem, how on earth would they know?

  8. Peter Butler says:

    I’ve got an idea. Porta-Punch cards. Many of us remember the 80-column “IBM card.” Right? A simple 100% mechanical holder and an attached manual punch device would make neat, easy-to-read holes in these cards.

    Okay, okay, I know. Even idiots in high humidity states have the right to vote. And election officials cannot be held responsible for ballot layouts that confuse the easily confused. Let’s do two things:

    (1) Use a card material that will work in a steam room.

    (2) Require that ballot layout be tested on 8-year-old children. Or if that still discriminates against the mentally challenged then have the layout approved by a university committee. (Personally, I like the 8yo approach.)

    Side issue: Do card readers exist today? I’ve not seen one in 20 years.

    Use the KISS rule on engineering.

  9. the_zapkitty says:

    Peter Butler Says:

    “I’ve got an idea. Porta-Punch cards.”

    Better idea. Run an e-voting machine’s concepts of security past independent third parties who are actually versed in computer security.

    Have the manufacturers make the needed changes in their systems BEFORE buying them… much less deploying them.

    Do this BEFORE laying out billions of dollars for such machines.

    And then back those systems up with paper… simple paper ballots sans Diebold PR BS.

    Simple paper ballots sans irrelevant scare pictures of old chads that have nothing to do with the ballots being discussed.

    Tell us, Ed… did the guy have the grace to look embarrassed after he pulled that one?

  10. One retrofit that should be possible before November would be an externally-applied locking clamp which accepts two or more padlocks and will prevent an AccuVote from being opened. Given the dimensions of the machine, it should be fairly easy to mass-produce such devices out of metal in such a way as to allow use of the machine but prevent unauthorized access while padlocks were installed.

    Still, fixing the lock doesn’t fix some of the more fundamental problems. System integrity requires that all software be loaded and run from media which can be protected against alteration and which can be examined fully. The machine should have no internal persistent storage media other than RAM (cleared on power-up) and an unmodifiable boot ROM.

    I don’t know if any manufacturers produce commercially any memory cards with two partitions that may be independently physically write-protected (via use of a sliding lever or other such device), but it would be trivial to design such a thing. Prior to the election, an official programs the memory card to its correct initial state (a proper code image and valid election parameters on one half; a blank set of ballots on the other); both halves are then write-protected and representatives of both parties verify that everything is as it should be. Next, the ballot side of the chip is un-write-protected, seals are placed on the write-protect switch of the code side, and the card is then used for the election. Ideally, the machine should have a window through which people may view the card and ensure it’s the right one.

    After the election, the ballot side is re-write-protected and seals are applied to the switch. Representatives of both parties can then use reading devices to copy the exact contents of the chip and show a cryptographic hash. Both parties’ readers should yield the same hash, and both parties should sign statements for each other agreeing what the hash value was.

    Why Diebold didn’t do something like that I have no idea.
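The card-handling procedure described in this comment, modelled as an added example that is not code from the post, from the commenter, or from any vendor: a card with two independently write-protectable halves, an election run that only ever opens the ballot half, and the hash each party’s reader would compute before and after. Partition sizes, the SHA-256 choice and the ballot encoding are assumptions made for the example.

```python
"""Model of the two-partition, independently write-protected memory card
described in the comment above. Added illustration, not code from the post
or any vendor; sizes, hash choice and ballot encoding are constructed."""
import hashlib

class TwoPartitionCard:
    def __init__(self, size):
        self.part = {"code": bytearray(size), "ballots": bytearray(size)}
        self.write_protect = {"code": False, "ballots": False}

    def write(self, name, offset, data):
        """A physical write-protect lever blocks writes to that half."""
        if self.write_protect[name]:
            raise PermissionError(f"{name} partition is write-protected")
        self.part[name][offset:offset + len(data)] = data

    def protect(self, name, on=True):
        self.write_protect[name] = on

    def digest(self, name):
        """What an independent reader computes from the raw contents."""
        return hashlib.sha256(bytes(self.part[name])).hexdigest()

def run_election(card, code_image, ballots):
    """Follow the commenter's steps; return the code-half hash attested
    before and after voting plus the final ballot-half hash."""
    card.write("code", 0, code_image)      # official loads image + parameters
    card.protect("code")
    card.protect("ballots")
    before = card.digest("code")           # both parties verify initial state
    card.protect("ballots", on=False)      # only the ballot side is opened
    for i, ballot in enumerate(ballots):   # fixed 8-byte slots, constructed
        card.write("ballots", i * 8, ballot.ljust(8, b"\0"))
    card.protect("ballots")                # re-protected when polls close
    after = card.digest("code")
    return before, after, card.digest("ballots")
```

The property worth checking is that the code half’s hash is identical before and after the election, and that any attempt to write to a protected half fails outright rather than silently succeeding.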

  11. the_zapkitty says:

    supercat Said:

    (ideas snipped)

    “Why Diebold didn’t do something like that I have no idea.”

    For the exact same reason they throw hysterical fits even now at the thought of installing decent printers for a VVPAT at their machines… money.

    Our money, to be precise.

    Even with their (self-confessed) rampant overcharging for such “extras”, the very installation and support costs of such concepts would have cut into the profit margins from the endless money flowing from the government teat… and that would not have been well received by Diebold management.

  12. “Use the KISS rule on engineering.”

    Punch cards don’t do it then. Big sheet of paper, marker, draw big X through desired candidate’s name, put paper in box. That’s KISS.