July 19, 2018

How Computers Can Make Voting More Secure

By now there is overwhelming evidence that today’s paperless computer-based voting technologies have such serious security and reliability problems that we should not be using them. Computers can’t do the job by themselves, but what role should they play in voting?

It’s tempting to eliminate computers entirely, returning to old-fashioned paper voting, but I think this is a mistake. Paper has an important role, as I’ll describe below, but paper systems are subject to well-known problems such as ballot-box stuffing and chain voting, as well as other user-interface and logistical challenges.

Security does require some role for paper. Each vote must be recorded in a manner that is directly verified by the voter. And the system must be software-independent, meaning that its accuracy cannot rely on the correct functioning of any software system. Today’s paperless e-voting systems satisfy neither requirement, and the only practical way to meet the requirements is to use paper.

The proper role for computers, then, is to backstop the paper system, to improve it. What we want is not a computerized voting system, but a computer-augmented one.

This mindset changes how we think about the role of computers. Instead of trying to make computers do everything, we will look for weaknesses and gaps in the paper system, and ask how computers can plug them.

There are two main ways computers can help. The first is in helping voters cast their votes. Computers can check for errors in ballots, for example by detecting an invalid ballot while the voter is still in a position to fix it. Computers can present the ballot in audio format for the blind or illiterate, or in multiple languages. (Of course, badly designed computer interfaces can do harm, so we have to be careful.) There must be a voter-verified paper record at the end of the vote-casting process, but computers, used correctly, can help voters create and validate that record, by acting as ballot-marking devices or as scanners to help voters spot mismarked ballots.
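As an added illustration of the ballot-checking role described above (example code written for this page, not code from the original post or from any real voting product), here is a Python check a ballot-marking device could run before printing: it flags overvotes and marks that do not map to the ballot definition as blocking errors, warns on undervotes and blank contests, and renders the per-contest paper record that the voter then verifies. The ballot definition, contest names, selection limits and marks are constructed sample data and assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Contest:
    name: str
    candidates: list[str]
    max_selections: int = 1  # "vote for no more than N"


@dataclass
class BallotStyle:
    contests: list[Contest]


@dataclass
class CheckResult:
    overvotes: dict[str, list[str]] = field(default_factory=dict)
    undervotes: dict[str, int] = field(default_factory=dict)    # contest -> unused choices
    blank: list[str] = field(default_factory=list)
    unknown: dict[str, list[str]] = field(default_factory=dict)  # marks not on this ballot

    @property
    def ok_to_cast(self) -> bool:
        # An overvote spoils the contest on a paper ballot, and an unknown mark
        # means the selections don't map to this ballot style, so both block
        # casting while the voter can still fix them. Undervotes and blank
        # contests are legitimate choices, so they only produce a warning.
        return not self.overvotes and not self.unknown


def check_ballot(style: BallotStyle, marks: dict[str, list[str]]) -> CheckResult:
    """Validate the voter's selections against the ballot definition."""
    result = CheckResult()
    for contest in style.contests:
        chosen = list(dict.fromkeys(marks.get(contest.name, [])))  # drop duplicate marks
        bad = [c for c in chosen if c not in contest.candidates]
        if bad:
            result.unknown[contest.name] = bad
        if len(chosen) > contest.max_selections:
            result.overvotes[contest.name] = chosen
        elif not chosen:
            result.blank.append(contest.name)
        elif len(chosen) < contest.max_selections:
            result.undervotes[contest.name] = contest.max_selections - len(chosen)
    return result


def render_paper_record(style: BallotStyle, marks: dict[str, list[str]]) -> list[str]:
    """Lines for the voter-verified paper record. Every contest is listed,
    including ones left blank, so an omitted contest is itself visible."""
    lines = []
    for contest in style.contests:
        chosen = marks.get(contest.name, [])
        lines.append(f"{contest.name}: {', '.join(chosen) if chosen else 'NO SELECTION'}")
    return lines


# Constructed sample ballot style and marks (assumptions, not real election data).
SAMPLE_STYLE = BallotStyle([
    Contest("Governor", ["Alice", "Bob"]),
    Contest("City Council", ["Carol", "Dan", "Eve", "Frank"], max_selections=2),
    Contest("Proposition 329", ["Yes", "No"]),
])

SAMPLE_MARKS = {
    "Governor": ["Alice", "Bob"],  # overvote: two marks in a vote-for-one contest
    "City Council": ["Carol"],     # undervote: one of two allowed choices used
    # "Proposition 329" is not marked at all
}


if __name__ == "__main__":
    result = check_ballot(SAMPLE_STYLE, SAMPLE_MARKS)
    print("ok to cast:", result.ok_to_cast)
    print("overvotes:", result.overvotes, "undervotes:", result.undervotes, "blank:", result.blank)
    for line in render_paper_record(SAMPLE_STYLE, SAMPLE_MARKS):
        print(line)
```

The split between blocking errors and warnings is the design point: the device must not silently "fix" a ballot (that would make the result depend on its software), only report what it sees and let the voter correct the marks before the paper record is produced.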

The second way computers can help is by improving security. Usually the e-voting security debate is about how to keep computers from making security too much worse than it was before. Given the design of today’s e-voting systems, this is appropriate – just bringing these systems up to the level of security and reliability in (say) the Xbox and Wii game consoles would be nice. Even in a computer-augmented system, we’ll need to do a better job of vetting the computers’ design – if a job is worth doing with a computer, it’s worth doing correctly.

But once we adopt the mindset of augmenting a paper-based system, security looks less like a problem and more like an opportunity. We can look for the security weaknesses of paper-based systems, and ask how computers can help to address them. For example, paper-based systems are subject to ballot-box stuffing – how can computers reduce this risk?

Surprisingly, the designs of current e-voting technologies, even the ones with paper trails, don’t do all they can to compensate for the weaknesses of paper. For example, the current systems I’ve seen keep electronic records that are subject to straightforward post-election tampering. Researchers have studied approaches to this problem, but as far as I know none are used in practice.
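To make the two preceding points concrete (ballot-box stuffing, and electronic records open to post-election tampering), here is an added example written for this page; it is not code from the original post and does not describe any deployed system. It shows one well-known tamper-evidence technique, a hash-chained cast-vote-record log whose closing hash poll workers copy onto the paper results tape at poll close, together with a reconciliation of record count against poll-book check-ins as a stuffing check. The record layout, sample records and the check-in count are constructed values and assumptions.

```python
from __future__ import annotations

import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # the "previous hash" before the first record


def _digest(prev_hash: str, seq: int, record: dict) -> str:
    # Canonical JSON so the same record always serialises, and hashes, the same way.
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()


def append_record(log: list[dict], record: dict) -> dict:
    """Append one cast-vote record, binding it to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "record": record, "prev": prev_hash,
             "hash": _digest(prev_hash, len(log), record)}
    log.append(entry)
    return entry


def verify_chain(log: list[dict], closing_hash: Optional[str] = None) -> tuple[bool, Optional[int]]:
    """Recompute the chain. Returns (True, None) if intact, otherwise (False, seq of
    the first bad entry). closing_hash is the value written on the paper results
    tape at poll close; without it, records appended after close still chain
    correctly, so that comparison is what catches them."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev"] != prev or entry["hash"] != _digest(prev, i, entry["record"]):
            return False, i
        prev = entry["hash"]
    if closing_hash is not None and prev != closing_hash:
        return False, len(log)
    return True, None


def reconciliation_report(log: list[dict], checked_in_voters: int) -> dict:
    """Stuffing check: more records than poll-book check-ins is a red flag."""
    cast = len(log)
    return {"cast": cast, "checked_in": checked_in_voters,
            "surplus": cast - checked_in_voters,
            "possible_stuffing": cast > checked_in_voters}


# Constructed sample cast-vote records (not real data).
SAMPLE_RECORDS = [
    {"Governor": "Alice", "Proposition 329": "No"},
    {"Governor": "Alice", "Proposition 329": "Yes"},
    {"Governor": "Bob", "Proposition 329": "No"},
]


def build_sample_log() -> tuple[list[dict], str]:
    """Election-day log plus the closing hash that would be recorded on paper."""
    log: list[dict] = []
    for rec in SAMPLE_RECORDS:
        append_record(log, rec)
    return log, log[-1]["hash"]


def tampering_scenarios(log: list[dict], closing_hash: str) -> dict:
    """Three post-election edits, each checked against the chain and closing hash."""
    altered = copy.deepcopy(log)
    altered[1]["record"]["Governor"] = "Bob"        # a recorded selection is changed
    truncated = log[:-1]                            # the last record is deleted
    stuffed = copy.deepcopy(log)
    append_record(stuffed, {"Governor": "Bob", "Proposition 329": "No"})  # added after close
    return {
        "intact": verify_chain(log, closing_hash),
        "altered": verify_chain(altered, closing_hash),
        "truncated": verify_chain(truncated, closing_hash),
        "stuffed": verify_chain(stuffed, closing_hash),
        "stuffed_without_closing_hash": verify_chain(stuffed),
        "stuffed_reconciliation": reconciliation_report(stuffed, checked_in_voters=len(log)),
    }


if __name__ == "__main__":
    log, closing = build_sample_log()
    for name, outcome in tampering_scenarios(log, closing).items():
        print(f"{name}: {outcome}")
```

The chain alone only proves internal consistency: an attacker who can rewrite the whole file can rebuild every hash. Its value comes from anchoring the closing hash in something the machine no longer controls, here the paper tape signed by poll workers, which is the same software-independence idea the post applies to the ballots themselves.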

In future posts, we’ll discuss design ideas for computer-augmented voting.

Comments

  1. Foolish Jordan says:

    Isn’t the other big advantage of a computerized voting system that you can count the votes in the blinking of an eye rather than requiring a room of volunteers for several hours?

  2. Mike Schiraldi says:

    What happened to the end of the article? Don’t leave us hanging!

    Unless it’s just “g.”

    [It was just a missin’ “g.” It’s fixed now. — Ed]

  3. I’m glad to see recognition of the fact that paper voting has flaws too. Many analysts seem to want to turn back the clock as their only goal.

    I have to say though, that having your threat model include people voting using insecure voting machines makes the task of designing a secure voting system pretty challenging! Giving the attacker the ability to write the voting machine software is going to make it difficult to detect subtle manipulations. If I were designing the system, I would devote effort to trying to make the machines work right, rather than accepting that machines are corrupt and trying to catch them in the act.

    But in terms of that latter goal, one caution to keep in mind is that people do not want to have to “vote twice”. Ballots are often long and tedious these days, especially in states like California where you may have a dozen or more propositions on the ballot in addition to national, state and local elections. Once you’ve gone through the ballot and made all your choices, you don’t want to have to spend a lot of time closely studying a paper printout to see if it matches everywhere. Few voters are going to be willing to take much time at this task.

    You may not even remember how you voted when you’re doing the check. Especially with numbered propositions, did you vote yes or no on Prop 329? When you voted, you probably had a summary of the measure on display, but what will the printout show?

    The lesson from this is that the design of the paper receipt is just as important as the design of the ballot. And there is a tradeoff between verbosity and clarity.

    Here’s an idea. What if you got a print out after each screen of voting, and it was on semi-transparent paper so you could hold it up over the screen and see if it matched your choices? Then drop it in the ballot box. It would be a lot of paper but it might simplify the task of verifying that the printout matched your choices.

  4. An electronic voting system should end with a screen that looks like a piece of paper and asks you “Is this what you want your votes to be?” It’ll show the order of the ballot and the name of each item voted. For numbered props it’ll show the ‘common’ name as well. If the voter clicks ‘yes’ it’ll record the vote and spit out 2 paper copies: one into a sealed box and the other into the voter’s hands.

  5. Ronald Crane says:

    “Voter verified” systems are subject to a host of attacks that either do not affect hand-filled paper systems at all, or that are easily detected and remedied in that context.

    Attacks against “voter verified” systems range from the mundane “switch the voter’s selection and bet that she doesn’t notice” attack [1], to presentation attacks (e.g., reordering the ballot, dropping candidates from the ballot, modulating touch-screen sensitivity to make it more difficult to select certain candidates, adding or eliminating headings between races, etc.), to denial- or delay-of-service attacks, to an attack that cancels the voter’s “paper trail” after she leaves the machine, flips her electronic selection(s), then prints a new matching “paper trail.” On this last attack, see http://vote.nist.gov/threats/papers/papertrailhack2.pdf for one approach, and http://vote.nist.gov/threats/PaperTrailManipulationIII1.pdf for a more advanced approach that immunizes this attack from certain audits.

    Finally, I take issue with the article’s title, “How Computers Can Make Voting More Secure.” Much of the article focuses on accessibility and voter-error prevention, not on security.

    [1] Ted Selker’s study, cited by the Brennan Center’s report on voting system security, suggests that this is likely to be a very fruitful attack. He found that voters in simulated elections discovered less than 3% of the “errors” on their paper trails. And on the off chance that a voter discovers the “error,” what happens? The pollworkers tell her that there was a “glitch,” or that she made a mistake, and that she should cancel her ballot and re-vote. Given this, isn’t it almost certain that an attack will escape detection?

  6. Ronald Crane says:

    Also, the article does not weigh the benefit of computer assistance against the risks, let alone stratify the risk/benefit analysis appropriately, such as between those having no disability, those with various kinds of vision disabilities, and those with motion and other disabilities. Nor does the article consider how non-computational assistive devices (e.g., the Vote-PAD, magnifying bars, lighting…) might be improved. The focus is solely on using computers to improve voting. I think that that focus is, largely, inappropriate.

  7. Tomer Chachamu says:

    EdB: there are issues with giving people a record of their vote. (The usual example given is store managers telling all their employees to vote for a certain candidate, or they lose their job.)

  8. A computer voting system can potentially be verifiably correct, meaning that it will record every vote given to it, tabulate those votes correctly, and report faults immediately and without damage to votes already collected. (There may be other features one might want in a voting system as well.)

    The problem isn’t that computers are somehow untrustworthy or nefarious – it’s that the people implementing such systems have historically sucked at doing their jobs. A voter-verified paper trail is a necessity for any electronic voting system, but in a properly designed system, it should only be necessary to reference that paper trail in the event of a catastrophic failure of the system. The paper trail should be the failsafe – but this can only really happen in a system that is properly designed, reviewed, and approved by the public (bring on the Open Source Voting Systems!).

  9. Ronald Crane says:

    A computer voting system can potentially be verifiably correct, meaning that it will record every vote given to it, tabulate those votes correctly, and report faults immediately and without damage to votes already collected. (There may be other features one might want in a voting system as well.)

    The VoteHere, et al, proposals purport to do something along these lines. They use such advanced cryptography that even most software engineers will be unable to say whether they are designed correctly or have operated that way on election day. Assuming that such systems become available (and that they somehow also have been proofed against presentation attacks and DoS attacks, and that they aren’t susceptible to some new attack), they could effectively be supervised only by a tiny group of cryptographers. That’s a problem both in terms of security — an attacker need subvert fewer people — but also in terms of the public’s ability directly to supervise its own government.

    What I’d like to know is, what great advantage do computers bring to elections so as to outweigh the risks they create to security and to citizen supervision of government?

  10. Rob Adams says:

    I’ve long wondered why we don’t just replace our e-voting machines with software running on Xbox 360s. These systems are designed, with a lot of resources, to ensure that only signed code runs even given physical access to the machine. Microsoft currently uses this technology only for evil, but this hardware would be perfect for voting! You just need to attach a printer and a touchscreen to it.

  11. Ronald Crane says:

    I forgot one point. I agree that computers are not, of themselves, “untrustworthy or nefarious,” but I disagree that the main problem with them is “that the people implementing such systems have historically sucked at doing their jobs.” Computers and perceptions about them combine a variety of factors that have the net effect of creating large risks to security and to public participation in government. These risks include

    1. Almost unlimited mutability (any computer can execute almost any program, including well-disguised nefarious ones);
    2. High complexity (few people have even a faint idea of what goes on under the hood), which contributes to a widespread inability effectively to supervise computerized systems;
    3. Highly leveraged points of attack (a vendor or a vendor’s OEM can attack elections nationwide);
    4. An undeservedly-high reputation for infallibility (“computers don’t make errors, people do”) combined with a widespread penchant to dismiss errors as “glitches” (see, e.g., Sarasota);
    5. A neato-keeno factor that has a tendency to override the good sense (including the good fiscal sense) of otherwise-sensible people; and
    6. A supporting industry that has strong incentives to sell ever-increasing amounts of stuff, and also to make that stuff cheat.

  12. Ronald Crane says:

    I’ve long wondered why we don’t just replace our e-voting machines with software running on Xbox 360s. These systems are designed, with a lot of resources, to ensure that only signed code runs even given physical access to the machine. Microsoft currently uses this technology only for evil, but this hardware would be perfect for voting! You just need to attach a printer and a touchscreen to it.

    Signed code enforcement is an issue only with respect to local attacks. When the attack occurs at the vendor, or at a vendor’s OEM (software or hardware, take your pick), signed code enforcement is meaningless. Also I doubt that the enforcement is much good on its own terms. The very first Google hit for “‘unsigned code’ xbox” returned this article:

    http://arstechnica.com/news.ars/post/20070301-8954.html

    An anonymous hacker has posted a technique for circumventing the Xbox 360’s restriction on running only signed code. The hack exploits a vulnerability in the console’s operating system kernel, and uses a privilege escalation to switch into hypervisor mode. In this mode, any unsigned code can run—including alternate operating systems such as Linux—with full access to the 360’s hardware….

  13. Ronald Crane says:

    Man, I would love to vote from my laptop. Those lines are so line [long?] it’s ridiculous.

    The malware-writers, phishers, and pimply-faced hackers — not to mention the vendors of some of the software packages you use — would love to vote from your laptop. The things they could accomplish by doing so are so enormous it’s ridiculous.

  14. A note with regard to crypto voting systems. It’s true that the crypto is complex and subtle, and only a (relatively) few experts can tell if it’s working right. OTOH with at least some of the proposals, they are verifiable after the fact using only publicly available data and published mathematical algorithms. There is no way for anyone to cheat and alter the voting results without it being verifiable and detectable by anyone who is capable of studying the mathematics and writing some software, and there are tens of thousands of such capable people in the world. Voters would be able to download software (including open-source) from a trusted provider of their choice, and validate that their vote was counted. Even though they can’t personally verify the mathematics, there are more than enough experts in the world that would be able to detect any cheating.

  15. I’m yet to be convinced that there is a problem with paper. Indeed, the ONLY advantage of computer based systems is speed of counting (which is a small advantage, possibly no advantage at all since the count is always finished long, long before any physical action is taken).

    Ballot box stuffing can be detected by checking the total number of ballots against the total number of names crossed off, down to the resolution of one polling station. In Australia, each ballot is individually signed by a polling official (at the time they are handed to the voter) so it is easy to identify which signature turns up more often than all the other ones or which ballots are marked with a signature that no one can recognise.

    Moreover, each polling official is also a citizen with an interest in seeing a fair election. Each polling official can keep an eye out for what other officials are doing and the counting rooms are watched by quite a large number of people. Thus, many parts of the system are continually checking other parts of the system and each person knows they have something to lose if they are caught tinkering with the votes. Sure, if a large enough percentage of the officials are crooked then the election will be crooked — but one or two bad apples will not be sufficient.

    Besides all of the above, paper voting is already widely accepted. Computer voting was pushed onto people without broad public consultation and with only partial public acceptance. Note that electronic voting in Australia has been introduced very gradually with an option for people to use paper ballots. In the US it was just dumped on the voters and they were told to be happy with it — this is NEVER the right way to introduce a new technology. Ordinary people understand paper voting, they can put their hand up to become officials and they quite likely know at least someone who has worked as a polling official. In other words, they have some involvement in the process and a feeling of confidence which they never will have with computer voting (everyone knows how dodgy and unreliable computers are… thanks Bill).

  16. Ronald Crane says:

    OTOH with at least some of the proposals, they are verifiable after the fact using only publicly available data and published mathematical algorithms. There is no way for anyone to cheat and alter the voting results without it being verifiable and detectable by anyone who is capable of studying the mathematics and writing some software,….

    Assuming that such systems work, I think that they guarantee something that’s subtly different from this, but that makes all the difference. If a machine cheats, probably either (a) the corrupted records will not decrypt into anything sensible or (b) they’ll decrypt, but their signatures will be incorrect. Now this clearly means that something went wrong, but what, exactly, was it? And how will elections officials — who know even less about crypto-voting than about ordinary e-voting — respond? Will they chalk it up to “a glitch,” count the records that decrypt properly, and leave it at that? Or will they launch the appropriate forensic investigation? Even assuming the latter (which I think is a bad bet), what’ll it find? Probably something like the inquiry into Sarasota’s DRE undervotes: “Well, the implementation is none too good, but (reviewing this source whose correspondence to the election-day executables is unknown [1]) we didn’t find any hard evidence of fraud.”

    Finally, whatever their abilities to guarantee the correct recording of a voter’s selections, such systems are still susceptible to presentation attacks and to DoS attacks.

    I still have to ask what great advantage computerized vote presentation and recording (for non-disabled voters) have over hand-filled paper ballots, such that the risk that they introduce is justified?

    [1] “We assume that the firmware image provided to us was compiled correctly from the source code provided to us. We also assume that the firmware image provided to us was the firmware image that was actually executed by the iVotronic machines on Election Day.” ACCURATE report on the examination of Sarasota’s DREs. http://election.dos.state.fl.us/pdf/FinalAudRepSAIT.pdf

  17. It seems so simple. Mark your paper ballot, deposit it in the box, dump all ballots out and hand count at the precinct. What could be easier? What could possibly require less heavy-to-lift equipment? What could be easier on the poll workers AND the voters?

    We did great with paper for over 200 years in this young country. It is still working great in nearly every current democracy. The points of attack on a paper system are about 5, all fairly easily detectable and requiring a multi-person conspiracy to pull off an actual change in the winner of an election. Electronic voting allows one person in one minute to change the outcome of the election of many candidates.

    It is pathetic (but I suppose “American”) that there even has to BE a debate. Even putting in PBOS gives yet many more chances to electronically change the outcome in an eyeblink. We’ve spent the last 5 years trying to find ways to make e-voting safe and we keep experimenting at the expense of verifiable election outcomes. What kind of concept is this…we will introduce a whole new way to do the most important function in the world, and then we will work for years on trying to figure out how to make it safe and secure and accurate???

    Would we send astronauts into space with KNOWN major “safety and security” problems and tell them to trust the manufacturer, because they are “working on fixing those “bugs/glitches”” or would we hold off launching until we got it right (some will argue we DO experiment with their safety, but generally speaking, NASA is pretty damned tight with their safety demands)? Would we ask the flying public to fly on an aircraft that has not yet passed all safety tests and tell the public the company is “working on it” and to just “trust them”, it will all be ok?

    No, of course we wouldn’t EVER think of doing that – it is way too risky. But we didn’t hesitate for a minute launching the most security-compromised system run by private corporations with convicted felons on their payrolls, we let them keep their counting methods secret, and we are supposed to be comfortable that those in office are ACTUALLY the ones the majority of us voted for? This airline is in for a huge crash, but it is not just a few hundred or thousand impacted (pun intended), it is hundreds of millions. No, rather, it is the several BILLION on this planet.

    So let’s keep tinkering around the edges, we should get it right eventually!

  18. Ronald Crane says:

    Yes. E-voting systems are like drugs for the body politic, except that no one has ever been required to prove that they are safe and effective. Indeed, the powers that be have ignored numerous, serious indications that they are unsafe and/or ineffective, often branding those who raise questions as “conspiracy theorists” or worse.

    As citizens, we have to force our representatives to do the right thing.

  19. One problem with paper ballots is that you have a certain percentage of ballots that are not clearly marked. In a close election this then leads to multiple recounts with different results each time. That happened in a local election in my community several years ago, and the office changed hands a couple of times, well into the new year. It came down to a judge and opposing attorneys studying and arguing over dozens of contested ballots to try to decide which ones should count and who they were for.

    This is basically what happened in Florida in 2000 that led to the recent push for computer voting. In that case the ballots were marked by punching holes rather than with a pen on paper, but it’s the same idea. Any such analog system is inherently imprecise. We all recall the laborious discussion of “hanging chads” and “pregnant chads”, the recounts, the questions. The whole course of world history since then would have been very different if just a few ambiguous ballots were interpreted differently. The eventual election result was completely arbitrary and half the country felt disenfranchised. That’s what you get with paper.

  20. Ronald Crane says:

    Yes, electronic systems have the advantage of quantizing the voters’ selections, but this advantage comes at a very substantial transparency and security cost.

    Florida 2000 was not so much about ambiguities in interpreting punch cards (or, more broadly, hand-filled paper ballots) as it was about close elections and hyperpartisanship. Half the country felt disenfranchised not because of a few pregnant chads, but because of a blatant conflict of interest in the Florida Secretary of State’s office, because of her arbitrary official act in an area intimately connected to that conflict of interest, and because of a Supreme Court decision based upon an unprecedented interpretation of the 14th Amendment which, at the same time, explicitly denied its own applicability to similar future cases.

    If Florida 2000 had been conducted with DREs, we would indeed likely have been spared the angst and the extended postpartum debate of the actual event, at the price of having no debate, while the systems hummed quietly in the background and produced results whose relationship to the voters’ choices we have no way to verify.

    It’s much better to make the grisly mechanics of elections visible for the citizens to influence, to criticize, and to agonize over, than it is to hide them behind a curtain where a “wizard” pulls levers and makes proclamations.

  21. “What we want is not a computerized voting system, but a computer-augmented one.”
    In the old Europe the level of *suspicion* against some processes for voting is justified by some horrendous historic experiences: what is sometimes clearly feared is that the process becomes controlled by a tyranny. Some laws have evolved to adapt and mitigate risks but without naming them, so forgetting it.
    Remember William Shirer’s book Rise and Fall of the Third Reich about Kochem. http://www.nizkor.org/hweb/imt/tgmwc/tgmwc-22/tgmwc-22-214-02.shtml “The Tribunal will remember the reports that were rendered by the SD after the plebiscite had taken place, showing the means by which the voting papers of suspected persons were checked by the use of skimmed milk and colourless typewriters.” What protects computer-generated ballots?
    Some countries have simplified the citizen voting ceremony so that complexity could not ease such subversions or others. What remains to do is culture and perception management to mitigate risks in the long term by means of law.
    Believe in the future of democracies, but with some lucidity.