April 18, 2014

avatar

Why seals can't secure elections

Over the last few weeks, I’ve described the chaotic attempts of the State of New Jersey to come up with tamper-indicating seals and a seal use protocol to secure its voting machines.

A seal use protocol can allow the seal user to gain some assurance that the sealed material has not been tampered with. But here is the critical problem with using seals in elections: Who is the seal user that needs this assurance? It is not just election officials: it is the citizenry.

Democratic elections present a uniquely difficult set of problems to be solved by a security protocol. In particular, the ballot box or voting machine contains votes that may throw the government out of office. Therefore, it’s not just the government—that is, election officials—that need evidence that no tampering has occurred, it’s the public and the candidates. The election officials (representing the government) have a conflict of interest; corrupt election officials may hire corrupt seal inspectors, or deliberately hire incompetent inspectors, or deliberately fail to train them. Even if the public officials who run the elections are not at all corrupt, the democratic process requires sufficient transparency that the public (and the losing candidates) can be convinced that the process was fair.

In the late 19th century, after widespread, pervasive, and long-lasting fraud by election officials, democracies such as Australia and the United States implemented election protocols in an attempt to solve this problem. The struggle to achieve fair elections lasted for decades and was hard-fought.

A typical 1890s solution works as follows: At the beginning of election day, in the polling place, the ballot box is opened so that representatives of all political parties can see for themselves that it is empty (and does not contain hidden compartments). Then the ballot box is closed, and voting begins. The witnesses from all parties remain near the ballot box all day, so they can see that no one opens it and no one stuffs it. The box has a mechanism that rings a bell whenever a ballot is inserted, to alert the witnesses. At the close of the polls, the ballot box is opened, and the ballots are counted in the presence of witnesses.

drawing of 1890 polling place
(From Elements of Civil Government by Alexander L. Peterman, 1891)

In principle, then, there is no single person or entity that needs to be trusted: the parties watch each other. And this protocol needs no seals at all!

Democratic elections pose difficult problems not just for security protocols in general, but for seal use protocols in particular. Consider the use of tamper-evident security seals in an election where a ballot box is to be protected by seals while it is transported and stored by election officials out of the sight of witnesses. A good protocol for the use of seals requires that seals be chosen with care and deliberation, and that inspectors have substantial and lengthy training on each kind of seal they are supposed to inspect. Without trained inspectors, it is all too easy for an attacker to remove and replace the seal without likelihood of detection.

Consider an audit or recount of a ballot box, days or weeks after an election. It reappears to the presence of witnesses from the political parties from its custody in the hands of election officials. The tamper evident seals are inspected and removed—but by whom?

If elections are to be conducted by the same principles of transparency established over a century ago, the rationale for the selection of particular security seals must be made transparent to the public, to the candidates, and to the political parties. Witnesses from the parties and from the public must be able to receive training on detection of tampering of those particular seals. There must be (the possibility of) public debate and discussion over the effectiveness of these physical security protocols.

It is not clear that this is practical. To my knowledge, such transparency in seal use protocols has never been attempted.


Bibliographic citation for the research paper behind this whole series of posts:
Security Seals On Voting Machines: A Case Study, by Andrew W. Appel. Accepted for publication, ACM Transactions on Information and System Security (TISSEC), 2011.

Comments

  1. Mark says:

    Just as a seal is a proxy for a witness, why not allow multiple seals as proxies for multiple witnesses?

    Prior to the election at least three witnesses apply their own seals to the device. After the election each witness checks and removes their own seal. Witnesses are nominated by election candidates or their parties.

    The reason I suggest at least three witnesses is to prevent the candidate who polls second invalidating the election by falsely claiming that a seal was broken. That would require collusion between witnesses.

    I realise that multiple witnesses can still collude to invalidate an election, but suggest that is no worse than the current situation. It might also be necessary to limit the number of seals – perhaps polling in the top four entitles you to nominate a witness for the next election.

    A particular advantage of this scheme is that it does not require standardisation of seals. Parties may choose their own.

    • pete.d says:

      Note that some of the difficulties acknowledged here exist even in the 19th century version. Assuming only two 19th century witnesses to the balloting, what’s to prevent one of the witnesses from falsely claiming some irregularity? They might not be so bold as to claim gross box-stuffing, but they could still disrupt the process by making an accusation of some less-obvious tampering.

      So, yes…requiring seals from three independent parties would help mitigate that concern. But at the end of the day, even from just two would approach the kind of security we had when the ballot box was always in view. And with enough collusion, even three is not enough. IMHO, the point is to make it impractical to make statistically significant attacks on the election, not necessarily to completely eliminate all chances of a problem.

      It seems to me that the current seal approach obviously fails to accomplish this, but that the multi-party seal suggestion has a high likelihood of success.

  2. tz says:

    Seals should stay at the zoo and eat fish.

    Of course each approved party could choose and apply their own seal – and they would hopefully know how to detect tampering with the particular seal.

    In the 2000 election, it would have been easier to reconduct the election in that county in Florida rather than counting hanging chads. But then those electors would have a second chance, unlike everyone else.

    So what happens when the seals are missing or cut or otherwise obviously tampered with?

    Denial of service?

  3. golden says:

    My biggest issue with electronic voting machines is this: What problem do they solve? Under the 19th century protocol, elections were more readily trusted, and while counting was slower than we are used to today, the ballot box was auditable.

    But who cares if the result is slow. The electoral system is designed to handle slow counting.

    What is the problem with continuing to do things in this way? Any polling place needs observers in any case, and in fact, it is the observing, not the counting, that is most easily automated – through the use of web cams, for example.

    • RonK says:

      > in fact, it is the observing, not the counting, that is most easily
      > automated – through the use of web cams, for example.

      Even when humans are observing in person they are relatively easily fooled. The situation is not going to be improved by adding an extra layer which has its own security problems (how can the remote viewer be certain that the video feed he inspects hasn’t been tampered with?). Or did you suggest we add web cam observers in addition to the ones there (still has problems, what happens if the web cam observers disagree with the observers who are physically there?).

  4. RonK says:

    Your post doesn’t take the final step and come to the obvious conclusion: not only would a seal protocol need to be open and transparent, but in addition, the entire design of the electronic voting machine, both hardware and software, has to be open and transparent. This, unfortunately, conflicts with the desire to give the impression that the government is saving money by shelling out responsibility for these machines to private industry.

  5. Anonymous says:

    Was anyone else terribly disappointed that this article did not cover adorable yet militant seals with a penchant for democracy?

  6. Anonymous says:

    Buy Acme Seals, http://www.acmeseals.com

    • Andrew Appel says:

      Normally I might delete this comment as spam, but it makes a point: Anyone can buy these seals. If you want to do some experiments yourself, buy a batch of 100 of some particular kind of seal, and figure out ways to defeat them. These might involve simply removing and replacing; or changing the serial number (what’s called a “partial counterfeit”) of a fresh seal to match the number of a seal the attacker removes from a container. Once you have figured out one or two methods, practice this method 50 times until you can do it in 15 seconds. Then you will have evaluated for yourself, scientifically, how secure these seals are. Freedom to Tinker!