April 25, 2014

avatar

Ohio Study: Scariest E-Voting Security Report Yet

The State of Ohio released the report of a team of computer scientists it commissioned to study the state’s e-voting systems. Though it’s a stiff competition, this may qualify as the scariest e-voting study report yet.

This was the most detailed study yet of the ES&S iVotronic system, and it confirmss the results of the earlier Florida State study. The study found many ways to subvert ES&S systems.

The ES&S system, like its competitors, is subject to viral attacks that can spread from one voting machine to others, and to the central vote tabulation systems.

Anyone with access to a machine can re-calibrate the touchscreen to affect how the machine records votes (page 50):

A terminal can be maliciously re-calibrated (by a voter or poll worker) to prevent voting for certain candidates or to cause voter input for one candidate to be recorded for another.

Worse yet, the system’s access control can be defeated by a poll worker or an ordinary voter, using only a small magnet and a PDA or cell phone (page 50).

Some administrative functions require entry of a password, but there is an undocumented backdoor function that lets a poll worker or voter with a magnet and PDA bypass the password requirements (page 51).

The list of problems goes on and on. It’s inconceivable that the iVotronic could have undergone any kind of serious security review before being put on the market. It’s also unclear how the machine managed to get certified.

Even if you don’t think anyone would try to steal an election, this should still scare you. A machine with so many design errors must also be susceptible to misrecording or miscounting votes due to the ordinary glitches and errors that always plague computer systems. Even if all poll workers and voters were angels, this machine would be too risky to use.

This is yet more evidence that today’s paperless e-voting machines can’t be trusted.

[Correction (December 18): I originally wrote that this was the first independent study of the iVotronic. In fact, the Florida State team studied the iVotronic first and reported many problems. The new report confirms the Florida State report, and provides some new details. My apologies to the Florida State team for omitting their work.]

Comments

  1. john erickson says:

    If ever there was a field that demanded rigorous peer review, it surely must be the technology and processes surrounding electronic voting. But the providers of these technologies and implementers of the processes that employ them would prefer to ignore more than a century of scholarship and experience in cryptography and instead trust them and trust that “security by obscurity” FINALLY works.

    None of these vendors have given us any justification whatsoever to trust them; on the contrary, they have given us innumerable reasons NOT to trust our precious democracy to their untested, unstudied systems.

    When will they learn? When will our government officials learn? When will we the people learn?

  2. Barry says:

    Seriously, how could these companies all come up with such crappy products? How hard is it to design a system that works and is secure? The companies obviously have no clue, because so far, none of them have tried.

    I bet the open source software community, together with some hardware hobbyist friends, could come up with a much better system. The only problem is that they wouldn’t have the resources to produce such a system in quantity.

  3. Rich Brown says:

    > I bet the open source software community, together with some
    > hardware hobbyist friends, could come up with a much better system.

    The better system exists. It consists of a bunch of pieces of paper with the candidate names and check boxes, some pencils, and a box.

    For elections to be seen as fair the average adult — NOT JUST open source coders — must be able to walk into the polling place and see the voting process isn’t rigged. Walking through the process, the voter can see that:
    * each voter is checked off against a list
    * each voter gets one ballot
    * the ballots aren’t serial numbered or pre-marked
    * each voter gets to mark the ballot in privacy
    * a judge is assigned to guard the ballot box
    The paranoid or interested can stick around after the polls close to watch the ballots counted, and then check the official count the next day to make sure it matches the count announced at the polling place the night before.

    Why make people learn circuit design and C when middle school math is all they need?

  4. Carlos Gomez says:

    I don’t understand why so many voting systems insist on using touch screens. They have calibration issues, and there is no paper trail. As a Canadian, our Federal and Provincial elections are very straightforward so paper ballots work. I really don’t know how much more complicated American elections are, and is it really necessary to use automation to do the vote counting.

    Our local municipal elections have more positions (councillor, school trustee, etc) and those have been conducted using optical ballot scanners. Votes are marked in pencil by filling in bubbles (a la bubble cards). The ballot is then entered via the optical scanner, and the paper ballot kept. You now have the automation that appears to be desirable (I’m not convinced automation is desirable), and a physical paper trail that is the actual marked ballot itself.

  5. Adrian says:

    @Carlos

    The argument for touchscreens (and computerized voting machines in general) is accessibility. The ballots can be translated into multiple languages, screen readers can help the blind vote in private.

    Ballots in some parts of the US can be very complex. The issues presented can depend a lot upon where exactly you live. Here in California, there can be hundreds of versions of the ballot for a given election, depending upon district, language, and party affiliation. Every polling place has to stock many extra paper ballots to ensure that they can always provide the right combination as voters arrive.

    In theory, the computers could let you vote at a polling place in a different district and still present the right issues and candidates. In any language you choose. Even if you’re blind.

    In general, helping more people exercise their right to a secret ballot is a good thing. But I don’t that overrides the need for security and verifiability, that none of the computerized systems have (so far) been able to demonstrate.

  6. Haakon Nilsen says:

    See Monday’s “Democracy Now!” (democracynow.org) for a discussion of this report.

  7. lanibrown says:

    It’s not the touchscreen or the paper or the ballot scanner or the pollworker or the hacker. It’s the know-all, do-all end-to-end system with the absence of business-wise checks and balances and election laws that don’t recognize technological anomalies for what they are — system errors, such as a 13% undervote that should be sent back to the voters.

    Lani Massey Brown
    “A Margin of Error: Ballots of Straw,” featured on http://www.VotersUnite.org

  8. Tel says:

    @Rich Brown: you ar 100% correct. Justice must be done and justice must be SEEN to be done.

    The one caviat with the paper & pencil system is that it costs a bit more. However, given the number of product failures and investigating committees in the electronic voting machine space (and you can be sure there will be more to come), at least we can say that the cost of a paper & pencil election is highly predictable. Of course, the cost of a rigged election and a bad result is so much higher than all the other costs put together that it can’t even meaningfully be compared.

    For some reason, a large number of engineers believe that new technology always beats old technology. Indeed, novelty in itself is often used as an argument for promotion of some particular idea. The thing about old technology is, that it got us this far — so we know it works.

  9. Jean Camp says:

    Voting vendors did exactly as required and nothing more. Naive voting officials wanted a magic system they could just plug in, and then do nothing. And whomever said that advanced technology is indistinguishable from magic was right.

    At every hearing in Indiana there is an army of local vote officials who don’t want to go back to the troublesome days of moving paper, implementing recounts, and tracking boxes. Machines make their lives so much easier. Failures are invisible. No ballots to print. No worries.

    This small army of ladies in sensible shoes have very strong incentives to believe the nice vendors who buy them coffee, validate their woes, and brought forward beautiful technology that appears to solve all their woes. They have strong incentives not to be shown to have been fools to spend so much money on such horrific systems, and to have betrayed the essence of a job to which they are committed for dangerous digital snake oil. Who among us would like to be proven so publicly wrong? Could we stand outside ourselves, stand up and genuinely do the right thing?

    Luckily or not, most of my wild errors were both personal and before the age of ubiquitous video. I disagree furiously with these election officials, but I cannot but have sympathy for them as people.

  10. Jim Cropcho says:

    The iVotronic continues to bewilder me by the seemingly complete lack of attention paid to security during its design. Rather than argue about the nuances of VVPATs, HCPBs, etc, I’ll propose a pragmatic approach: Open-source voting machines are better than what we have now. Paper-based systems are better than what we have now. I ask you: given the current ecosystem of voting method selectors, which is easier to migrate to? I think we should be looking at removing systems which are *known* to produce spurious voter preference as priority number one, and see where we can go from there.