April 24, 2014


Unattended Voting Machines, As Usual

It’s election day, so tradition dictates that I publish some photos of myself with unattended voting machines.

To recap: It’s well known that paperless electronic voting machines are vulnerable to tampering, if an attacker can get physical access to a machine before the election. Most of the vendors, and a few election officials, claim that this isn’t a problem because the machines are well guarded so that no would-be attacker can get to them. Which would be mildly reassuring – if it were true.

Here’s me with two unattended voting machines, taken on Sunday evening in a Princeton polling place:

Here are four more unattended voting machines, taken on Monday evening in another Princeton polling place.

I stood conspicuously next to this second set of machines for fifteen minutes, and saw nobody.

In both cases I had ample opportunity to tamper with the machines – but of course I did not.

Comments

  1. Ray Sondetre says:

    Actually, to be pedantic, you won’t know whether those machines were protected (e.g., by monitoring over CCTV) from tampering unless you actually try to modify them.

  2. Ed Felten says:

    Ray,

    I know there were no CCTV cameras in these locations. Nor were there any security guards, nor even locked doors.

  3. subjugate bipartisan voter says:

    Reminds me of the calls for UN observers.
    http://www.worldnetdaily.com/news/article.asp?ARTICLE_ID=39255

  4. vw says:

    Seriously, you should submit to the NYT polling place photo project.

  5. Dr. Nume says:

    Fifteen minutes is quite a long time to loiter, you could have at least shot a few baskets while you were waiting.

  6. Andy says:

    You seem to be a knowledgeable person so your assertion that the machines could be tampered gets attention. However, you fail (or choose) to not qualify such tampering as being detectable or undetectable. Clearly, you could have probably stolen one of the machines, but in the end … the stolen machine or the tampered machine would have been detected.

    If you have taken the time to enquire as to the security components (physical or software) that would make tampering the machine detectable, then failing to point that out in your writings creates fear and mistrust needlessly. Half truths and hollow claims made to assert or back your position lead to such fear and mistrust and are a disgrace. Such careless and unfounded claims may contribute to voter disillusionment and ultimately voter participation. My clear frustration comes from seeing someone who purports to care about voters’ votes being counted, but who puts getting his version of ‘truth’ (or maybe just his picture) circulated to the actual peril of voters’ votes ever being cast. It is so clearly irresponsible.

    If you have not taken the time to educate yourself on the security components of the machines, then you are both irresponsible in your reporting as well as negligent. You are claiming that because machines are delivered to the polling sites (public buildings) that they are not secure yet you apparently don’t know that they are.

    You also lead readers to believe that gaining access to the delivered machines would allow you to tamper with same. Tamper is a broad term and generally when used in context of electronic voting machines refers to more than doing some minor physical damage. The term leads the reader to believe (as evidenced by Doug’s response) that someone could change some votes or vote counting/tabulation logic and no one would know. (Not true Doug). Have you investigated how, if you had the time and could gain access to the very core of the system, you would perform such ‘tampering’? I doubt that you have because I don’t detect from your posting that it is your intended purpose to deceive.

    It seems you have a belief and you believe what you are saying, but examining the process it would take to corrupt one single machine would challenge that belief and the assertions of persons known or unknown who have convinced you such is possible.

    For those who make it this far, the fact is that the machines pictured have no external input device capable of modifying or updating the machine code or votes stored on the machine. There are no USB ports or other adapters that would allow ‘hackers’ to interface with the machine. There are no wireless connections, no internet or local network connections, and no machine is connected to another machine or external computer in the polling place. The specific information loaded to the machine when it is set for a particular election is resident on the internal cpu and the single memory cartridge in the machine. That cartridge is the only form of input accepted by the machine and is prepared by those County officials so designated by law and entrusted by our democratic process. Once prepared, the machine will only function with that cartridge and that cartridge will only function with that machine. Any attempt to remove and tamper with the cartridge will (for this election) permanently disable the machine and cartridge from further use.

    These are just a few of the safeguards of this machine, and to ignore these and the many more by Mr. Felten while causing alarm with his postings is an injustice to the County officials who may be criticized as well as the voters affected. (yes … I realize I’ve changed persons in this response and apologize now as I’m not going back to proof.) And, as said above, if the truth is not being ignored but has simply not been earnestly and honestly sought is equally bad for other reasons. It is credibility versus integrity.

    Let me close by saying that I agree that it would be best that machines delivered to polling sites be secured and protected from damage and from even the appearance of access. I’m not sure how that can be accomplished without undue expense to the taxpayers. The Election Officials cannot hire and pay enough staff to guard or protect the machines and the machines are ‘guests’ in private and public buildings not under the control of those Election Officials. It is for that reason and many others that the machines were made with multiple safeguards so that voters can be assured with understandable measures that the machines have not been compromised.

    As for claims by Election Officials that the machines are secure and guarded, I think Mr. Felten’s pictures and writings are clear. What was not clear was that guarded or unguarded, those machines cannot be tampered with and votes or vote counting in those machines cannot be altered without detection.

  7. Branden Robinson says:

    Wow. That is some powerful, powerful Kool-Aid.

    If I should ever find an LSD/psilocybin cocktail to be insufficiently hallucinogenic, I’ll just swipe whatever Andy’s drinking.

  8. Richard says:

    The Diebold system is flawed.

    Andy, it’s been shown that it’s possible to stuff the digital ballot box by altering the memory cards.

    The cards (we hope) are shipped in the condition:

    Hillary:
    0
    Obama:
    0

    To stuff the ballot box, all that is needed is to alter the card to store:

    Hillary:
    -1000
    Obama:
    +1000

    before any votes are cast. The vote totals are incremented by each vote and provided enough people cast ballots to make both totals positive by the end of the election, the total number of votes cast matches the total number of voters, and the fraud is undetected.

    There are more sophisticated attacks which involve altering the software on the machine, but even that very simple approach works because the computer can represent “negative votes” internally.

    America had a bad system with the hanging chads in 2000, America now has a new bad system which is open to new vulnerabilities.

    What are the suggestions for learning from these experiences and building a properly tamper-proof system?

    Why doesn’t a federal body, such as the FIPS or the NSA vet the designs for these machines? It would be possible to build a tamper-proof system. It would probably be possible to make a Diebold-II that overcame the problems of the current system and generated an audit trail as it counted votes.

  9. Ed Felten says:

    Andy,

    I have studied these machines. I have had one in my lab for over a year. When I say they’re subject to tampering, I’m not just blowing smoke, nor am I trying to mislead.

    The technologies and procedures in place are inadequate to detect malicious tampering.

    Your claim that it is impossible to tamper with the contents of a cartridge is incorrect. Your claim that any modification or replacement of a cartridge will make the machine nonfunctional is incorrect.

  10. JZP says:

    Others have pointed out to the anonymous Andy that Mr Felten is well-versed in the security mis-features of these machines. The flaws -and their lack of attention- are more than staggering. Even the simple optical scanners of paper ballots have poor data recording and integrity, with memory cards routinely shipped flawed and regional polling places having no requirements to report how many flawed cards are found/shipped back. Without a voter-verified paper trail, assurances are meaningless.

    Sample citation off the top of my head: “Optical Voting Machines May Leave Paper Trail, but Problems Still Rampant” http://www.fsrn.org/content/tuesday%2C-february-5%2C-2008

  11. JustMatt says:

    Mr. Andy,

    I’ll give you the benefit of the doubt and assume you aren’t a Troll and are trying to present a valid point of view. However, Mr. Felten has a long record of rigorously examining voting systems. On this topic, given his extensive laboratory testing and real-world experience as an election worker, I trust Mr. Felten’s opinion more than I trust facts from other people*.

    I also agree with the Kool Aid comment.

    * Yeah, I am shamelessly stealing that line from Star Trek IV

  12. Mitch Golden says:

    Ed -

    Clearly, since nothing is getting done about this, you should just shut up about it and use it as your opportunity. It’s true that you couldn’t probably have gotten to be a presidential nominee without getting caught, but doesn’t Representative Felten have a nice ring to it?

  13. JustMatt says:

    Carpe Electrum!

    Ok ok, lousy dog Latin I know, but who is going to understand ‘carpo legio’ ?

  14. Robert says:

    Not sure how it is/was where you are.. but in my state (Virginia) the machines are “initialized” at the start of the day with no less than two persons (one from each party) present and the results are **printed** at that time to show 1) the number of times the machine has been powered, the number of total counted votes, the number of votes this session (whom for) etc. 2) the boxes are locked and tagged

    In the case of 1) printouts / zeroing, if the print out shows any tally for either candidate, that would be your “ballot stuffing” before the polls open. Only if a hack were done, that counted every other vote for the opposing candidate as a vote for the one you want, could the system be faked, and that takes more than just having physical proximity to the machines, it requires opening the boxes, and then tampering with the code on the machines.

    Initial counts are zero and throughout the day counts are taken to identify if there is a miscount, it’s compared to the count held separately at the poll’s registrar book, when the two don’t match up, causes need to be found and fixed.

    In the case of opening a sealed machine, the tags are recorded and checked against records to see that they haven’t been pulled and replaced before the officers of the polling place remove them officially.

    I have to agree, at least in part with Andy … while you were allowed to be in the area where the machines are … there could be measures employed internal to the machines, the cases that contain them, and procedures, to identify if there had been any tampering prior to the election officers putting them into use. Making assertions that they were unguarded? certainly … were they susceptible to hacking? should not have been …. but I’ll tell you what.. you want them any more protected, then YOU put up the money to have someone guard them 24/7 when they get delivered to a polling place.

    We already pay too much for some voting privileges and at some point in time it has to be accounted for.. personally.. I wouldn’t mind reducing the number of polling places so that access prior to opening could be better controlled (say everyone comes to the courthouse to vote) … but to accommodate people and because there are some pretty stupid voting laws on the books.. fat chance of ever consolidating the locations that much..

    As a case for cost .. the first election I worked was an off year primary for the democratic party. total in the precinct over 2000, total showing up to vote? under 20. so less than a 1 percent turnout, and because it’s required to have no less than 1 member from each of the main political parties.. its double the cost. (usually no less than three persons, and often is four to 6 persons depending on the number of voters in that precinct.)
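An added example, not written by any commenter and not any vendor's or county's software: it models the preloaded-counter scenario from Richard's comment (8) and runs it through the two checks Robert describes (14), the opening zero printout and the comparison against the poll book. The function names, candidate labels and ballot counts are constructed for illustration.

```python
"""Audit checks against preloaded (non-zero) vote counters. Constructed example."""


def zero_check(initial):
    """Opening check: return every counter that is not exactly zero."""
    return {name: value for name, value in initial.items() if value != 0}


def count(initial, ballots):
    """Add one to the chosen counter per ballot, starting from `initial`."""
    totals = dict(initial)
    for choice in ballots:
        if choice not in totals:
            raise ValueError(f"ballot for unknown contest entry: {choice!r}")
        totals[choice] += 1
    return totals


def total_matches_pollbook(totals, signed_in):
    """Closing check: sum of all counters equals voters signed in."""
    return sum(totals.values()) == signed_in


def totals_in_range(totals, signed_in):
    """Closing check: no counter is negative or larger than the turnout."""
    return all(0 <= value <= signed_in for value in totals.values())


def audit(initial, ballots, signed_in):
    """Run all three checks and return their results with the reported totals."""
    reported = count(initial, ballots)
    return {
        "zero_check_findings": zero_check(initial),
        "total_matches_pollbook": total_matches_pollbook(reported, signed_in),
        "totals_in_range": totals_in_range(reported, signed_in),
        "reported": reported,
    }


# Constructed sample data: 2700 voters signed in, 1500 chose A and 1200 chose B.
BALLOTS = ["Candidate A"] * 1500 + ["Candidate B"] * 1200
SIGNED_IN = len(BALLOTS)

CLEAN_CARD = {"Candidate A": 0, "Candidate B": 0}
# Counters as described in comment 8: offsets that cancel out in the grand total.
PRELOADED_CARD = {"Candidate A": -1000, "Candidate B": 1000}

if __name__ == "__main__":
    for label, card in (("clean", CLEAN_CARD), ("preloaded", PRELOADED_CARD)):
        result = audit(card, BALLOTS, SIGNED_IN)
        print(label)
        for key, value in result.items():
            print(f"  {key}: {value}")
```

With the preloaded card both closing checks pass while the reported winner is reversed; only the opening per-candidate zero check flags it. That check is worth only as much as the software producing the printout, which is the limit Richard points to when he mentions attacks that alter the machine's software.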

  15. Ed Felten says:

    Robert,

    Maybe there are adequate safeguards in your state or county. I’m convinced that in my county and state there aren’t. And yes, I know what’s inside the machine — my lab has one of these machines, which we have taken apart and analyzed.

    Your statements that “there could be measures employed … to identify if there had been any tampering” and that the machines “should not have been” susceptible to tampering are really just speculation. You hope these things are true. I had the same hope — before I studied the machines and procedures actually in use here.

  16. EEJ says:

    Bravo! Bravo!

    Thanks (again) Ed for helping to shed light on the problems with our current voting methods.

    Please note, that I don’t think the whole problem is with the voting machines specifically, but with the process and equipment as a whole.

    Robert: Not too sure where you live, but I live in Tampa FL, and there’s no way to have everyone come down to the courthouse on the same day to vote. It just isn’t feasible. I already have to wait in line for 20 minutes to an hour at my current polling place, if I stop by after work.

    Don’t you think a more feasible change to the system would be to have voting take place on the weekend? Less people unable to vote due to work, More volunteers available to man the polling places. Sounds like a win-win to me.

  17. dmc says:

    Andy & Robert–

    How much does it cost to keep the voting machines in a locked room until the day of the election?

  18. ITMonkey says:

    When I read the comment that the machines can’t be tampered with…..I beg to differ. I was a very concerned poll worker starting in our training class. We were split up into pairs to set up the machine (we use Diebold Accu). The woman who I was partnered with just started opening things right away. What was she able to open? the compartment where the memory card is stored and the area where the paper trail is located. Sounds okay, right? but – and here it comes – right before we were allowed to go stand by a machine – a Diebold representative had just gone around and LOCKED all the compartments on all the machines. I know because I watched him lock all 20 of them. I called him over and told him how she was able to open both compartments with minimal effort. His reply? they weren’t PROPERLY locked so I ask him if he doesn’t know how to lock his own machines. He locked them AGAIN and guess what? yep -she was again able to open them with NO EFFORT! Lest you think that I am some liberal (and, yes I am) – we tried both machines next to us and the SAME THING. Hmmmmm…so I ask the Diebold rep what his last name was but he would only give his first name – Dave.

    So tamper proof my big ass. But wait – it gets even better! We were told in our training session that we had to come pick up the machines a day before the election and keep them IN OUR CARS! But we were warned that if it got too cold…bring them indoors.

    I live in Ohio so this issue is very important to me so after the training, I sent numerous letters and phone calls to my county election board with links and copies of documents outlining the lax security on these machines. Never once did I get a reply BUT – I was blacklisted. I kept calling to find out my polling location but was told that I was no longer needed – that they had all the areas covered. But about 1/2 later, my roommate calls me to tell me that she had just received an urgent call that they needed her and at least 10 more democrat poll workers. Hmmmm…..I call back and I get the same story – nope, all full – no problem here. I tell them about the phone call my roommate got and I was put on hold. After about 10 minutes on hold, I call back and just get put through to voice mail. Never did get an answer.

    So I complained and then was contacted by the Green Party to be an election judge, which I did. You just are at a polling place and make observations of the ENTIRE voting process. The county election board is required to allow the judge to see ANYTHING they want. After showing up at the board of elections and being refused…I wasn’t budging and after a supervisor was found – I was able to get my paper signed and I was on my way to the polling place.

    What did I see there? A machine that went down exactly FOUR minutes after the polls opened and the machine was down for the rest of the day. Even though there was a tech assigned to our area, he was just too busy from having to fix almost 12 machines that malfunctioned within the first hour….and that is just in our local district. I also saw machines that wouldn’t take a democrat vote and another machine that switched the voting from democrat to republican.

    Does anyone remember that the dude that owned Diebold was from Ohio and he PROMISED OHIO to Bush to win…..wonder what was going on with the machines back then. And that main programmer for the software was a convicted criminal and what crime did he commit? building backdoors on other software he did so the system could be compromised at a later time.

    These machines need to be gone. ’nuff said.

  19. Bart L says:

    Andy…wow.

    Let me see if I can sum all of that up:

    Diebold and the government say the systems are secure, so we should trust them. Is that about right?

  20. Debora Weber-Wulff says:

    Robert,

    reducing the number of polling places will disenfranchise some people, as they will be unable to reach their polling place. Not everyone in America owns a car, and I hear the public transport isn’t so hot.

    Here in Germany the official reason for using machines is said to be in order to “save money” by reducing the number of polling places. Many more people here are not mobile and thus have to resort to absentee ballot or just not voting. That is not democratic!

    We just had an election in Hesse using the NEDAP machines that the Netherlands has discarded as being useless. No paper trail, trivial to hack (Long information in German: https://berlin.ccc.de/wiki/Wahlcomputer, Video of a live switch of EPROMs, on the Dutch site). Many and sundry things went wrong, and there were some nice pictures of unattended machines, including one machine spending the night at the house of a local party member….

  21. Whoever says:

    My wife worked at a polling center. Amongst the horror stories, it is clear that the single touch-screen voting system that they had was not properly secured, and, worse still, no action was taken when the serial number on the seal did not match the records showing what the serial number should be.

    This just goes to show that tampering is clearly possible.

    Apart from the problems listed above, which could be described as purely local, the procedures to check that the optical scan machines had not been pre-stuffed with ballots were flawed. It would be very easy for a poll worker to pre-stuff a box and then certify that the box was empty at the start of voting. No independent judge was involved in looking for pre-stuffing of ballots in the optical scan machines.

  22. Spudz says:

    Andy wrote: “Such careless and unfounded claims may contribute to voter disillusionment and ultimately voter participation.”

    Oh my God! Felten’s careless and unfounded claims might even lead to *voter participation*? But we can’t have *that*! Oh, this is just awful! Awful!
    :)

  23. Felix says:

    I’m not sure if this has been covered already – but do we know that these were machines that votes were actually stored on? For all I know, these could have just been extra machines lying around that weren’t planning on being used (for this) election anyways. Or is this an irrelevant point?

  24. Monkay says:

    Consider this system: Polls are always open; voting going on constantly (24/7, all year); Every person gets one vote per year; length of a term of office variable. I don’t have any particular point, just wanted to present a possibility For The Future (dramatic music) . . .

  25. Ed Felten says:

    Felix,

    The four machines shown in the second photo were actually used in the election — I verified this myself.

    The other group of two might conceivably not have been used — but they were the only two machines present at a polling place that uses two machines.

  26. Felix says:

    Interesting – I assume from your comment that at the time you took these pictures, the polling had not closed yet so that the final vote tally would’ve not yet been recorded. I’m just trying to think if there’s something that we’ve overlooked here and are jumping to conclusions too fast.

    Also, I’m thinking about ways to get extra security – perhaps recording the vote totals at various intervals during the day would help. That could later be checked up with the number of people that voted in each interval, so that at least someone couldn’t go in and hack all the results without being detected. Just a thought.

  27. Tel says:

    Hey Andy, great to hear from you! Seems like you have a bit of inside knowledge, or at very least you have been reading from very different sources to most of the locals round here.

    That cartridge is the only form of input accepted by the machine and is prepared by those County officials so designated by law and entrusted by our democratic process. Once prepared, the machine will only function with that cartridge and that cartridge will only function with that machine. Any attempt to remove and tamper with the cartridge will (for this election) permanently disable the machine and cartridge from further use.

    Are you able to disclose how this interlock mechanism works? Even in broad terms… is it a cryptographic handshake, some sort of mechanical device, etc?

    It is for that reason and many others that the machines were made with multiple safeguards so that voters can be assured with understandable measures that the machines have not been compromised.

    I’m sure a lot of people agree with you there, including Ed and the rest — particularly the bit about “assured with understandable measures”. Hopefully we will all work towards a security system that everyone understands and no one can find flaws with. The first step is clear documentation of how these systems work, and then careful testing in an open environment. For example, Sequoia took a bit of a beating at the hands of UCB researchers, but ultimately that has to happen in order for the product to improve:

    http://www.engineering.ucsb.edu/articles/voting_machine_hackers

    Meanwhile, the sealed “edges,” supposedly tamper-proof, often go home with election officials. But the UCSB team found it could modify the machines unnoticed. It took them 18 seconds to swap out an initialization cartridge with a counterfeit containing their own code – all without breaking the cartridge’s seal.

    In response to the UCSB team’s work, Sequoia said its systems were safe when used with proper security precautions at polling places, calling the “unfettered access” the researchers had to the machines unrealistic. In a rebuttal, the UCSB team noted that in the past the machines had been openly sold in the Internet or outright stolen.

    Many, many more examples documented on this site in the old articles.

  28. eduardo says:

    perhaps a better system will arrive more quickly if someone steps up to the plate to actually tamper with one of these machines, in a way that will in fact be detected and widely reported in the press. Elect Mickey Mouse, for example.

  29. Kezorm says:

    Keep up good work, voting machines should have an open design verifiable by everyone they should have secure write only log of all activities since their manufacture with added redundancy in case of component failure, all should have unique serial numbers and their design should be field tested for a couple of months with a huge price for anyone who manages to hack one.
    Lastly they should print a confirmation of a vote for anyone who requests it.

    I’m really surprised that USA voting is in such a terrible condition.

  30. Spudz says:

    Kezorm seems to have forgotten that one of the design goals is secrecy of the ballot.

  31. Igor Levicki says:

    You should have changed firmware to print out “ALL YOUR VOTES BELONG TO US!” on startup.

  32. David Warde-Farley says:

    I’ve never understood what would be wrong with the following, extremely simple safety measure:

    - Voting machine counts your vote.
    - Voting machine PRINTS a receipt.
    - Voter VISUALLY VERIFIES that the vote is for the same person he punched in on the console.
    - Voter drops into box.

    Thus we get fast results from the voting machines that are independently verifiable by a paper count (which can take longer, but because we already have the digital estimate, it needn’t be done as quickly as possible). In case of significant discrepancy, the paper ballot should be trusted.

    Would this really be too much for the average citizen to comprehend?