February 5, 2023

Voting Machine Insecurity

Recently, researchers at John Hopkins and Rice Universities reported serious security flaws in electronic voting technology sold by Diebold. I haven’t yet had a chance to read the paper carefully, but I know all of the authors and I would be very surprised if they are wrong. Eric Rescorla discusses the paper and Diebold’s response.

This story follows a common pattern, in which a company claims that its secret technology is secure, only to have the security claim collapse when the system’s design finally does become known. This happens so often that security experts now routinely discount security claims that have not been subject to public scrutiny.

The researchers’ results should not be taken as evidence that Diebold machines are less secure than other secret systems. Most likely, all of the secret systems suffer from a similar level of problems. If Diebold fixes the reported problems, then Diebold’s systems will probably be more secure than their competitors.

This effect is what makes legislation like H.R. 2239 so important. Secrecy makes it difficult for vendors to differentiate their products based on security, since the secrecy makes it so difficult for a buyer to tell a secure product from an insecure one. Opening the systems up for inspection allows vendors to compete based on security, and that competition helps everybody.

E-Voting Bill Introduced

My Congressman, Rep. Rush Holt, has introduced an important e-voting bill, H.R. 2239. The bill would address the serious concerns raised by a broad coalition of computer scientists (including me) about the security and trustworthiness of electronic voting systems.

The bill would do three main things. First, it would require that voting systems generate a paper trail that the voter can verify at the time he/she votes. Second, it would require the software used in voting machines to be open for public inspection. Third, it would institute random, surprise recounts in 0.5% of jurisdictions, as a quality control measure. The bill also contains safeguards to ensure that disabled voters can cast their votes.

The text of the bill is not yet on the House’s web site; I’ll post a link here when it becomes available. I have seen a preview copy of the bill, and I think it does an excellent job of ensuring that our transition to e-voting maintains the trustworthiness of our elections. I support it strongly, and I hope you will do so too.

UPDATE(10:55 AM, May 27): The bill’s text is now available.