May 28, 2024

Diebold Voting Machines "At High Risk of Compromise"

As expected, an independent study of the Diebold electronic voting machines purchased by the state of Maryland has found that “The system, as implemented in policy, procedure, and technology, is at high risk of compromise.” The study was commissioned by the state and performed by SAIC. A Washington Post story by Brigid Schulte reports that SAIC “found 328 security weaknesses, 26 of them critical”.

The report is available to the public only in heavily redacted form, which in itself does not inspire confidence. What is in the redacted version is bad enough; for example, it reports that the Diebold machines didn’t even bother to encrypt the vote totals before sending them to the Board of Elections.

Diebold, which had previously said we should trust their unspecified security mechanisms, now says that we should trust them to implement unspecified fixes for these problems.

In case you have any remaining confidence in unaudited electronic voting systems, consider this: a Diebold executive told the Washington Post that the fixes will be made to the Maryland machines, but not to the 33,000 Diebold electronic voting machines already in use outside of Maryland.

Bizarro Compliments

To a technologist, law and policy debates sometimes seem to be held in a kind of bizarro world, where words and concepts lose their ordinary meanings. Some technologists never get used to the bizarro rules, but some of us do catch on eventually.

One of the bizarro rules is that you should be happy when the other side accuses you of lying or acting in bad faith. In the normal world, such accusations will make you angry; but in bizarro world they indicate that the other side has lost confidence in its ability to win the argument on the merits. And so you learn to swallow your outrage and smile when people call you a scoundrel.

Which brings us to Brigid Schulte’s electronic voting article in this morning’s Washington Post. The article reports that the computer scientists’ campaign for more secure (and less secret) electronic voting technology is getting some real traction, especially in light of the recent Johns Hopkins report detailing severe flaws in a Diebold e-voting product. The computer scientists’ progress is certified, bizarro style, by none other than the head of the Federal Election Commission’s Office of Election Administration:

“The computer scientists are saying, ‘The machinery you vote on is inaccurate and could be threatened; therefore, don’t go. Your vote doesn’t mean anything,’ ” said Penelope Bonsall, director of the Office of Election Administration at the Federal Election Commission. “That negative perception takes years to turn around.”

You can’t buy that kind of bizarro endorsement!

Guided Voting

Eugene Volokh offers an interesting post on “guided voting,” a simple idea with important implications.

Voters often rely on the recommendations of others, such as political parties, interest groups, or well-informed individuals. For example, if I have a friend on the local school board and I trust her judgment about school-board matters, I might follow her advice about how to vote in the next school board election. This may be a perfectly rational decision for me to make – my friend’s choices may advance my beliefs more than my own decisions would, if the differences between her political views and mine are outweighed by her superior understanding of school board issues. Many voters would probably feel the same way about taking voting advice from political parties or interest groups.

Prof. Volokh suggests that if voting is done over the Net, then some centralized web site could provide guided voting services to users. The user would tell the site how his vote should be determined, and the site would then prepare a little computer program designed to cast the user’s votes in accordance with his preferences. A voter might choose to accept advice from several sources, with some procedure for resolving disagreements among those sources.

From a purely technical standpoint, guided voting could be used with any voting technology. With non-electronic technology, a guided voting service could print out a sort of checklist that the voter could take into the voting booth. With electronic voting technology, the guided voting service could print out some kind of bar code, which the voter might feed into a scanner in the voting booth.

This might seem at first like a questionable idea, but it doesn’t differ much from what many people already do. Most people make up their minds before they reach the polling place. And most people, I would expect, rely heavily on the recommendations of others in deciding how to vote. Guided voting is just another step down a well-trodden road.

The more problematic aspect of Prof. Volokh’s post is in his suggestion that recommenders collect and use statistics about how many votes they are influencing.

Moreover, guided voting would for the first time let groups actually measure exactly how influential its recommendations are. The [system’s] organizers can tell each group how many voters in each district followed its recommendation. They can even count the votes in which this group’s recommendation made the difference, rather than just being redundant of the other recommendations that the voter was following.

So when group X comes to a legislator to lobby him about some issue, it won’t just say “We have 2000 members in your district” or “We’ll spend $30,000 in your district on this issue.” Rather, it will for the first time be able to say “Our recommendation last election changed 15,000 votes in your district. What will you do to make sure that we recommend you next time?”

These kinds of statistics are not a necessary consequence of guided voting. Although Prof. Volokh’s centralized-website system would gather these statistics, a less centralized guided voting system need not do so. And in my view, it’s important to maintain the secrecy of each vote, so that nobody can tell for sure who is voting for which candidate.

In any case, some kind of guided voting seems inevitable, given the complexity of many ballots and the advance of technology.

Voting Machine Insecurity

Recently, researchers at Johns Hopkins and Rice Universities reported serious security flaws in electronic voting technology sold by Diebold. I haven’t yet had a chance to read the paper carefully, but I know all of the authors and I would be very surprised if they are wrong. Eric Rescorla discusses the paper and Diebold’s response.

This story follows a common pattern, in which a company claims that its secret technology is secure, only to have the security claim collapse when the system’s design finally does become known. This happens so often that security experts now routinely discount security claims that have not been subject to public scrutiny.

The researchers’ results should not be taken as evidence that Diebold machines are less secure than other secret systems. Most likely, all of the secret systems suffer from a similar level of problems. If Diebold fixes the reported problems, then Diebold’s systems will probably be more secure than their competitors.

This effect is what makes legislation like H.R. 2239 so important. Secrecy makes it difficult for vendors to differentiate their products based on security, since the secrecy makes it so difficult for a buyer to tell a secure product from an insecure one. Opening the systems up for inspection allows vendors to compete based on security, and that competition helps everybody.

E-Voting Bill Introduced

My Congressman, Rep. Rush Holt, has introduced an important e-voting bill, H.R. 2239. The bill would address the serious concerns raised by a broad coalition of computer scientists (including me) about the security and trustworthiness of electronic voting systems.

The bill would do three main things. First, it would require that voting systems generate a paper trail that the voter can verify at the time he/she votes. Second, it would require the software used in voting machines to be open for public inspection. Third, it would institute random, surprise recounts in 0.5% of jurisdictions, as a quality control measure. The bill also contains safeguards to ensure that disabled voters can cast their votes.

The text of the bill is not yet on the House’s web site; I’ll post a link here when it becomes available. I have seen a preview copy of the bill, and I think it does an excellent job of ensuring that our transition to e-voting maintains the trustworthiness of our elections. I support it strongly, and I hope you will do so too.

UPDATE (10:55 AM, May 27): The bill’s text is now available.