This diary is a look at the potential for e-voting fraud, from an academic's perspective. I have a PhD in Computer Science, with publications in computer security. I am not a US citizen. I am employed at one of the top computer science departments in the US.
Below, I summarize the paper "Analysis of an Electronic Voting System" by Tadayoshi Kohno (Security and Cryptography Group, UC San Diego), Adam Stubblefield (Computer Security and Applied Cryptography, Johns Hopkins), Avi Rubin (Computer Science professor and Technical Director of the Johns Hopkins Information Security Institute), and Dan Wallach (assistant professor of computer science, Rice University). I have simply lifted extracts which I believe can be readily understood by the lay(wo)man.
I finish with some links to additional information on e-voting problems, and some comments about Bev Harris.
As a foreigner, it is fascinating to see the empirical trend in the US of fraud used to hold onto power: JFK (Illinois?), Nixon, Reagan (Iran). What makes some people assume Bush/Rove will buck the trend?
Here is the title with extracts of the Abstract. My emphasis (bold).
Analysis of an Electronic Voting System
July 23, 2003
Abstract
... Recently, ..., the source code purporting to be the software for a voting system from a major manufacturer appeared on the Internet.
... Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts.
... common voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal. ... we demonstrate that the insider threat is also quite considerable. We conclude that, as a society, we must carefully consider the risks inherent in electronic voting, as it places our very democracy at risk.
Here's the kicker, part of a summary of results in the Introduction.
we discovered significant and wide-reaching security vulnerabilities in the AccuVote-TS voting terminal. Most notably, voters can easily program their own smartcards to simulate the behavior of valid smartcards used in the election. With such homebrew cards, a voter can cast multiple ballots without leaving any trace. A voter can also perform actions that normally require administrative privileges, including viewing partial results and terminating the election early. Similar undesirable modifications could be made by malevolent poll workers (or even maintenance staff) with access to the voting terminals before the start of an election. Furthermore, the protocols used when the voting terminals communicate with their home base, both to fetch election configuration information and to report final election results, do not use cryptographic techniques to authenticate the remote end of the connection nor do they check the integrity of the data in transit. Given that these voting terminals could communicate over insecure phone lines or even wireless Internet connections, even unsophisticated attackers can perform untraceable "man-in-the-middle" attacks.
Now, if you have even a little technical training, this should have set your heart palpitating.
Here is Table 1 of the paper, summarizing the main forms of attack:
| | Voter (with forged smartcard) | Poll Worker (with access to storage media) | Poll Worker (with access to network traffic) | Internet Provider (with access to network traffic) | OS developer | Voting Device Developer |
|---|---|---|---|---|---|---|
| Vote multiple times using forged smartcard | yes | yes | yes | - | - | - |
| Access administrative functions or close polling station | yes | yes | - | - | yes | yes |
| Modify system configuration | - | yes | - | - | yes | yes |
| Impersonate legitimate voting machine to tallying authority | - | yes | yes | yes | yes | yes |
| Modify ballot definition (e.g., party affiliation) | - | yes | yes | yes | yes | yes |
| Cause votes to be miscounted by tampering with configuration | - | yes | yes | yes | yes | yes |
| Tamper with audit logs | - | yes | - | - | yes | yes |
| Create, delete, and modify votes on device | - | yes | - | - | yes | yes |
| Link votes to voters | - | yes | - | - | yes | yes |
| Delay the start of an election | - | yes | yes | yes | yes | yes |
| Tamper with election results | - | yes | yes | yes | yes | yes |
| Insert backdoors into code | - | - | - | - | yes | yes |
Even if you don't quite understand the row/column labels, one thing should be clear: from a computer security perspective, the potential for fraud is incredible.
The final part of the paper I wish to quote is a segment which appeared on another diary earlier today:
4.4 Votes and audit logs
Unlike the other data stored on the voting terminal, both the vote records and the audit logs are encrypted and checksummed before being written to the storage device. Unfortunately, neither the encrypting nor the checksumming is done securely.
All of the data on a storage device is encrypted using a single, hardcoded DES [NBS77] key:
#define DESKEY ((des_key*)"F2654hD4")
Note that this value is not a hex representation of a key. Instead, the bytes in the string "F2654hD4" are fed directly into the DES key scheduler. If the same binary is used on every voting terminal, an attacker with access to the source code, or even to a single binary image, could learn the key, and thus read and modify voting and auditing records.
What this basically says is: since 1997, there has been a gaping encryption hole left uncorrected, and any idiot can jump in and do whatever they want.
Perhaps now it may be clearer why many of us working in computer security have viewed this as the biggest threat to democracy in this country.
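A build-time check for the flaw quoted in section 4.4, as an added example that is not from the paper or from this diary: it scans C source for string literals bound to key-like names and shows what an 8-character literal becomes once its bytes go straight into the DES key schedule. The sample source is constructed around the quoted DESKEY line; the function names and the name-matching heuristic are assumptions.

```python
import re

# Constructed sample source; only the DESKEY line comes from the quoted paper.
SAMPLE_C = r'''
#include "crypto.h"
#define DESKEY ((des_key*)"F2654hD4")
#define LOG_PATH "audit.log"
void prompt(void) { printf("enter key: "); }
'''

IDENT_RE = re.compile(r'[A-Za-z_]\w*')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def find_hardcoded_keys(source):
    """Return (line_no, identifier, literal) where a key-like name sits next to a string literal.

    Heuristic (an assumption of this example): the identifier contains "key".
    Words inside the literal itself are ignored, so prompts are not flagged.
    """
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        literals = STRING_RE.findall(line)
        outside = STRING_RE.sub('""', line)   # blank out literal contents
        names = [n for n in IDENT_RE.findall(outside) if "key" in n.lower()]
        if names and literals:
            findings.append((no, names[0], literals[0]))
    return findings

def des_key_profile(literal):
    """Describe an 8-byte literal whose raw bytes are used as a DES key."""
    raw = literal.encode("utf-8")
    if len(raw) != 8:
        return None
    # DES discards the least significant (parity) bit of each key byte: 56 bits remain.
    effective = "".join(format(b >> 1, "07b") for b in raw)
    # In 7-bit ASCII the top bit of every byte is 0, which fixes 8 of those 56 bits.
    ascii_fixed = sum(1 for b in raw if b < 0x80)
    return {"hex": raw.hex(),
            "effective_bits": effective,
            # Upper bound for a text key chosen at random; a key shipped in every
            # binary is known to anyone holding one copy, whatever this number is.
            "max_variable_bits": 56 - ascii_fixed}

def audit(source):
    return [(no, name, lit, des_key_profile(lit))
            for no, name, lit in find_hardcoded_keys(source)]

if __name__ == "__main__":
    for no, name, lit, profile in audit(SAMPLE_C):
        print(f"line {no}: {name} = {lit!r} -> {profile}")
```

A check like this belongs in code review or CI; the fix it points to is per-device keys held outside the binary, plus a keyed integrity check on the records.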
I shall finish with some general information/links on e-voting, followed by some comments on Bev Harris.
THE CASE AGAINST ALL-ELECTRONIC VOTING
Internationally renowned computer scientists as well as election experts and activists are taking to the Web to point up the dangers of voting equipment that doesn't produce paper ballots for verifications.
-- Professor David Dill's Web site calls for voting machines that provide a "voter-verifiable audit trail." It includes an excellent "frequently asked questions" page: verify.stanford.edu/evote.html
-- The Voting Technology section of the California Voter Foundation, an excellent compendium of news, links and analysis by foundation President Kim Alexander: www.calvoter.org/votingtechnology.html
-- "Election Guardians," a site devoted mainly to the suit filed by Riverside County resident Susan Marie Weber challenging the legality of that county's all-electronic system: www.electionguardians.org
-- "Black Box Voting," a site run by publicist and author Bev Harris, including exposes of Sen. Chuck Hagel's previously undisclosed involvement with the company that made the machines that count all votes in his home state: www.blackboxvoting.com
-- Excellent recent articles by Salon.com's Farhad Manjoo on touch-screen voting technology and problems recently revealed by Harris and others: salon.com/tech/feature/2002/11/05/voting_machines/ and salon.com/tech/feature/2003/02/20/voting_machines/
-- "Electronic Voting" site of Rebecca Mercuri, a specialist on election technologies and a leading critic of all-electronic systems: mainline.brynmawr.edu/rmercuri/evote.html
-- Links to resolutions and documents debated by the Santa Clara County Board of Supervisors: www.sccgov.org/agenda/view/0,5310,ccid%253D215948,00.html (scroll to item 30). Supervisor Peter McHugh's successful amendment supporting voter-verified paper audit trail is listed as "2/25/03 Supp Info 4."
-- Links to papers on election risks by Peter Neumann, principal scientist at SRI International's Computer Science Laboratory: www.csl.sri.com/users/neumann/neumann.html#5
-- Report of the Caltech-MIT Voting Technology Project (July 2001), endorsing use of optical-scan equipment: www.vote.caltech.edu/Reports/index.html
Source: Chronicle research
Bev Harris
You may have noticed the "Bev Harris is a shrill conspiracy theorist" branding that's going on. (Let's face it, her website is as amateurish as it gets.) While Greg Palast may be shrill, Bev Harris is an order of magnitude less so, and commands genuine respect among computer security academics and professionals, despite attempts to smear her as "shrill". For example, the present paper cites Harris on the first page of the introduction:
... source code that appears to correspond to a version of Diebold's voting system appeared recently on the Internet. This appearance, announced by Bev Harris and discussed in her book, Black Box Voting [Har03], gives us a unique opportunity to analyze a widely used, paperless DRE system and evaluate the manufacturer's security claims.
Somewhat shrill, maybe; but she has made some extremely valuable contributions to research by computer security experts on e-voting fraud.