Archive for the ‘electronic voting’ Category

Important articles

Tuesday, February 12th, 2008

The Problem With Voting Machines

Bruce Schneier is a vital information source to keep track of news in the area of cryptography and security. In 2004 he published an article on his blog entitled The Problem With Voting Machines. At the start of that article he summarizes the four required characteristics of a voting system: accuracy, anonymity, scalability and speed.

Accuracy means both correctly capturing voter intent in a cast vote record of some form and then protecting it from modification, loss or forgery. Anonymity is the same as ballot secrecy or voter privacy - the principle that a voter’s identity can in no way be determined from the cast vote record. Scalability refers to the ability for the systems to handle the large surges of usage that come on election day, as well as the complexity of overlapping jurisdictions. Speed means the ability for the system to produce official results rapidly.

Schneier’s recommendation is twofold - first that all DREs must use VVPAT and second that software must be open to public scrutiny.

Why Johnny Can’t Vote

Barbara Simons is a past president of the Association for Computing Machinery and expert on voting systems. In March 2005 she wrote a valuable editorial in the APS News. I highly recommend reading the whole thing, but her conclusion is worth quoting in its entirety:

The issue of e-voting should have been primarily a technological issue—one involving computer security, human factors, reliability, and efficiency. Instead, because of the vast sums of money involved, e-voting has been heavily politicized.

Election officials were told that DREs in the long run would be cheaper than alternative voting systems. They were told that DREs had been extensively tested and that the certification process guaranteed that the machines were reliable and secure. No mention was made of the significant costs of testing and of secure storage of DREs; no mention was made of the inadequacy of the testing and certification processes, to say nothing of the difficulty of creating bug-free software.

Technologists are attempting to educate election officials, policy makers, and the public about the risks of paperless DREs. It is critical for the continued existence of democracy throughout the world that we succeed.

Important voting studies

Tuesday, February 12th, 2008

Here’s a quick survey of some of the recent studies of voting system security.

California Secretary of State’s Top to Bottom Review

This study took place from March to August of 2007, and consisted of three efforts in parallel - documentation review, source code review, and red-team testing. It covered machines from four major vendors, Diebold Elections Systems (now Premier Elections Systems), Hart InterCivic, Sequoia Voting Systems, and Elections Systems and Software (ES&S).

Bruce Schneier summarized the results thus:

The state of California conducted a security review of their electronic voting machines earlier this year. This was a serious review, with real security researchers getting access to the source code. The report was issued last week, and the researchers were able to compromise all three machines — by Diebold Election Systems, Hart Intercivic, and Sequoia Voting Systems — multiple ways. (They said they could probably find more ways, if they had more time.)

Brennan Center Report

In 2005 the Brennan Center for Justice published a report with input from numerous voting system and security experts. They surveyed DRE, DRE+VVPAT and OpScan systems, and found problems common to all types and produced recommendations for how to mitigate those problems. The most serious common problem is that all systems are subject to code substitution attacks in which a device’s firmware is replaced with a malicious firmware image that can manipulate the stored vote according to the attacker’s wishes.

The recommendations were aimed at elections administrators, providing guidance on how jurisdictions could attempt to mitigate vulnerabilities procedurally, rather than offering technical recommendations.

GAO Report

The Government Accountability Office produced a report on electronic voting in 2005. Top concerns in their document include the lack of protection of audit records from tampering, the ability to modify the electronic ballot definition so that the voter is presented with an incorrect ballot, and vendors distributing uncertified software images.

UPDATE: Thanks to Rick for jogging my memory.

An Analysis of an Electronic Voting System

This paper was published in 2003 highlighting numerous attack vectors against the Diebold Accuvote-TS. It was criticized by the vendor for not taking into account procedural controls to mitigate problems. The back and forth on this topic can be found at Avi Rubin’s site.

SAIC Report

After the above was published, the State of Maryland commissioned a report from SAIC on the Diebold Accuvote-TS. It supported many of the findings in the above paper, and had a long list of recommended changes to be applied to the Accuvote-TS. If anyone is aware of an official response from Diebold please post a link in the comments.

Questions for Vendors

While tracking down the links above, I stumbled across Dr. Rubin’s list of questions to ask your voting machine vendor.

Voting machine terms defined

Tuesday, February 12th, 2008

There are many types of devices that can be described as voting machines; here are some common terms and jargon used in the field.

DRE: Direct Recording Electronic. A device that gathers votes through a user interface, stores them internally, and then produces a tabulation of the votes at the end of the voting period.

OpScan: Optical Scanner. This device tabulates the vote result by scanning paper ballots that might be bubble sheets filled in by the voters, or might be produced from a ballot printer.

VVPAT: Voter verified paper audit trail. This is the capability for a voting machine to produce a lasting paper record which is reviewed by the voter prior to casting the final vote.

Voting as a security problem

Sunday, February 10th, 2008

Voting is one of the most vexing security arenas to be found, and beware of those that try to simplify the problem. A number of core issues make voting much more challenging than more traditional security domains such as the financial industry and the military. Predominant among these issues are the principles of ballot secrecy, vote integrity, and mutual suspicion.

Ballot Secrecy

The secret ballot is a cornerstone of democracy. Voting in secret prevents manipulation of elections by means of vote buying or voter coercion. In technology terms, it means that no information shall link the voter to the record of their ballot.

Vote Integrity

As a security term, integrity simply means the assurance that a data item is unchanged, and thus that it has not been tampered with or modified. If a vote is recorded without integrity protections, the final tally is suspect since it could have been changed along the way.
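To make the ballot secrecy and vote integrity requirements above concrete, here is an added example (not code from Glass Box Voting or any vendor) of a tamper-evident cast vote record store: each record is chained to its predecessor with an HMAC, and the record deliberately carries no voter identifier, timestamp or sequence number. The key, contest name and sample votes are constructed for the demonstration.

```python
"""Tamper-evident cast vote records (CVRs), added as an illustration of the
integrity and ballot-secrecy requirements; example code, not a real system."""
import hashlib
import hmac
import json
from collections import Counter

# Constructed demo key; a real device would hold this in protected storage.
DEVICE_KEY = b"demo-key-not-for-production"
GENESIS = b"\x00" * 32


def _link(prev_tag: bytes, record: dict) -> bytes:
    """Tag = HMAC(key, previous tag || canonical record). Chaining each record
    to its predecessor means editing, removing or reordering an earlier record
    is detected; truncating the tail is not, so the final tag must also be
    written into the closing report to catch that case."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(DEVICE_KEY, prev_tag + body, hashlib.sha256).digest()


def cast(chain: list, choice: str) -> None:
    """Append a CVR. Note what is deliberately NOT stored: no voter id,
    no timestamp, no sequence number (any of those could link a voter
    to a ballot)."""
    record = {"contest": "Measure A", "choice": choice}  # constructed contest
    prev = chain[-1][1] if chain else GENESIS
    chain.append((record, _link(prev, record)))


def verify(chain: list) -> bool:
    """Recompute every link; a changed, dropped or reordered record breaks
    the chain from that point onward."""
    prev = GENESIS
    for record, tag in chain:
        if not hmac.compare_digest(tag, _link(prev, record)):
            return False
        prev = tag
    return True


def tally(chain: list) -> Counter:
    """Refuse to count records whose chain does not verify."""
    if not verify(chain):
        raise ValueError("cast vote records failed integrity check")
    return Counter(r["choice"] for r, _ in chain)


def demo() -> tuple:
    """Cast three constructed votes, then simulate a stored vote being altered."""
    chain = []
    for choice in ["yes", "no", "yes"]:
        cast(chain, choice)
    clean = tally(chain)
    tampered = [(dict(r), t) for r, t in chain]
    tampered[1][0]["choice"] = "yes"  # modification after casting
    return clean["yes"], clean["no"], verify(chain), verify(tampered)
```

Because the chain fixes the order in which ballots were cast, the records must never be published in that order beside poll-book sign-in times; the integrity check happens on the device, and any exported list is shuffled first.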

Mutual Suspicion

In many security domains there are trusted agents who are assumed not to attempt to subvert the system. In Common Criteria protection profiles, for example, you often find an assumption labeled “NO_EVIL_ADMIN”, which simply means that to satisfy the security claims for the product you must assume that the administrators of the product are trusted; if they are not trusted, in most cases you cannot satisfy those security claims. This approach is not satisfactory in the voting arena.

After the jump, a comparison to the security requirements in the financial industry, particularly ATMs.


On Transparency

Sunday, February 10th, 2008

trans·par·ent, [trans-pair-uh nt] adj.

1. transmitting light, able to be seen through with clarity;
2. open, frank, candid;
3. guileless.

In an optical context, transparency connotes the unhindered transmission of light. In a broader context, the term implies openness, communication and accountability. When applied to voting technology, Verified Voting describes the term as

election procedures should promote openness along with security; election laws should make it easy for candidates and/or voters to get reliable, manual recounts in close elections or when there is initial evidence of a problem in the election; and most importantly, citizens must be able to freely participate in observing elections.

For a manufacturer of voting equipment, transparency refers to the availability of information about the design and testing of the equipment. This can include availability of source code, design documentation, information about test methodology and results, vulnerability analyses, bug databases, and more. Making this information available for public analysis and scrutiny helps promote public acceptance of and trust in the equipment. It can be argued that the major manufacturers currently practice transparency only when it cannot be avoided, and then to the minimum extent possible, and this promotes the current distrust of manufacturers among the voting integrity community.

In The Transparent Society, David Brin points out that “It is hard for recent cave dwellers to transform themselves into smart, honest, and truly independent creatures of light.”

Hello world!

Sunday, February 10th, 2008

On Election Day 2007, I founded Glass Box Voting to build a demonstrably secure voting system. For years, the voting equipment marketplace has been occupied by companies whose lack of commitment to security and transparency has been widely criticized by security analysts, elections administrators and voting integrity activists. Also for years, I’ve been saying to myself, “this is a brilliant opportunity for an energetic team of smart, security minded folks to build a better system.” Eventually I got tired of waiting, and decided to build that team.

This being the first post, I will introduce myself.
