Archive for the ‘security’ Category

Diebold admits ATMs more robust than voting machines

Saturday, April 26th, 2008

Interesting article on the costs of voting machines. A spokesman for Premier Election Systems (formerly Diebold Election Systems) is quoted saying:

“An ATM is significantly a more expensive device than a voting terminal…” said Riggall. “Were you to develop something that was as robust as an ATM, both in terms of the physical engineering of it and all aspects, clearly that would be something that the average jurisdiction cannot afford.”

Glass Box Voting was founded on the premise that that statement is not true.

The article also reminds us of the fun fact that Diebold Accuvote-TS machines can be opened with a standard minibar key.

I do not agree with the premise of the headline that money for improving voting machines has all gone to Iraq - our government has the resources to fund multiple priorities, and the integrity of the voting process seems to me to be an important priority. I agree with Ed Felten:

“It all depends what you compare it to,” said Felten. “If you compare the amount of money we spend actually administering the election versus the amount that’s spent trying to convince people to vote this way or that way, it looks pretty small. If you compare it against the importance of getting the outcome right, it also looks relatively small. So, to me, it’s an investment that we should be willing to make.”

Hat tip to infodiva and slashdot. Also want to remind new readers of an old post: The difference between an ATM and a voting machine. Edit - oops, meant to link to Voting as a security problem.

Bruce Schneier on voting

Wednesday, March 12th, 2008

I have read Bruce Schneier’s blog for years; it’s an excellent source of information about cryptography and security. I appreciate his Snake Oil Alerts in particular, because they educate you on what to look out for. A common claim by vendors, for example, is that 2048-bit RSA keys are somehow “better” than 256-bit AES keys, which just isn’t the case: key lengths are only comparable within a single algorithm family, and by the usual estimates (NIST puts it at roughly 112 bits of security strength) a 2048-bit RSA key offers far less than 256 bits.

On the topic of voting, I would start with The Problem With Electronic Voting Machines.

A thoughtful discussion of transparency

Tuesday, February 19th, 2008

On gmiller’s OSDV blog, which I found from the Facebook group.

[UPDATE]

I’m in favor of unmoderated comments. Once I figure out how to set this site to do that, I will.

Theory and Practice of Cryptography talk by Ben Adida

Wednesday, February 13th, 2008

I just watched a very good talk on voting cryptosystems and the cryptographic principles and primitives behind them. I found the link here.

Safe vs. Ballot Box

Wednesday, February 13th, 2008

What’s a better way to store votes?

Old Diebold Safe versus Ballot Box

Safes

Safes are good places to keep money, because money, like mushrooms, grows in the dark. Safes are not good places to keep things that require light, like votes and houseplants.

When you put money in a safe, your concern is that the money be there when you open it. The bank that owns the safe has the same objective. You probably do not want the safe to have a readout that displays its contents to arbitrary members of the public.

You trust your bank, your bank trusts you (although they often should do more to be sure it is you, not someone stealing your identity) and it all works out. The bank staff knows how to operate the safe correctly, since they do it every day, and the safe is guarded at night by people who don’t know how to open it.

Ballot Boxes

As discussed before, a ballot box has different and greater security requirements.

A ballot box collects votes, not money. Votes, or more precisely ballot images, are not fungible like money - they are multidimensional, multivalued data elements rather than scalar units with a denomination. For example, my vote yesterday included the primary candidate for president (pick one), primary candidate for representative (pick one), circuit court judge (pick no more than two from a list of two), female delegates to the national convention (vote for no more than four), and male delegates to the national convention (vote for no more than four).

(How common is it to vote for delegates by gender btw?)
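To make the “multidimensional, multivalued” point concrete, here is an added example (not code from the original post) that encodes the contest rules just listed as a ballot definition and checks cast vote records against them. The contest list and selection limits are taken from the post; the choice names (P1, R1, J1, F1, M1 and so on) and the cast vote records in the demo are placeholders constructed for the example.

```python
"""Ballot definition and cast-vote-record checks.

Added example, not code from the original post. The contests and their
selection limits are the ones the post describes; every choice name is a
placeholder invented for the example, not a real candidate.
"""
from collections import Counter

# Ballot definition: contest -> (maximum selections, valid choices).
BALLOT_DEFINITION = {
    "president":           (1, ["P1", "P2", "P3"]),
    "representative":      (1, ["R1", "R2"]),
    "circuit_court_judge": (2, ["J1", "J2"]),
    "female_delegates":    (4, ["F1", "F2", "F3", "F4", "F5", "F6"]),
    "male_delegates":      (4, ["M1", "M2", "M3", "M4", "M5", "M6"]),
}


def check_ballot(cvr, definition=BALLOT_DEFINITION):
    """Return contest -> status for one cast vote record (contest -> selections).

    Statuses: 'ok', 'undervote', 'overvote', 'invalid_choice', 'unknown_contest'.
    A ballot is not a single value: each contest is judged on its own, so an
    overvote in one contest does not void the others.
    """
    status = {}
    for contest, selections in cvr.items():
        if contest not in definition:
            status[contest] = "unknown_contest"
            continue
        limit, choices = definition[contest]
        if any(s not in choices for s in selections) or len(set(selections)) != len(selections):
            status[contest] = "invalid_choice"   # unknown or duplicated choice
        elif len(selections) > limit:
            status[contest] = "overvote"
        elif len(selections) < limit:
            status[contest] = "undervote"        # includes a contest left blank
        else:
            status[contest] = "ok"
    for contest in definition:
        status.setdefault(contest, "undervote")  # contest absent from the record
    return status


def tally(cvrs, definition=BALLOT_DEFINITION):
    """Per-contest totals over many cast vote records.

    Undervoted contests still contribute the selections that were made;
    overvoted or invalid contests are skipped and counted in `skipped`.
    """
    totals = {contest: Counter() for contest in definition}
    skipped = Counter()
    for cvr in cvrs:
        statuses = check_ballot(cvr, definition)
        for contest, selections in cvr.items():
            if statuses[contest] in ("ok", "undervote"):
                totals[contest].update(selections)
            else:
                skipped[contest] += 1
    return totals, skipped


if __name__ == "__main__":
    # Constructed sample records: one clean ballot, one with an overvote.
    sample = [
        {"president": ["P1"], "representative": ["R2"], "circuit_court_judge": ["J1", "J2"],
         "female_delegates": ["F1", "F2", "F3", "F4"], "male_delegates": ["M1", "M2", "M3"]},
        {"president": ["P1", "P2"], "representative": ["R1"]},
    ]
    for record in sample:
        print(check_ballot(record))
    print(tally(sample))
```

The rules applied here, that an overvote voids only the contest it occurs in and that an undervoted vote-for-four contest still contributes the selections that were made, are the conventional ones and are an assumption of the example; the post does not state them.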

A ballot box must make information about its contents public. It should display how many votes have been cast, and should allow auditors to determine that votes have not been altered at any point.

Update

After watching the video in the post above, I realize that I overstated the case. A ballot box must make some information about its contents public, e.g. number of votes and the current validity status of each vote. The vote choice or ballot image must not be visible at all times, but only at the end of the process when it’s tallying time.
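As an added example (not code from the original post) of this revised requirement, the following commit-now, open-later ballot box publishes a count and a per-ballot validity status throughout the election, while the ballot images stay hidden until the box is opened for tallying, at which point every published commitment must open to exactly the ballot that was cast. The commitment (a SHA-256 hash over a random nonce and a canonical JSON encoding), the “cast”/“spoiled” status values and the contest and choice names are choices made for this example, not anything the post specifies. It also exercises the ballot secrecy and vote integrity requirements that the “Voting as a security problem” post on this page defines.

```python
"""Commit-now, open-at-tally ballot box.

Added example, not code from the original post. The hash-commitment design,
the status values and all contest/choice names are assumptions of the example.
"""
import hashlib
import hmac
import json
import os
from collections import Counter


def canonical(ballot):
    """Deterministic encoding so the same ballot always hashes the same way."""
    return json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()


def commit(nonce, ballot):
    """SHA-256 commitment to a ballot. The 32-byte random nonce is what hides
    the ballot: the space of possible ballots is small enough to enumerate,
    so without it anyone could recover the choices from the commitment by trial."""
    return hashlib.sha256(nonce + canonical(ballot)).hexdigest()


class BallotBox:
    def __init__(self):
        self._sealed = []      # private: (nonce, ballot), revealed only at tally time
        self.commitments = []  # public: one hex digest per ballot
        self.status = []       # public: "cast" or "spoiled"

    def cast(self, ballot):
        nonce = os.urandom(32)
        digest = commit(nonce, ballot)
        self._sealed.append((nonce, ballot))
        self.commitments.append(digest)
        self.status.append("cast")
        return digest  # the voter's receipt: proves inclusion, reveals nothing

    def spoil(self, receipt):
        """Mark a ballot invalid (e.g. the voter spoiled it); it stays in the log."""
        self.status[self.commitments.index(receipt)] = "spoiled"

    def public_view(self):
        """What anyone may inspect at any time during the election."""
        return {"count": sum(s == "cast" for s in self.status),
                "commitments": list(self.commitments),
                "status": list(self.status)}

    def open(self):
        """Tally time: publish nonces and ballot images for everyone to check."""
        return [(nonce.hex(), ballot) for nonce, ballot in self._sealed]


def verify_opening(public, openings):
    """Return the indexes whose opening does not match the published commitment,
    so an altered or substituted ballot is pinpointed rather than just detected."""
    if len(openings) != len(public["commitments"]):
        return list(range(max(len(openings), len(public["commitments"]))))
    bad = []
    for i, ((nonce_hex, ballot), digest) in enumerate(zip(openings, public["commitments"])):
        if not hmac.compare_digest(commit(bytes.fromhex(nonce_hex), ballot), digest):
            bad.append(i)
    return bad


def tally_opening(public, openings):
    """Count only ballots whose commitment verified and whose status is 'cast'."""
    bad = set(verify_opening(public, openings))
    totals = {}
    for i, (_, ballot) in enumerate(openings):
        if i in bad or public["status"][i] != "cast":
            continue
        for contest, choices in ballot.items():
            totals.setdefault(contest, Counter()).update(choices)
    return totals


if __name__ == "__main__":
    box = BallotBox()
    receipt = box.cast({"president": ["P1"], "representative": ["R2"]})  # constructed ballot
    box.cast({"president": ["P2"], "representative": ["R2"]})
    print(box.public_view())                      # count and statuses, no choices
    openings = box.open()
    print(verify_opening(box.public_view(), openings))  # [] when nothing was altered
    print(tally_opening(box.public_view(), openings))
```

Two caveats a practitioner would raise about this toy. First, the commitments are published in casting order, so a poll book that records the order in which voters signed in would link them to ballots; a real design has to break that correlation (shuffling before publication, for instance). Second, a voter who keeps the receipt can, once the openings are published, point to their ballot and prove how they voted, so the scheme is not receipt-free and does not by itself defeat coercion; it demonstrates the hide-until-tally and tamper-evidence properties only.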

Important articles

Tuesday, February 12th, 2008

The Problem With Electronic Voting Machines

Bruce Schneier is a vital information source for keeping track of news in the area of cryptography and security. In 2004 he published an article on his blog entitled The Problem With Electronic Voting Machines. At the start of that article he summarizes the four required characteristics of a voting system: accuracy, anonymity, scalability and speed.

Accuracy means both correctly capturing voter intent in a cast vote record of some form and then protecting that record from modification, loss or forgery. Anonymity is the same as ballot secrecy or voter privacy - the principle that a voter’s identity can in no way be determined from the cast vote record. Scalability refers to the ability of the system to handle the large surges of usage that come on election day, as well as the complexity of overlapping jurisdictions. Speed means the ability of the system to produce official results rapidly.

Schneier’s recommendation is twofold: first, that all DREs (direct-recording electronic voting machines) must produce a VVPAT (voter-verified paper audit trail), and second, that the software must be open to public scrutiny.

Why Johnny Can’t Vote

Barbara Simons is a past president of the Association for Computing Machinery and an expert on voting systems. In March 2005 she wrote a valuable editorial in the APS News. I highly recommend reading the whole thing, but her conclusion is worth quoting in its entirety:

The issue of e-voting should have been primarily a technological issue—one involving computer security, human factors, reliability, and efficiency. Instead, because of the vast sums of money involved, e-voting has been heavily politicized.

Election officials were told that DREs in the long run would be cheaper than alternative voting systems. They were told that DREs had been extensively tested and that the certification process guaranteed that the machines were reliable and secure. No mention was made of the significant costs of testing and of secure storage of DREs; no mention was made of the inadequacy of the testing and certification processes, to say nothing of the difficulty of creating bug-free software.

Technologists are attempting to educate election officials, policy makers, and the public about the risks of paperless DREs. It is critical for the continued existence of democracy throughout the world that we succeed.

Important voting studies

Tuesday, February 12th, 2008

Here’s a quick survey of some of the recent studies of voting system security.

California Secretary of State’s Top to Bottom Review

This study took place from March to August of 2007, and consisted of three efforts in parallel: documentation review, source code review, and red-team testing. It covered machines from four major vendors: Diebold Election Systems (now Premier Election Systems), Hart InterCivic, Sequoia Voting Systems, and Election Systems & Software (ES&S).

Bruce Schneier summarized the results thus:

The state of California conducted a security review of their electronic voting machines earlier this year. This was a serious review, with real security researchers getting access to the source code. The report was issued last week, and the researchers were able to compromise all three machines — by Diebold Election Systems, Hart Intercivic, and Sequoia Voting Systems — multiple ways. (They said they could probably find more ways, if they had more time.)

Brennan Center Report

In 2005 the Brennan Center for Justice published a report with input from numerous voting system and security experts. They surveyed DRE, DRE+VVPAT and optical scan (OpScan) systems, found problems common to all types, and produced recommendations for how to mitigate those problems. The most serious common problem is that all systems are subject to code substitution attacks, in which a device’s firmware is replaced with a malicious firmware image that can manipulate the stored votes according to the attacker’s wishes.

The recommendations were aimed at elections administrators, providing guidance on how jurisdictions could attempt to mitigate vulnerabilities procedurally, rather than offering technical recommendations.

GAO Report

The Government Accountability Office produced a report on electronic voting in 2005. Top concerns in their document include the lack of protection of audit records from tampering, the ability to modify the electronic ballot definition so that the voter is presented with an incorrect ballot, and vendors distributing uncertified software images.

UPDATE Thanks to Rick for jogging my memory.

An Analysis of an Electronic Voting System

This paper was published in 2003 highlighting numerous attack vectors against the Diebold Accuvote-TS. It was criticized by the vendor for not taking into account procedural controls to mitigate problems. The back and forth on this topic can be found at Avi Rubin’s site.

SAIC Report

After the above was published, the State of Maryland commissioned a report from SAIC on the Diebold Accuvote-TS. It supported many of the findings in the above paper, and had a long list of recommended changes to be applied to the Accuvote-TS. If anyone is aware of an official response from Diebold please post a link in the comments.

Questions for Vendors

While tracking down the links above, I stumbled across Dr. Rubin’s list of questions to ask your voting machine vendor.

Voting as a security problem

Sunday, February 10th, 2008

Voting is one of the most vexing security arenas to be found, and one should beware of those who try to simplify the problem. A number of core issues make voting much more challenging than more traditional security domains such as the financial industry and the military. Predominant among these issues are the principles of ballot secrecy, vote integrity, and mutual suspicion.

Ballot Secrecy

The secret ballot is a cornerstone of democracy. Voting in secret prevents manipulation of elections by means of vote buying or voter coercion: a vote that cannot be proven cannot be sold or compelled. In technology terms, it means that no information held by the system, including timestamps, sequence numbers or audit logs, may link the voter to the record of their ballot.

Vote Integrity

As a security term, integrity means the assurance that a data item has not been altered since it was recorded, whether by tampering or by accident. If a vote is recorded without integrity protections, the final tally is suspect, since any record could have been changed along the way without anyone being able to tell.

Mutual Suspicion

In many security domains there are trusted agents who are assumed not to attempt to subvert the system. In Common Criteria protection profiles, for example, you often find an assumption labeled “NO_EVIL_ADMIN”, which simply means that to satisfy the security claims for the product you must assume that its administrators are trusted; if they are not, in most cases those claims cannot be satisfied. This approach is not satisfactory in the voting arena, where election officials, vendors, candidates and voters all have reason to suspect one another.

After the jump, a comparison to the security requirements in the financial industry, particularly ATMs.

(more…)

Hello world!

Sunday, February 10th, 2008

On Election Day 2007, I founded Glass Box Voting to build a demonstrably secure voting system. For years, the voting equipment marketplace has been occupied by companies whose lack of commitment to security and transparency has been widely criticized by security analysts, elections administrators and voting integrity activists. Also for years, I’ve been saying to myself, “this is a brilliant opportunity for an energetic team of smart, security minded folks to build a better system.” Eventually I got tired of waiting, and decided to build that team.

This being the first post, I will introduce myself.

(more…)