Wednesday, September 27, 2006


Diebold redux

I've waited a week or so to write about the recent Diebold voting machine news, and I've waited because I wanted to take the time to digest it all, see the news items settle down, and think about just how I wanted to respond. References are at the bottom; you might want to go there first to review the situation.

A couple of notes, first, about what I said in May.[1] My main point was that voting by computer could be far better and far more secure and tamper-proof than what we have now, but only if it were "properly designed, constructed, and checked." I observed that the Diebold system does not qualify there, and "[w]e should right now be working on designing a proper system — I suggest one where the source code is openly available, for all to review and validate."

But the Diebold situation is quite the opposite of that. The New York Times article[5] gives an arrogant — and dangerous, if we're to continue using these machines — company policy:

Mark G. Radke, director for marketing at Diebold, said that the AccuVote machines were certified by state election officials and that no academic researcher would be permitted to test an AccuVote supplied by the company.
The ironically named machines were "certified" by "state election officials", who have no expertise in computer security, so what assurance does that give us that anything is correct about the machines? Apart from that, "certified" is surely the wrong word here; more likely, they were "accepted" by these officials, who likely read something they were given by Diebold, and then signed off on it.

So in reality, the machines were certified by Diebold itself. That may comfort someone, but it doesn't comfort me. We need independent certification by experts in the technology. Far from restricting what some "academic researcher" should be permitted to do, we should welcome, and in fact demand more eyes, more hands, more analysis, more testing.

Avi Rubin isn't comforted either.[2] Professor Rubin spent the day of the Maryland primary elections working as an election judge, something he's done twice before. This time, he did them with the Diebold machines, and his experience with that, as reported in his blog, is something you must read. Professor Rubin teaches computer security and privacy at Johns Hopkins University, and he is an expert in the technology. While Diebold plays down the importance of security of the software, stressing how the physical security is key to the integrity of the overall system, Professor Rubin points out a number of problems with the physical access to the machines, even down to the confirmation that the machines had the correct ID numbers (happily, in this case they did not use the machines in question).

And it's not just the academics or the ACLU, or the Carter Foundation, or some other left-wingers who have a problem with this. The Washington Post reported[3] that Maryland Governor Ehrlich wants to go back to paper ballots, and, while the state's board of elections administrator thinks it's crazy to switch at this late time, "her staff would 'work around the clock' to correct the problems that plagued the primary." On the other hand, we have some indication that Ms Lamone is among those state election officials who don't understand computer technology ([4], and note the part where she's asked about the reliability of computer systems). Further:

She vowed that her office would help local election boards retrain judges, recruit new ones and force Diebold Election Systems to fix the problems that caused some of its machines to malfunction.
She'll "force" them? How? They haven't yet; why does she think they can be "forced" to change anything if there's no threat of having the machines pulled from the election? Lawsuits? Maybe, but good luck.

On the other hand, lawsuits are ultimately one answer to this: hold those responsible accountable for what they're doing to the election system. The problem, though, is that this isn't just causing confusion, delays, and difficulty at election time. It is doing that, but it's also damaging the confidence people have that elections are properly and fairly run, and that will likely result in lower turnout in the future — even if they don't actually manipulate the election results.

OK, there are the complaints and the problems. What can we do about them; how can we fix them? We can, as Governor Ehrlich suggests, go back to paper (or mechanical voting machines, as we use in New York). But that's not the right answer (though it's certainly all we can do by November 2006). If I'm right that computer voting can be so much better than what we have now, we should be making it better. How?

Design a system that works with the realities of how people go to vote. Design in the sorts of reasonable overrides that we know we need, that we can anticipate because they happen all the time, and make sure that the overrides keep proper audit trails so we can validate them later, when there are any questions. Make sure the system does the right thing in the event of computer or network failures. Make sure we can fix legitimate human error, and track what happened afterward.

Design a system with multiple isolated copies of the voting information. Make sure that there is no single point of failure, and, further, that there is no single point where tampering can be done effectively and without detection. Store the information securely, and, again, keep an audit trail.

Design a system that uses signed software modules, and refuses to use software modules that do not have valid signatures. This ensures that the software came from the right source and was not tampered with. Similarly, sign (and encrypt) the data produced by the system.

Design the system and then have the design reviewed by an independent panel of experts. Implement the design and then have the implementation reviewed by an independent panel of experts. Design operational procedures and have the procedures reviewed. Have everything reviewed and vetted at every step in the process, and make the process open, so that anyone who wants to check it... can. Make it so that everyone can assure herself — either first hand or by proxy — that it's been done correctly and secured.

Finally, have it certified independently of the company, and give the signing keys only to the certification body. Make sure those who are certifying it are qualified to certify computer software in general and security-related software in particular. Since they, and only they, hold the signing keys, everything has to go through them. Make sure they can do this and that they inspire trust in the public, who will be using these machines to cast their votes.

As I said in May, I don't believe this is an intractable problem. We trust computers to deal with many billions of dollars, and each of us trusts them with our own life's savings. They can work, and they can work reliably. But we have to make sure they do.

[1] My earlier analysis of what computer voting could give us, and what assurances we'd need in order to properly deploy them.

[2] Avi Rubin's blog entry, "My day at the polls - Maryland primary '06", which describes his first-hand experience with the problems with the Diebold machines.

Two Wasington Post articles about the backlash from officials in Maryland:
[3] "Ehrlich Wants Paper Ballots For Nov. Vote"
[4] "If Paper Ballots Restore Trust In Elections, Let's Switch"

[5] A New York Times business-section article, "The Big Gamble on Electronic Voting".


Anonymous said...

I am very glad to see you handling this, and to see it in SkepCirc. From my reading, I still think you underestimate the problems with the machine. (On the other hand, I am technologically declined, so you may be able to soothe some of my fears.)

Some problems that have already occurred should be mentioned. (And before this, you do not mention the various demonstrations of the ease of hacking of the machines, using either a forged memory card or a machine that is not suitably secured, particularly the Hursti demonstration.)

Because there was no money in the budget to keep the machines suitably secured, in the recent Bilbray/Busby election, poll workers were allowed to take the machines home with them, unsupervised, for periods of a week or more, which strikes me as a recipe for disaster.

You do not mention a potential danger for those machines that have wireless modems and wireless ports, and the possibility of hacking them from a distance without physical access to the machines.

As a matter of simple confidence, there should be an absolute prohibition for management of any company selling voting machines from making any contribution to any political party, candidate, or partisan 'special issue' group. There has been too much worry about the connection between Diebold and George Bush, Jack Abramoff, Bob Ney etc. This has to be prevented.

The use of unexamined proprietary code is something you mention. However, i am unaware if it is possible to create a tamper-proof code, one which basically disintegrates if tampered with -- and, of course, the problem with this is that you have to be able to input the candidates' names into the machine. (I have wondered if it might be posible to create 'one-use' only machines, safe but cheap, that could only register the votes for a given election and then be storable for a certain length of time -- but would this be aggravating the difficulty of checking the code for each machine?

The idea of a paper trail is certainly necessary. Again I see the possibility of creating a double trail, a copy of which would bve given to the voter and one would be stored in the machine. The danger in this would be the ease of checking the second trail and destroying ballot secrecy, since at least here in NY a person who votes is given a particular number and I don't see how the stored ballots could be sufficiently randomized.

I agree that this situation has to and can be fixed in time for the 2008 elections, but I am worried about the upcoming elections. I simply do not trust the Republican party, the party of Ken Blackwell, Katherine Harris and Tom Feeney among others, to permit an honest ballot when the overall election is likely to be both close and 'leaning Democratic.'

Other countries have used the ideas of exit polls as a check on the fairness of an election to good use. If the election varies too much from the exit poll, it is at least suspicious. A number of American elections have gone against the exit poll results -- suspiciously usually in favor of the Republicans. Is there anyway this can be used as a check?

A lot of questions, but glad to have someone who has the level of technical knowledge to answer them

Prup (aka Jim Benton)

btw, and cut this in moderating it, can you go back to the standard Blogger comment form. I don't remember my 'blogger password' and my computer doesn't have it. The other system, including word verification, seems to be a lot better.

Barry Leiba said...

Hi Jim, and thanks for the comment.

No, I didn't talk directly about all the problems that've been uncovered with the Diebold machines, because the news media have covered them extensively. The summary, which I said in both the May post and this one, is that the Diebold machines do not meet the standards we'd need in order to have good, safe voting machines.

As to wireless networks, no, proper voting machines would not use the kinds of wireless networks we're used to using to connect to the Internet, because the existing security on those networks isn't adequate. And as I said in May: "First, as I said about the network that we'd transmit the data on: private. This stuff would not go on a public network, such as the Internet. Not now, and not in the foreseeable future. Further, the data would be encrypted and signed, preventing snooping and tampering." It's possible that they could be on a next generation of wireless (but private!) network, one that doesn't suffer from the security problems that plague what we have now.

I agree with you when you say that the manufacturer must be politically detached. Absolutely!

As to tamper-proof code, there are two approaches here, and they could be used together. As I say here, the code (and the operational data, such as the slates of candidates) could be digitally signed, and the system would refuse to operate with code or data whose signatures fail to verify. The way digital signatures work, any changes after the signature is created would cause the signature verification to fail. The second approach is to use special hardware that will fail to function if it's tampered with (such hardware exists, and is already used in high-security systems). The basic code that verifies the signatures in the rest of the system and controls the loading and running of it could be in the special hardware.

Using a system like that, necessary changes could be made, and operational data could be created and modified, but only by the authorized entity that has the signing keys.

Using exit polls as a sanity check sounds reasonable on the surface, but I know there's a lot of disagreement about the accuracy of exit polls. The whole subject of exit polls would make an excellent Skeptics' Circle entry itself... but it'd have to be written by someone who's studied exit polls far more than I have.

(And as to the comment moderation, I've used that from the beginning — even when I had the CAPTCHA enabled, I still moderated the comments, and I turned the CAPTCHA off because I didn't think it added anything. What you may be having difficulty with right now is that I've switched to Blogger's beta-test system, and the logins aren't compatible between the regular system and the beta. I hope those difficulties will go away when they switch over to the beta system for real.)