Risks of Electronic Voting
This page collects information on the risks of electronic voting
machines and internet voting.
Although computers are great tools for many kinds of problems, they
have limitations. Read on to find out more about the dangers of
electronic voting systems
13 July 2005
Bruce O'Dell tells of Multiple vulnerabilities in Diebold Optical Scan, and warns us:
Based on my experience in the financial services industry, discovery of
multiple security vulnerabilities of this severity in equipment in use by
any bank or brokerage house would trigger an immediate shutdown of all the
affected systems, followed by a full internal and external audit, and, in
all likelihood, formal investigation by regulatory and law enforcement
agencies. We should accept no less from the election services industry.
The affected Diebold optical scan equipment should be immediately withdrawn
from use in any election until independent recertification is achieved, or
a secure alternative is obtained. All other election equipment -
manufactured by Diebold or by other vendors - should be examined, and if
subject to the same vulnerability, should also be withdrawn. An
investigation to determine how equipment with such serious vulnerabilities
to insider manipulation could ever have been certified should also be
launched, and certification and oversight procedures enhanced.
Good people died to gain and defend our right to vote. Election
administration must not be exempt from industry best practices for
security, audit and control. (emphasis added)
29 November 2004
The New York Times gives a very clear, down-to-earth explanation of why electronic voting systems are not yet worthy of our trust:
A columnist in The Washington Post recently suggested that nostalgia
for paper ballots, in today's reliably computerized world, must reflect
a Luddite disdain for technology in general or an Oliver Stone-style
paranoia about the schemings of the political world.
Not at all. It can also arise from a clear understanding of how
computers work - and don't. The more you know about the operations of
today's widely trusted commercial computer networks, the more concerned
you become about most electronic-voting systems.
Virtually all systems provide some sort of confirmation of
transactions. You have the slip from the A.T.M., the receipt for your
credit card charge, the printout of your e-ticket reservation. If your
e-mail message doesn't go through, there is still the copy in your
"Sent" folder. This is the technology world's counterpart to the
check-and-balance principle in the United States government. The first
concept, robust testing, protects against unintended flaws. The second,
accountability, guards against purposeful distortions.
Many electronic systems violate the two basic rules of trustworthy
computing... By definition, they have barely been exposed to real-world
testing. ... Worse, most of the electronic systems are not accountable.
When I voted this year, I fed my paper ballot through an optical
scanner and into a storage box. In a recount, those ballots could have
been pulled out and run through the scanner again. If I had used the
touch screen, I would have had no tangible evidence that the vote
counted or was recountable.
22 September 2004
Apparently, it's possible to change votes in Diebold systems with a five line program
(reported on Slashdot). A separate news story
reports that "By entering a 2-digit code in a hidden location, a second set of
votes is created. This set of votes can be changed, so that it no longer
matches the correct votes. The voting system will then read the totals from the
bogus vote set. It takes only seconds to change the votes, and to date not a
single location in the U.S. has implemented security measures to fully mitigate
the risks."
29 August 2004
The Risks Digest gives an account of New Mexico votes lost in 2000 due to electronic voting errors. A followup by the author corrects his conclusion.
5 February 2004
Good news: the Pentagon has scrapped their Internet voting system because they couldn't "assure the legitimacy of votes that would be cast."
22 January 2004
I read A Security Analysis of SERVE - an Internet enabled electronic
voting system sponsored by the US Federal Government. I also read a
newspaper article
about it. Several security experts reviewed the system and
concluded that it should be scrapped due to gaping security flaws:
Internet voting presents
far too many opportunities for hackers or even terrorists to interfere
with fair and accurate voting, potentially in ways impossible to
detect. Such tampering
could alter election results, particularly in close contests.
Like the proponents of SERVE, we
believe that there should be better support for voting for our military
overseas.... [But] because the danger of
successful, large-scale attacks is so great, we reluctantly recommend
shutting down the development of SERVE immediately and not attempting
anything like it in the future until both the Internet and the world's
home computer infrastructure have been fundamentally redesigned, or
some other unforeseen security breakthroughs appear.
Unfortunately, the state I live in,
Utah, has signed on to try experiments with this system.
2 December 2003
Here are some
questions that every electronic-voting vendor should be expected to
answer. The questions were created by security experts at Johns Hopkins
Institute. They include topics such as security review of the systems,
public review, whether the vendor will certify the system for security
and reliability, and audit trails.
The same researchers analyzed the Diebold voting system and found many problems.
2 December 2003
California will soon require audit-receipts from voting machines:
E-Votes
Must Leave a Paper Trail
http://tinyurl.com/2oz2m
With a receipt, voters will be able to verify that their ballots have
been properly cast.
Beginning July 1, 2005, [California] counties will not be able to
purchase any machine that does not produce a paper trail. As of July
2006, all machines, no matter when they were purchased, must offer a
voter-verifiable paper audit trail
A California newspaper explains the dangers of electronic voting:
Can
America trust electronic voting?
http://tinyurl.com/wcvu
As most of these touch-screen systems are designed, the machine will
"record" your "vote" electronically in as many as three different
places, but you the voter will never know what the machine
recorded. It's on the hard drive, maybe. It's on a flashcard,
maybe. It's somewhere else, maybe. Wherever it is, you cannot see it,
cannot verify it and cannot be sure that it will remain recorded.
[Diebold's] policy seems to be, "Trust us. If you don't, we'll sue
you." As you might imagine, these threats haven't been effective.
Tougher standards for these systems will cost more money. In all
likelihood the present generation of unreliable electronic voting
systems will have to be junked, or expensively rebuilt to meet the
higher standards we're calling for. So it's important to understand
what's wrong with these systems, which should never have been permitted
to be sold in
California in the first place.
A cryptographer has come up with a system to keep voters from using
their receipts to sell votes:
7 August 2003
Some colleagues and I wrote a letter to the editor of the Deseret News
in response an article
they had on electronic voting. Unfortunately, the editors cut out the
crux of our letter in the version they published. Here is the full text:
Dear Editor,
In an article last Thursday, July 31st titled "Upgrade pushed for
voting system," Leigh Dethman suggests that the cost of the machine is
the only significant drawback to an Electronic voting system.
As computer security professionals, we are concerned that Dethman
overlooks other serious risks of electronic voting.
When we move from a relatively simple mechanical process to
computerized complexity, we increase the likelihood of honest mistakes
and malicious tampering going undetected. When the record of a vote is
stored electronically, hardware failure, software failure, bugs,
deliberate back doors, etc. can cause those votes to be recorded
incorrectly.
The move to an electronic voting system must include rigorous quality
and security controls. Electronic voting systems need to be openly peer
reviewed for security flaws or bugs, and electronic election results
must be audited.
When voters make their selections, they need assurance that the
computer has recorded their votes accurately. For example, when
electronic votes are recorded, voters could receive and review a
printed duplicate of the electronically recorded vote and drop it in a
box. With the printed records, electronic tallies can be audited later
using a manual vote tallying processes similar to what we use today.
More than just cost of the machines, there are serious risks that must
be addressed before we can trust electronic voting. The integrity of
the voting process must be protected and verified.
Jared W. Robinson, CISSP
Woody Thrower, CISSP
Jared Oates, CISSP
4 August 2003
These articles discuss either electronic voting machines or internet
voting or both.
Excellent article that explains allmost all of the dangers of e-voting:
http://www.notablesoftware.com/Press/0201cyber.html
Web site that describes the e-voting problem. Also a place for people
to sign their name, in a petition-like fashion:
http://www.verifiedvoting.org/theproblem.asp
Bruce Schneier, author of crypto-gram and industry-recognized security
expert: http://www.counterpane.com/crypto-gram-0012.html
Rebecca Mercuri did her dissertation on the security of e-voting
systems: http://www.notablesoftware.com/RMstatement.htm
http://www.notablesoftware.com/evote.html
Kim Alexander, president of the California Voter Foundation:
http://www.calvoter.org/publications/paperorplastic.html
Tadayoshi Kohno is an information systems researcher:
http://news.com.com/2100-1009-5054088.html
Peter Neumann (moderator of the ACM Risks forum) writes about internet
voting:
http://www.notablesoftware.com/Papers/Risks2114.html
Internet Voting vs. Large-Value e-Commerce
http://www.counterpane.com/crypto-gram-0102.html#10
Return to my home page.