CRYPTO-GRAM

December 15, 2003

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com

A free monthly newsletter providing summaries, analyses, insights, and commentaries on security: computer and otherwise.

Back issues are available at . To subscribe, visit or send a blank message to crypto-gram-subscribe@chaparraltree.com.

** *** ***** ******* *********** *************

In this issue:
Blaster and the August 14th Blackout
Counterpane News
Crypto-Phone
The Doghouse: Amit Yoran
Crypto-Gram Reprints
Quantum Cryptography News
Beyond Fear News
Computerized and Electronic Voting
Comments from Readers

** *** ***** ******* *********** *************

---material deleted---

** *** ***** ******* *********** *************

Computerized and Electronic Voting

There are dozens of stories about computerized voting machines producing erroneous results. Votes mysteriously appear or disappear. Votes cast for one person are credited to another. Here are two from the most recent election: One candidate in Virginia found that the computerized election machines failed to register votes for her, and in fact subtracted a vote for her, in about "one out of a hundred tries." And in Indiana, 5,352 voters in a district of 19,000 managed to cast 144,000 ballots on a computerized machine.

These problems were only caught because their effects were obvious--and obviously wrong. Subtle problems remain undetected, and for every problem we catch--even though their effects often can't be undone--there are probably dozens that escape our notice. Computers are fallible and software is unreliable; election machines are no different than your home computer.

Even more frightening than software mistakes is the potential for fraud. The companies producing voting machine software use poor computer-security practices. They leave sensitive code unprotected on networks. They install patches and updates without proper security auditing.
And they use the law to prohibit public scrutiny of their practices. When damning memos from Diebold became public, the company sued to suppress them.

Given these shoddy security practices, what confidence do we have that someone didn't break into the company's network and modify the voting software? And because elections happen all at once, there would be no means of recovery. Imagine if, in the next presidential election, someone hacked the vote in New York. Would we let New York vote again in a week? Would we redo the entire national election? Would we tell New York that their votes didn't count?

Any discussion of computerized voting necessarily leads to Internet voting. Why not just do away with voting machines entirely, and let everyone vote remotely?

Online voting schemes have even more potential for failure and abuse. Internet systems are extremely difficult to secure, as evidenced by the never-ending stream of computer vulnerabilities and the widespread effect of Internet worms and viruses. It might be convenient to vote from your home computer, but it would also open new opportunities for people to play Hack the Vote.

And any remote voting scheme has its own problems. The voting booth provides security against coercion. I may be bribed or threatened to vote a certain way, but when I enter the privacy of the voting booth I can vote the way I want. Remote voting, whether by mail or by Internet, removes that security. The person buying my vote can be sure that he's buying a vote by taking my blank ballot from me and completing it himself.

In the U.S., we believe that allowing absentees to vote is more important than this added security, and that it is probably a good trade-off. And people like the convenience. In California, for example, over 25% vote by mail.

Voting is particularly difficult in the United States for two reasons. One, we vote on dozens of different things at one time. And two, we demand final results before going to sleep at night.
What we need are simple voting systems--paper ballots that can be counted even in a blackout. We need technology to make voting easier, but it has to be reliable and verifiable.

My suggestion is simple, and it's one echoed by many computer security researchers. All computerized voting machines need a paper audit trail. Build any computerized machine you want. Have it work any way you want. The voter votes on it, and when he's done the machine prints out a paper receipt, much like an ATM does. The receipt is the voter's real ballot. He looks it over, and then drops it into a ballot box. The ballot box contains the official votes, which are used for any recount. The voting machine has the quick initial tally.

This system isn't perfect, and doesn't address many security issues surrounding voting. It's still possible to deny individuals the right to vote, stuff machines and ballot boxes with pre-cast votes, lose machines and ballot boxes, intimidate voters, etc. Computerized machines don't make voting completely secure, but machines with paper audit trails prevent all sorts of new avenues of error and fraud.

CRS Report on Electronic Voting:

Voting resource pages:

Bills in U.S. Congress to force auditable balloting:

Virginia story:
or

Indiana story:

Nevada story:
or

California Secretary of State statement on e-voting paper trail requirement:

Maryland story:

More opinions:

Voter Confidence and Increased Accessibility Act of 2003

My older essays on this topic:

** *** ***** ******* *********** *************
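The value of the paper audit trail described above is that the paper can be recounted and reconciled against the machine's electronic tally. The following is an added illustration, not code from the newsletter or from any voting system: a constructed machine model that keeps both records, an audit that recounts the paper and applies the sanity bound the Indiana case violated, and a deliberately injected fault of the kind reported in Virginia to show the audit catching it. The VotingMachine, audit and inject_dropped_vote names are all made up for this example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class VotingMachine:
    tally: Counter = field(default_factory=Counter)  # quick electronic count
    ballot_box: list = field(default_factory=list)   # printed receipts: the official votes

    def cast(self, candidate: str) -> str:
        """Record the vote electronically and print the receipt the voter casts."""
        self.tally[candidate] += 1
        receipt = candidate  # the printout, not the machine's memory, is the real ballot
        self.ballot_box.append(receipt)  # voter checks it, then drops it in the box
        return receipt


def audit(machine: VotingMachine, voters_checked_in: int) -> list:
    """Recount the paper against the electronic tally; return sorted discrepancies."""
    problems = []
    paper = Counter(machine.ballot_box)
    # Sanity bound: neither record may hold more votes than voters checked in
    # (the Indiana machine reported 144,000 ballots for 5,352 voters).
    if len(machine.ballot_box) > voters_checked_in:
        problems.append(f"paper: {len(machine.ballot_box)} ballots for {voters_checked_in} voters")
    if sum(machine.tally.values()) > voters_checked_in:
        problems.append(f"electronic: {sum(machine.tally.values())} votes for {voters_checked_in} voters")
    # Candidate-by-candidate recount; Counter returns 0 for a name missing from one record.
    for cand in sorted(set(paper) | set(machine.tally)):
        if paper[cand] != machine.tally[cand]:
            problems.append(f"{cand}: paper {paper[cand]} vs electronic {machine.tally[cand]}")
    return problems


def inject_dropped_vote(machine: VotingMachine, candidate: str) -> None:
    """Constructed fault for exercising the audit: the electronic tally silently
    loses one vote (as in the Virginia report) while the paper record is untouched."""
    machine.tally[candidate] -= 1


if __name__ == "__main__":
    m = VotingMachine()
    for choice in ["Alice", "Alice", "Bob", "Alice", "Bob"]:
        m.cast(choice)
    print(audit(m, voters_checked_in=5))  # []
    inject_dropped_vote(m, "Alice")
    print(audit(m, voters_checked_in=5))  # ['Alice: paper 3 vs electronic 2']
```

Without the paper record there is nothing independent to recount, and the dropped vote in the second run would be invisible.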