Below are excerpts about voting from the November CRYPTO-GRAM.
CRYPTO-GRAM
November 15, 2004
by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com
A free monthly newsletter providing summaries, analyses, insights, and
commentaries on security: computer and otherwise.
For back issues, or to subscribe, visit <http://www.schneier.com/crypto-gram.html>.
Or you can read this issue on the web at
<http://www.schneier.com/crypto-gram-0411.html>.
Schneier also publishes these same essays in his blog:
<http://www.schneier.com/blog>. An RSS feed is available.
** *** ***** ******* *********** *************
In this issue:
Why Election Technology is Hard
Electronic Voting Machines
Clever Virus Attack
Mail-in Ballot Attack
Computer Security and Liability
Crypto-Gram Reprints
World Series Security
News
Counterpane News
The Security of Checks and Balances
The Doghouse: Merced County
Security Information Management Systems (SIMS)
Technology and Counterterrorism
Comments from Readers
** *** ***** ******* *********** *************
Why Election Technology is Hard
<http://www.schneier.com/blog/archives/2004/10/getting_out_the.html>
Four years after the Florida debacle of 2000 and two years after
Congress passed the Help America Vote Act, voting problems are again in
the news: confusing ballots, malfunctioning voting machines, problems
over who's registered and who isn't. All this brings up a basic
question: Why is it so hard to run an election?
A fundamental requirement for a democratic election is a secret ballot,
and that's the first reason. Computers regularly handle
multimillion-dollar financial transactions, but much of their security
comes from the ability to audit the transactions after the fact and
correct problems that arise. Much of what they do can be done the next
day if the system is down. Neither of these solutions works for elections.
American elections are particularly difficult because they're so
complicated. One ballot might have 50 different things to vote on, all
but one different in each state and many different in each district.
It's much easier to hold national elections in India, where everyone
casts a single vote, than in the United States. Additionally, American
election systems need to be able to handle 100 million voters in a
single day -- an immense undertaking in the best of circumstances.
Speed is another factor. Americans demand election results before they
go to sleep; we won't stand for waiting more than two weeks before
knowing who won, as happened in India and Afghanistan this year.
To make matters worse, voting systems are used infrequently, at most a
few times a year. Systems that are used every day improve because
people familiarize themselves with them, discover mistakes and figure
out improvements. It seems as if we all have to relearn how to vote
every time we do it.
It should be no surprise that there are problems with voting. What's
surprising is that there aren't more problems. So how to make the
system work better?
-- Simplicity: This is the key to making voting better. Registration
should be as simple as possible. The voting process should be as simple
as possible. Ballot designs should be simple, and they should be
tested. The computer industry understands the science of user-interface
design -- that knowledge should be applied to ballot design.
-- Uniformity: Simplicity leads to uniformity. The United States
doesn't have one set of voting rules or one voting system. It has 51
different sets of voting rules -- one for every state and the District
of Columbia -- and even more systems. The more systems are standardized
around the country, the more we can learn from each other's mistakes.
-- Verifiability: Computerized voting machines might have a simple user
interface, but complexity hides behind the screen and keyboard. To
avoid even more problems, these machines should have a voter-verifiable
paper ballot. This isn't a receipt; it's not something you take home
with you. It's a paper "ballot" with your votes -- one that you verify
for accuracy and then put in a ballot box. The machine provides quick
tallies, but the paper is the basis for any recounts.
-- Transparency: All computer code used in voting machines should be
public. This allows interested parties to examine the code and point
out errors, resulting in continually improving security. Any
voting-machine company that claims its code must remain secret for
security reasons is lying. Security in computer systems comes from
transparency -- open systems that pass public scrutiny -- and not secrecy.
But those are all solutions for the future. If you're a voter this
year, your options are fewer. My advice is to vote carefully. Read the
instructions carefully, and ask questions if you are confused. Follow
the instructions carefully, checking every step as you go. Remember
that it might be impossible to correct a problem once you've finished
voting. In many states -- including California -- you can request a
paper ballot if you have any worries about the voting machine.
And be sure to vote. This year, thousands of people are watching and
waiting at the polls to help voters make sure their vote counts.
This essay originally appeared in the San Francisco Chronicle.
<http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2004/10/31/EDG229GREK1.DTL>
or <http://makeashorterlink.com/?J353212C9>
Also read Avi Rubin's op-ed on the subject.
<http://www.avirubin.com/vote/op-ed.html>
** *** ***** ******* *********** *************
Electronic Voting Machines
<http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html>
In the aftermath of the U.S.'s 2004 election, electronic voting
machines are again in the news. Computerized machines lost votes,
subtracted votes instead of adding them, and doubled votes. Because
many of these machines have no paper audit trails, a large number of
votes will never be counted. And while it is unlikely that deliberate
voting-machine fraud changed the result of the presidential election,
the Internet is buzzing with rumors and allegations of fraud in a
number of different jurisdictions and races. It is still too early to
tell if any of these problems affected any individual elections. Over
the next several weeks we'll see whether any of the information
crystallizes into something significant.
The U.S. has been here before. After 2000, voting machine problems made
international headlines. The government appropriated money to fix the
problems nationwide. Unfortunately, electronic voting machines --
although presented as the solution -- have largely made the problem
worse. This doesn't mean that these machines should be abandoned, but
they need to be designed to increase both their accuracy, and people's
trust in their accuracy. This is difficult, but not impossible.
Before I can discuss electronic voting machines, I need to explain why
voting is so difficult. Basically, a voting system has four required
characteristics:
1. Accuracy. The goal of any voting system is to establish the intent
of each individual voter, and translate those intents into a final
tally. To the extent that a voting system fails to do this, it is
undesirable. This characteristic also includes security: It should be
impossible to change someone else's vote, stuff the ballot box, destroy
votes, or otherwise affect the accuracy of the final tally.
2. Anonymity. Secret ballots are fundamental to democracy, and voting
systems must be designed to facilitate voter anonymity.
3. Scalability. Voting systems need to be able to handle very large
elections. One hundred million people vote for president in the United
States. About 372 million people voted in India's June elections, and
over 115 million in Brazil's October elections. The complexity of an
election is another issue. Unlike many countries where the national
election is a single vote for a person or a party, a United States
voter is faced with dozens of individual elections: national, local, and
everything in between.
4. Speed. Voting systems should produce results quickly. This is
particularly important in the United States, where people expect to
learn the results of the day's election before bedtime. It's less
important in other countries, where people don't mind waiting days --
or even weeks -- before the winner is announced.
Through the centuries, different technologies have done their
best. Stones and pot shards dropped in Greek vases gave way to paper
ballots dropped in sealed boxes. Mechanical voting booths, punch
cards, and then optical scan machines replaced hand-counted
ballots. New computerized voting machines promise even more
efficiency, and Internet voting even more convenience.
But in the rush to improve speed and scalability, accuracy has been
sacrificed. And to reiterate: accuracy is not how well the ballots are
counted by, for example, a punch-card reader. It's not how the
tabulating machine deals with hanging chads, pregnant chads, or
anything like that. Accuracy is how well the process translates voter
intent into properly counted votes.
Technologies get in the way of accuracy by adding steps. Each
additional step means more potential errors, simply because no
technology is perfect. Consider an optical-scan voting system. The
voter fills in ovals on a piece of paper, which is fed into an
optical-scan reader. The reader senses the filled-in ovals and
tabulates the votes. This system has several steps: voter to ballot to
ovals to optical reader to vote tabulator to centralized total.
At each step, errors can occur. If the ballot is confusing, then some
voters will fill in the wrong ovals. If a voter doesn't fill them in
properly, or if the reader is malfunctioning, then the sensor won't
sense the ovals properly. Mistakes in tabulation -- either in the
machine or when machine totals get aggregated into larger totals --
also cause errors. A manual system -- tallying the ballots by hand,
and then doing it again to double-check -- is more accurate simply
because there are fewer steps.
The error rates in modern systems can be significant. Some voting
technologies have a 5% error rate: one in twenty people who vote using
the system don't have their votes counted properly. This system works
anyway because most of the time errors don't matter. If you assume
that the errors are uniformly distributed -- in other words, that they
affect each candidate with equal probability -- then they won't affect
the final outcome except in very close races. So we're willing to
sacrifice accuracy to get a voting system that will more quickly handle
large and complicated elections. In close races, errors can affect the
outcome, and that's the point of a recount. A recount is an alternate
system of tabulating votes: one that is slower (because it's manual),
simpler (because it just focuses on one race), and therefore more accurate.
Note that this is only true if everyone votes using the same
machines. If parts of town that tend to support candidate A use a
voting system with a higher error rate than the voting system used in
parts of town that tend to support candidate B, then the results will
be skewed against candidate A. This is an important consideration in
voting accuracy, although tangential to the topic of this essay.
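As an added illustration (not part of the essay), the following Python model works through the two cases argued above: a counting error that hits every ballot at the same rate shrinks both totals proportionally and leaves the winner of a close race unchanged, while a lower error rate in the precincts that favour one candidate flips the same race. The precinct names, vote counts and loss rates are constructed sample data.

```python
"""Expected-value model of counting error versus voter intent.

Added illustration, not code from the essay. 'Error' here means a
cast ballot that the system fails to count (the essay's 5% figure).
Precinct names, vote counts and loss rates are constructed samples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Precinct:
    name: str
    votes_a: int       # true voter intent for candidate A
    votes_b: int       # true voter intent for candidate B
    loss_rate: float   # fraction of ballots the local system drops


def true_tally(precincts):
    """Totals if every voter's intent were counted (the ideal)."""
    return (sum(p.votes_a for p in precincts),
            sum(p.votes_b for p in precincts))


def expected_tally(precincts):
    """Expected counted totals after applying each precinct's loss rate.

    A loss rate that is the same everywhere scales both candidates'
    totals by the same factor, so the sign of the margin is preserved;
    a loss rate that differs by precinct is not candidate-neutral when
    precincts lean towards one candidate.
    """
    return (sum(p.votes_a * (1 - p.loss_rate) for p in precincts),
            sum(p.votes_b * (1 - p.loss_rate) for p in precincts))


def winner(tally):
    a, b = tally
    return "A" if a > b else "B" if b > a else "tie"


# Constructed close race: A ahead by 500 votes out of 100,500 cast.
# North leans towards A, South leans towards B.
UNIFORM = [Precinct("North", 30_000, 10_000, 0.05),
           Precinct("South", 20_500, 40_000, 0.05)]
# Same voters, but the B-leaning precinct uses a lower-error system.
SKEWED = [Precinct("North", 30_000, 10_000, 0.05),
          Precinct("South", 20_500, 40_000, 0.01)]


if __name__ == "__main__":
    for label, precincts in (("uniform 5% loss", UNIFORM),
                             ("5% vs 1% loss", SKEWED)):
        ideal, counted = true_tally(precincts), expected_tally(precincts)
        print(f"{label}: intent {ideal} -> {winner(ideal)}, "
              f"counted {counted} -> {winner(counted)}")
```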
With this background, the issue of computerized voting machines becomes
clear. Actually, "computerized voting machines" is a bad choice of
words. Many of today's voting technologies involve
computers. Computers tabulate both punch-card and optical-scan
machines. The current debate centers around all-computer voting
systems, primarily touch-screen systems, called Direct Record
Electronic (DRE) machines. (The voting system used in India's most
recent election -- a computer with a series of buttons -- is subject to
the same issues.) In these systems the voter is presented with a list
of choices on a screen, perhaps multiple screens if there are multiple
elections, and he indicates his choice by touching the screen. These
machines are easy to use, produce final tallies immediately after the
polls close, and can handle very complicated elections. They also can
display instructions in different languages and allow for the blind or
otherwise handicapped to vote without assistance.
They're also more error-prone. The very same software that makes
touch-screen voting systems so friendly also makes them
inaccurate. And even worse, they're inaccurate in precisely the worst
possible way.
Bugs in software are commonplace, as any computer user knows. Computer
programs regularly malfunction, sometimes in surprising and subtle
ways. This is true for all software, including the software in
computerized voting machines. For example:
In Fairfax County, VA, in 2003, a programming error in the electronic
voting machines caused them to mysteriously subtract 100 votes from one
particular candidate's totals.
In San Bernardino County, CA in 2001, a programming error caused the
computer to look for votes in the wrong portion of the ballot in 33
local elections, which meant that no votes registered on those ballots
for that election. A recount was done by hand.
In Volusia County, FL in 2000, an electronic voting machine gave Al
Gore a final vote count of negative 16,022 votes.
The 2003 election in Boone County, IA, had the electronic vote-counting
equipment showing that more than 140,000 votes had been cast in the
Nov. 4 municipal elections. The county has only 50,000 residents and
less than half of them were eligible to vote in this election.
There are literally hundreds of similar stories.
What's important about these problems is not that they resulted in a
less accurate tally, but that the errors were not uniformly
distributed; they affected one candidate more than the other. This
means that you can't assume that errors will cancel each other out and
not affect the election; you have to assume that any error will skew
the results significantly.
Another issue is that software can be hacked. That is, someone can
deliberately introduce an error that modifies the result in favor of
his preferred candidate. This has nothing to do with whether the
voting machines are hooked up to the Internet on election day. The
threat is that the computer code could be modified while it is being
developed and tested, either by one of the programmers or a hacker who
gains access to the voting machine company's network. It's much easier
to surreptitiously modify a software system than a hardware system, and
it's much easier to make these modifications undetectable.
A third issue is that these problems can have further-reaching effects
in software. A problem with a manual machine just affects that
machine. A software problem, whether accidental or intentional, can
affect many thousands of machines -- and skew the results of an entire
election.
Some have argued in favor of touch-screen voting systems, citing the
millions of dollars that are handled every day by ATMs and other
computerized financial systems. That argument ignores another vital
characteristic of voting systems: anonymity. Computerized financial
systems get most of their security from audit. If a problem is
suspected, auditors can go back through the records of the system and
figure out what happened. And if the problem turns out to be real, the
transaction can be unwound and fixed. Because elections are anonymous,
that kind of security just isn't possible.
None of this means that we should abandon touch-screen voting; the
benefits of DRE machines are too great to throw away. But it does mean
that we need to recognize its limitations, and design systems that can
be accurate despite them.
Computer security experts are unanimous on what to do. (Some voting
experts disagree, but I think we're all much better off listening to
the computer security experts. The problems here are with the
computer, not with the fact that the computer is being used in a voting
application.) And they have two recommendations:
1. DRE machines must have a voter-verifiable paper audit trail
(sometimes called a voter-verified paper ballot). This is a paper
ballot printed out by the voting machine, which the voter is allowed to
look at and verify. He doesn't take it home with him. Either he looks
at it on the machine behind a glass screen, or he takes the paper and
puts it into a ballot box. The point of this is twofold. One, it
allows the voter to confirm that his vote was recorded in the manner he
intended. And two, it provides the mechanism for a recount if there
are problems with the machine.
2. Software used on DRE machines must be open to public
scrutiny. This also has two functions. One, it allows any interested
party to examine the software and find bugs, which can then be
corrected. This public analysis improves security. And two, it
increases public confidence in the voting process. If the software is
public, no one can insinuate that the voting system has unfairness
built into the code. (Companies that make these machines regularly
argue that they need to keep their software secret for security
reasons. Don't believe them. In this instance, secrecy has nothing to
do with security.)
Computerized systems with these characteristics won't be perfect -- no
piece of software is -- but they'll be much better than what we have
now. We need to start treating voting software like we treat any other
high-reliability system. The auditing that is conducted on slot
machine software in the U.S. is significantly more meticulous than what
is done to voting software. The development process for
mission-critical airplane software makes voting software look like a
slapdash affair. If we care about the integrity of our elections, this
has to change.
Proponents of DREs often point to successful elections as "proof" that
the systems work. That completely misses the point. The fear is that
errors in the software -- either accidental or deliberately introduced
-- can undetectably alter the final tallies. An election without any
detected problems is no more a proof the system is reliable and secure
than a night that no one broke into your house is proof that your door
locks work. Maybe no one tried, or maybe someone tried and
succeeded...and you don't know it.
Even if we get the technology right, we still won't be done. If the
goal of a voting system is to accurately translate voter intent into a
final tally, the voting machine is only one part of the overall
system. In the 2004 U.S. election, problems with voter registration,
untrained poll workers, ballot design, and procedures for handling
problems resulted in far more votes not being counted than problems
with the technology. But if we're going to spend money on new voting
technology, it makes sense to spend it on technology that makes the
problem easier instead of harder.
A version of this essay appeared on openDemocracy.com:
<http://www.opendemocracy.com/debates/article-8-120-2213.jsp>
Avi Rubin's experiences as an election judge:
<http://avirubin.com/judge2.html>
Electronic Voting Resource Sites:
<http://www.blackboxvoting.org/>
<http://www.verifiedvoting.org/>
<http://www.votingintegrity.org/>
Problems with 2004 Presidential Election:
<http://www.eff.org/deeplinks/archives/cat_evoting.php>
<http://votingintegrity.org/archive/news/e-voting.html>
<http://www.dailykos.com/story/2004/11/3/04741/7055>
<http://www.alternet.org/election04/20416/>
<http://www.newstarget.com/002076.html>
<http://ustogether.org/Florida_Election.htm>
<http://www.washingtondispatch.com/spectrum/archives/000715.html>
<http://www.michigancityin.com/articles/2004/11/04/news/news02.txt>
<http://edition.cnn.com/2004/ALLPOLITICS/11/05/voting.problems.ap/index.html>
or <http://makeashorterlink.com/?B283122C9>
<http://www.palmbeachpost.com/politics/content/news/epaper/2004/11/05/a29a_BROWVOTE_1105.html>
or <http://makeashorterlink.com/?X3A323CB9>
<http://www.ansiblegroup.org/furtherleft/index.php?option=content&task=view&id=51>
or <http://makeashorterlink.com/?C593122C9>
<http://www.truthout.org/docs_04/110504V.shtml>
<http://www.truthout.org/docs_04/110604Z.shtml>
<http://www.commondreams.org/views04/1106-30.htm>
<http://www.truthout.org/docs_04/110804A.shtml>
An open-source project to develop an electronic voting machine:
Essays on e-voting:
<http://www.pcmag.com/article2/0,1759,1677194,00.asp>
<http://www.wired.com/news/evote/0,2645,65031,00.html>
** *** ***** ******* *********** *************