Debugging Election Codes
Are electronic voting machines secure? No, says EECS professor David Wagner.
Before Congress passed the Help America Vote Act (HAVA) in 2002, voting machines were a low-profit niche product. But HAVA allocated more than $3.8 billion in federal funds to upgrade voting systems nationwide and to be spent within three years. It was a bonanza for voting machine vendors, who convinced most counties to replace their old, low-status paper-based systems with shiny new touchscreens. But they are not secure, and thanks to a report co-authored by Wagner, California now leads a growing multi-state movement to eliminate their potential threat to democracy and ensure accurate elections in the future.
The machines were questioned almost immediately by grassroots activists like Bev Harris, whose Black Box Voting blog gathered news and focused concern about the machines’ trustworthiness. Soon, researchers and hackers discovered that, among other vulnerabilities, voting machines could be opened with ordinary keys from hotel mini-bars, and their vote counts could then be changed undetectably by simply swapping out their memory cards. In other words, any poll worker, driver, night watchman or other individual with unsupervised access to the machines could throw the results of a close election.
Wagner, a computer security expert, explains that the main problem with current voting machines is that they are built on top of standard, non-secure computer hardware and operating systems. To ensure proper security for something as important as a voting machine, the security must be designed into the system from the ground up. Superficially, voting machines seem like ATMs, which are a solved problem; ATMs handle huge numbers of interactions, dispense paper receipts and can be audited. But what makes voting machines much more difficult, Wagner explains, is the secret ballot. A trustworthy electronic voting system must break the link between the voter and votes in a way that cannot be reversed.
For several years, mainstream politics and media viewed questions about voting machine security as lunatic fringe. But, according to Wagner, a turnaround of opinion was set in motion by forward-thinking elections officials. “Some elections officers took the activists’ concerns seriously and forced these vendors to pry open the covers and hand over the source code,” Wagner recalls. “That’s what made it real; we could actually examine the code, so it wasn’t just speculation anymore.”
Access to this code allowed California Secretary of State Debra Bowen last year to commission a joint UCB–UC Davis “top-to-bottom review” of voting machine systems. Wagner served as a principal investigator for the code review, and his team found major vulnerabilities. For example, a knowledgeable person with access to a Diebold AccuVote TSx machine could install a virus that would falsify the machine’s results, then spread to all the other AccuVote machines in the county and falsify all of their results during the following election.
The report prompted Bowen to limit the machines to one per polling place, for accessibility, and most Californians now vote on paper. Since then, Florida and Colorado have followed, Ohio is in the process of switching over while commissioning its own study, and many other states are considering similar moves. “I’m not worried about this year’s votes in California,” says Wagner. “Eighty to 90 percent of the state uses optically scanned paper. I’m worried about states like Maryland, which uses mostly paperless voting machines. If there’s any question over those results, it’s hard to see any good answer.”
But a well-designed electronic voting machine could be a boon to democracy. That’s why Wagner serves as a principal investigator for ACCURATE, an NSF-funded effort to develop the technical design foundations for first-of-their-kind, trustworthy electronic voting machines, which would also make voting more accessible. As Wagner explains, “Only a computer can do things like handle multiple languages, read the ballot aloud through headphones for blind people and zoom in for the visually impaired.”
“I’m optimistic now,” says Wagner. “Four years ago, secure voting looked hopeless, but more and more states are getting it. Meanwhile, I’m also impressed with all the election officials I’ve worked with; they’re very dedicated and conscientious. There’s no money or fame in being a county elections officer. You do it because you care.”
ACCURATE (A Center for Correct, Usable, Reliable, Auditable, and Transparent Elections) -
Topics: Security & privacy