Yesterday was the USENIX/ACCURATE Electronic Voting Technology Workshop held in Boston. Today I will give some overall impressions and highlight just one of the relevant papers.
UPDATE: Avi Rubin blogs on session with Debra Bowen
(inappropriate certification processes for electonic voting)
For me it was a highly educational and engaging day. My experience at conferences with highly academic papers, was in the mid 1980’s when for several years I participated in annual Artificial Intelligence conferences. At those conferences I found the general sessions very useful but the academic papers were very detailed, seemingly crossing the t’s and dotting the i’s on previous papers, those sessions went well beyond my tolerance for detail. The papers presented at the workshop yesterday were all clear and interesting, timely, and most were relevant to voting in Connecticut.
Seeing and meeting the other attendees was also a highlight of the day – researchers whose papers and blogs I’ve read, talked to previously, and who have made huge contributions to raise awareness of the risks of electronic voting. It was also hopeful to see a considerable group of researchers who work with state election officials and three election officials. Alex Shvartsman of Uconn and several of his students were there presenting one of their recent papers. Clearly the most appreciated attendee was Debra Bowen, Secretary of the State of California.
Sixteen of forty-two submitted papers were presented. A huge increase from the eighteen papers submitted last year. Doug Jones from Iowa, who testified to the CT Legislature a year lor two ago, was one of the organizers. He expressed the hope that next year more papers would be available that point the way to improved, reliable voting methods. Most of the papers this year demonstrated the lack of security and reliability in existing e-voting equipment. Several pointed the way for more effective post election paper audits. The final three papers presented five innovative ways that might enhance the voter attractive touch screen voting to make it private and auditable — unfortunately, for the most part, they accomplished the security by requiring a lot of sophistication on the part of the average voter.
I have covered the Uconn paper previously I will cover a paper relevant to Connecticut, from Princeton, here and perhaps more papers on other days.
The Princeton University paper:
Security Analysis of the Diebold AccuVote-TS Voting Maching (pdf)
it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities…Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures.
The Princeton voting blog includes a Reply to Diebold’s Response it is worth reading in its entirety . There is also a Frequently Asked Questions and a video. Here is an instructive response and reply:
Diebold: “…The unit has security software that was two generations old, and to our knowledge is not used anywhere in the country.”
Authors: “We studied the most recent software version available to us. The version we studied has been used in national elections, and Diebold claimed at the time that it was perfectly secure and could not possibly be subject to the kinds of malicious code injection attacks that our paper and video demonstrate. In short, Diebold made the same kinds of claims about this version — claims that turned out to be wrong — that they are now making about their more recent versions.”
I add that we do not use the AccuVote-TS in Connecticut, we use the AccuVote-OS. However, there is not one shred of evidence that the AccuVote-OS is any more secure from a software and hardware point of view. It is of course considerably safer (if effectively audited) since it is an optical scan and at least the paper ballots are guaranteed to match the expressed intent of the voter. In contrast we have ample evidence that all the Diebold systems, although different in some details, have many of the same and similar problems and weakness. Reports by Uconn, Florida, and the State of California all point to the same flaws in every Diebold model and operating system version tested.
Another consistency is the same vendor denials after every test: “Its a different version”, “We fixed those problems”, “Procedures will prevent problems”, “the average voter and poll worker does not understand computers”, etc.
Let me paraphrase the Princeton Report:
- For example, an expert criminal or former intelligence service employee could be hired or coerced(*) to break into voting machine storage in as little as as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates.
- For example, single or multiple election official(s) could be bribed or coerced(*) to take advantage of weak or violated procedures to get physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates.
- For example, in Connecticut, unethical or coerced employees or contractors working for Diebold(**), who we pay to program each election within the state could easily could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates.
(*) These criminals or officials need not have voting machine software expertise. The malicious code could come from former or current Diebold employees familiar with the system. Or criminals with enough computer expertise to match that regularly demonstrated by small groups of graduate students.
(**) This is not to suggest that employees of another company or even state employees could not be bribed, coerced, or have criminal intent. But it would at minimum give more credibilty if the state did the programming of elections, we knew the employees (and their resume’s) associated with each memory card by name, and that at least there were some barriers to their having expertise in and access to the Diebold source code.
How can we acknowledge the possibility that a single voter could be coerced for a single vote, that a candidate might “help” an elderly person fill out an absentee vote, that our Governors and Mayors can be bought, and not recognize that election officials, Diebold employees, or criminals can be bought or intimidated to steal an entire election? How can we acknowledge that I-84 and Uconn dorms can be substandard despite procedures designed to prevent problems, and not acknowledge that memory card custody procedures can fail?
To paraphrase Lincoln, “you can protect Diebold voting machines from some of the people some of the time, but you cannot protect voting machines from all of the criminals and incompetent programmers all of the time.”













