Could Crypto Resolve the Voting Machine Controversy?

By Scott M. Fulton, III, BetaNews

October 3, 2006, 2:14 PM

(continued from previous page)

Today, Diebold touts the improved efficiency of its remodeled AccuVote-TSX voting consoles. "Every cast ballot is immediately encrypted and redundantly stored within the AccuVote-TSX voting station to secure ballot information," a Diebold sales brochure reads. "Wireless ballot accumulation capability can accelerate the tabulation process and enable the secure collection of encrypted post-election data from multiple voting stations to a single voting station for subsequent transmission to a central election server."

In 2003, Dr. Jones' Iowa study found the repeated use of a single, factory-determined encryption key -- a simple, eight-character sequence which he actually published on the University Web site -- to be one of AccuVote-TS' key vulnerabilities. Would the TSX model be susceptible to the same problem?

In June 2005, the California Secretary of State's office evaluated the TSX model for use in its statewide elections. A 22-page staff report found that, although supervisor keys were now selectable by the administrator, the Admin key itself continued to be a single key set by the factory.

"Because the encryption key for the AccuVote-TSx's Administrator card is set by the factory," the staff report reads, "the system could be vulnerable to fraud or manipulation if the same encryption key is used to encode Administrator cards for multiple jurisdictions or elections. For this reason, the vendor should be required to issue these cards with unique encryption keys for each jurisdiction and for each election."

Despite that finding, the staff did recommend the TSX for certification.

If Diebold's voting systems are indeed guilty of applying encryption to protect the wrong areas of the voting cycle, then what exactly are the "right areas"? This was the question posed in a master's thesis by MIT student Ben Adida last August.

One of the schemes Adida suggests is a radically different kind of information network, which bears no correspondence to anything Diebold - or perhaps anyone else - presently produces. Some scientists call this system Prêt à Voter. Here, the consoles which acquire the voters' selections transmit these votes to nothing less than a public bulletin board system. These votes are encrypted using session keys generated at the time of voting.

"On this bulletin board," Adida writes, "the names or identification numbers of voters are posted in plaintext, so that anyone can tell who has voted and reconcile this information against the public registry of eligible voters. Along with each voter's name, the voter's ballot is posted in encrypted form, so that no observer can tell what the voters chose."

At first, it's clear to everyone who voted, but not what for. Each voter casts an encrypted ballot, proof of whose integrity is provided to each voter by means of a receipt. As Adida describes, "By comparing the codes on the receipt with those on the screen of the machine, [the voter] can be certain that the machine properly encoded her vote. In addition, since [the voter] can easily claim, at a later point, that a different confirmation code appeared on the screen, she cannot be coerced."

After all votes are cast and verified, election workers then convert the votes into their decrypted counterparts, producing records where it's clear what was voted for, but not who did the voting. Like the Heisenberg Uncertainty Principle applied to politics, you can always accurately measure who voted or what for, but never both simultaneously.

How this may improve the system, Adida argues, is that it creates a controlled hand-off point between cast and tallied ballots, where individual human beings may be held accountable. "Any observer can verify the processing of these encrypted votes into an aggregate, decrypted tally," Adida writes. By contrast, with current systems, a blind handoff takes place, with at least one person involved who does not -- who cannot -- know either element.

The integrity of the voter process has come under close scrutiny itself. As researchers from the University of Newcastle (UK) wrote, "In a possible attack, the [Web bulletin board] arranges for the voter to see a correct record of her ballot receipt, which, in collusion with the mix-net, has been deleted or altered. As a result the voter could mistakenly believe that her vote has been accurately counted."

In a "mix-net" system, messages between given senders and recipients are clouded together in such a way that their routing cannot be independently ascertained. Like the new judging system for figure skating, this could arguably provide "security through obscurity."

As computer security expert Bruce Schneier wrote in 2004, "Software used on [direct-record electronic voting] machines must be open to public scrutiny. This also has two functions. One, it allows any interested party to examine the software and find bugs, which can then be corrected. This public analysis improves security. And two, it increases public confidence in the voting process. If the software is public, no one can insinuate that the voting system has unfairness built into the code."

"The bad guys don't care whether you use encryption," Ed Felten wrote, "they care whether they can read and modify your data. They don't care whether your door has a lock on it; they care whether they can get it open. The checkbox approach to security works in press releases, but it doesn't work in the field."


By darkiq1966

edited Oct 6, 2006 - 1:35 AM

Did you also know that all votes that are tallied and voter info from all machines are sent over the net via a freakin dial up modem after polls are closed.

Score: 0

By prooky

posted Oct 4, 2006 - 2:59 AM

"A few days after the demo was first posted, Princeton's Ed Felten added that the memory card slot could be broken into using the same kind of lock-picking tool used to break open hotel mini-bars."

That's not entirely correct.
The article on Ed Felten's blog says it uses a standard key that is also used to lock mini-bars etc.
So no lockpicking needed.

Score: 0

By cwgroove

edited Oct 3, 2006 - 3:56 PM

Electronic Voting - (can be) Better than a classic ‘paper trail’

Synopsis:
Voter is assigned and printed a private, random file number which allows voter to check registered votes by internet or telephone (automated voice synthesis). At end of voting day, sorted file numbers are assigned internal positions (1 through total number of voters). The voter files are then available to the public per these position numbers.

Details:
When voter ‘starts’ (first interaction with machine) a random file number (6 digits or more) is generated from a fast free-running roll-over counter (same system as slot machines). While the voter is voting (touch screen, most likely) this number is sorted against previous file numbers (in the very unlikely event (1/million) that the number is already assigned, the voter will be asked to reinitiate). The file number is printed on a receipt/coupon as well as displayed (privately) on the machine. At the end of the day/voting session, votes are tabulated (as usual) and the sorted (numerical order) file numbers (pointing to each voters’ inputs/decisions) are then also given numerical position numbers (1 for lowest to n the largest where n is also the total number of voters). These voter files are then made available on the internet and/or automated telephone system so that a file can be read by accessing it either by the private file number (random) if and when the voter checks his/her own listing or by the position number which allows anyone to select an anonymous voting record. A news service, if it so desires, can easily write a program to read all the files and thus do their own recount/tally (to check it against the official publicly released post poll closing results). Each voting machine must of course, have a unique identifier prefixing the file and position numbers. Suggestions are the election district number and/or zip code (listings and maps should also be internet available).

Hardware:
The touch screen voting terminals should also be designed and manufactured per published specifications thus ensuring hardware interoperability. The present machines can be used as ‘de facto’ standards to limit the number of hardware configurations (and thus software drivers) needed to be accommodated.

Refinements: (to allow challenges and prevent double sets of records)
After voting; even before polls are closed, the voter can (and possibly should) check his/her vote either at the polling place or immediately at home. If in error, this would be the most opportune time to challenge. After the polls close it's a different situation; one first checks his/her vote with the 'secret' file number. If the voting record is correct, the voter selects 'yes' (approval) which then releases the voters 'position' number. If 'no' a challenge is indicated (legal means must be developed to deal with this possibility). The voter can then (or later) check the vote record via this 'position' number to give assurances against the existence of two sets of voter records (private 'file' number vs. public 'position' number). During voter record approval, a printout (hardcopy) can be made if desired. If there seems to be errors and a possibility of a challenge exists, the hardcopy should be signed, dated, and possibly notarized and/or witnessed.
(The primary purpose of this voting system is to prevent this situation from occurring!)

Hard Copy: (the only absolutely required printout would be the voters file number, time/date, and poll location/designation)

Comparatively; public verifiable voting records, as presented in this document, are simple, quick, and easy!

Score: 0
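An added sketch of the file-number and position-number bookkeeping the comment above describes; this is illustrative code written for this page, not the commenter's or any vendor's. A random six-digit file number is drawn when the voter starts and re-drawn on the rare collision, the record is stored under it, and at close of polls the sorted file numbers receive position numbers 1 through n, so a voter can look up her own record privately by file number while anyone can read an anonymous record by position and run their own recount. The machine identifier, the contest and the sample ballots are constructed.

```python
import secrets
from collections import Counter


class VotingMachine:
    """Per-machine record store keyed by a private random file number."""

    def __init__(self, machine_id, digits=6):
        self.machine_id = machine_id      # e.g. election district (constructed value)
        self.space = 10 ** digits         # file numbers are drawn from [0, 10**digits)
        self.records = {}                 # file_number -> chosen candidates (None = reserved)
        self.positions = {}               # position -> file_number, filled at close of polls
        self.closed = False

    def start_voter(self):
        """Draw an unassigned random file number. The comment asks the voter to
        reinitiate on a collision; here the retry loop does that automatically."""
        if self.closed:
            raise RuntimeError("polls are closed")
        while True:
            number = secrets.randbelow(self.space)
            if number not in self.records:
                self.records[number] = None   # reserved until the ballot is cast
                return number

    def cast(self, file_number, choices):
        """Store the choices and return the string printed on the receipt."""
        if file_number not in self.records or self.records[file_number] is not None:
            raise ValueError("unknown or already-used file number")
        self.records[file_number] = dict(choices)
        return f"{self.machine_id}-{file_number:06d}"

    def close_polls(self):
        """Drop reservations that were never cast, then assign position numbers
        1..n in ascending file-number order. Returns n."""
        self.records = {k: v for k, v in self.records.items() if v is not None}
        for pos, number in enumerate(sorted(self.records), start=1):
            self.positions[pos] = number
        self.closed = True
        return len(self.positions)

    def lookup_private(self, file_number):
        """Voter-side check using the private number from the receipt."""
        return self.records.get(file_number)

    def position_of(self, file_number):
        """Released to the voter only after she approves her private record."""
        for pos, number in self.positions.items():
            if number == file_number:
                return pos
        return None

    def lookup_public(self, position):
        """Anyone may read the anonymous record behind a position number."""
        return self.records[self.positions[position]]

    def public_recount(self):
        """What a news service would compute by reading every position in turn."""
        totals = Counter()
        for pos in range(1, len(self.positions) + 1):
            for contest, candidate in self.lookup_public(pos).items():
                totals[(contest, candidate)] += 1
        return dict(totals)


def simulate(machine_id, ballots):
    """Run constructed ballots through one machine and close the polls.
    Returns the machine and the private file numbers handed to the voters."""
    machine = VotingMachine(machine_id)
    receipts = []
    for choices in ballots:
        number = machine.start_voter()
        machine.cast(number, choices)
        receipts.append(number)
    machine.close_polls()
    return machine, receipts


if __name__ == "__main__":
    sample = [{"mayor": "A"}, {"mayor": "B"}, {"mayor": "A"}]   # constructed ballots
    machine, receipts = simulate("district-07", sample)
    for number in receipts:
        print(f"file {number:06d} -> position {machine.position_of(number)}")
    print("public recount:", machine.public_recount())
```

The record stored under a file number holds only the choices. Because every record is readable by position number, putting the voter's name or registration inside it would publish every vote in the clear; reconciling turnout against the registry belongs in a separate list of who voted, which is the split the Adida scheme in the article makes between the plaintext voter list and the encrypted ballots.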

By Grazer

posted Oct 4, 2006 - 12:40 PM

Nice write up. I also think the voter's name and registration should also be in the file, to make sure there is no double voting. Of course, as a developer that does most of my work with relational databases, I am thinking of each vote "file" as a row in a table. Each row should have to reference a voter registration entry and reference(s) to the chosen candidate(s).

Score: 0

By Banquo

edited Oct 3, 2006 - 3:24 PM

Paper ballots have been used for thousands of years. Everyone knows how to use them and there is tangible evidence of how people voted. But no, let's all switch to buggy, insecure and complicated computers. Woops, software glitch! Where did all the votes go? Oops, hacker broke into the system. Was the election rigged? Who knows. What a great idea! We're too lazy to wait for votes to be counted, we need instant satisfaction. Bah, and get off my lawn.

Oh and it's cryptography, please type out the last six letters. I hate it when people shorten it to crypto. Sounds like Superman's dog or something.

Score: 0

By DotNet_Coder

posted Oct 3, 2006 - 3:34 PM

Sure, let's stick to old tried and true ways just because they work. Where is the innovation in that? Where is the progress moving forward? Plus, paper ballots, while being used for thousands of years, still have their downsides: the amount of money that has to be paid to count and recount the ballots; the inaccuracy (like the article says, just remember the election of 2000); the chance that a number of ballots could be lost during transit, etc.

Yes, there are flaws and risks in moving to electronic ballots. But, with better design and better technology, this is certainly the direction that we as a nation need to move in. If I am willing to trust my money to a computer (as I do daily with my bank and my purchases), then why can we not have that same level of trust in the voting process?

~dnc

Score: 0

By pcardout

edited Oct 23, 2006 - 10:38 PM

Dear DotNet -- While your discussion of down-side of paper is true enough, the following comment

>> If I am willing to trust my money to a computer (as I do daily with my bank and my purchases), then why can we not have that same level of trust in the voting process?

is dangerous because it is appealing to the non-computer-literate (I don't mean you) yet misses the crucial point differentiating banking from voting. Banking occurs daily and round the world and on-line transactions are often followed by paper statements. Those folks who still balance their checkbooks will find software errors, thus improving the systems. Further, banks have no interest in defrauding their customers (because of the huge business risk if they are caught). Voting occurs rarely, and the key point is that without a verifiable paper trail, there is no way of knowing about fraud or software error. Finally, the incentive to cheat is huge, and if it can be done anonymously, the risk to the perp is low. I'll assume that your point is that, in principle, computer voting could be as straightforward and honest as computer banking, but your phrasing admits the other interpretation, which is that it already is safe and secure, which is clearly not the case.

Score: 0

By Scotch Moose

posted Oct 4, 2006 - 11:05 AM

Progress should be measured in tangible improvements not just hand waving and vaporous claims of advanced technology.

Recounting, if necessary, should be recounting not just reprinting.

If Diebold is confident in, and committed to the quality of their product, they should welcome and facilitate the independent evaluation of their voting machines. Instead, they obstruct and prevent people like Ed Felten from evaluating their product.

Score: 0

By AaronDobbins

posted Oct 3, 2006 - 3:34 PM

One would have thought paper ballots weren't a problem until the hanging chad incident of 2000. There, election officials argued over whether or not a vote should actually count if the punch did not go all the way through. These arguments led to a very close race that ended in Bush's first election victory.

There, personal bias may have come into play more so than electronic voting machines, provided the electronic tallying of the votes is not laced with malicious code. The purpose is not just the speed of counting votes, but to take the human interaction and interpretation out of counting votes.

I do agree with you that both systems pose risks, but I think electronic voting is the way of the future.

Score: 0

By Banquo

posted Oct 3, 2006 - 3:42 PM

Well that is true but that was all caused by a rather stupid and flawed ballot design.

Score: 0

By tnculp

posted Oct 3, 2006 - 2:54 PM

This isn't really that complicated. A really easy solution would be to include an integrity check of the system's OS. Think redundant systems. If someone tries to load a new software version from the slot, the internal memory runs an integrity check against the new software. If they don't match, then the system locks out and alerts the officials. This way, the only way to break into this would be to physically break inside the machine, remove the flash ROM that contains the original software, and update it as well. Add some audible or silent alarms, like notification that the case has been opened, etc., and make it hell to break open in the first place.

Score: 0

By drumcat

posted Oct 3, 2006 - 3:49 PM

I know of some safes that are hard to open. That's not the point, either. Whether it's paper or electronic, it's the integrity of the process.

If you think your paper votes were hosed (Florida) or if you get turned away or messed with (Ohio), it doesn't matter whether it was paper or bits. What matters is transparency and fairness.

In reality, the best option isn't these voting machines. The key is mail-in voting. Don't make me go stand in a stupid line with some volunteers who try hard but don't have enough training. Then, after kinks get worked out, online. This is just a Diebold government handout.

Score: 0

By yohimbe9

posted Oct 3, 2006 - 3:43 PM

Sounds simple. Store a hash or something that identifies the "authentic" software. The problem is that with a proper boot-loader you could just re-write the hash with whatever you want. Or you could install a kernel patch of some sort that whenever the check is run a valid result is always returned.

Score: 0

By drumcat

posted Oct 3, 2006 - 3:50 PM

Or, you can do the simple thing -- once the physical door is opened, it must be reset by a voting official.

Score: 0

By DotNet_Coder

posted Oct 3, 2006 - 3:35 PM

I agree with your post 100%. Make the system inaccessible to outside influence and a lot of the issues of ballot tampering would go out the window.

~dnc

Score: 0