MB: So there’s a concept with these touch-screen DRE voting machines, a concept called a voter-verified paper trail. The idea here is that votes are recorded electronically, but before you finalize casting your vote, there’s a little printer, similar to a cash register receipt printer, next to the machine, usually behind glass, that prints out the votes that the machine is recording, all the different candidates in each race it thinks you voted for. What you’re supposed to do is, before pressing the “Yes, I want to cast my vote” on the touch-screen display, you should look at that voter-verified paper trail print-out and confirm that it actually reflects your vote, and at that point, it should print out on that display “Vote confirmed, scroll forward,” and then the display on the screen will go blank and let the next person vote. So this is intended to improve the reliability and the security of these machines, because it means that there is now a paper record of what’s been voted for, so if the electronic record is tampered with, or is lost, or is challenged later on, you can go to these print-outs and count up the votes that the machines printed out. Now, this does, in fact, prevent a number of ways of attacking these machines, a number of types of vote tampering pretty well, but they’re not perfect; they don’t solve the problem as well as we’d need them to, and probably not well enough to use with the kinds of machines that we’ve seen here. The first problem is that the paper trail produced by these printers only gets counted if there’s an actual recount. It’s a very labor-intensive process to go through all the voting machines and count up each of the tallies in each of the races.
MAG: So on election night, what we get as a result has nothing to do with these paper print-outs.
MB: That’s right. These are just secondary records that are used only if there’s a recount of particular machines, so if there is no recount, then these paper trails are never looked at. So somebody would have to suspect there was a problem, or challenge the results of the election for these paper trail records to even be taken into consideration. So that’s one weakness. Another weakness is that we really don’t know that much about how voters behave with these print-outs. We don’t know if people actually look at them carefully, so if the machine is running software or firmware that’s trying to cheat, it may be able to print out invalid choices right on the printer.
MB: So, the behavior of voters— because you know, the voter’s looking at the screen to cast their ballot and there’s this little receipt printer, or this little cash register–type printer on the side, we don’t really know if people look at it carefully enough to tell if their choices are accurately recorded. The other problem is that in these voting machines, the printer itself—many of the characteristics of the printer—are under the control of the software running on the voting machine and so the corrupted voting machine that has bad software loaded into it by someone might be able to print out the paper trail in a very misleading way that might look acceptable to the voter but in fact actually reflects a vote for someone else. For example, it could print out the correct candidates, but then print “cancelled” below them, and then print the candidates that the machine wants to vote for.
MAG: Hmm. Now, we also have the other option with the opscan. Now that too is vulnerable. How would you compare the two?
MB: So, the optical scanning voting systems are a little different. There, rather than voting on a touch-screen, you vote by filling out a piece of paper, one of these optically scanned forms where you usually cross out with a pen or pencil something next to the candidate you want to vote for, so you actually use a paper ballot, and it’s at the voting booth. It’s just a booth; there’s no actual voting machinery where you fill out the form, it’s just a little booth you get privacy to fill out your ballot in. Then you take this ballot and feed this into a scanning device that sits on top of a ballot box and basically the scanning device reads the marks you put on the ballot and figures out who you voted for, records a tally for those candidates in those races, and deposits your ballot in the ballot box. Then, at the end of the election, the electronic results from the optical scanner and the paper ballots are sent back to the election headquarters. Now, what we found in looking again at all these systems is that it’s possible to tamper with the electronic records of optically scanned ballots that are returned from the polling place back to headquarters and change what results are recorded. So these systems, as they’re implemented, are still vulnerable to tampering, but they at least have the benefit that you still have the paper ballots that the voters voted on. And, as long as the ballot boxes are adequately secured, and somebody is watching them and they’re properly sealed, if you suspect there might have been that kind of tampering, you can go back and count the paper ballots in a secure place and find out who the voters intended to vote for.
MAG: Okay. Now, some people say that we can also solve the problem by doing a one to three percent audit. Would that work? Are there some problems that you’ve found?
MB: We didn’t look at auditing procedures in our study in any particular detail, except the procedures as used in California, as they might interact with some of the vulnerabilities that we found. So, I can tell you what they do in California is automatically recount one percent of the precinct results as a kind of safeguard, so one percent of the voting machines will have their paper ballots (if they’re an optical scan system, or if there are voter-verified paper trails) counted and matched against the electronic results that were recorded in those machines. And, if there’s a mismatch, then they know that there was some tampering with those particular machines. Now, this is actually helpful for catching deep problems that affect all of the machines. If, for example, the manufacturer of a voting machine included bad software in every machine that was sent everywhere, the one percent recount procedure would be likely to catch that because the fraud would be uniformly distributed among all of the voting machines. But what this is not as good at catching is targeted fraud where somebody goes to a particular precinct and knows that there will be, for example, a lot of votes for the candidate they don’t want to win, and arranges for those particular machines to run tampered software, which as we showed could be very easily loaded in. The safeguards to prevent that in software don’t work nearly as well as they’re intended to. Now, the one percent recount will only catch that if, by sheer luck, a chance of one in a hundred, the machines that were tampered with get selected for the audit.
MAG: So we have a serious situation. We’ve got a system that you’ve indicated is fatally flawed, the two systems available both have problems; one from your point of view has the advantage, at least, of the voter completing the ballot with their own hand, which could be counted. What, then, can we do for 2008?
MB: Again, we’re in a real bind. I don’t envy the election officials who are going to have to make some very hard decisions, coming up. Now, one thing I should emphasize: we looked only at the software and the systems themselves. We looked at the software. The red teams looked at the hardware as delivered, and tried to tamper with it, using some of the problems that we discovered with the software systems. And what we found was that the software and the hardware don’t prevent tampering. So that’s not the only set of security mechanisms in place in an election. The elections are also protected by procedures and by physical security of the machines themselves. So what our results tell you is that the security system depends entirely on those procedures. Any security that we were relying on the machines to have or the software to have, we shouldn’t assume it’s there; it’s fatally flawed. So what we’re saying is all of the security in an election depends on the security procedures and the protocols and the physical seals and the two-person control by poll workers and election officials and people watching what’s going on; that’s where all of the security comes in. Now, the problem that we have is that those procedures were designed on the assumption that the machines were offering a certain level of security to start with, but in fact they’re not. So those procedures have to be thought out from the beginning very carefully, and whether or not a practical set of procedures can be designed that actually adds security, I’m not sure.
MAG: So you’re really saying that you could have the best security procedures in the world, but if what they’re checking out has problems, it may help a little bit, but you’re still left defenseless.
MB: You have the problem that an election is a logistically very complex event. You may have a thousand polling places in a county, and thousands of poll workers who get a few hours of training and have been basically hired to work just on Election Day, and you may have half a dozen of them in any polling place, carrying out procedures that they do maybe once a year after a few hours of training. The equipment has to be distributed to these polling places; some of them are in lobbies of apartment buildings, in school gyms, sometimes even in private homes. That equipment might be delivered the night before. In some cases, it’s sent home with the poll workers, who bring it to the polling place on the morning of Election Day and basically had it in their homes overnight and had access to it completely without restriction. So building a physical security system that prevents anybody from tampering with equipment in such a complicated event and with so many people involved, this is going to be very hard.
MAG: Well, I understand the Secretary of State of California is going to institute some changes, which may include in some places a hundred percent count. Do you think we may have to do that for 2008?
MB: One of the things that the Secretary of State required was that in many cases the DRE machines all have to have their paper trails recounted—one hundred percent of them, not just one percent. That will certainly prevent certain attacks that would otherwise not be detected with just a one percent recount. They’ve limited the number of DREs for the Diebold and the Sequoia system to just one per polling place in order to accommodate voters with disabilities who can’t use the optical scan ballots without needing assistance, but who might be able to use the DRE machines, and that is intended to reduce the scale and the number of people who’d have access to the machine throughout the day, to limit what would need to be protected and to make it easier to do that hundred percent recount. These seem like, to me, frankly, very sensible ways of mitigating this. What I’d be less confident in saying is that this is going to give you a secure election, but these seem like steps in the right direction. It’s certainly more secure than not doing these things.
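The point about the one percent audit (uniform fraud is almost certainly caught, targeted fraud in a few precincts usually is not) can be put in numbers. The script below is an added illustration and is not part of the interview or of the California study it discusses. It assumes audited precincts are chosen uniformly at random, that a recount of a tampered precinct always reveals the mismatch, and it uses a constructed county of 1,000 precincts; it also goes a step beyond the interview by computing, for a given number of tampered precincts, how large an audit would have to be to reach a chosen detection probability.

```python
from math import ceil, comb


def detection_probability(total, tampered, audited):
    """Probability that a uniformly random audit of `audited` precincts out of
    `total` lands on at least one of the `tampered` precincts.

    Hypergeometric: P(miss every tampered precinct)
        = C(total - tampered, audited) / C(total, audited).
    Assumes (illustrative) that recounting a tampered precinct always
    exposes the mismatch between paper and electronic tallies.
    """
    if not 0 <= tampered <= total or not 0 <= audited <= total:
        raise ValueError("tampered and audited must lie in [0, total]")
    if tampered == 0 or audited == 0:
        return 0.0
    clean = total - tampered
    if audited > clean:
        # The sample cannot be filled with clean precincts alone.
        return 1.0
    return 1.0 - comb(clean, audited) / comb(total, audited)


def audit_size(total, fraction):
    """Precincts covered by a fixed-percentage audit, rounded up, at least one."""
    return max(1, ceil(total * fraction))


def audit_size_for_confidence(total, tampered, target):
    """Smallest audit that catches `tampered` precincts with probability >= target.

    Detection probability is monotone in the audit size, so a linear scan finds
    the first size that clears the target.
    """
    for n in range(1, total + 1):
        if detection_probability(total, tampered, n) >= target:
            return n
    return total


if __name__ == "__main__":
    N = 1000                      # constructed county: one thousand precincts
    n = audit_size(N, 0.01)       # California-style one percent audit -> 10 precincts
    scenarios = [
        (N, "uniform: every machine tampered"),
        (10, "targeted: ten precincts tampered"),
        (1, "targeted: one precinct tampered"),
    ]
    for k, label in scenarios:
        p = detection_probability(N, k, n)
        print(f"{label:36s} 1% audit detects with p = {p:.3f}")
    print(f"full recount, one tampered precinct    p = {detection_probability(N, 1, N):.3f}")
    need = audit_size_for_confidence(N, 10, 0.95)
    print(f"precincts to audit for a 95% chance against ten tampered precincts: {need}")
```

Run as a script, it shows the asymmetry the interview describes: tampering on every machine is caught with certainty by any audit, a single tampered precinct is caught by a ten-precinct audit only one time in a hundred, and a full recount catches it every time. The last line shows that detecting ten tampered precincts out of a thousand with 95% confidence takes an audit of roughly a quarter of the county, far above one percent.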