Feldman, Halderman, and Felten (from Princeton) have just released an in-depth review of an actual Diebold Touchscreen voting machine. There isn’t anything surprising about their results, but it is a very good thing that it was done with this level of care, detail, and access. I particularly like the “Vote Stealing Control Panel,” which really drives the point home. I’ve been trying for years to get my hands on an actual voting machine to do a security review, and the fact that it’s so difficult (the Princeton team doesn’t reveal its source) is what should really worry us all. A voting machine that academics cannot freely review? In what possible world does this constitute democracy? The Princeton paper, building on Kohno et al. and Hursti’s work, shows just how bad things are underneath when there is no public oversight.
Dan Tokaji‘s review of the paper is particularly good, although maybe a little bit harsh regarding the VVPAT: the Princeton team doesn’t claim that VVPAT will solve everything, though they may indeed be too optimistic about how much it will solve.
No, what really worries me about the Princeton review is what’s missing from it. The elephant in the room is cryptographic voting: not one single word about it in the Princeton paper. Why is this significant? Because none of the Princeton attacks would succeed against a properly implemented cryptographic voting system. Consider one of Dan Tokaji’s conclusions:
From the standpoint of election procedures, this finding puts a premium on limiting access and maintaining a chain of custody, both for memory cards and for voting machines (section 5.2). Once software is loaded onto the machines, they have to be treated with the level of care that one would treat a ballot box. Just as it is possible to stuff ballots into an unguarded ballot box with a paper-based system, it is possible to manipulate vote totals on an electronic system if it is left unguarded.
Indeed, all current voting systems are forced to ensure a monumentally complex chain of custody, where the custodians are generally underpaid and untrained in computer technology (except for that lucky Maryland precinct where Avi Rubin volunteers: maybe all computer-savvy folks should follow his example?). Unfortunately, while VVPAT may help somewhat, it still requires a particularly complex chain of custody: what happens to the paper ballots printed by the machine? How do we know they get dropped in the right box? Who maintains the security of the multiple ballot boxes in each precinct? VVPAT sounds great on paper (no pun intended), but I strongly suspect that, in practice, it will create its own batch of problems.
Cryptography-based voting can untangle the chain of custody completely, so that even if some untrusted person or code is injected into the machine, no adversary can successfully cheat the election. This is paradoxical, and if you’ve never heard of it before, you should be skeptical of it and read the works of Chaum, Benaloh, Neff, and many others (you can even read the intro chapter of my PhD thesis). Crypto voting can be done efficiently, with a relatively simple user interface, and it works as long as a small fraction of the voters verify their vote or simply ask their preferred political organization to do so in their place.
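The receipt check behind that last claim, as an added illustration (not code from this post or from any of the cited systems): a salted hash commitment stands in for the real encrypted ballot, and only the “recorded as cast” check is modelled, not the tally proofs a full system also needs. The candidate names, the 1000-voter election, the 20 altered ballots and the 5% verification rate are constructed figures.

```python
import hashlib
import os
import random

def commit(ballot: str, nonce: bytes) -> str:
    """Hiding commitment H(nonce || ballot): the voter keeps ballot and nonce private and
    takes the hash home as a receipt; the same hash is all the bulletin board publishes."""
    return hashlib.sha256(nonce + ballot.encode()).hexdigest()

def cast_election(ballots):
    """Every voter commits to a ballot. Returns the public board and the private receipts."""
    receipts = [(b, os.urandom(16)) for b in ballots]
    board = [commit(b, nonce) for b, nonce in receipts]
    return board, receipts

def tamper(board, targets, adversary_choice="candidate_B"):
    """Untrusted code on the machine swaps the chosen board entries for its own commitments."""
    board = list(board)
    for i in targets:
        board[i] = commit(adversary_choice, os.urandom(16))
    return board

def audit(board, receipts, verifiers):
    """Each verifying voter recomputes the receipt and checks that it appears on the board.
    Returns the indexes of voters whose receipt is missing; a non-empty list means fraud."""
    present = set(board)
    return [i for i in verifiers if commit(*receipts[i]) not in present]

def undetected_probability(n_tampered, verify_fraction):
    """Closed form: tampering survives only if none of the n_tampered affected voters verify."""
    return (1 - verify_fraction) ** n_tampered

def simulate_detection_rate(n_voters, n_tampered, verify_fraction, trials=300, seed=7):
    """Monte Carlo check of the closed form: fraction of elections in which audit() catches it."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        board, receipts = cast_election(["candidate_A"] * n_voters)
        targets = rng.sample(range(n_voters), n_tampered)
        verifiers = [i for i in range(n_voters) if rng.random() < verify_fraction]
        if audit(tamper(board, targets), receipts, verifiers):
            caught += 1
    return caught / trials

if __name__ == "__main__":
    # constructed scenario: 1000 voters, 20 altered ballots, 5% of voters check their receipt
    print("P(undetected) =", undetected_probability(20, 0.05))
    print("simulated detection rate =", simulate_detection_rate(1000, 20, 0.05))
```

Note that flipping more ballots only makes the adversary easier to catch, which is why a small verifying fraction suffices.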
I applaud the security reviews of Kohno et al., Hursti, and Feldman et al. The usefulness of their work is incredibly high: we must continue to raise awareness regarding unverified voting machines and systems. However, paper-based voting is by no means the only answer, and it isn’t even a good enough answer. As long as we have a complex chain of custody to deal with (and the complexity of US elections practically guarantees this if we don’t have crypto), we will have issues in one form or another.
The elephant in the room needs to be acknowledged. Cryptography-based voting can provide a solution. It’s time we start building such a solution, and now’s not a moment too soon.