Feldman, Halderman, and Felten (from Princeton) have just released an in-depth review of an actual Diebold Touchscreen voting machine. There isn’t anything surprising about their results, but it is a very good thing that it was done with this level of care, detail, and access. I particularly like the “Vote Stealing Control Panel,” which really drives the point home. I’ve been trying for years to get my hands on an actual voting machine to do a security review, and the fact that it’s so difficult (the Princeton team doesn’t reveal its source) is what should really worry us all. A voting machine that academics cannot freely review? In what possible world does this constitute democracy? The Princeton paper, building on Kohno et al. and Hursti’s work, shows just how bad things are underneath when there is no public oversight.
Dan Tokaji’s review of the paper is particularly good, although maybe a little bit harsh regarding the VVPAT: the Princeton team doesn’t claim that VVPAT will solve everything, though they may indeed be too optimistic about how much it will solve.
No, what really worries me about the Princeton review is what’s missing from it. The elephant in the room is cryptographic voting: not one single word about it in the Princeton paper. Why is this significant? Because none of the Princeton attacks would succeed undetected against a properly implemented cryptographic voting system. Consider one of Dan Tokaji’s conclusions:
From the standpoint of election procedures, this finding puts a premium on limiting access and maintaining a chain of custody, both for memory cards and for voting machines (section 5.2). Once software is loaded onto the machines, they have to be treated with the level of care that one would treat a ballot box. Just as it is possible to stuff ballots into an unguarded ballot box with a paper-based system, it is possible to manipulate vote totals on an electronic system if it is left unguarded.
Indeed, all current voting systems are forced to ensure a monumentally complex chain of custody, where the custodians are generally underpaid and untrained in computer technology (except for that lucky Maryland precinct where Avi Rubin volunteers: maybe all computer-savvy folks should follow his example?) Unfortunately, while VVPAT may help somewhat, it still requires a particularly complex chain of custody: what happens to the paper ballots printed by the machine? How do we know they get dropped in the right box? Who maintains the security of the multiple ballot boxes in each precinct? VVPAT sounds great on paper (no pun intended), but I strongly suspect that, in practice, it will create its own batch of problems.
Cryptography-based voting can untangle the chain of custody completely, so that even if some untrusted person or code is injected into the machine, no adversary can cheat the election without being detected. This sounds paradoxical, and if you’ve never heard of it before, you should be skeptical of it and read the works of Chaum, Benaloh, Neff, and many others (you can even read the intro chapter of my PhD thesis). Crypto voting can be done efficiently, with a relatively simple user interface, and it works as long as a small fraction of the voters verify their vote or simply ask their preferred political organization to do so in their place.
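To make the “untangled chain of custody” concrete, here is a toy end-to-end example. It is an added illustration, not code from the original post and not an implementation of Chaum’s, Benaloh’s or Neff’s schemes: it uses textbook Paillier with tiny hard-coded primes (insecure, chosen so it runs instantly), a single trustee holding the decryption key, and no zero-knowledge proofs that each ciphertext encrypts 0 or 1 or that the trustee decrypted honestly. What it does show is the point made above: once a voter walks away with a receipt, rewriting her ballot on the “memory card” is visible to her (or to a party auditing for her) from the public board alone, anyone can recompute the encrypted tally from that board, and the chance of catching an attacker who alters k ballots depends only on the fraction of voters who check.

```python
"""Toy end-to-end verifiable tally on a public bulletin board.

Added example for this post, NOT code from the post or from Chaum/Benaloh/Neff.
Textbook Paillier, tiny primes, one trustee, no zero-knowledge proofs.
"""
import hashlib
import math
import secrets

# Toy Paillier modulus. 104723 and 104729 are prime but far too small to be secure.
P, Q = 104723, 104729
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # lcm(P-1, Q-1)


def encrypt(m: int) -> int:
    """Paillier encryption with g = 1 + N: c = (1 + m*N) * r^N mod N^2, fresh random r."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            break
    return (1 + m * N) * pow(r, N, N2) % N2


def decrypt(c: int) -> int:
    """Trustee-only: m = L(c^lambda mod N^2) * L(g^lambda mod N^2)^-1 mod N."""
    def L(u: int) -> int:
        return (u - 1) // N
    mu = pow(L(pow(1 + N, LAMBDA, N2)), -1, N)
    return L(pow(c, LAMBDA, N2)) * mu % N


def receipt(c: int) -> str:
    """The voter leaves with a hash of her encrypted ballot; it reveals nothing about her choice."""
    return hashlib.sha256(str(c).encode()).hexdigest()[:16]


def cast_ballots(choices):
    """Voting machine: encrypt each 0/1 choice, post the ciphertext, hand back a receipt."""
    board = [encrypt(v) for v in choices]
    return board, [receipt(c) for c in board]


def encrypted_tally(board) -> int:
    """Anyone can do this step: multiplying Paillier ciphertexts adds the plaintexts."""
    acc = 1
    for c in board:
        acc = acc * c % N2
    return acc


def voter_checks(board, receipts, who: int) -> bool:
    """Voter `who` (or a party auditing on her behalf) looks her receipt up on the board."""
    return receipt(board[who]) == receipts[who]


def run_election(choices, verifiers, tamper=None):
    """Cast, optionally rewrite one board entry after casting, audit, then tally."""
    board, receipts = cast_ballots(choices)
    if tamper is not None:
        idx, forged_vote = tamper
        board[idx] = encrypt(forged_vote)   # attacker with the "memory card" swaps a ballot
    detected = any(not voter_checks(board, receipts, v) for v in verifiers)
    return decrypt(encrypted_tally(board)), detected


def detection_probability(ballots_altered: int, fraction_verifying: float) -> float:
    """Chance that at least one altered ballot belongs to a voter who checks her receipt."""
    return 1 - (1 - fraction_verifying) ** ballots_altered


if __name__ == "__main__":
    votes = [1, 0, 1, 1, 0]                                   # constructed sample ballots
    print(run_election(votes, verifiers=range(5)))            # (3, False)
    print(run_election(votes, verifiers=[0], tamper=(0, 0)))  # (2, True): voter 0 catches it
    print(run_election(votes, verifiers=[1], tamper=(0, 0)))  # (2, False): nobody checked ballot 0
    print(round(detection_probability(20, 0.05), 3))          # 0.642
```

The third run is the honest part of the argument: a tampered ballot is only caught if its owner, or someone acting for her, actually checks. That is why the post insists on a small but nonzero fraction of verifying voters rather than on guarding the memory cards; with 5% of voters checking, altering twenty ballots is caught about 64% of the time, and the probability climbs quickly with the number of ballots an attacker needs to flip.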
I applaud the security reviews of Kohno et al., Hursti, and Feldman et al. The usefulness of their work is incredibly high: we must continue to raise awareness regarding unverified voting machines and systems. However, paper-based voting is by no means the only answer, and it isn’t even a good enough answer. As long as we have a complex chain of custody to deal with (and the complexity of US elections practically guarantees this if we don’t have crypto), we will have issues in one form or another.
The elephant in the room needs to be acknowledged. Cryptography-based voting can provide a solution. It’s time we start building such a solution, and now’s not a moment too soon.
5 responses to “Princeton, Diebold, and the elephant in the room.”
[…] Why do we need electronic voting anyway? It is inherently insecure. I think a lot of people, first off, tend to forget how insecure and exploitable paper ballots are: Chicago, Mexico City, and lots of other places will tell you that paper ballots are very, very exploitable. Secondly, I of course assume that a serious e-voting initiative would have at least a Voter Verifiable Paper Audit Trail, basically a way to do recounts on paper, with a way for voters to verify that the right paper votes have been cast. (aka, ‘two databases are more secure than one.’) Finally, lots of smart people are working on even more secure alternatives, that potentially are even more secure than VVPAT approaches. I’d be certain that a serious open source-based voting project would not make the same mistakes everyone else has. […]
I don’t think it’s an elephant in the room… rather it’s a baby elephant outside the room in a pen.
That is, all the cryptographic solutions for in-precinct voting are too complex and too procedure-specific (ordering attacks, etc.) to be used “in prime time”. For sure, I’m amazed at the lengths that Chaum and Benaloh have gone to make cryptographic voting more simple. But, man… try sitting down with an election official and explaining, for example, Chaum’s PunchScan technique. It’s very, very difficult to do on their level.
I think they could have said something along the lines of “Cryptographic voting solutions are showing promise, but are not yet ready for deployment.”
I think you’re mistaken and, unfortunately, you’re helping to spread FUD about crypto voting (though you’re certainly not the only one): election officials hear that crypto voting isn’t ready, and so they don’t investigate any further.
In a “normal” voting system, election officials aren’t expected to understand how a computer really works, or even how an optical scanner really works. And yet we use these machines. The point is that *some expert* understands it, and any other expert can verify it. There’s no need to hold crypto voting to a higher standard on this issue.
What matters is how a voter votes. In many schemes, in particular Neff’s, that process is extremely simple and can easily be explained.
It’s time to stop spreading this fear of crypto voting complexity. Sure, let’s talk about how to explain it better. But let’s not build up impossible criteria that, somehow, other voting systems are not held up to.
Ben, we should probably talk at length about this offline. I want to believe that crypto voting is around the bend.
Election officials and those to whom they give the task of certifying machines want and need to understand how a machine claims to do what it does. I think the only one that meets this kind of a standard now, that I’ve seen, is the PunchScan scheme… although I don’t claim to have investigated them all.
I’ve seen very smart people struggle with Neff’s scheme, for example. We need to do better.
Bubble-in scantron cards. That’s it. Not too simple, not too complex, more resistant to fraud than electronic voting… and a paper trail.