With low turnouts in many elections in Britain, some people have suggested that electronic voting could be allowed in order to make things easier and hopefully raise voter turnouts, e.g. see this BBC report about e-voting trials in Swindon in recent local elections.
In America there has been a big push towards introducing electronic voting systems after the Florida vote counts in the 2000 presidential election where the voting machines’ performance may have influenced the end result in a tight election.
However the move towards electronic voting is by no means straightforward. With a paper ballot, with the vote manually registered by the voter as occurs in British elections at the moment, you have a high degree of checkability. People know what they write on the ballot before it’s put in the box. Vote counting can be done under the eyes of the candidates, their representatives and independent observers. We can therefore create reliable voting procedures and vote counting procedures quite easily.
With electronic voting, things are not so straightforward. Without knowing what code is running on the computer recording your vote, you cannot be sure whether the vote is correctly registered by the computer. The vote counting is done by the computer essentially out of sight. The possibility of incorrect counting due to software bugs, the software being hacked or plain skullduggery on the part of the software writers has to be taken into account.
America’s recent experiences with voting machines provided by a company called Diebold provide worrying reading:
Under the Help America Vote Act (HAVA), the Election Assistance Commission is charged with establishing voluntary standards for voting machine software and creating an independent testing process for the software. However, this process is far behind schedule. Under HAVA, the Election Assistance Commission members should have been nominated by the President in February 2003. Unfortunately, these nominees have only recently been sent to the Senate for confirmation.
Without this federal review and testing of software, deeply flawed software has been marketed by companies and bought by states. An Analysis of an Electronic Voting System was recently authored by Tadayoshi Kohno, Adam Stubblefield, Aviel Rubin, and Dan Wallach. This voting software, produced by Diebold, has already been purchased by two states. According to this study, some of the most serious of numerous flaws permit a person to:
-vote multiple times,
-view ballots already cast on a machine,
-modify party affiliation on ballots,
-cause votes to be miscounted,
-create, delete and modify votes on voting machine, and
-tamper with audit logs and election results.
States Purchase Insecure Software
As a result of this study, Maryland put on hold its purchase of Diebold voting machines. Later, an independent review confirmed the previous findings. It counted 328 security weaknesses, and concluded that: “The system, as implemented in policy, procedure and technology, is at high risk of compromise” (pg. 17).
Diebold had threatened legal action against students and ISPs who publicised the flaws found in their voting machines, though they have now backed down.
A comprehensive account of both the problems with the machines and the legal actions Diebold attempted in order to try and stop various internal emails detailing flaws in the machines being distributed around the web can be found here. Diebold’s response to the problems has been far from reassuring as the threatened legal action illustrates. But it gets worse, since according to the above article:
The state of Maryland, however, commissioned an investigation of the Diebold machines by SIAC. SIAC found 328 security weaknesses; of those, 26 were designated critical . Among the problems: Diebold doesn’t encrypt vote totals before they are transferred to the Board of Elections over the Internet. Diebold’s response is far from reassuring, as the Washington Post reported:
“Further, as a result of the review, Diebold has rewritten its software to include better encryption coding and harder-to-crack passwords. The encryption and password upgrades will be made only for the machines destined for Maryland , [Diebold executive Mark] Radke said, and would not be available for the 33,000 touch-screen machines already in use elsewhere.”
So there you have it: the squeaky wheel gets the grease. Diebold will fix Maryland’s machines, but everyone else in America will continue to suffer from hundreds of security holes, 26 of them critical. Feel better?
Of course, anyone that really cares about security knows that a system has to be built with security in mind from the get-go. You can’t just bolt security on top of a system after the fact and assume that the any problems will be fixed. But that’s exactly what Diebold proposes to do. They told us to trust them before, and now they’re asking us to trust them again. How trusting are you?
The above articles paint a very worrying picture about the way electronic voting is shaping up in America and suggest other countries should be very careful and cautious about e-voting. It seems to me that the any moves towards e-voting should involve the following requirements (based on the list in the security focus article):
* the use of open source software that is open to scrutiny by anyone
* the voting machines must pass thorough testing to ensure security and reliability
* the voting machines must produce paper copies of the votes, verified as accurate by the voter, to be used for auditing purposes.
* voting machines must be usable by the disabled.
* Surprise recounts must be held in a proportion of randomly selected constituencies in each election.
* voting machines must only communicate with other systems in order to report vote totals. Incoming communication from other systems should be forbidden.
At any rate, until trials have shown that electronic systems can be used reliably without opening up scope for manipulation of the voting process, we should stick to paper ballots.