
Ballot Security and the Threat of Bad Actors

Ensuring the integrity of the popular plebiscite, the most basic of democratic processes, in the 21st century cyber age may in the end come down to an age-old principle – trust, but verify.

Published November 1, 2004

By Myrna E. Watanabe
Academy Contributor

In August, Venezuelans voted on whether to keep Hugo Chávez as president. This nationwide tally of more than 14 million registered voters was taken on direct-recording electronic (DRE) voting systems.

Chávez was not recalled, and the ink was barely dry on the voting machine printouts when accusations of fraud were made. The vote was a recall on Mr. Chávez, based on a petition signed by more than 3 million voters. Surely the vote, which was 57.8% in favor of retaining Chávez, must have been manipulated, thought some. And what better way to manipulate the vote than by subverting DRE machines?

A Simple Concept

There are several basic designs for DRE machines, with various permutations and combinations of features. Bernard Liu, legal staff attorney for the Elections Division of the Secretary of State’s office in Connecticut, described these machines as “the most simple application” of computer technology. A common automated teller machine (ATM), he explained, is more sophisticated. DREs simply record and compute votes.

The machines, many of which have touch screens like ATMs, must be activated for each voter. In some cases the poll worker activates the machine, either directly or through a local workstation. In others the poll worker may give the voter an electronic key: a card with a magnetic strip or a smartcard that contains a computer chip.

The poll worker will program the card to allow only one person to vote. If there are primaries being run on a given day, the card can be programmed for the primary ballot of a specific party. The ideal system will have no information programmed into the card that will identify the voter. Once the voter or poll worker activates a machine, a ballot will come up on the screen.

Frank Wiebe, president of AccuPoll, Inc., a small vendor of voting machines in Tustin, California, explained how his company’s machines work; other companies’ machines may work slightly differently. The AccuPoll machine is activated for a voter with a memory-only smartcard. The machine, said Wiebe, verifies that the card is for the correct polling place and is enabled for voting. It also has encoded within it the type of ballot that the voter needs to see.

Tangible Representation on Paper

The initial screen contains a set of instructions. After reading the instructions, the voter is asked to hit the “next” button to see each individual contest. At the end of the ballot, the voter sees a ballot review screen. Wiebe explained that the machine will not allow an over-vote – i.e., if you are supposed to vote for two of five names, you cannot vote for more than two – and will issue a warning if you have under-voted by skipping races or voting for fewer candidates for given offices.

“If they [voters] decide to change their minds, they would just touch the button for that contest,” Wiebe said. The machine would return to that specific contest to allow the voter to make the change. After reviewing the ballot, the voter would push the “cast your ballot” button.

After that button is pushed, Wiebe continued, “the representation of the ballot is written into memory [and] the go-vote key is disabled.” The vote is stored in the hard drive and in flash memory. Some machines do not print out a paper representation of the vote, but the AccuPoll machines do. “They have a tangible representation on paper, which the voter can confirm, that the vote could be recorded as desired,” noted Wiebe. The voter then puts the paper ballot into a ballot box so that the vote can be verified.

In some cases, as with the AccuPoll machines, the individual voting machines are networked to a central workstation at the polling place. In others, the machines are linked via the Internet to a computer at a centralized election office. And in yet others, the machines are not linked at all.

Variations on a Theme

There also are various permutations of a completed paper ballot. Some machines – those that have been most criticized by computer experts – provide no paper record at all. Others provide a “receipt” that cannot be proved against the record within the computer, as it cannot be matched with a specific ballot. Other machines generate a random number for the electronic ballot that also is on the paper ballot. That allows the paper ballot to be compared with the computer’s record.

Eugene Spafford, executive director of Purdue University’s Center for Education and Research in Information Assurance and Security, noted that there are a number of areas in which the electronic voting system can be compromised – beginning with people. “You have a very broad range of individuals who are working as the election clerk and monitors,” Spafford said, and there are no standardized tests for elections officials. In a medium-to-large-sized county, Wiebe noted, “it’s a 6- to 12-month project to transition from an old system to a new system.” And the transition includes educating both voters and poll workers.

A person intent on subverting the system could fabricate smartcards or smart keys to allow multiple votes. In their often-cited paper, “Analysis of an electronic voting system” (T. Kohno et al., IEEE Symposium on Security and Privacy 2004, IEEE Computer Society Press, May 2004), Johns Hopkins’ Avi Rubin and colleagues review vulnerabilities of one DRE system. They note that there is no cryptography in the smartcards; thus, “there is no secure authentication of the smartcard to the voting terminal.” They further note that poll workers may have access to cards that can administer or end an election. These, too, can be duplicated.

Software Vulnerability

Another vulnerable area is the software, Spafford said, noting that the people who build voting machines are not necessarily security experts. He said companies “don’t build-in all the safeguards because that would be too expensive.” While the vendors may claim that their machines are safe, Spafford said, “Most of these vendors certainly don’t have the level of software testing that a Microsoft or Oracle has.” A Trojan horse – capable of wreaking havoc on software – can’t be found by the usual testing done on DREs, Spafford said.

Concern about the integrity of the software used in electronic voting systems is shared by Jennifer McCoy, of Georgia State University, in Atlanta. Commented McCoy, who led the Carter Center’s observation of the Venezuelan plebiscite: “I think it’s theoretically possible to manipulate the software.”

Local area networks (LANs) are also subject to potential tampering, and wireless LANs are particularly insecure. “There are definitely a lot of security exposures for a wireless LAN and we would never advocate for such,” says Wiebe. Liu says Connecticut is not considering networked machines or machines that are connected to the Internet. The advantage of stand-alone machines, he noted, is that people set on malfeasance would “have to hack into every single machine you have to try to change the vote.”

The Human Touch

Vote tabulation is also vulnerable to tampering. Transmission from the individual terminals to the polling place workstation can be compromised, as can transmission from the polling place workstation to the central tabulation location. With no verifiable paper trail, “you cannot do a recount; all you can do is a re-read,” Spafford explained. And if, when the machines are opened, the counts are all zeros, he added, then “all the votes are gone.” Posting results at the polling place and again at the central tabulation location, he added, shows that there has been no tampering between the time the tabulations left the polling place and when the numbers were entered into a central computer.

The Venezuelan plebiscite illustrates why a verifiable paper trail is so important. So far, the Carter Center has gone through two audits of the results. The first was what McCoy called “a quick count,” where election observers called in the machines’ data to headquarters on the polling day. The second was in response to a report that criticized the first audit as not relying on a random sample.

“The paper ballot had the number of the machine on it; it had the result of the vote; then it had a 32-character string, numbers and letters combined,” noted McCoy. These numbers could be matched up to numbers printed on a tally sheet for each ballot that was cast.
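The ballot-level comparison described here, and under “Variations on a Theme” for machines that print a random number on each paper ballot, can be sketched as follows. This is an added example, not code from the article or from any vendor or observer mission; the record layout (ballot ID, machine number, choice), the function names and the sample data are assumptions, and the ID is assumed to be random and not linked to the voter.

```python
from collections import Counter

def index_by_id(records):
    """Map ballot ID -> (machine, choice); collect IDs seen more than once."""
    index, duplicates = {}, set()
    for ballot_id, machine, choice in records:
        if ballot_id in index:
            duplicates.add(ballot_id)
        index[ballot_id] = (machine, choice)
    return index, duplicates

def reconcile(electronic, paper):
    """Compare the machine's stored records with the paper ballots, one ID at a time."""
    e_index, e_dups = index_by_id(electronic)
    p_index, p_dups = index_by_id(paper)
    shared = e_index.keys() & p_index.keys()
    return {
        "duplicate_ids": sorted(e_dups | p_dups),
        "paper_only": sorted(p_index.keys() - e_index.keys()),
        "electronic_only": sorted(e_index.keys() - p_index.keys()),
        "mismatched": sorted(b for b in shared if e_index[b] != p_index[b]),
        "electronic_tally": Counter(c for _, _, c in electronic),
        "paper_tally": Counter(c for _, _, c in paper),
    }

# Constructed sample data, not real election records. IDs are shortened
# stand-ins for the random string printed on each paper ballot.
ELECTRONIC = [
    ("A1F3", "M01", "YES"),
    ("B7C2", "M01", "NO"),
    ("C9D4", "M02", "NO"),
    ("D2E8", "M02", "YES"),
    ("D2E8", "M02", "YES"),   # same ID stored twice in the machine record
]
PAPER = [
    ("A1F3", "M01", "YES"),
    ("B7C2", "M01", "YES"),   # paper disagrees with the electronic record
    ("C9D4", "M02", "NO"),
    ("E5A0", "M02", "NO"),    # paper ballot with no electronic counterpart
]

if __name__ == "__main__":
    for finding, value in reconcile(ELECTRONIC, PAPER).items():
        print(f"{finding}: {value}")
```

Comparing totals alone would show only that the two tallies differ; the per-ID comparison shows which ballots are duplicated, missing or altered, which is what a receipt that cannot be matched to a specific ballot fails to provide.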

Absentee Ballots

The center’s second audit report also compared voting machine results and numbers of signatures on the recall petition, but was based on a random sample.

Arnold Urken, a demographics and electronic voting expert from Stevens Institute of Technology in Hoboken, New Jersey, participated in a recent panel discussion on electronic voting held at The New York Academy of Sciences (the Academy) and sponsored by the Science Writers in New York. Other members of the panel included former Undersecretary of the Navy Jerry MacArthur Hultin, now of Stevens Institute; journalist Steve Ross; and former ABC White House correspondent Steve Taylor.

Urken indicated his sense of insecurity with the DREs by advising: “If you want your vote to be counted as carefully as your money, consider requesting an absentee paper ballot so that you do not run the risk of having your vote changed, corrupted, or eliminated by a computer malfunction.”



About the Author

Myrna E. Watanabe, PhD, is a freelance writer based in Patterson, NY. Her articles appear in many publications, including Nature, Nature Medicine, The Scientist, and The Hartford Courant.

