A (Die)Bold Indictment of Computerized Voting

September 13, 2006 · 14 comments

Today Ed Felten released a provocative new paper about Diebold’s AccuVote-TS voting machines. According to the paper, 33,000 of these machines will be used in this fall’s elections. He argues that the machines are fatally flawed, and that election officials need to take emergency measures to ensure the integrity of the elections.

Regular readers of TLF won’t be surprised to learn that I found the paper persuasive. But even though I read the paper expecting to agree with it, I was still surprised at just how poorly designed Diebold’s machines are.

Under the hood, the Diebold machines are glorified PDAs running Microsoft’s Windows CE software. Diebold simply took off-the-shelf computer components, built a more or less ordinary computer, and then wrote software that would perform the vote-counting functions.

The problem is that they took hardly any precautions at all to prevent someone from replacing that software. And because it’s what computer scientists call a general-purpose computer, the replacement software can be programmed to do virtually anything you can imagine. You could install software on your Diebold machine to play Tetris, balance your checkbook, or display a screen saver. Or, as Felten and his grad students demonstrated, you could install software to rig elections.

What’s shocking about Felten’s paper is that Diebold does not appear to have made any serious efforts to prevent such an attack. If you put an appropriately-formatted memory card in the machine, it will over-write its own software with the software on the card. It makes no effort to verify that the new software is legitimate, nor does it seek confirmation from the user before over-writing the software. Felten and company found several distinct mechanisms whereby the machine will accept malicious software, no questions asked.
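To make the design failure concrete, here is an added illustration (not Diebold’s code, and not from Felten’s paper) of an update routine written two ways: the unverified path accepts any card with the expected header, as the post describes, while the hardened path requires a valid signature from a public key baked into the machine and an explicit operator confirmation. The card layout, the magic header and the function names are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Constructed card layout for this example (not the real AccuVote format):
// a 4-byte magic header followed by the software image.
var cardMagic = []byte("UPDT")

// UpdateCard is what the machine reads from removable media. The detached
// signature is only honoured by the hardened path below.
type UpdateCard struct {
	Payload   []byte // magic header followed by the software image
	Signature []byte // ed25519 signature over the image bytes (may be absent)
}

// applyUnverified mirrors the behaviour the post describes: any card with the
// expected header is installed, no questions asked.
func applyUnverified(card UpdateCard) ([]byte, error) {
	if !bytes.HasPrefix(card.Payload, cardMagic) {
		return nil, errors.New("not an update card")
	}
	return card.Payload[len(cardMagic):], nil // image replaces running software
}

// applyVerified is the hardened form: the image must carry a valid signature
// from the vendor key pinned in the machine, and an operator must confirm.
func applyVerified(card UpdateCard, vendorKey ed25519.PublicKey, operatorConfirmed bool) ([]byte, error) {
	if !bytes.HasPrefix(card.Payload, cardMagic) {
		return nil, errors.New("not an update card")
	}
	image := card.Payload[len(cardMagic):]
	if len(card.Signature) != ed25519.SignatureSize || !ed25519.Verify(vendorKey, image, card.Signature) {
		return nil, errors.New("update rejected: signature missing or invalid")
	}
	if !operatorConfirmed {
		return nil, errors.New("update rejected: no operator confirmation")
	}
	return image, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	image := []byte("constructed software image v2")
	card := UpdateCard{Payload: append(append([]byte{}, cardMagic...), image...), Signature: ed25519.Sign(priv, image)}
	_, err := applyVerified(card, pub, true)
	fmt.Println("genuine card:", err) // <nil>
	card.Payload[len(card.Payload)-1] ^= 1 // flip one byte of the image
	_, err = applyVerified(card, pub, true)
	fmt.Println("tampered card:", err) // signature invalid
}
```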

And most frighteningly, Felten demonstrates that it’s possible to construct a virus that will spread itself between machines and memory cards. Since memory cards are routinely passed around among machines during maintenance, this would allow a well-placed lone attacker to corrupt dozens of machines after being given access to a single machine for just one minute.

So Diebold’s machine is deeply, embarrassingly flawed. I tend to think that even a well-designed computerized voting machine would be vulnerable to attack, but Diebold certainly could have done better than this. I think Felten’s analysis makes clear that Diebold is not a company run by people who know or care about computer security.

But I think the broader lesson here is that our political institutions are not ready for computerized voting machines. The fundamental fault for this mess doesn’t lie with Diebold, but with the government officials who chose to ignore the advice of computer security professionals and adopt voting machines built around general-purpose computers. Designing a secure voting system using computerized machines is a much more difficult problem than designing a secure voting system with old-fashioned paper ballots. Our elected officials were blissfully ignorant of those challenges as they stampeded toward computerized voting based on the misguided notion that it’s more “modern” than paper-based methods.

Frankly, I don’t think the cluelessness of government officials is likely to change any time soon. Government officials will read Felten’s paper, demand that Diebold “fix” the flaws he identified, and Diebold will comply by closing the specific loopholes Felten found. But the point of Felten’s paper isn’t the particular flaws. It’s that Diebold’s machines have deep design flaws that require a fundamental re-thinking of the design of voting machines. Government officials have neither the motivation nor the expertise to get Diebold and its competitors to engage in such fundamental re-thinking.

  • Lewis Baumstark

    To be clear, the use of off-the-shelf hardware and software is not, in itself, a flaw. Even if Diebold used custom hardware with fully made-from-scratch software (something that is, like it or not, cost-prohibitive in most cases), someone would figure it out. (Probably by obtaining a physical machine like Dr. Felten did.)

    The real flaws are the deeper issues you mention: clueless government, apathetic and unaccountable voting-machine vendors, and a mindset that electronic voting is “required” to make our electoral system the bee’s knees.

  • Steve R.

    The Diebold saga is straight out of a Dilbert comic strip. In watching this saga unfold I am left with two thoughts. It is unfortunate that the government purchasing process is inefficient, but we also need to recognize that Diebold management is screwing the government. From the perspective of maximizing corporate profit one could say that this is a good thing. However, if we live in an ethical society, screwing the customer is bad.

    All voting systems (irrespective of technologies used) are subject to fraud and abuse. I am dismayed that much of the discussion simply throws out obvious flaws and is Luddite in nature. (I will acknowledge that flaws of any device or operating process should be analyzed.)

    I believe that there is a future in electronic voting. The current security fiasco is really a reflection of bad management, not bad technology. Good management would have implemented good security. The first solution is to get rid of Diebold as the provider of voting machines. Next, I hope an innovative company develops a reasonably secure electronic voting system. (Not perfect, but reasonable.)

  • http://www.redmonk.com/jgovernor James Governor

    Inefficient and screwing the government? ha ha ha ha ha ha ha hah a ha. Who do you think pays them for election wins?

  • http://www.techliberation.com/ Tim Lee

    I think the off-the-shelf components do make the hacker’s job a little easier, since the learning curve isn’t as steep and he’s more likely to have tools on hand. But I agree that ultimately all general-purpose computers are vulnerable to this kind of attack.

  • Steve R.

    Risk is everywhere. People die in automobile accidents every day, but we still drive despite the risk. Technology/procedures could be implemented to make cars safer, but we all know that practical limits exist. We simply aren’t going to reduce the speed limit to 10 MPH or require massive bumpers or require full occupant restraints to save lives.

    You are correct that “ultimately all general-purpose computers are vulnerable to this kind of attack.” Felten’s research will help us understand how to make the electronic voting process better. But to simply imply that because a system is “weak” that it should be discarded is a false logic since every system has a weakness. I will acknowledge that a system can be so weak that it should never be implemented. I am not yet convinced that that is the case in terms of electronic voting.

  • http://enigmafoundry.wordpress.com/ enigma_foundry

    Tim:

    Excellent post. Keep up the excellent work.

    EF

    “Risk is everywhere. People die in automobile accidents everyday, but we still drive despite the risk.”

    Yes, but risks are taken for reasons, usually some kind of reward, and the risk of the subversion of democracy and the ensuing social, economic, cultural (and perhaps even military) chaos that can result from this fundamentally flawed effort to replace a system that has minor problems with one that has super-major problems that won’t go away, make me say: JUST SAY NO TO EVOTING.

    My jurisdiction in the City of Saint Louis has evoting as an option: you can evote or you can use the paper ballot. I will use paper.

    Does anyone know how common having a choice about this is? I suspect it must be fairly rare.

  • Steve R.

    This is more about an incompetent company than technology. Brian Moore wrote: “What boggles my mind is: I’m a programmer — this isn’t hard stuff. The design of a secure, option selecting system is trivial stuff — banks do far more complex things with billions of dollars every day. Why is it hard to do this? Why are there bugs? You present a hardcoded list of options and count the number of times each button is pressed. Then, allow ZERO physical data access to the machine until the election is over. That’s it. Monkeys could program that. What’s the problem here?”

    The use of a hyperbolic example that chaos will descend on us if we try something new stretches credibility; based on the intractable logic to guarantee law and order to protect democracy I would suggest that everyone (with proper ID) report to a stadium on election date and we do a hand count (a proven form of technology). (This avoids little things such as ballot stuffing, dead people, and chads.) Since we can’t fit everybody into a stadium at one time we could brand everyone who voted when they leave so they can’t vote again. Just think 100% participation!
