Today Ed Felten released a provocative new paper about Diebold’s AccuVote-TS voting machines. According to the paper, 33,000 of these machines will be used in this fall’s elections. He argues that the machines are fatally flawed, and that election officials need to take emergency measures to ensure the integrity of the elections.
Regular readers of TLF won’t be surprised to learn that I found the paper persuasive. But even though I read the paper expecting to agree with it, I was still surprised at just how poorly designed Diebold’s machines are.
Under the hood, the Diebold machines are glorified PDAs running Microsoft’s Windows CE software. Diebold simply took off-the-shelf computer components, built a more or less ordinary computer, and then wrote software that would perform the vote-counting functions.
The problem is that they took hardly any precautions at all to prevent someone from replacing that software. And because it’s what computer scientists call a general-purpose computer, the replacement software can be programmed to do virtually anything you can imagine. You could install software on your Diebold machine to play Tetris, balance your checkbook, or display a screen saver. Or, as Felten and his grad students demonstrated, you could install software to rig elections.
What’s shocking about Felten’s paper is that Diebold does not appear to have made any serious efforts to prevent such an attack. If you put an appropriately-formatted memory card in the machine, it will over-write its own software with the software on the card. It makes no effort to verify that the new software is legitimate, nor does it seek confirmation from the user before over-writing the software. Felten and company found several distinct mechanisms whereby the machine will accept malicious software, no questions asked.
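To make the missing check concrete, here is an added illustration (not code from Felten’s paper or from Diebold) of the difference between a loader that installs whatever is on the card and one that first verifies a vendor signature over the image; the `UpdateImage` layout, the function names and the use of Ed25519 are assumptions for the sake of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateImage is a hypothetical layout for a software image on a removable
// card: the payload plus a detached signature over it (not Diebold's format).
type UpdateImage struct {
	Payload   []byte
	Signature []byte
}

var ErrUnsigned = errors.New("update rejected: signature missing or invalid")

// installUnverified mirrors the behaviour the paper describes: whatever is on
// the card replaces the running software, with no check of any kind.
func installUnverified(current []byte, img UpdateImage) []byte {
	return img.Payload
}

// installVerified only overwrites the software when the image carries a valid
// signature from a vendor key baked into the device; otherwise it keeps what
// is already installed and reports the rejection.
func installVerified(current []byte, img UpdateImage, vendorPub ed25519.PublicKey) ([]byte, error) {
	if !ed25519.Verify(vendorPub, img.Payload, img.Signature) {
		return current, ErrUnsigned
	}
	return img.Payload, nil
}

func main() {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader) // a key that is not the vendor's

	current := []byte("vote-counting software v1")
	official := UpdateImage{Payload: []byte("vote-counting software v2")}
	official.Signature = ed25519.Sign(vendorPriv, official.Payload)
	rogue := UpdateImage{Payload: []byte("something else entirely")} // constructed sample
	rogue.Signature = ed25519.Sign(otherPriv, rogue.Payload)

	fmt.Printf("unverified loader installs: %q\n", installUnverified(current, rogue))
	sw, err := installVerified(current, rogue, vendorPub)
	fmt.Printf("verified loader keeps: %q (err: %v)\n", sw, err)
	sw, err = installVerified(current, official, vendorPub)
	fmt.Printf("verified loader installs: %q (err: %v)\n", sw, err)
}
```

The signature check is only as strong as the protection of the vendor's signing key and of the public key stored on the device, which is why the paper's point about the overall design, not just this one check, still stands.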
And most frighteningly, Felten demonstrates that it’s possible to construct a virus that will spread itself between machines and memory cards. Since memory cards are routinely passed around among machines during maintenance, this would allow a well-placed lone attacker to corrupt dozens of machines after being given access to a single machine for just one minute.
So Diebold’s machine is deeply, embarrassingly flawed. I tend to think that even a well-designed computerized voting machine would be vulnerable to attack, but Diebold certainly could have done better than this. I think Felten’s analysis makes clear that Diebold is not a company run by people who know or care about computer security.
But I think the broader lesson here is that our political institutions are not ready for computerized voting machines. The fundamental fault for this mess doesn’t lie with Diebold, but with the government officials who chose to ignore the advice of computer security professionals and adopt voting machines built around general-purpose computers. Designing a secure voting system using computerized machines is a much more difficult problem than designing a secure voting system with old-fashioned paper ballots. Our elected officials were blissfully ignorant of those challenges as they stampeded toward computerized voting based on the misguided notion that it’s more “modern” than paper-based methods.
Frankly, I don’t think the cluelessness of government officials is likely to change any time soon. Government officials will read Felten’s paper, demand that Diebold “fix” the flaws he identified, and Diebold will comply by closing the specific loopholes Felten found. But the point of Felten’s paper isn’t the particular flaws. It’s that Diebold’s machines have deep design flaws that require a fundamental re-thinking of the design of voting machines. Government officials have neither the motivation nor the expertise to get Diebold and its competitors to engage in such fundamental re-thinking.