The Failure of Electronic Voting Systems

Rob Conery (of SubSonic and Microsoft MVC projects) wrote a very interesting article a few weeks ago titled, “Hacking Your Vote“. He summarizes the various electronic voting systems, their bugs, and their designs.

As a software engineer, I find it utterly amazing that a $50 million dollar Diebold system was designed using a Microsoft Access database — an unsecured Microsoft database. Rob also shows some screenshots of Diebold’s database on his blog entry.

Luckily, my state, California, banned these machines in 2004. In 2007, computer scientists from UC investigated various voting machines and you can read the summaries at the California Secretary of State web site.

In December 2005, California discovered voting system programming code that escaped the review of federal testers. On May 2, 2007, a congressional task force voted to investigate anomalies in 2006 election results in Florida’s 13 Congressional District…

– Top-to-Bottom Review Summary, California Secretary of State News Release

Princeton’s Security Analysis of Diebold AccuVote-TS Voting Machine Executive Summary lists four major findings stating:

1. Malicious software running on a single voting machine can steal votes with little if any risk of detection.
2. Anyone who has physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install said malicious software using a simple method that takes as little as one minute.
3. AccuVote-TS machines are susceptible to voting-machine viruses — computer viruses that can spread malicious software automatically and invisibly from machine to machine during normal pre- and post-election activity.
4. While some of these problems can be eliminated by improving Diebold’s software, others cannot be remedied without replacing the machines’ hardware.

I don’t understand why the federal government can’t create a secure, reliable, and easy to use voting system. The US government has tackled much more difficult technical problems, such as landing a robot on the surface of Mars.

There’s only simple math (counting) involved in electronic voting machines. There’s no analysis, no AI (artificial intelligence), no complicated algorithms. So why can’t software engineers combined with security professionals build a secure and reliable system?

I don’t believe this is a partisan system or partisan belief that votes should be accurately counted. I still find it amazing that commercial software development companies have such a hard time designing, building, and validating their electronic voting systems.

I’d love to see the US government quit trying to have commercial companies build their own electronic voting system and design one for themselves. After the design is done and a prototype is built and tested, have the machine sent to a security conference such as the Black Hat conference and leave it on the conference floor for testing. This is a system that I believe people would line up and volunteer to test. A series of these machines could go around the states on tour like a national or international treasure exhibit at museums. Once the government finishes their design and testing, then various commercial companies could compete to manufacture the systems in bulk.

Resources:

News Articles, Studies, Press Releases (mostly static content)

• E-Vote Still Flawed, Experts Say (Wired, Jan 2004)
• California Bans E-Vote Machines (Wired, April 2004)
• Analysis of an Electronic Voting System (IEEE Symposium on Security and Privacy, May 2004)
• ACM Policy Recommendations on Electronic Voting Systems (Sep 2004)
• Security Analysis of the Diebold AccuVote-TS Voting Machine (Center for Information and Technology Policy, Princeton University, Sept 2006)
• California Top-to-Bottom Review of Voting Machines (California Secretary of State, 2007)

Blogs & web sites

• Election Machinery blog (written by Princeton and Sanford freshmen about voting technology)
• Voting blog entries (Freedom to Tinker, Bloggers from CITP, Princeton)
• CalTech/MIT Voting Technology
• Black Box Voting – American’s Elections Watchdog Group