Edited on Wed Jun-22-05 12:36 PM by GettysbergII
Election Fraud
A primary concern of any election system, whether done by hand, via computer, or any other mechanism is that it must provide sufficient evidence to convince the losing candidate that he or she actually lost. Naming the winner is the easy part. When we talk about evidence, however, we bring up all the same issues that might occur in a criminal investigation, including tampering (either by insiders or outsiders) and maintenance of a proper chain of custody over the evidence.
Vote by Mail
A simple system to first consider is voting by mail. Virtually all ballots in Oregon are cast by mail, and a significant number are cast in many other states. Mail-in votes are trivially subject to bribery or coercion (either “I’ll pay you $10 for your vote” or “I’ll break your kneecaps if you don’t give me your vote”) at the level of individual voters. This would become expensive to perform at a large scale, particularly without knowledge of the fraud becoming public. To perform such fraud at a wholesale level, where a small number of people might attempt to damage the system is far more difficult. A corrupt mail courier could only tamper with the ballots that he or she personally handled, and tamper-resistant features on the ballot or envelope might make such tampering hard to disguise. Once the ballots arrive at the central tabulation facility, fewer people would need to be involved, but hopefully stronger security measures are in place to prevent such fraud. If, for example, ballot envelopes are counted before even being opened, then those counts could be compared, in batches, to the tallies after the batches are scanned and processed. Such measures are comparable to separation of duty techniques common in the banking industry, where no one employee can ever embezzle funds without another employee discovering the missing funds as part of their job.
Precinct-based optical scan
Precinct-based optical scan systems compare favorably to vote-by-mail systems. Because the voter must vote privately in a (hopefully) well-controlled polling place, coercion and bribery don’t work. The precinct ballot scanner catches overvoting and allows the voter to try again, a feature not possible with mail ballots. The scanner also keeps its own tally of the votes, which can be rapidly transmitted over a modem or spoken over a telephone. Printouts can be physically signed by precinct-level voting officials, and independently tabulated by interest groups that are willing to send representatives to each precinct. This provides an important hedge against the risk of ballot box tampering, particularly while the ballot boxes are in transit from the local precinct to some form of central storage (probably the single greatest vulnerability in any paper-based election system). However, a significant risk remains. What if the software inside the scanner incorrectly tabulated the ballots? No election observer would be able to independently count the ballots themselves. Likewise, precinct-level election officials generally do not (and certainly should not) handle ballots after they are cast. The risk of software error might result from software bugs, or could possibly be the result of fraudulent programming (sometimes referred to as a Trojan horse). Today’s certification and “logic and accuracy testing” are completely insufficient to detect such problems [2]. However, so long as the paper ballots are handled properly, they will remain, after the election, allowing for a meaningful recount. The ability to perform such a recount provides a critical hedge against the risk of scanner failures.
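The two reconciliation checks described above (sealed-envelope counts against scanned-ballot counts per mail batch, and observer-recorded precinct printouts against the central tabulation) as an added example that is not part of the original post; the batch ids, precinct names, candidates and counts are constructed sample data.

```python
# Added example: separation-of-duty reconciliation, where counts recorded by
# one team at one stage are checked against counts reported later by another.
from collections import defaultdict


def reconcile_mail_batches(batches):
    """batches: list of (batch_id, envelopes_counted, ballots_scanned).
    The envelope count comes from the team that counted sealed envelopes;
    the scanned count from the team that ran the opened ballots through
    the tabulator. Returns every batch whose two counts disagree."""
    return [(b, env, scanned) for b, env, scanned in batches if env != scanned]


def reconcile_precinct_tallies(printouts, central):
    """printouts: {precinct: {candidate: votes}} as transcribed by observers
    from the signed precinct scanner printout. central: same shape, as
    reported by the central tabulation facility. Returns
    {precinct: {candidate: (printout_votes, central_votes)}} for every
    disagreement, treating a candidate or precinct missing on one side as 0."""
    mismatches = defaultdict(dict)
    for precinct in set(printouts) | set(central):
        p = printouts.get(precinct, {})
        c = central.get(precinct, {})
        for cand in set(p) | set(c):
            if p.get(cand, 0) != c.get(cand, 0):
                mismatches[precinct][cand] = (p.get(cand, 0), c.get(cand, 0))
    return dict(mismatches)


# Constructed sample data (hypothetical batches, precincts and candidates).
SAMPLE_BATCHES = [("B1", 250, 250), ("B2", 300, 297), ("B3", 120, 120)]
SAMPLE_PRINTOUTS = {
    "P01": {"Alice": 412, "Bob": 388},
    "P02": {"Alice": 150, "Bob": 210},
}
SAMPLE_CENTRAL = {
    "P01": {"Alice": 412, "Bob": 388},
    "P02": {"Alice": 210, "Bob": 150},  # totals swapped somewhere in transit
}

if __name__ == "__main__":
    print("mail batches to investigate:", reconcile_mail_batches(SAMPLE_BATCHES))
    print("precinct mismatches:", reconcile_precinct_tallies(SAMPLE_PRINTOUTS, SAMPLE_CENTRAL))
```

Neither check says which side is wrong; it only flags the batch or precinct whose paper record and reported count must be reconciled before the result is accepted.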
DRE voting systems
Direct Recording Electronic (DRE) voting systems offer a number of benefits relative to precinct-based optical scan systems. They also introduce significant new complexity, new risks, and new costs. A DRE terminal may cost thousands of dollars, and many must be purchased to allow busy precincts to limit voter waiting times to avoid the problems observed, for example, in Franklin County, Ohio. Modern DREs are, at their core, general-purpose programmable computers. Some even run Microsoft’s Windows CE operating system. This gives DREs the flexibility to support a variety of attractive features including large text, speech synthesizers, and multiple languages, all of which help make voting accessible to a wider demographic of voters. This same flexibility, unfortunately, significantly increases the ease with which someone might tamper with the software. Such tampering could occur where the machine was manufactured or anywhere else from the moment the machine leaves its manufacturer to the day of the election. Anyone who has uninterrupted physical access to a DRE voting system for any length of time could potentially tamper with its software.
Consider software updates. As with normal consumer software vendors, DRE vendors are constantly improving and modifying their software to satisfy the needs of their customers. They then submit this software for “certification” by an Independent Testing Authority. There are three U.S. companies currently serving as Independent Testing Authorities. However, in cases where outside computer security firms or academics have had the opportunity to independently examine DRE software, they have found significant and wide-ranging flaws. As such, it appears that the ITAs do not have the skills to properly audit voting system software. We also observe that ITAs make no warrant that voting systems are actually suitable for use in an election. Rather, much more weakly, they claim that voting systems “satisfy FEC standards”, which unfortunately require almost nothing with regard to software quality or security, or even about usability or accuracy. More elaborate standards are in development, but are nowhere near adoption.
A fundamental attribute of all modern DRE systems is their elimination of the paper trail we have with optical scan systems. While these systems will allow voting totals, or even individual votes in some cases, to be printed at the end of the election, this does not provide a hedge against software failures in the DRE. It’s entirely possible that a DRE voter could vote for one candidate, which would be displayed on screen, while an entirely different candidate could be recorded internally as having received that vote. If such an error occurred, neither the voter nor any election official would be able to undo the damage after the fact. If such an error occurred systematically, it could swing the outcome of an election. And, if the faulty software was deliberately placed in the machine, it could even be programmed to modify itself to eliminate any traces of its having been present. If such fraud were occurring, it would not be visible to poll workers or election observers.
As with any other voting system, DRE votes must ultimately be centrally tabulated. This information may be communicated over a modem or carried by hand in a computer memory card. As with traditional ballot boxes, such data may be subject to tampering while in transit. However, while ballot boxes are large objects that can be easily observed and tracked, computer memory cards are small and sleight-of-hand can allow for quick substitutions. Likewise, telephone lines are not terribly secure against attackers who can climb telephone poles. While appropriate cryptographic techniques can mitigate all of these risks, many DRE vendors either use no cryptography at all or do it improperly, leaving the data effectively unprotected while in transit.
Once the data arrives at the central tabulation facility, it is typically stored in off-the-shelf personal computers running a Microsoft operating system and some form of database. These computers, themselves, may be subject to attack by election insiders. Anyone with physical access to these computers and the appropriate tools could execute a database script to directly modify the database records, overwriting any original data without leaving any evidence of such tampering. Furthermore, in the case that these machines are ever connected to the Internet, perhaps to deliver results to an election web server or to the press, these machines could be attacked over the Internet. Even if all the latest security patches have been applied, attackers may well keep other security attacks in reserve, specifically to attack such election computers.
[2] Logic and accuracy testing for an optical scanner generally involves running a “test deck” through the machine. After scanning the deck, the tally is read from the machine. The scanner’s tally can be compared to the known totals. Unfortunately, a well-designed Trojan horse can tell when it’s being tested, either by identifying that, in fact, it’s seeing the same test deck it always sees, or even by observing that the test ballots are arriving much faster than “normal” voters might cast their ballots.