Whatcom Watch Online
Controversies: Malware and Lack of Verifiable Paper Backup
- Part 2


March 2007

Electronic Voting Systems

by Joshua Salwitz

Joshua Salwitz works in the customs brokerage industry and is a full-time student at Whatcom Community College.

The foremost technical issue surrounding electronic voting systems is the lack of a verifiable paper backup. This applies specifically to the touch screen, or DRE, systems. The optical scan systems, which are used to scan ballots, do not have this issue, as the actual ballots provide a hard copy of the voting records.

The problem with not having an auditable paper trail is that as a voter you make your on-screen selection for the candidate of your choice, but there is no way of knowing whether the machine is actually recording your choice correctly. Maybe it assigns your vote to another candidate, or perhaps it simply discards your vote completely.

Without having something tangible, that can be verified by the voter before the ballot has been officially cast, there is no way of knowing for certain that the vote was recorded correctly. Currently, only 25 states require that electronic voting machines provide a voter verified paper trail.7 (Note: there is not a uniform definition of “paper trail.”) This lack of verification is a major concern and is very closely tied to the issue of malware.

Malware, or malicious software, is defined by Wikipedia as “software designed to infiltrate or damage a computer system without the owner’s informed consent.” 8 In the case of electronic voting systems, this would generally refer to software that has been installed on a voting system to either invalidate or alter the results of an election. This type of an attack was demonstrated by Harri Hursti in the HBO documentary, “Hacking Democracy,” and also by Princeton researchers.

The manufacturers claim that, if normal security protocols are followed, a person would be unable to have the access needed to install this type of software onto the system. Diebold specifically responded to the Princeton analysis with the statement “the report all but ignores physical security and election procedures.” 9 While this statement may be true, with the adoption of this new technology come sometimes difficult training issues for election staff. They must follow the security procedures that are put in place to safeguard the systems.

Princeton researchers showed that malicious software could be installed on the new systems in as little as one minute. They also demonstrated that the locks, which secure the voting system cases on some models, could be easily picked in approximately 10 seconds, thereby giving complete access to the system and the memory cards that are used to store the voting software and the recorded votes.10 It was also discovered earlier this year that the keys used to operate the lock on the system cases are widely available, and in fact, are the same type of keys that many hotels use to secure their mini bars.11

In at least one instance, newly delivered voting systems were left completely unattended. This lack of security around the systems would provide more than ample opportunity for someone to tamper with the devices. Ed Felten, one of the authors of the Princeton report on Diebold systems, recently took a photo of himself standing next to these unattended systems and submitted it to the online blog, Freedom to Tinker.

Memory Card Stores Vote Data

While it may not seem like someone tampering with one particular machine would have much impact on the outcome of a national election, we must take into consideration the process by which the individual machines are prepared for use. Each touch screen system has a memory card loaded into it; this card is where the vote data is stored. These same cards are also used to update the machines when new software is loaded onto them.

During a normal update process, a technician inserts the memory card, which contains the new software, into the card reader on the voting machine. Once the card is inserted, the voting machine sees that there is a newer software version on it. The voting machine will then automatically install the newer software found on the card into its onboard memory, thereby overwriting any previous version of software installed on the voting machine. One card may be used to update the entire voting system for a particular county.

A similar process is followed for loading the election parameters into the system prior to an election day. Because of these processes, cards may be swapped from machine to machine on a fairly regular basis. Now, if we consider the possibility that one card has been tampered with and has malicious software on it, and that card is placed into a voting machine, the malware may automatically overwrite the correct software. Any other card that is inserted into this particular machine or any other machine that this infected card is inserted into may itself become infected, thereby spreading the malware throughout the system.10

Depending upon how many machines are being set up at a particular time, or at a particular location, it’s easy to see how this problem can multiply from one machine, to an entire voting precinct, an entire county, potentially even an entire state. Tampering of that magnitude would most certainly have an impact in a national election.

Software and Hardware Not Open to Outside Scrutiny

A third issue that surrounds the technology is that the systems are proprietary and the design of both the hardware and the software is not open to outside scrutiny. This concern is of the utmost importance when considered in concert with the aforementioned issues. The fact that the software instructions that control the vote tabulation systems are closed suggests the potential for other security problems as well as the possibility of ill-meaning programmers providing backdoor access into the systems.12

Given that this software runs on a Microsoft Windows operating system, it’s inherently susceptible to the many security flaws contained within Windows. Additionally, since no one outside of the manufacturers and system testers is allowed to review the software code, it is impossible for anyone to be certain that it functions as intended, save for the claims of the manufacturers themselves. There’s no independent third party review of the software or of the validity of their claims.

Taken together, these issues paint a very disconcerting picture indeed. We have systems that the manufacturers claim are accurate and function properly; however, we have no way of verifying this information because the system design and software code are considered a trade secret and are therefore off limits to outside inquiry. They suggest that the systems are secure, yet they can be opened with a key that anyone can obtain from the Internet and in under a minute a person could install software designed to steal votes. As distressing as all this may sound, there is yet one other issue that begs attention regarding the use of these systems. That is the issue of partisanship.

Issue of Partisanship

Almost all industries use lobbying in some form to compel the government to provide certain concessions or benefits to their industries. In many cases this involves making donations to political parties or specific government officials. This is not a new or unusual phenomenon.

Concern arises though when the manufacturers of electronic voting machines openly and strongly support a particular political party or candidate. Given the fact that their systems are completely sealed off to outside eyes, and we only have the words of the manufacturers to assure us, as voters, that their systems are secure, and above all accurate, it is distressing to see them openly and vigorously support a political candidate.

In 2003, the CEO of Diebold Election Systems, Walden O’Dell, spent a great deal of time and effort fundraising for the 2004 Bush/Cheney campaign. He attended strategy sessions and held Republican fundraisers at his personal home. Most alarming though, was a letter O’Dell had written in which he stated he was “committed to helping Ohio deliver its electoral votes to the president next year.” 13

Should the head of a company that supplies the systems which tabulate our nation’s votes be openly making statements of that nature? It raises significant questions about conflicts of interest. How can we have confidence that the system is fair, when we have no idea how it operates, and when the person who was head of the company supplying the systems makes statements regarding how committed he is to ensuring the president’s re-election?

These are some of the issues that surround the use of these new electronic voting systems. While these issues may make the situation appear to be dubious at best, there are options that can allow these systems to be successful. There are precautions that can be taken that will help secure the machines, and modifications can be made to provide more accountability. Additionally, there are electronic voting options other than those currently being offered by Diebold and other manufacturers that do not suffer from the drawbacks that their offerings have.

Electronic Voting Options

First are the optical scan machines that were described earlier. They have a built in paper trail, the ballot, and only the ballot itself need be filled out in a voting booth, thereby decreasing the opportunity for someone to install malicious software onto the voting machine. Of the systems currently being offered, these are generally accepted as being far superior, in terms of security and accountability, to the DRE systems. In an address given to the Joint Select Committee on Electronic Voting Systems of the North Carolina General Assembly, elections system expert Rebecca Mercuri stated, “Optically scanned systems continue to be used successfully … . [Optically scanned ballots] have been shown to meet or better that of fully electronic voting products.” 14

The second option would require modification of the design of DRE systems. This would include a more secure case, which cannot be opened with a readily available key. The inclusion of a voter verified paper audit trail, or VVPAT, would also add to transparency in the process. It would also provide more voter confidence as the voter would be able to physically see their choices as selected rather than simply trusting the machine to record them properly.

The major drawback with VVPAT systems currently in use is that they require voter verification prior to the ballot actually being cast, but it does provide at least some form of paper backup. There are also methods under development that utilize cryptography that would allow the voter to verify their ballot after it has been cast without violating ballot secrecy.15

Another option is a system that is currently being designed by E-POLL, and is being tested for use in the European Union, which utilizes biometric security and encryption. This type of system would use smart cards, which are tied to a voter’s fingerprint for verification. It would also use encryption methods similar to those used in online credit card transactions to store the ballots once they have been cast.16

The most intriguing system comes from a company in Delaware, called Open Voting Solutions, Inc. The system is based upon an optical scanning design, but rather than using proprietary hardware, it utilizes off the shelf scanners and standard PCs. A ballot is scanned into their system using a standard scanner; it is then tabulated by their ballot-counting software. The major difference between their software and that of other vendors is that it is completely open source.

Open source means that anyone, including you or me, has access to the code itself and can view it. This makes the system completely transparent as their software can be scrutinized by anyone and everyone. Alan Dechert, President of the Open Voting Consortium, the body that is certifying this system, has said “There is no excuse for any secret methods to be involved in the tabulation of our votes … we expect that Open Voting Solutions’ OpenScan product will become the first commercially available Open Voting System.” 17 However, there remains the need to publicly verify that the software running on election day is exactly the same as that which had been reviewed, in such a way that the public can understand, and that is nearly impossible.
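The memory card update described earlier accepts whatever carries a newer version number, and the paragraph above asks how to confirm that the installed software is the reviewed software. The sketch below is an added example, not code from the article or from any vendor: it sets the version-only rule beside a rule that also requires the image to match a published digest of the reviewed build, then audits installed images the same way. All names and sample bytes are hypothetical.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class CardImage:
    version: tuple   # e.g. (2, 0)
    payload: bytes   # software image as read from the memory card

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def version_only_accepts(installed: tuple, card: CardImage) -> bool:
    # Update rule as the article describes it: a newer version number is enough.
    return card.version > installed

def digest_checked_accepts(installed: tuple, card: CardImage, published: dict) -> bool:
    # Hardened rule (an assumption, not the vendor's design): the image must
    # also hash to the digest published for that reviewed version.
    expected = published.get(card.version)
    if expected is None or card.version <= installed:
        return False
    return hmac.compare_digest(sha256_hex(card.payload), expected)

def audit(images_by_machine: dict, reviewed_digest: str) -> list:
    # Election-day check: list machines whose installed image differs from the
    # reviewed build. Images must be read out by independent equipment, since
    # software that is already altered cannot be trusted to report on itself.
    return sorted(m for m, img in images_by_machine.items()
                  if not hmac.compare_digest(sha256_hex(img), reviewed_digest))

# Constructed sample data (placeholders, not real firmware).
REVIEWED_V2 = b"reviewed build 2.0 - constructed sample bytes"
ALTERED = REVIEWED_V2 + b" + unreviewed change"
PUBLISHED = {(2, 0): sha256_hex(REVIEWED_V2)}

if __name__ == "__main__":
    forged = CardImage((9, 9), ALTERED)
    print("version-only rule installs forged card:", version_only_accepts((1, 0), forged))
    print("digest rule installs forged card:", digest_checked_accepts((1, 0), forged, PUBLISHED))
    print("machines failing audit:",
          audit({"machine-A": REVIEWED_V2, "machine-B": ALTERED}, PUBLISHED[(2, 0)]))
```

The digest list itself has to reach officials and observers through a channel the card cannot alter, for example publication alongside the review; a digital signature over the image would serve the same purpose.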

While I have only briefly scratched the surface of the issues, we can see that there are a number of flaws with the electronic voting systems that are being implemented today. But there are also a number of ways that manufacturers could mitigate some of these problems by making just a few design changes. Additionally, there are other viable products coming to market, like that from Open Voting Solutions, which completely circumvent the problems the other systems have by being completely open to scrutiny.

With computers now being used to do so much in our world, it’s logical to believe that they will one day handle the monumental task of tabulating our votes in an election. And, given our country’s position in the world, many eyes will be upon us to see how we implement these electronic voting systems. As responsible citizens, it is our duty to ensure that our government implements a system that is accessible, easy to use and fast, but above all, it must be one that is secure. The legitimacy of our democracy is at risk if we do not. §

Notes
7 Peter Katel, 2006 “Voting Controversies,” CQ Researcher 16: 750, http://library.cqpress.com/cqresearcher/document.php?id=cqresrre2006091500&type=hitlist&num=0 Accessed 21 Oct. 2006.
8 “Malware,” Wikipedia, Wikimedia, http://en.wikipedia.org/wiki/Malware Accessed 24 Nov. 2006.
9 Dave Byrd, 2006, “Diebold Election Systems Response to the Princeton University AccuVote-TS Analysis,” Diebold Election Systems, http://www6.diebold.com/dieboldes/pdf/princetonstatement.pdf Accessed 6 Nov. 2006.
10 Ariel J. Feldman, J. Alex Halderman, and Edward W. Felten, 2006, “Security Analysis of the Diebold AccuVote-TS Voting Machine,” Princeton University, http://itpolicy.princeton.edu/voting Accessed 30 Sept. 2006.
11 Randall Stross, 24 Sept. 2006, “The Big Gamble on Electronic Voting,” Editorial, The New York Times, Online ed.
12 United States. Cong. House, 31 Oct. 2001, Voting Technology Standards Act of 2001. 107th Cong., 1st session, HR 2275, http://thomas.loc.gov/cgi-bin/cp2gpo.script/http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=107_cong_reports&docid=f:hr263.107.pdf Accessed 15 Oct. 2006.
13 Julie C. Smyth, 28 Aug. 2003, “Voting Machine Controversy,” Common Dreams News Center, Cleveland Plain Dealer, http://www.commondreams.org/headlines03/0828-08.htm Accessed 15 Oct. 2006.
14 Rebecca Mercuri, 7 Jan. 2005, Address, North Carolina General Assembly, Joint Select Committee on Electronic Voting Systems, North Carolina, http://www.ncleg.net/committees/jointselectcomm_/january72005meee_/mercurinclegisl/mercurinclegisl.pdf Accessed 3 Dec. 2006.
15 Eric A. Fischer, Kevin J. Coleman, 14 Dec. 2005, The Direct Recording Electronic Voting Machine (DRE) Controversy: FAQs and Misperceptions, Congressional Research Service, The Library of Congress, http://www.votetrustusa.org/pdfs/CRSDREReport.pdf Accessed 21 Oct. 2006.
16 Roberto D’alicandro, 1 Sept. 2000, “E-Poll — Electronic Polling System for Remote Voting Operations,” E-Poll Project, http://www.e-poll-project.net/E-Poll.pdf Accessed 15 Oct. 2006.
17 Alan Dechert, 14 Oct. 2006, “Vendor Applies for Open Voting Consortium Certification,” Open Voting Consortium, http://www.openvotingconsortium.org/node/82/print Accessed 15 Oct. 2006.
