Elections grant citizens the ability to pick their representatives and convey their preferences for how they will be governed. Naturally, the integrity of the election system is fundamental to the integrity of democracy itself. Election systems must be built robustly enough to withstand an assortment of fraudulent behaviors, and must be clear and comprehensible enough that voters, as well as candidates, can acquire the results of an election. Unsurprisingly, history is littered with examples of elections being engineered in order to affect their outcome. Dr. Matt Bishop, professor in the Department of Computer Science at the University of California at Davis and author of Computer Security: Art and Science, says three components comprise computer security: “Confidentiality, integrity and availability” (p.3). Bishop describes each component, stating: “…[C]onfidentiality is the concealment of information or resources, integrity refers to the trustworthiness of data resources, and it is usually phrased in terms of preventing improper or unauthorized change and availability refers to the ability to use the information or resource desired” (Bishop, p.4-6). Of these three components of computer security, two are essential for e-voting security: confidentiality, which preserves anonymity, and trustworthiness, which is critical to instilling voter confidence.
The design of an excellent voting system, whether electronic or using traditional paper ballots or mechanical devices, must satisfy a number of sometimes competing standards. As was stated earlier, the anonymity of a voter’s ballot must be safeguarded, both to ensure the voter’s anonymity when voting against a pernicious candidate, and to ensure that voters have no evidence that proves which candidates received their votes. The existence of such evidence would provide the means for votes to be purchased by a candidate. The voting system must also be tamper-resistant in order to thwart a wide range of attacks, including ballot stuffing by voters and incorrect tallying by insiders. In the paper entitled Analysis of an Electronic Voting System, authors Tadayoshi Kohno, Adam Stubblefield, Aviel D. Rubin and Dan S. Wallach discuss the importance of human factors, stating: “Another factor, as shown by the so-called “butterfly ballots” in the Florida 2000 presidential election, is the importance of human factors. A voting system must be comprehensible to and usable by the entire voting population, regardless of age, infirmity, or disability” (p.3).
In other words, a voting system must be accessible to such a diverse population. Providing that accessibility is a weighty engineering problem, and one where, if the other security measures are done well, electronic voting could be a great upgrade over current paper systems.
The article Stop the Presses: How Paper Trails Fail to Secure e-Voting, by Daniel Castro, argues that traditional paper ballots are not a secure form of voting and that breakdowns in security controls have led to modified, spoiled and pilfered ballots, as well as stuffed ballot boxes. Castro believes “it is time for the debate on e-voting technology to move beyond a discussion of paper audit trails” (p.1-2). On the other hand, I argue that flaws in any aspect or methodology of voting system security can lead to incorrect election results, whether paper or electronic systems are used. I do agree with Castro, however, that e-voting must transcend the discussion of paper audit trails because both paper and electronic systems have their flaws. For instance, as a result of the Florida presidential election, the inadequacies of widely used punch card voting systems have become well understood by everyday people. Then there is the adoption of ‘direct recording electronic’ (DRE) voting systems to deal with the inadequacies of the paper system. DRE systems, generally speaking, completely eliminate paper ballots from the voting process. As with conventional elections, voters go to their local polling place and attest that they are allowed to vote there, perhaps by presenting identification (e.g. an ID card), although some states allow voters to cast votes without any identification at all.
The voter is typically provided with a PIN, a smartcard, or some other token that allows them to approach a voting machine, enter the token, and then vote for the candidates of their choice. When the voter’s selection is complete, DRE systems will typically present an overview of the voter’s choices, giving them a final opportunity to make adjustments. Then the ballot is cast and the voter is free to depart. However, the most important problem with such a voting system is that the entire election depends on the correctness, robustness, and security of the software within the voting machine. Should that code have security-relevant flaws, they might be exploitable either by dishonest voters or by mischievous insiders. Such insiders include election officials, the developers of the voting system, and the developers of the operating system on which the voting system runs. If any group introduces defects into the voting system software or takes advantage of pre-existing defects, then the results of the election cannot be confirmed to precisely reflect the votes legally cast by the voters.
In a lecture on e-voting security given on October 22, 2003, University of California, Davis, Computer Science Professor Dr. Matt Bishop provides a discussion of electronic voting schemes, stating: “One of the concerns in electronic voting schemes work by having a computerized voting machine take a user’s votes, through an input device like a touch screen and record it in storage. All votes are stored on three different sets of media for redundancy. At the end of the day, one of the pieces of media is removed from the machine, and the votes on it are uploaded to a server using a modem and telephone line. The server is not on the Internet, and can only be accessed through the phone line when the operators are told to turn on the modem at the server’s end on” (Bishop, Lecture 10/22/2003). Dr. Bishop’s lecture illustrates how vulnerable e-voting machines are, and that it takes diligence, prudence and better-written code to resist malicious attacks, whether the attacks come from insiders or external threats.
Reflecting on Castro’s argument discussed earlier, he said that voting machine security should move beyond the discussion of paper audit trails. I think this is a good point to consider because a paper audit trail in itself is not enough. A voter-verifiable audit trail is a record of how the voter voted, in a form that the voter can read or hear, but this poses two problems: one, the deliberate input of wrong data, and two, some people may not want others to see who they voted for. In addition to the aforementioned problems, I hypothesize another issue: the code could deliberately be attacked; if not the code, one could attack the operating system, if not on the actual server; and if the server is not connected to anything, the modem could be compromised or hacked. Correspondingly, Forefront, the College of Engineering magazine at the University of California, Berkeley, featured an article by Rachel Shafer entitled E-Voting Machines Crack Under Scrutiny. The article discusses flaws in e-voting machines uncovered by David Wagner, Associate Professor of Electrical Engineering and Computer Sciences at the University of California, Berkeley. Concerning vulnerability issues, he states: “We looked for anything that could corrupt the software, shut down a polling place or do harm to an election”, says Wagner, a renowned cryptologist and computer security expert who co-led the study with University of California, Davis Professor, Dr. Matt Bishop, “The flaws we found were pervasive, blatant and mundane” (p.1).
The preceding discovery by Dr. Matt Bishop and Professor David Wagner concerned Diebold Election Systems. In addition, the USA Today article published June 26, 2006, entitled Analysis Finds E-Voting Machines Vulnerable, by Andrea Stone, further comments on Diebold’s dishonesty, stating: “Election officials in California and Pennsylvania recently issued urgent warnings to local polling supervisors about potential software problems in touch-screen voting machines after a test in Utah uncovered vulnerabilities in machines made by Diebold Election Systems, such as:
-Using corrupt software to switch votes from one candidate to another, is the easiest way to attack all three systems. A would-be hacker would have to overcome many hurdles to do this, the report says, but none is insurmountable.
-Even electronic systems that use voter-verified paper records are subject to attack unless they are regularly audited.
-Most states have not implemented election procedures or countermeasures to detect software attacks” (p.1).
In addition to the preceding scrutiny, critique and attack on Diebold’s software vulnerabilities, the article (published December 21, 2005) entitled California Scrutinizes Diebold E-Voting, by CNET News staff writer Anne Broache, elaborates on Diebold’s issues, stating: ‘“California election officials said this week that they can’t certify Diebold’s electronic voting systems without additional federal review. In a letter sent Tuesday to the embattled Ohio-based company, Elections Chief Caren Daniels-Meade said “significant unresolved security concerns” exist with memory cards used by Diebold’s systems. She ordered the company to submit the source code of programs associated with those cards for “immediate evaluation” by federal independent testing authorities”’ (p.1).
Likewise, these above-mentioned articles support the article (published August 23, 2008) entitled Diebold Comes Clean, Admits That Its E-Voting Machines Are Faulty, by Darren Murph at Engadget, which states: ‘“According to spokesman Chris Riggall, a “critical programming error that can cause votes to be dropped while being electronically transferred from memory cards to a central tallying point” has been part of the software for ten years. The flaw is on both optical scan and touch screen machines and while Mr. Riggall asserts that the logic error probably didn’t ruin any elections (speaking of logic error…), the outfit’s president has confessed to being “distressed” about the ordeal. More like “distressed” about the increasingly bleak future of his company”’ (p.1).
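The transfer flaw quoted above, and the three redundant sets of media Dr. Bishop describes, both point to a check that election staff can run after every upload. The following Python is an added example, not part of the original essay or of any vendor's software; the record format, function names and machine identifier are assumptions, and the sample data is constructed.

```python
import hashlib
from collections import Counter

def digest(records):
    """Order-independent SHA-256 over one medium's ballot records."""
    h = hashlib.sha256()
    for rec in sorted(records):
        h.update(rec.encode() + b"\n")
    return h.hexdigest()

def reconcile(machine_id, media_copies, uploaded, signed_in):
    """Return discrepancy findings for one machine (empty list = consistent)."""
    findings = []
    digests = [digest(c) for c in media_copies]
    majority, count = Counter(digests).most_common(1)[0]
    if count == 1 and len(media_copies) > 1:
        # No two copies agree: nothing trustworthy to compare the upload against.
        return [f"{machine_id}: no two media copies agree"]
    if count < len(media_copies):
        bad = [i for i, d in enumerate(digests) if d != majority]
        findings.append(f"{machine_id}: media copies {bad} differ from the majority")
    reference = Counter(media_copies[digests.index(majority)])
    dropped = reference - Counter(uploaded)   # on the media, absent at the server
    added = Counter(uploaded) - reference     # at the server, never on the media
    if dropped:
        findings.append(f"{machine_id}: {sum(dropped.values())} record(s) dropped in transfer")
    if added:
        findings.append(f"{machine_id}: {sum(added.values())} record(s) not present on media")
    on_media = sum(reference.values())
    if on_media != signed_in:
        findings.append(f"{machine_id}: {on_media} records on media vs {signed_in} voters signed in")
    return findings

# Constructed sample data in an assumed "<record id>:<choice>" format.
CARD = ["0001:A", "0002:B", "0003:A", "0004:B"]
TAMPERED = ["0001:A", "0002:A", "0003:A", "0004:B"]   # one copy altered
UPLOAD_SHORT = ["0001:A", "0002:B", "0003:A"]          # last record lost in transfer

if __name__ == "__main__":
    for line in reconcile("M-17", [CARD, CARD, TAMPERED], UPLOAD_SHORT, 4):
        print(line)
```

Agreement among copies written by the same software shows only that the transfer was faithful, not that the machine recorded the votes correctly, which is why the paper audit trail discussed in this essay remains an independent check.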
For quite some time, voting machine vendors, such as Diebold spokesman Chris Riggall, have maintained that their systems are secure and that their closed-source nature makes them even more secure. However, my glimpse into this topic of e-voting security revealed that there is little difference in the way software is created for voting machines relative to other market endeavors. In fact, I believe that an open-source process would result in more accurate software development, as more scientists, software engineers, political activists, and others who hold their democracy in high esteem would be focused on the quality of the software that is used for the election process. Pushing corporate bureaucracy aside, such an exchange of information results in security vulnerabilities being repaired quickly, performance issues being fixed in the process, and software development reflecting the desires of the users, communally. I will argue that an open-source process has benefits. First, open-source processes reduce operational costs. Second, the fear of being controlled by the software industry is reduced, because many applications depend on the games that companies like Microsoft play with their operating systems, and the open-source community is free from this hegemonic pressure. Referring back to the paper Analysis of an Electronic Voting System by Tadayoshi Kohno et al., this paper adds emphasis to open-source solutions, stating: “Of course, open-source, would not solve all of the problems with electronic elections. It is still important to verify somehow that the binary program images running in the machine correspond to the source code and that the compilers used on the source code are non-malicious. However, open-source is a good start” (p.21).
The preceding quote by Tadayoshi Kohno et al. reveals that their argument is in clear contrast with closed-source, corporate software production, where the source code is proprietarily controlled and is not accessible to any person outside the corporation. The aforementioned paper also discusses the open-design process and how it has proven successful in projects ranging from very focused efforts, such as specifying the Advanced Encryption Standard (AES), through very large and complex systems, such as maintaining the Linux operating system. It also notes that Australia is currently using an open-source voting system (p.21).
Nevertheless, security designs such as the voter-verified audit trail provide a way for electronic voting systems to create a paper trail that can be seen and verified by a voter. In such a methodology, the correctness burden on the voting machine code is significantly reduced, as voters can see and verify a tangible item that describes their vote. In addition, even if, for whatever reason, the terminals cannot declare who the winner of the election is, the paper ballots can be recounted, either by machine or by hand, to obtain progressively more precise election results.
Tadayoshi Kohno et al. also describe, in their analysis, measures that DRE vendors are willing to support concerning voting methodologies, stating: “Voter-verifiable audit trails are required in some U.S. states, and major DRE vendors have made public statements that they would support such features if their customers required it. The EVM (Electronic Voting Machine) project is an ambitious attempt to create an open-source voting system with a voter-verifiable audit trail—a laudable goal” (p.21).
In conclusion, the arrangement where independent vendors produce privately owned code to run elections appears to be unreliable, and if we do not change the way voting systems are developed, voters will have no confidence that election results reflect the inclinations of the body politic. Developing powerful, well-designed e-voting system software is of primary importance, and critical to restoring voter confidence and maintaining a democratic society.*
References:
Bishop, Matt. (2003). Computer Security: Art and Science. Pearson Education, Inc. Addison-Wesley. P. 3-6.
Broache, Anne. (2005). California Scrutinizes Diebold E-Voting. CNET News. Retrieved on 19 November 2008. http://news.cnet.com/California-scrutinizes-Diebold-e-voting/2100-1028_3-6004615.html.
Castro, Daniel. (2007). Stop the Presses: How Paper Trails Fail to Secure e-Voting. The Information Technology & Innovation Foundation. P. 1-2.
Murph, Darren. (2008). Diebold Comes Clean, Admits That Its E-Voting Machines Are Faulty. Engadget.com. Retrieved on 19 November 2008. http://www.engadget.com/2008/08/23/diebold-comes-clean-admits-that-its-e-voting-machines-are-fault/.
Shafer, Rachel. (2007). E-Voting Machines Crack Under Scrutiny. Forefront: College of Engineering Magazine at the University of California, Berkeley. P. 1. Retrieved on October 23rd at 7:20 P.M. http://www.coe.berkeley.edu/news-center/publications/forefront/archive/forefront-fall-2007/in-the-news/e-voting-machines-crack-under-scrutiny.
Stone, Andrea. (2006). Analysis Finds E-Voting Machines Vulnerable. USAToday.com. Retrieved on 19 November 2008. http://www.usatoday.com/news/washington/2006-06-26-e-voting_x.htm.
Kohno, Tadayoshi et al. (2004). Analysis of an Electronic Voting System. IEEE Computer Society Press, May 2004. This paper previously appeared as Johns Hopkins University Information Security Institute Technical Report TR-2003-19, July 2003.
*This article was originally published in 2008 during the author’s tenure at the University of California, Berkeley, Computer Science 195, Professor Brian Harvey.
