Технології, безпека і вибори. Що читнути зараз
Минулого тижня на reddit було обговорення різних проблем, які стосуються технологій і виборів. Там американський контекст, але вони покривають дуже багато дотичного:
- інтернет-голосування (та Естонію)
- машини для голосування (ну і Індія)
- чому папір рулить, але сканери важливі
- цифробезпекові загрози
ось вам спойлер (ми попереду планети:)
питання: “Яка з машин для голосування зараз найбезпечніша?”
відповідь: “З точки зору безпеки найкраще — паперовий бюлетень заповнений вручну у парі з подільничним підрахунком на оптичних сканерах і аудит з обмеженням ризиків”.
Далі англійською, оригінал тут (може я колись це перекладу)
What do you find are the most convincing arguments against Internet voting, for a non-technical audience?
-
One of the things that experts tell me all the time is that we don’t know how to do anything over the internet with the level of security that we expect from our elections.
Supporters of internet voting often point out that we trust the internet for other sensitive applications, like banking. But you can dispute a transaction and get your money back. There’s really nothing happening online that’s comparable to elections, in terms of the stakes. So the inherent vulnerabilities in the internet raise more serious questions for voting than for any other application.
Internet voting systems tend to be fragile. A few years ago, Washington, D.C. built an online voting system and invited anyone to try to hack in during a mock election. It took me and my students only about 48 hours to gain full control and change all the votes, and the election officials didn’t notice anything was wrong until somebody noticed a musical “calling card” we left for them to find. More here:
https://freedom-to-tinker.com/2010/10/05/hacking-dc-internet-voting-pilot/
More recently, a colleague and I found exploitable vulnerabilities in an Australian online voting pilot during a live election:
https://freedom-to-tinker.com/2015/03/22/ivote-vulnerability/
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What is the reason for the push for these machines when pen and paper seem so much more obviously secure and transparent…is it just that tallying votes is faster? Or is there something I’m missing?
-
It’s important to note that there are two separate elements of voting where we can choose manual or electronic methods.
The first is the voting machine. You can use your hands as that “machine” and mark a paper ballot by hand, or you can have an electronic device where you make your choices and it spits out a paper record (or only records your vote digitally, which is the big problem in many counties right now).
The second is the tabulation machine. You can have poll workers manually counting votes based on the paper ballots, or you can have an optical scanner that digitally tallies votes based on those same ballots.
Tallying votes isn’t as much of an issue — because optical scanners are pretty fast — as managing the devices that are used to actually record the votes. And many election officials find it more of a hassle to manage stacks of paper ballots than a handful of electronic machines. (Of course, electronic machines break down, so there are management problems there, too.)
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What do you think about the brazilian voting machines and what happened when the Superior Electoral Court of Brazil denied your participation on an election auditing process?
-
Brazil’s paperless electronic voting machines have major security problems. I haven’t had an opportunity to examine them myself, but fortunately Professor Diego Aranha (formerly of the University of Campinas) has. His research details many flaws, including ways that an attacker could potentially figure out how everyone voted! See: https://sites.google.com/site/dfaranha/projects
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Can you show me proof that the current way of voting is not hacked?
-
No, and that is the fundamental problem with our current election system: it’s based on faith, rather than evidence.
Our election system should be designed to produce evidence sufficient to convince a rational skeptic that the outcome is correct. One way to do that is to have transparent, observable processes, including statistically rigorous risk-limiting audits.
Instead, all too often, voters simply have to take election officials’ word that everything is fine. Most election officials are great people and diligent public servants, but it seems fundamentally wrong that voters should be forced to trust them.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — —-
What is the safest voting machine out there right now?
-
From a security perspective, the safest technology right now is hand-marked paper ballots (HMPB) coupled with precinct-count optical scanners (PCOS) and risk-limiting audits (RLAs).
In this kind of system, voters mark ballots manually and put them into a scanner right in the polling place. The scanner creates an electronic record of the marks, and the physical ballots are stored in a ballot box. This means there are redundant records — physical ballots and electronic records.
Officials can use an RLA to efficiently check that both sets of records agree about the winner. Tampering with both kinds of records (in a way that agreed) would require both a high-tech attack and a large conspiracy of people on the ground changing the paper.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What’s the best way to overcome the “hanging chad” issue with paper ballots that we saw during the presidential election in 2000?
-
Manufacturers of paper ballots have significantly improved the design of these ballots since 2000. No voting method is perfect, but research from 2012 suggests that the error rate is between 1% and 2%. The vast majority of the voting problems I heard about on Election Day 2018 related to electronic voting machines, rather than paper ballots or their scanners. We’ve come a long way since 2000.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Are you saying that foreign government agencies can and have tampered with actual voting machines and alter votes? From what iv’e read from the Mueller Report was that most efforts were focused on online social media, not actual government infrastructure.
-
If a voting district has been tampered with, what are the steps for a backup with paper ballots and whats the likelihood of people changing their votes/becoming uninterested in redoing the process?
What is the power of blockchain in voting and can it be effective? I only recall one presidential candidate(Andrew Yang) weighing pros and cons of it, but im largely unfamiliar with this method
This is no evidence that foreign governments have tampered with voting machines to alter votes. The problem is, there’s a real threat that such an attack could happen in the future. Across much of the U.S., we vote on computer voting machines that have known vulnerabilities. And even in states that have a paper trail that can’t be changed in a cyberattack, the paper usually isn’t checked unless there’s a recount.
Take a look at this federal court ruling about Georgia’s voting system (released just this morning!). It shows in detail just how open to attack some of the electronic voting systems used today are.
https://pacer-documents.s3.amazonaws.com/47/240678/055111879247.pdf
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
India uses EVMs that haven’t had any problems. They arent connected to any systems whatsoever so can’t be hacked unless you hit each individual machine. Why can’t the US?
-
It’s true that India has the largest deployment of electronic voting machines in the world, based on a home-grown machine that is dramatically simpler than the touch screen computers common in the US, but they still have lots of problems.
I worked with researchers in India several years ago to do a detailed security analysis of the Indian machines. You can read our research paper and see a video of our findings here: https://indiaevm.org
With just a few minutes of physical access, an attacker can tamper with the machines to change the votes stored in them, or to make the machines count future elections dishonestly. We built low-cost hardware devices to carry out both attacks.
As a result of our research, India has recently rolled out a voter-verifiable paper audit trail (VVPAT), which could help detect such attackers. Unfortunately, I understand that there are some major unresolved problems with the implementation. First among them, the audits aren’t risk-limiting, so in a close election, they might not be thorough enough to detect outcome-changing fraud.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
If our local voting area has refused to get paper backups what can we do to pressure them?
-
Point them to the bi-partisan Senate Intelligence Committee’s recommendations:
https://www.intelligence.senate.gov/sites/default/files/documents/Report_Volume1.pdf
Given Russian interventions to undermine the credibility of the election process, states should take urgent steps to replace outdated and vulnerable voting systems… at a minimum, any machine purchased going forward should have a voter-verifiable paper trail.
Or the findings of the National Academies of Science, Engineering, and Medicine:
http://sites.nationalacademies.org/pga/stl/voting/index.htm
[a]ll local, state, and federal elections should be conducted using human-readable paper ballots by the 2020 presidential election.
Or if they really want to get down into the details, to my Coursera course, Securing Digital Democracy:
https://www.coursera.org/learn/digital-democracy
Edit to add: Groups like Verified Voting have great resources about election security that could be a big help for your local efforts.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
While I understand it can be hacked Is there any evidence that any of the previous machines used in previous elections (at any level) have been hacked?
-
While Russia is often cited as wanting to mess with western elections is that any evidence out there of a credible threat/intent to commit wild scale voter hacking at any election? beyond the teenager in his parents basement
There is no evidence that a voting machine has been hacked while it was used in an election. And Russia has found it much easier to mess with our minds (through disinformation campaigns) than with our voting machines, so this is not likely to ever be their top attack vector.
The concern we see about voting security is about closing as many gaps as possible. There are certainly other gaps that are more likely to be exploited. But maintaining confidence is an important part of conducting elections, and people lose confidence when they know that they’re voting on machines with vulnerabilities.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Hi Alex — I work on election security in my state, assessing different county setups. Every county votes on paper, but you showed me last year that even the tabulators are susceptible. I was lucky enough to be in the audience during your talk at DEF CON.
-
ES&S seems to have at least a decent system in place for delivering and handling election definition USB sticks. What’s the real risk of tabulators being hacked? Is there an easy way to check what vulnerabilities exist by firmware version? Do you have any recommendations on securing paper ballot states?
Yes, even tabulators (optical scanners) are susceptible to hacking, because under the hood, they’re pretty powerful computers, with complex, reprogrammable software and sometimes even wireless Internet access (for transmitting results on election night).
In past studies, we’ve found that election definition files (which officials copy to ever machines before the election to program in the ballot design and the counting rules, etc.) can carry malware or exploit things like buffer overflows to infect the machines. ES&S is a good illustration of the risk: they create the ballot programming for 2000 jurisdictions across 34 states from their corporate headquarters, which is a much more centralized point of attack that most people are aware exists.
One important defense is to make sure you have the latest firmware. But voting machine firmware tends to be years out of date, because there’s a lengthy certification process. For instance, the latest certified ES&S software still relies on Windows 7, which will soon be unsupported by Microsoft.
Incredibly, most states do not even require that jurisdictions use the newest available firmware. For example, Georgia currently uses paperless DREs across the state with firmware that hasn’t been updated since 2005.
The strongest and most important defense is to rigorously audit the paper trail, through manual risk-limiting audits. Even if the machines are somehow hacked, such audits ensure that there’s only a small statistical chance that any outcome-altering fraud will go undetected. That creates a powerful deterrent, and if an attack happens anyway, you can correct it by recounting the paper.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why bother with voting machines at all?
-
There is no way to verify the integrity of the electronic count, neither for an individual voter nor at the national level. Hence, you’ll need a manual count to be able to trust the result, which reduces the machine to an incredibly expensive pen.
Even after hacking many different voting machines myself, I don’t agree that we should get rid of computer counting technology completely. There is a long, rich history of fraud in paper voting (see https://en.wikipedia.org/wiki/Electoral_fraud#Tampering_with_electronic_voting_machines) that we’d be foolish to ignore.
We can do a lot better by using computer systems that are “software independent”. That means that any error or hack affecting the outcome can be detected. One way to do this is to use paper ballots with optical scanners and manual risk-limiting audits, so you get two independent records of every vote that would need to be separately hacked to change the results without detection.
That’s way stronger than either hand-counted voting or unaudited computer voting alone.\
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why can’t voting machines give you a receipt of your votes? If each receipt had a unique code, you could go to a website later and see whether your vote was counted. Maybe even see all the votes cast (anonymously of course). If your vote(s) don’t show-up you would have a reasonable right to complain. As it is, the whole thing is a black box where no one has any idea of what happens after you leave the machine.
-
There’s an active research area about this, called end-to-end verifiable voting system.
https://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems
The challenge is, can we make a kind of cryptographic receipt that proves to you, the voter, that your vote has been correctly included in the count, but that doesn’t let you prove to anyone else how you voted. (Because if you could, you could use the receipt to sell your vote, or you could be coerced into voting a certain way…)
Hopefully some day soon we’ll have paper-based voting systems that also gives you this kind of proof.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why are electronic voting machine so much less secure and apparently hack-able than the multitudes of software/machines used to conduct transactions in the paperless economy?
-
Who says e-commerce is secure? Fraud in online banking alone amounts to billions of dollars a year, but we can see it and measure it because the banking system is built around account statements and tracking every dollar. With voting, the technology is certainly no more secure, but fraud is potentially invisible, because of the secret ballot.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What steps can state and local government take (or have they taken already) to secure voter roll information and keep those interested in foul play from disrupting the voting rights of citizens?
-
The federal government, through the Department of Homeland Security, has been offering free cybersecurity services to state governments for things like these databases. They’ll come in, scan and probe these systems, and produce a report with recommended fixes. So that’s one good option.
DHS’s services are in high demand, though, so there have historically been long wait times for them. But many companies offer similar services where they’ll audit the databases for vulnerabilities.
From a technical perspective, these databases are nothing special. They run on the same technology that powers databases in many other industries. As a result, many of the best practices for protecting them — like reducing unnecessary user privileges and regularly applying software updates — are common knowledge in the IT world.
When the Obama administration saw Russia interfering in the 2016 election, voter registration databases represented their biggest concern. Because they’re connected to the internet, it’s much easier for a hacker to remotely mess with them than with actual voting machines. So even though our tracker page doesn’t evaluate these databases, they’re definitely one of the most tempting targets and highest-priority systems for defending.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Are the computers connected to some kind of system when they’re being used? Also, if they are, could they be affected in that would make it mark a paper ballot incorrectly?
-
Voting machines are supposed to be disconnected from all other systems when they’re being used, but some of them have wireless modems that are used for transmitting unofficial results on election night. Under the right circumstances, these modems can be vectors for remote compromise (because they transmit over, and thus connect to, the internet).
If a hacker were to plant malicious code on a voting machine (whether through modems or by compromising the software that’s used to program the machines before elections), they could cause it to incorrectly mark the ballot.
This is one reason why many experts dislike ballot-marking devices, which are computers that generate paper ballots once a voter is done voting. BMDs are the hot new thing in many jurisdictions that are ditching their paperless voting machines, but with a BMD, you are still trusting a computer to accurately mark the piece of paper.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
PA Pollworker Here — I support HMPBs for all that are able and BMDs for disability use. The state has allowed counties to select systems that are BMD for all if they want. This seems overly expensive and less secure than voting my paper (especially with many counties selecting the ES&S ExpressVote XL — it’s an election, not netflix and chill).
Aside from providing the scientific evidence, is there any way that you would suggest getting the point across to BOE officials and decision makers that HMPB systems are better? The officials make the excuse that disabled voters should not be made to vote on something different. That language seems directly ripped from ES&S promo materials and no one can tell me why we don’t have ramps everywhere instead of stairs.
-
PA native here — I agree that using BMDs (touch screen computers that print your ballot) for all voters creates unnecessary security risks, and there’s no question that the equipment is far more expensive than using hand-marked ballots and a single scanner per polling place.
What I worry about most is that BMDs could be hacked in a way that causes them to print different choices from what the voter marks on screen. In preliminary studies where we’ve had people vote in mock elections where we hacked the BMDs outselves, only a tiny fraction of people notice, and most of them blame themselves for making a mistake rather than suspecting the machine!
One of the most frequent problems raised by voters with disabilities is that when BMDs are only provided for voters who need them, they’re often not set up properly or otherwise out of order. But those seem like much easier problems to address (say, by requiring adequate testing and auditing local municipalities’ compliance) compared to somehow making BMDs unhackable.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Did any country get electronic voting right so far? India, for example, is very large country and uses it and there’s been concern about it recently.
-
This is a hard question to answer. There is no point at which we can definitively say that something is working reliably and securely and that its operator got it “right.” Someone can always find a vulnerability in a system tomorrow that changes our understanding of its security.
Estonia, for example, touts its widespread digitization and its online voting, but there have been problems there.
https://jhalderm.com/pub/papers/ivoting-ccs14.pdf
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What books would you suggest to learn more about cyber security, especially related to elections?
-
My favorite book about election security is definitely Broken Ballots by Doug Jones and Barbara Simons. It’s basically the definite history of computer security problems in elections.
https://www.press.uchicago.edu/ucp/books/book/distributed/B/bo13383590.html
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Prof. Halderman,
“Paper with audits” are heralded by many as what will save US from insecure elections.
But how is it reasonable to assume audits can help?
The basic needs for a meaningful audit aren’t met. It’s unreasonable to assume that the ballots after a delay and the complex audit process itself will be trustworthy and accurate. This is especially true because audits are controlled by interest-conflicted and / or partisan-conflicted Secy’s of State or election officials. This can’t be the answer.
What are your thoughts about Public Streamed Adversarial-teamed hand-counts?
Why shouldn’t we join the multiple other countries like Japan, Netherlands, Canada, Australia and so many others who hand-count? Don’t we deserve accurate elections?
-
It is much harder to do mass tampering with votes recorded on paper than it is to do so with electronically recorded votes (see my answer here).
There is no way to completely rule out malicious insiders throwing away ballots or things like that, but if we stopped doing everything that was even a little bit risky, we wouldn’t have a civilization anymore.
Paper ballots do come with their own logistical challenges, especially maintaining that physical chain of custody, as you mentioned. But physical problems are a lot more visible and hard to execute at scale than digital problems.
It takes more people to join a conspiracy to successfully produce and distribute forged ballots than it does to plant malware on a computer used for programming voting machines (which would then distribute malicious instructions to all the machines it programs).
It all comes down to that issue of scale. Which method makes wide-ranging attacks easier?
It’s also worth remembering that election officials have successfully safeguarded paper ballots for a lot longer than they’ve handled cyber defenses. Their processes for doing so are simply more robust and fine-tuned.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why are so many politicians adamantly against paper ballots?
-
Politicians want to give voters what they want, and voters enjoy electronic voting machines because they’re familiar and convenient (they’re basically giant iPads).
Some politicians also harbor mistaken beliefs about the security and reliability of paper ballots compared to electronic devices.
In some cases, politicians aren’t so much against paper ballots as they are against replacing what they have with something else, for cost and logistical reasons.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
I spent 20 years in the casino industry, where independent companies like Gaming Laboratories International Inc. are responsible for vetting slot machines and related computer programs. Why isn’t the voting machine industry similarly regulated? What would it take to move this forward?
-
The voting technology industry is very small. As a result, the individual vendors are very powerful. They have significant sway over federal and state regulators. In some cases, vendors hire former legislative staffers to help them get an “in” with lawmakers so those lawmakers will take their calls before they talk to activists.
Voting technology is a wonky issue that is hard for politicians to grasp. This is where the vendors’ influence is particularly important. When lawmakers turn to outsiders to help them understand it, the best-prepared outsiders are often the vendors.
Most policymakers and citizens haven’t been thinking deeply about voting security for as long as people have been thinking deeply about casino security.
Elections are infrequent, so most people don’t think about election administration on a regular basis. As a result, until relatively recently, there wasn’t much organized activist energy around election security.
The traditionally state-run nature of elections has made many federal lawmakers hesitant to introduce new national regulations.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Are the data cards used in the typical Diebold voting machine still vulnerable to manipulation? I watched a Greg Palast documentary about a decade ago where a code writer manipulated the count with a simple addition of a +5/-5 scenario in the formula and it took 5 votes from candidate A and gave it to candidate B upon the final count.
Also, when are we going to start preventing people who make the machines from contributing to the campaigns of the people who hand out the contracts for the voting machines?
-
You’re referring to a beautiful attack (at least by the perverse standards of security experts!) discovered by Harri Hursti that worked against Diebold AccuVote OS optical scanners.
These machines had an integer overflow bug that meant you could start the counters with the ballot box stuffed for candidate A and a with a very large number of votes for candidate B that would eventually overflow and reset to 0. The net effect would be that the total number of votes matched the number of voters who used the machine, but with a set number of votes stolen from B and added to A.
See: https://en.wikipedia.org/wiki/Hursti_Hack
This has indeed been fixed in newer firmware. However, many states have no requirement that jurisdictions install firmware updates, and nobody tracks which firmware versions are installed nationally, so I can’t tell you how many jurisdictions are still vulnerable today.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
How much money do you estimate it’ll cost to have every poll location “upgraded” to paper ballots and how much to upgrade all of them to paperless that’s secure enough to be reliably untouched by rouge agents?
-
Surprisingly little!
I testified to Congress about this earlier this year (https://jhalderm.com/pub/misc/fsgg-voting-written19.pdf) and concluded that it would cost about $370 million to implement paper ballots in every U.S. jurisdiction that lacks them today (assuming an average of $7500 per precinct to acquire one ballot scanner and one accessible voting device for voters with disabilities).
Once you have paper ballots, risk-limiting audits are cheap. Auditing ever federal race would cost less than $25 million a year.
$370M might seem like a lot of money, but this is by far the cheapest major cybersecurity challenge to solve. And we can do it without any technical breakthroughs.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
Why must voting machines be connected to the internet?
-
Many new models have cellular modems so that they can send in election-night results over the Internet. (In case it needs to be said, this is a bad idea.) But even older models need to be programmed with the ballot design before every election. Officials (or outside vendors) create that ballot programming on a computer called an election management system (EMS) and copy it to the machines on a memory card or USB stick. EMSes often are connected to the Internet, or are only one hop away, since workers copy files to them from Internet-attached systems.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
What are the best policy measures needed to protect elections ?
-
The U.S. desperately need stronger national leadership on election security. The points I’d most like to see are:
A requirement that every federal election be conducted with paper ballots.
A requirement that the results of every federal election be subjected to a risk-limiting audit, to confirm that the computer totals match the paper ballots.
Federal cybersecurity standards for election administration, including requirements to follow security best practices for securing voter registration systems, election management systems, and outcome reporting systems.
None of these measures is particularly expensive or difficult, and many states are already implementing at least some of them. But until we get a minimum election security standard (and further federal resources to help the states implement them), it will be many years until all states have these necessary defenses in place.
— — — — — — — — — — — — — — — — — — — — — — — — — — — — — —
