Tuesday, 29 November 2016

On the potential for fraud in electronic elections

A lot of people have questions right now about the role of electronic voting in the recent US election. I have been steering clear of pretty much all news about the election (for obvious reasons) but I think I can still shed some useful light on the matter. In fact I think it might be more useful to speak in generalities, and you can apply this knowledge to specific news stories.

I'm afraid it's not going to be very reassuring.

I completed a Computer Science PhD on the topic of e-voting in 2008[1]. That's old, for a PhD, but there have not been any startling new developments in the field since then. In fact most of the e-voting systems in use in the US probably pre-date my PhD by quite a long way.

Let's start with the basics. Polling place e-voting systems[2] are usually broken down into two categories: DRE and optical scan.

DRE

DRE stands for Direct Recording Electronic. These machines sometimes print a paper record of the ballot (a voter-verified paper audit trail), but the main record of the vote cast is internal to the machine. That internal record is fundamentally unreliable, because the voter never sees it. The machine can display one thing on its screen and record something completely different (or indeed nothing at all) in its internal memory, and the voter has no way of knowing. A printed record only helps if the voter actually checks it, and if it, rather than the machine's memory, is what gets counted when the result is audited.

Optical Scan

Optical scan systems fare somewhat better. The original ballot, as marked by the voter, still exists and can be rechecked. If you don't trust the system, you don't have to run the ballots back through it; you can count them by hand.

But this advantage is meaningless unless you actually do count some of the ballots by hand, chosen at random so that whoever controls the machines cannot predict which ones will be checked. If you simply rely on the results from the scanning machines you're back to the same problems the DRE systems have: the reported total is whatever the machine says it is. And in reality these ballots are rarely hand-counted. No one wants the added expense, or to have to deal with finding that the results don't match, so they don't look.
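To make the point concrete, here is an added example (not code from the original post, and not from any voting-system vendor) of what "count some of them by hand" looks like when done properly: a ballot-polling risk-limiting audit, following the BRAVO procedure of Lindeman and Stark. The paper ballots, the optical scanner and its misreporting behaviour are all constructed for the example. The auditor draws paper ballots at random and reads them by hand; the scanner's tally is used only to fix the claim being tested. If the sample supports the reported winner the audit stops early, and if it never does, every ballot ends up hand-counted, which is exactly the outcome a misreporting scanner should force.

```python
"""Ballot-polling risk-limiting audit (BRAVO) run over the paper ballots behind
an optical-scan tally.  Added example; ballots and scanner are constructed."""
import math
import random
from collections import Counter


def build_paper_ballots(counts, seed=1):
    """Construct a shuffled list of paper ballots from {choice: count}.
    Constructed input for the example, not real election data."""
    ballots = [choice for choice, n in counts.items() for _ in range(n)]
    random.Random(seed).shuffle(ballots)
    return ballots


def scan_and_report(paper_ballots, flip_from=None, flip_to=None, flip_every=0):
    """Simulate the optical scanner that produces the reported tally.

    With flip_every=0 the scanner is honest and the tally matches the paper.
    Otherwise every flip_every-th ballot marked for flip_from is reported as
    a vote for flip_to: a hypothetical misreporting scanner, standing in for
    the kind of silent error or tampering the text describes.
    """
    reported = Counter()
    matched = 0
    for choice in paper_ballots:
        if flip_every and choice == flip_from:
            matched += 1
            if matched % flip_every == 0:
                choice = flip_to
        reported[choice] += 1
    return reported


def bravo_audit(paper_ballots, reported_tally, candidates, risk_limit=0.05, seed=0):
    """Ballot-polling RLA (Lindeman & Stark's BRAVO) for a single-winner
    plurality contest.

    Paper ballots are drawn uniformly at random without replacement.  For each
    (reported winner w, reported loser l) pair the likelihood ratio T_wl is
    updated from the hand-read ballot alone; the scanner's interpretation is
    never consulted except to fix the reported shares being tested.  The
    outcome is confirmed once every T_wl >= 1/risk_limit.  If the ballots run
    out first, every one has been read by hand: the audit has become a full
    hand count.

    Returns (confirmed, ballots_examined, hand_count).
    """
    winner = max(candidates, key=lambda c: reported_tally[c])
    losers = [c for c in candidates if c != winner]
    # share[l]: reported share of w among ballots for w or l (BRAVO's p_wl).
    share = {}
    for l in losers:
        s = reported_tally[winner] / (reported_tally[winner] + reported_tally[l])
        if s <= 0.5:
            raise ValueError("reported tally has no unique winner to audit")
        share[l] = s
    log_t = {l: 0.0 for l in losers}
    threshold = math.log(1.0 / risk_limit)

    order = list(range(len(paper_ballots)))
    random.Random(seed).shuffle(order)
    hand_count = Counter()
    for examined, idx in enumerate(order, start=1):
        choice = paper_ballots[idx]
        hand_count[choice] += 1
        if choice == winner:
            for l in losers:
                log_t[l] += math.log(2 * share[l])
        elif choice in share:
            log_t[choice] += math.log(2 * (1 - share[choice]))
        # Blank, invalid or other ballots leave every T_wl unchanged.
        if all(v >= threshold for v in log_t.values()):
            return True, examined, hand_count
    return False, len(paper_ballots), hand_count


def demo():
    paper = build_paper_ballots({"A": 6000, "B": 3800, "blank": 200})
    honest = scan_and_report(paper)
    confirmed, n, _ = bravo_audit(paper, honest, ("A", "B"))
    print(f"honest scanner   reported {dict(honest)}: "
          f"confirmed={confirmed} after {n} ballots")

    # Scanner silently reports every 4th A ballot as B: A 4500, B 5300.
    tampered = scan_and_report(paper, flip_from="A", flip_to="B", flip_every=4)
    confirmed, n, hand = bravo_audit(paper, tampered, ("A", "B"))
    print(f"tampered scanner reported {dict(tampered)}: "
          f"confirmed={confirmed} after {n} ballots; hand count {dict(hand)}")


if __name__ == "__main__":
    demo()
```

With the honest scanner the reported 60/38 split is confirmed after a few hundred hand-read ballots. With the tampered scanner the likelihood ratio never reaches 1/risk_limit, because the paper disagrees with the claim, so the audit escalates until all 10,000 ballots have been hand-counted and the true winner A is recovered. The randomness of the draw is what makes this work: a scanner that knew in advance which ballots would be rechecked could misreport the rest with impunity.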

Computers

There's a famous essay[3] called Reflections on Trusting Trust in which Ken Thompson explains why you "can't trust code that you did not totally create yourself", and he means totally: a compromised compiler can insert a backdoor into the programs it builds, and into every future copy of itself, while the source code of both looks perfectly clean. I don't want to get too technical in this post (but I recommend giving the essay a go). Let's just say that it is well-known in computer science that you cannot establish what a computer will do simply by inspecting the code you were handed to run on it.

Usually the first objection I get when I make this statement is something to do with electronic banking. We trust that, don't we? Well no, not really. We keep extensive audit trails (my bank records my side of the transaction, your bank records yours), and the wiser among us check those records. Even so, identity theft and banking fraud are huge problems.

We can't keep an audit trail like that for elections. The secrecy of the ballot is vital to ensuring one-voter one-vote: a voter who can prove how they voted can be bribed or coerced.[4]

Possible Attacks

I'm not going to comment on any specifics from the recent election. As I've said, I've made a point of not reading about it. I'm not saying any of these things have happened to any system used in US elections. These are simply scenarios that I can imagine.

Employees

Employees of companies that sell voting systems may be politically or financially motivated to modify the behavior of those systems to help a particular party or candidate. It would take a very skilled engineer to make these changes and cover their tracks, but it's certainly possible.

Viruses

All electronic voting devices need some way for poll workers to load the current ballot definitions. This is often done with a USB key or a CD, or by connecting the device directly to another computer. Someone who knows the target system well enough could potentially get a virus[5] onto voting computers via these or other updates. (Do a search for 'Stuxnet' for an example of a politically motivated virus, one that reached isolated industrial control systems over exactly this kind of removable media.)

Human error

Not technically an 'attack' I suppose, but just as serious. Code is written by humans. If a poll worker counting paper ballots makes a mistake, that mistake affects only the ballots in front of them. If a software developer makes a mistake, the same error runs on every machine using that software, and could potentially change the outcome of an election. Even high-quality software testing (which is sadly rare in the IT industry) cannot hope to find all errors.

Decentralization

The one saving grace that I see in US elections is their decentralization. In many countries there is one central authority running elections, designing ballots and buying voting machines. The US is different: a US presidential election is essentially thousands of elections, because elections are often run at the county level (or sometimes even more locally).

On the other hand (partly because of the Electoral College) you don't actually have to subvert all of those elections to alter the final outcome. Some states, and even some districts, are more valuable than others. Focusing attacks on the systems that are most vulnerable, in the areas that are most valuable and where the expected outcome is least clear, could significantly reduce the required investment while still pushing your favored candidate over the finish line.

Conclusion

The kinds of attacks I've outlined require significant investment. But elections in the US are at the very least a multi-billion-dollar business. When you include all the political ramifications... let's just say I find it hard to understand why this topic hasn't received more attention.

I'd welcome any comments or questions. You can comment on this post, or send me an email to mmcgaley[at]gmail[dot]com

Other Resources

I recommend this video, by Tom Scott: https://www.youtube.com/watch?v=w3_0x6oaDmI
You can read my PhD thesis here: http://eprints.maynoothuniversity.ie/1486/
An essay on the history of e-voting in Ireland: http://www.internethistory.ie/articles/EVoting
The findings of the Commission on Electronic Voting in Ireland: http://notesfromthesound.com/archives/www.cev.ie/index.htm



[1] Sorry about the use of footnotes, I guess I'm still an academic at heart.
[2] I won't even go into Internet voting. (a) It's a horrible idea, and (b) it's not in widespread use.
[3] Famous among computer scientists. It was originally a lecture delivered when Thompson received his Turing Award, which is often called Computer Science's Nobel Prize.
[4] This is why I find Oregon's decision to use all-mail-in balloting baffling.
[5] There are actually several kinds of "malware" (malicious software) including viruses, trojans, and others. But 'virus' will do for this post.