Dan Tokaji's Blog
Professor Dan Tokaji
Election reform, the Voting Rights Act, the Help America Vote Act, and related topics -- with special attention to the voting rights of people of color, non-English proficient citizens, and people with disabilities

Wednesday, September 13
Princeton Paper on Diebold's AccuVote TS
Researchers at Princeton University today released a "Security Analysis of the Diebold AccuVote-TS Voting Machine." The Diebold TS is the type of direct recording electronic (DRE) voting machine used in Georgia and Maryland, among other places. The Princeton report is receiving a fair amount of attention, including this AP story. Here's the report's abstract:

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities -- a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine's hardware and software and the adoption of more rigorous election procedures.
The report warrants attention. With the caveat that I've only had a chance to do a relatively quick read of the report, some initial reactions follow. My focus is on the impact that the Princeton researchers' findings should have on the ongoing law and policy debates regarding electronic voting.

The Princeton report's most important contribution to this debate is that the researchers actually had access to a DRE machine, in contrast to some prior research that relied solely on the source code and assumptions about how it would be implemented. The researchers also made an effort to consider how these machines are implemented in real elections, though it's hard to tell, at least in some places, what they're basing their statements about the procedures followed in implementing this equipment on. In one place, their description of data being downloaded onto memory cards (section 2.2) comes from Diebold itself. That seems quite fair. But in other places -- such as the process for setting up machines on election day (section 3.3.1) and post-election procedures (section 3.3.3) -- it's not clear to me what they're relying on for their description of the process followed. I'm not saying that their descriptions are inaccurate, just that it's hard to verify the accuracy of their procedural descriptions from the report itself.

This is a critical point, because if there's one thing that emerges quite clearly from their report, it's that procedures matter when it comes to the implementation of electronic voting systems. In fact, this is true of any type of voting equipment. The main vulnerability that the Princeton researchers identify with Diebold's DRE is that someone with "physical access to a voting machine, or to a memory card that will later be inserted into a machine, can install ... malicious software using a simple method that takes as little as one minute." I have no reason to believe this finding to be false. The key point is that, to perpetrate such an attack, one would need access to either a voting machine or a memory card that would later be inserted into a machine.

From the standpoint of election procedures, this finding puts a premium on limiting access and maintaining a chain of custody, both for memory cards and for voting machines (section 5.2). Once software is loaded onto the machines, they have to be treated with the level of care that one would treat a ballot box. Just as it is possible to stuff ballots into an unguarded ballot box with a paper-based system, it is possible to manipulate vote totals on an electronic system if it is left unguarded. The report also highlights the dangers inherent in transferring memory cards from one machine to another -- as reportedly happened in Cuyahoga County's recent primary election -- since a card that has passed through an infected machine could carry a vote-stealing "virus" to every machine it is subsequently inserted into.

The report's emphasis on chains of custody and other procedures deserves careful attention. The report's recommendations with respect to the "voter-verifiable paper audit trail" (VVPAT), on the other hand, warrant skepticism. The report concludes that implementing the VVPAT "makes our vote-stealing attack detectable." This may be true in theory -- if voters actually check the paper, and if a sufficient number of paper records can be routinely audited against the electronic totals. It is doubtful whether this is true in practice, at least with the most commonly used VVPAT systems. The Princeton researchers did not examine a DRE system that has the VVPAT, much less attempt to evaluate the workability and efficacy of such a device in a real-world election environment.

Among the practical problems with the VVPAT is that, in its most common configuration, the paper tape is difficult to check and even more difficult to recount. The report asserts that it is sufficient to choose a "small fraction" of polling places to confirm with a "high probability" that the result is accurate, but doesn't show the math to support this assertion. Of particular importance is whether recounting a "small fraction" will really be sufficient for small, local elections in which changing a relatively small number of votes within a single county really could swing the result -- and where the risk of election fraud, of the type the researchers raise, is accordingly the highest.
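The audit math at issue here can be made concrete. What follows is an added example written for this post; it is not code from the Princeton researchers, from Diebold, or from any election office. The precinct counts, margins, and audit percentage are constructed for illustration, and the attacker model (malicious code shifts at most a fixed number of votes in any one precinct, so that flipping a margin requires tampering with a corresponding number of precincts) is an assumption of the example, not a claim drawn from the report:

```python
from math import comb


def detection_probability(total_precincts, tampered_precincts, audited_precincts):
    """Probability that a uniformly random, without-replacement hand count of
    `audited_precincts` paper records includes at least one of the
    `tampered_precincts` whose electronic totals were altered.

    Hypergeometric "at least one hit":  1 - C(N - m, k) / C(N, k)
    with N = total, m = tampered, k = audited. math.comb returns 0 when
    k > N - m, so the result is exactly 1.0 once a sample could not be
    drawn from clean precincts alone.
    """
    if not 0 <= tampered_precincts <= total_precincts:
        raise ValueError("tampered precincts must lie in [0, total]")
    if not 0 <= audited_precincts <= total_precincts:
        raise ValueError("audited precincts must lie in [0, total]")
    clean_only = comb(total_precincts - tampered_precincts, audited_precincts)
    return 1.0 - clean_only / comb(total_precincts, audited_precincts)


def precincts_needed(total_precincts, tampered_precincts, confidence):
    """Smallest audit sample that catches at least one tampered precinct with
    probability >= `confidence`. A linear scan is fine at county scale."""
    for k in range(total_precincts + 1):
        if detection_probability(total_precincts, tampered_precincts, k) >= confidence:
            return k
    return total_precincts


def audit_scenario(total_precincts, margin_votes, max_shift_per_precinct, audit_percent):
    """Model a vote-stealing attack against a fixed-percentage audit.

    Assumed attacker model (this example's assumption, not the report's):
    to keep each precinct's result plausible, the malicious code shifts at
    most `max_shift_per_precinct` votes there, so overturning a lead of
    `margin_votes` requires ceil(margin / shift) tampered precincts. The
    audit hand-counts ceil(audit_percent% of total) precincts at random.
    Integer ceilings avoid floating-point surprises at exact boundaries.

    Returns (tampered_precincts, audited_precincts, detection_probability).
    """
    tampered = -(-margin_votes // max_shift_per_precinct)
    audited = -(-(total_precincts * audit_percent) // 100)
    return tampered, audited, detection_probability(total_precincts, tampered, audited)


if __name__ == "__main__":
    # Constructed figures, not data from any real election.
    # A statewide race: 2,000 precincts, a 20,000-vote margin, a 3% audit.
    print("statewide:", audit_scenario(2000, 20_000, 100, 3))
    # A county race: 50 precincts, a 200-vote margin, the same 3% audit.
    print("county:   ", audit_scenario(50, 200, 100, 3))
    # How much of the county would a 95%-confidence audit have to hand count?
    print("county precincts for 95% confidence:", precincts_needed(50, 2, 0.95), "of 50")
```

Under these constructed numbers the same "small fraction" behaves very differently in the two races. Flipping the statewide margin forces the attacker to touch 200 of 2,000 precincts, and a 3% audit (60 precincts) catches at least one of them with probability above 0.99. Flipping the county margin needs only 2 of 50 precincts, a 3% audit is 2 precincts, and the chance of landing on a tampered one is about 0.08; reaching 95% confidence would mean hand counting 39 of the 50 precincts, which is most of the election, not a small fraction of it.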

To their credit, the report does mention the practical difficulties that have emerged in implementing the VVPAT, some of which I've discussed here and here. But to suggest that the VVPAT is the "most important" way of mitigating vote-stealing is to go beyond what their evidence supports. One would really want to examine the functioning of the VVPAT in a real-world election environment before making such an assertion -- something that, unfortunately, was not done before state legislatures started passing laws to require the VVPAT and even to make it the official ballot record, a "reform" that could turn out to have disastrous consequences.

None of this should detract from what I think to be the most important policy recommendation to emerge from the Princeton report: that it is essential to have procedures in place to prevent tampering with either memory cards or voting machines. Whether adequate procedures are already in place, or whether they need to be improved in some places, is more difficult to ascertain from the report. I suspect that there is a genuine need for such procedural improvements, to prevent the type of attacks that the Princeton researchers envision.



Moritz College of Law The Ohio State University