Felten House Administration Testimony

Download PDF
 
Testimony of Edward W. Felten
Professor of Computer Science and Public Affairs, Princeton University


United States House of Representatives, Committee on House Administration
Hearing on
Electronic Voting Machines: Verification, Security, and Paper Trails
September 28, 2006



Open the lid of an electronic voting machine and look inside; what you will see is

a computer, much like an ordinary desktop PC or Mac. Because they are computers, evoting

machines are susceptible to familiar computer problems such as crashes, bugs,

mysterious malfunctions, data tampering, and even computer viruses. The question is

not whether we can eliminate these problems - we cannot - but how we will cope with

them.


Unlike ordinary desktop computers, e-voting systems are entrusted with the most

important process of our democracy - collecting and counting votes - and must perform

that process accurately, reliably, accessibly, and securely. Trust in election outcomes is

necessary for our electoral system to work, but the political system often does not lend

itself easily to trusting relationships. Voting technologies must help to build this trust.

Today's e-voting infrastructure is not up to the task, but tomorrow's can be.


Two weeks ago Ariel J. Feldman, J. Alex Halderman, and I released a paper

analyzing in detail the security of the Diebold AccuVote-TS, one of the most widely used

e-voting systems. The main findings of our study were as follows:


     1. Malicious software running on a single voting machine can steal votes with

        little if any risk of detection. The malicious software can modify all of the

        records, audit logs, and counters kept by the voting machine, so that even

        careful forensic examination of these records will find nothing amiss. We

        have constructed demonstration software that carries out this vote-stealing

        attack.


     2. Anyone who has physical access to a voting machine, or to a memory card

        that will later be inserted into a machine, can install said malicious software

        using a simple method that takes as little as one minute. In practice, poll

        workers and others often have unsupervised access to the machines.


    3. AccuVote-TS machines are susceptible to voting-machine viruses -

       computer viruses that can spread malicious software automatically and

       invisibly from machine to machine during normal pre- and post-election

       activity. We have constructed a demonstration virus that spreads in this way,

       installing our demonstration vote-stealing program on every machine it

       infects.
       

    4. While some of these problems can be eliminated by improving Diebold's

       software, others cannot be remedied without replacing the machines'

       hardware. Changes to election procedures would also be required to ensure

       security.
       

Our web site at http://itpolicy.princeton.edu/voting has links to our full technical report

and a ten-minute video showing our demonstration vote-stealing virus in operation. The

technical report goes into considerable detail and includes a discussion of why existing

election procedures are not sufficient to prevent virus attacks. While we are not alleging

fraud in any specific past election, our results do raise serious concern about the security

of future elections.


One lesson of our study is that security depends on getting the technical details

right. A security measure that sounds robust in the abstract may be useless or worse if

implemented poorly. Too often, the designers of the AccuVote-TS failed to get the

details right.


A good example is the AccuVote-TS access door. The access door on this

machine protects the removable memory card that stores the votes, so the door should be

locked securely and access to the keys should be strictly limited. In fact, the tens of

thousands of AccuVote-TS machines can all be opened with the same key, and this very

same key is used widely in office furniture, jukeboxes, and even hotel minibars. I

bought several keys on the Internet from an office furniture shop and a jukebox supply

shop, and they all open the AccuVote-TS. Details matter. It is not enough to have a key;

it matters which key you use.


Some voting machines, including the AccuVote-TS, record votes internally in a

computer file, with the votes stored in the order they were cast. This approach endangers

the secrecy of the ballot. If election procedures record the order in which voters cast their

votes (or allow partisan observers to do so, as is the practice in my polling place), then a

sequential record of the votes can be correlated with the order of voters to reconstruct the

ballots cast by individual voters. The AccuVote-TS is one voting machine that gets this

detail wrong.


The AccuVote-TS suffers from many such problems. It encrypts stored votes, but

stores the secret decryption key where it is easily found by hostile software. It keeps two

redundant copies of each stored vote, but both copies are subject to easy tampering.

Some of these errors are more technical in nature than the access-door key error and the

vote-recording error, but they are just as serious.


The implications of our study go beyond the specific voting machine we studied

to reveal broader systemic problems. More worrisome than any specific vulnerability is

that, despite its many problems, the system we studied was certified, purchased and

deployed by many states and counties, and is slated for use in the upcoming November

election. This leads us to conclude that existing certification and procurement

procedures are inadequate to prevent the kinds of serious vulnerabilities we discovered.

Here again the details matter, and too often current processes get the details wrong.


Though some claim that election procedures will prevent the kinds of problems

we identified, the rigid procedures described in vendor manuals are often ignored in

practice. Machines are supposed to be sealed with numbered security tape; but missing

or broken tape is usually ignored, and election workers often break the tape themselves

when trying to revive malfunctioning machines. Machines and removable vote-storage

media are theoretically kept under lock and key, but in practice they are often sent home

with election workers or left unattended. At my polling place in Princeton, the night

before an election, the DRE machines sit unattended in an unlocked elementary school

lobby where anyone could tamper with them. Stringent official procedures only matter

if they are followed in practice.


There are several things we can do to improve the security of our e-voting

infrastructure.


In the short term, some limited steps are still feasible before November. Given

the susceptibility of some e-voting systems to electronic tampering, we should take extra

care to secure the chain of custody for voting machines and vote-storage media from now

until Election Day. This cannot repair machines that have already been tampered with,

but it can reduce the likelihood of further tampering. Needless to say, what we need is

not more memos laying down theoretical procedures, but detailed execution to narrow the

gap between procedural theory and practice.


In the medium term, I offer three recommendations. First, we should fix the

certification process to better account for security. Certification seems to focus on

machine attributes that are easily tested, but security problems are difficult to detect by

testing because no predetermined set of test scenarios can account for the tactics of a

clever adversary who systematically exploits gaps in a system.


In practice, the certification process often misses security problems that are

simple but very dangerous. For example, the AccuVote-TS system we studied will

silently accept and install any software update offered by any memory card that is

inserted into the system. The system makes no effort to verify that the offered update is

authorized by the vendor, election officials, or anyone else. This is a very serious

weakness that opens the door to the injection of malicious software and the silent,

automatic spread of viruses. Yet the system was certified despite this obvious

vulnerability. The existing certification process seems unable to detect such problems

reliably. It must be improved.


Second, a voter-verified paper audit trail (VVPAT) is a necessary safeguard

given the state of the art today. With these paper trails, as with other voting

technologies, we must get the details right - poorly designed paper trails can be

unreliable or hard to use, or can compromise the secrecy of the ballot - but a welldesigned

paper trail can improve security and enhance voter confidence, without

compromising accessibility.


In comparing VVPATs with paperless DREs, we must compare apples to apples.

For example, we must not compare a VVPAT that compromises the secret ballot by

recording votes in the order cast (e.g., on a continuous roll of paper) with a paperless

DRE that gets this detail right. Instead, we must assume good engineering in both cases,

and weigh the significant security benefits of VVPATs against their costs.


Paper records, either VVPATs or traditional paper ballots, have their drawbacks.

They are not immune to fraud. What is important is that they have different failure

modes than electronic records, so that the combination of electronic and paper

recordkeeping, if implemented well, can be more robust against fraud than either would

be alone.


One aspect of a well-implemented VVPAT system is that the electronic and paper

records must be compared to each other. We do not need to verify every paper record,

just enough to detect large-scale fraud. Unless an election is very close - which will

probably trigger a full recount anyway - checking a few percent of ballots will suffice.

Similarly, it is not necessary for every voter to read and verify the paper record of his

vote; as long as even a few voters do so, any tampering widespread enough to be

significant will be easily detected.


Third, we must do more to leverage the expertise of independent security experts.

Independent analyses, by experts neither paid by nor reporting to voting machine

vendors, have discovered many areas for improvement in today's technologies, yet most

vendors systematically try to prevent such analyses. For example, my colleagues and I

would be happy to examine other versions of Diebold's AccuVote-TS or AccuVote-TSx

software to determine whether they are subject to the vote-stealing virus problems we

have identified; but Diebold refuses to let election officials call on us for this purpose.

Other vendors follow a similar policy of resisting public study and discussion of the

technologies that count our votes.


In the long run, further research is needed to help us understand how to improve

the voting system. For example, fully electronic verification technologies may one day

be a viable substitute for VVPATs, once researchers have worked out the details

necessary to deploy them in the real world accessibly and securely. We also need more

systematic studies of what really happens in polling places, especially when problems

arise. Finally, there is much to learn from work in other areas of computer security -

today, even video game consoles like the Xbox are more tamper-resistant than voting

machines.


Those not versed in computer security can miss the significance of e-voting

security vulnerabilities. From a security standpoint, what distinguishes computerized

voting systems from traditional systems is not that computers are easier to compromise,

but that the consequences of compromise can be so much more severe. Breaking into an

old-fashioned ballot box can affect a few hundred ballots at most; injecting a virus into a

single computerized voting machine can affect an entire election.


Intuitions developed with older technologies can mislead when applied to

computerized systems. For example, non-experts often fail to appreciate how difficult it

is to tell what is happening inside a computer system. We cannot "just look" to see what

is happening or whether the right software is installed. Often our only recourse is to ask

the system itself what it is doing - which is fine if the system is working correctly, but

fruitless if the system is compromised. There is no point in asking a virus whether a

virus is present.


Similarly, non-experts often assume that pre-election testing is an effective way to

trigger and detect malicious software that might have infected a voting machine. Here

again, computerized systems are different. A modified lever machine will work the same

whether or not it is Election Day; but malicious software on a DRE can check whether

the machine is in pre-election testing mode, or can check the date, or can check whether

the number and pattern of voters is consistent with election day, and can activate its votestealing

capability only in a real election. Our demonstration AccuVote-TS virus takes

measures to remain inactive and thus evade detection during pre-election logic and

accuracy testing. It is very difficult to tell whether such a virus is present. In general,

malicious software is much harder to detect than non-experts would expect.


My point is not that these challenges are insurmountable but that one needs

specialized knowledge and sophisticated analysis to figure out what is possible.

Acknowledging that security experts can learn from election experts, I submit that

election experts can also learn from security experts.


Getting the details of voting right is difficult, especially in today's high-tech

polling place. But failure is not an option. The stakes are too high, and the risk of

malfunction or fraud too great, to make our current course tenable in the long run. We

need to work harder and smarter, exploiting the knowledge of both election experts and

technical experts.





Biography of Edward W. Felten


Edward W. Felten is Professor of Computer Science and Public Affairs, and Director of

the Center for Information Technology Policy, at Princeton University. His research

interests include computer security and privacy, Internet software, and information

technology policy. He has published more than eighty papers in the research literature,

and two books, and he is widely quoted in the press as an expert on security, privacy, and

information technology policy. He has advised the U.S. Departments of Justice, Defense,

and Homeland Security, and the Federal Trade Commission, on security-related issues.

He serves on the Executive Committee of USACM, the U.S. public policy committee of

ACM, the leading professional society for computer scientists. In 2003, Scientific

American magazine named him to its list of fifty global leaders in science and

technology.

Related Articles