1 August 2007
Lots of other people have already commented on the California voting machine evaluation. See, for example, blog posts by Avi Rubin, Bruce Schneier, and Ed Felten (links to their blogs at the upper left of this page). I won't bother adding my two cents.
The responses to the evaluation by the vendors have been predictable: the study was unrealistic, it ignores process, an enemy wouldn't have full access to the source code, and so on. But these responses ignore the first two questions that any security professional asks when doing an evaluation: what are you protecting, and against whom?
In the US, most elections are run by political appointees. Over the years, a variety of procedures have been adopted to try to prevent fraud; most of them involve some form of multi-party access. For example, ballot counting is overseen by representatives of all parties. That said, there is often a lot of opportunity for mischief by the party in control of a given jurisdiction; if nothing else, they control what machines are purchased. This issue is finally drawing some much-needed scrutiny.
The security question, then, is this: are today's processes, designed for older generations of voting technology, sufficient to protect electronic voting machines? Put more bluntly, given the ease of replacing code, opening locks, and bypassing seals — as described quite vividly in every independent study I've seen — are electronic voting machines and the associated processes secure against attacks by insiders? Remember that these insiders have a lot of money and skill, and demonstrably have the motive. Do they have the means? The conclusions of the reports are quite damning with respect to the ease of certain attacks; the real question is whether or not would-be insider attackers have sufficient access. The attacks are fast and easy; I strongly suspect that they're quite practical, given just a bit of luck.
I should note that I do agree with the vendors and election officials that process is important. I told Avi Rubin that before he released his famous paper on Diebold voting machines; he recounts that story in his book Brave New Ballot. Do we have the right processes today? Look at these pictures, from the ITU and the BBC about the start of an election: the ballot boxes are shown to be empty before the voting starts. What are the high-assurance electronic equivalents? Remember that processes can be attacked with technology; see the "Stuffer's ballot box" for an old example. And remember that I said "high assurance"; what really happens when the buttons are pressed to show that a voting machine has been cleared?
Ironically, for all that I'm a security expert, my real concern with electronic voting machines is ordinary bugs in the code. These have demonstrably happened. One of the simplest cases to understand is the counter overflow problem: the voting machine used too small a field for the number of votes cast. The machine used binary arithmetic (virtually all modern computers do), and a signed 16-bit field holds at most 2^15 − 1, so the critical number was 32,767 votes; the analogy is trying to count 10,000 votes if your counter only has 4 decimal digits. Past that point the count doesn't stop, it wraps, and the reported total silently becomes wrong. In that vein, the interesting election story from 2000 wasn't Florida, it was Bernalillo County, New Mexico; you can see a copy of the Wall Street Journal story about the problem here.
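To make the overflow concrete, here is an added illustration (my own code for this post, not code from any voting machine or from the California review). It models a vote counter stored in a 16-bit signed field, tallies a constructed number of ballots through it, and shows what the reported total looks like once more than 32,767 votes arrive. The raw bits are kept in an unsigned variable and reinterpreted by hand so the wraparound is well-defined C rather than undefined signed overflow; the "checked" tally is a hypothetical fix that refuses to increment past the field's capacity and flags the condition instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Largest value a two's-complement signed 16-bit field can hold: 2^15 - 1. */
#define FIELD_MAX 32767

/* Simulated 16-bit signed vote counter. The bits live in a uint16_t so the
 * wraparound below is portable; signed overflow in C is undefined behaviour. */
typedef struct { uint16_t raw; } vote_counter16;

/* Interpret the stored bits as a two's-complement signed 16-bit value. */
static int32_t counter16_value(vote_counter16 c) {
    return (c.raw & 0x8000u) ? (int32_t)c.raw - 0x10000 : (int32_t)c.raw;
}

/* Naive tally: one increment per ballot, no range check (the buggy pattern).
 * Returns the total as the machine would report it. */
static int32_t tally_naive(uint32_t ballots) {
    vote_counter16 c = { 0 };
    for (uint32_t i = 0; i < ballots; i++) {
        c.raw = (uint16_t)(c.raw + 1u);   /* wraps from 0x7FFF to 0x8000 */
    }
    return counter16_value(c);
}

/* Hypothetical hardened tally: the count is kept in a wide accumulator and
 * the code stops and reports overflow instead of wrapping past the field. */
typedef struct {
    int32_t count;       /* votes actually recorded */
    bool    overflowed;  /* true if a ballot could not be counted */
} tally_result;

static tally_result tally_checked(uint32_t ballots) {
    tally_result r = { 0, false };
    for (uint32_t i = 0; i < ballots; i++) {
        if (r.count >= FIELD_MAX) {  /* next increment would not fit */
            r.overflowed = true;
            break;
        }
        r.count++;
    }
    return r;
}

int main(void) {
    /* Constructed ballot counts straddling the 32,767 limit. */
    const uint32_t samples[] = { 100, 32767, 32768, 40000, 65536, 70000 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        tally_result chk = tally_checked(samples[i]);
        printf("%6u ballots: naive field reports %6d, checked tally %5d%s\n",
               samples[i], tally_naive(samples[i]), chk.count,
               chk.overflowed ? " (OVERFLOW flagged)" : "");
    }
    return 0;
}
```

Run stand-alone it prints one line per sample; the naive column reads -32768 at 32,768 ballots and wraps back to 0 at 65,536, which is exactly the failure a precinct-level sanity check (ballots cast versus votes recorded) would have to catch. The checked version is the minimum a machine should do; a counter wide enough for any plausible turnout is the better design.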
Our voting machines are badly broken. Fixing them means accepting the technological limitations and designing a system around them, not asserting that they do not exist. It also means fixing what technical problems we can.
Update: Matt Blaze's blog now discusses the review, too. (Matt was one of the reviewers and couldn't speak publicly until his report was released.)