
Cylance Discloses Voting Machine Vulnerability

155 points | rsobers | 9 years ago | blog.cylance.com | reply

120 comments

[+] Shank|9 years ago|reply
I worked as an election judge in the 2012 general election in Arapahoe County, Colorado. We had these exact machines. What isn't pictured is the physical security performed with them.

Typically, tamper seals that are identifiable as broken are placed on all access doors (including the power switch, data load slots, etc.), access panels, and openings on the device. All seals were verified intact before and after the election, and no voter was ever permitted in the back of the access panel where the firmware update would take place.

Before the machine starts, it gives a "zero" report which is verified independently by poll watchers, and confirms candidate choices are in place as needed. When the polls are closed, we seal everything again before the machines are sent back for reporting (at which point the seals are checked and verified prior to dumping results).

If this was really a damaging hack, the protective counter & live counters would show different numbers than what the machine read, but that didn't happen. It very clearly was tampered with, which means these physical measures would counteract any unwanted firmware updates during an election. It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.

[+] gergles|9 years ago|reply
> It's preposterous to think that election judges aren't actively verifying seals during election day and making sure nobody is tampering with them.

I've been an election worker around the country and have never been in a jurisdiction that did seal checks during the election - only once at the beginning and once at the end. Granted, I've never been in a jurisdiction using DREs, but still.

I agree physical security is a defense here, but this just reiterates, to me, how dangerous DRE voting machines are.

[+] helthanatos|9 years ago|reply
But you're assuming that all the officials dealing with the machines have the same moral standards as you. It's not necessarily the voters that need to be watched...
[+] slim|9 years ago|reply
You mean I could void all the votes simply by tampering with the seal? Seems like an easy attack.
[+] pmoriarty|9 years ago|reply
I'd feel a million times more confident in a simple pen and paper voting system.
[+] wybiral|9 years ago|reply
Exactly. You could tamper with most systems if you had that much physical access, including paper counts. Which is why there are procedures in place to minimize that potential.

Plus an attack like this would be isolated to the single machine (not that it wouldn't be bad, but it wouldn't be applied in a distributed fashion).

[+] mixologic|9 years ago|reply
What happens if they find tampering of the seals? Do all the votes of that particular machine become questionable?

If someone were to tamper with the seals on many of the machines, and they target precincts that tilt heavily in favor of one party or the other, couldn't they theoretically invalidate a lot of ballots that are likely to help their opponents?

[+] tropo|9 years ago|reply
Suppose the election ends, and it's time to verify the seals. Oops, they are broken. Now what?

All the seals can do is cast doubt on the results. You can't bring back the voters to try again. Even if you could, time has passed and they might vote differently. You could toss out the results, but that affects things too.

If you toss out the results, an example attack is: break the seals in areas with undesired voters

Similar attacks can be done if you call voters back. Maybe this allows for more-favorable hours or different media exposure.

[+] revelation|9 years ago|reply
The machines are sent back to a central point, without getting a report at the individual polling stations?

I think I see the problem.

[+] peterarmstrong|9 years ago|reply
Dear America,

This all sounds complicated and insecure.

Why can you not just do paper voting with simple ballots, like in Canada?

Yes, you have 10x the people, but just get 10x the human counters and scrutineers. Counting is parallelizable.

We run elections and get accurate, verifiable results in the same day.

Ours aren't as nasty as yours are, and we still have better anti-fraud than you do, since every paper ballot can be counted, as many times as needed. And since the thing which is counted is the same physical thing which can be audited, we can always verify the results if anything goes wrong.

You've had some problems with your ballots 16 years ago, and we're not sure why you haven't fixed this by now. After all, you've gotten people to the moon and robots to Mars--surely you'd want a fair, verifiable presidential election? (Especially when one of the two candidates is, frankly, terrifying to all your friends around the world.)

Love, Canada

[+] cperciva|9 years ago|reply
> Why can you not just do paper voting with simple ballots, like in Canada?

As much as I like Canada's easily audited voting system, there's a good reason for the US to not use a simple way of counting votes: They don't have simple ballots. Rather than just voting for one MP, as we do, a typical American might be asked to vote for a President, a Senator, a Representative, yes/no on 17 state propositions, a State Senator, a State Representative, the BART Director, the City College of San Francisco Board of Trustees, the San Francisco Public Schools Board of Education, a Superior Court Judge, and yes/no on 25 city measures.

In order for those to be counted the same way as we do in Canada, you'd need to hand the voter a book of 51 ballots and have them dropped into 51 separate boxes...

[+] galtwho|9 years ago|reply
The largest democracy India has e-voting.

Works fine for them. Why are other countries not going the same way?

There is a move in India to get all voting machines to print out your choice which the voter can drop into a ballot box.

Not sure if that is implemented yet. Surely something like that will work fine.

[+] blazespin|9 years ago|reply
Exactly, more people counting is not a problem. It's actually a good thing. Why not get more people involved in the electoral process? It's beyond me why anyone would want to undermine this.

Plus, I don't get the mail in states. What's up with that? Why mess with a process that works?

[+] emodendroket|9 years ago|reply
> Why can you not just do paper voting with simple ballots, like in Canada?

Many districts use paper ballots with optical scanners but this is totally up to the discretion of the county/state.

[+] nashashmi|9 years ago|reply
In Florida in 2000, we had these old voting machines where the voter would go into the booth, hit a bunch of buttons, and submit the vote. The voting card in the back would fall. There were often errors on them via ineffective button pushes, incorrect push, last minute mind change, and it would result in dubious votes. Some votes were discarded. There is no doubt that sometimes the vote went to the wrong candidate.

During the very close presidential election of 2000, these voting machine issues clearly showed the need for electronic voting machine booths with the added feature of instant vote count.

The current problems that are appearing are temporary and fleeting. With enough time and research these problems will become obsolete and resolved.

But your point of paper ballots requiring greater participation of people is interesting. Indeed, when more people participate even in mundane and simple tasks, there is a healthy feeling that spreads among the community.

[+] djrogers|9 years ago|reply
> Why can you not just do paper voting with simple ballots, like in Canada?

Some places do - voting is handled at the state and county level, not federal. For example, I vote on paper in the county where I live.

> You've had some problems with your ballots 16 years ago, and we're not sure why you haven't fixed this by now.

Those were paper ballots, what you see now is largely an attempt to avoid similar multi-day challenges and recounts due to hanging chads and ambiguous markings on paper ballots.

[+] alexandercrohde|9 years ago|reply
I think it's high time we start taking these concerns seriously. If state actors can accomplish Stuxnet, then hacking a voting system seems well within the realm of technical possibility.

Fortunately, there are pretty simple policies we can enact to prevent fraud and give faith in elections (both in America, as well as other countries). If you care, I'd perhaps start at https://www.verifiedvoting.org/

[+] empath75|9 years ago|reply
They don't even need to throw the election. Two or three machines with absurd results in favor of Clinton or Trump would be enough to push the county into civil unrest.
[+] code_duck|9 years ago|reply
The disturbing thing is that Stuxnet is more sophisticated than what it would take to control most voting machines. I think NSA type agencies for many countries and corporate espionage departments complete more complicated tasks every day.
[+] joering2|9 years ago|reply
I bet you that's the main reason they don't want to open-source it for independent verification -- you would find code so dirty and hackable that you would wonder which state actors actually did NOT hack.
[+] hackaflocka|9 years ago|reply
Exactly this.

If Stuxnet is possible, a voting machine should be a piece of cake.

[+] mpweiher|9 years ago|reply
I really don't see what problem these machines are solving, except for "as an operative, I would like additional vectors to manipulate the election".

In Germany, we get

(a) a paper ballot

(b) a pen

Works perfectly. And quickly.

[+] rblatz|9 years ago|reply
How are the paper votes tabulated? If it's by machine you've just kicked the can further down the road.
[+] heisenbit|9 years ago|reply
It is also worth pointing out that while this is labor intensive, it can be:

- scaled down reasonably, which allows polling places to be staffed by fewer people.

- run with a higher number of voting stations, as only a low-tech physical curtain is needed to ensure privacy.

- limited in throughput primarily by identity verification, which takes a cross-check of the ID document and the voting notification card that is mailed to any eligible person once they reach their 18th birthday.

[+] noir-york|9 years ago|reply
Democracy must not only be done, but also seen to be done. Trust in that most essential of democratic processes - vote counting - must be absolute.

Approaching vote counting as a mere technical problem that can be solved with enough technical safeguards misses the point. You cannot just ask a democracy to beta test vote counting and fix the bugs post-election - that will kill trust in the process.

Politics is polarised enough as is and you will find demagogues who will latch on to anything to reduce the legitimacy of an election.

It shouldn't even be up for discussion that trust and legitimacy are the most important goals in vote counting. Stick to paper voting and only introduce e-voting in parallel and not as the authoritative and final vote counting solution.

[+] sfifs|9 years ago|reply
I wonder why countries don't use India's simple and scalable electronic voting systems. The latest ones have voter-verified paper audit trails. They even have pooling systems to prevent counts from any single voting booth becoming known, to prevent voter intimidation.

https://en.m.wikipedia.org/wiki/Electronic_voting_in_India

[+] tribby|9 years ago|reply
I believe you've answered your own question, unfortunately.
[+] godelski|9 years ago|reply
Really what it seems is that we need more audits on machines. If democracy is to be a pivotal part of our election process we need to release the source code of these machines to ensure that we find and solve problems.
[+] seanwilson|9 years ago|reply
Seems like a decent place to apply formal verification as well to show the machines are bug free. Voting machines are critically high impact if they have bugs and (famous last words) the complexity of the software seems low.
[+] seanwilson|9 years ago|reply
Is there any way you can prevent hacks like this that require physical access? I guess cryptographically signing the updates, adding tamper proof seals and requiring multiple people to approve updates would help. The general mantra however is that once a hacker has physical access to your machine all bets are off.

Also, what happens if there's a random hardware/software glitch where incrementing one vote actually increments 10 votes? Is this checked for? How much reliance is there on the software and hardware being error free?

[+] Shank|9 years ago|reply
We definitely have seals, but for technical solutions, look at how Apple secures their devices. Signed firmware updates, public key crypto, and a well-thought-out chain of trust solve these issues.

The problem is that the actual poll creation is done on a per-county basis. I don't know how you would do this in such a way that every random county and precinct in America could have signing keys, firmware updates, etc., just sitting around ready to roll to build elections with.
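
The two comments above (seanwilson's question about signed updates with multi-person approval, and Shank's reply about signed firmware and a chain of trust) describe a control that is easy to sketch in code. The following is an added example written for this thread; it is not code from Cylance, from the voting machine vendor, or from the blog post. It assumes Ed25519 signatures over a SHA-256 digest of the firmware image, a fixed list of known approvers (the names "county-clerk", "state-auditor" and "vendor" are constructed), and a 2-of-3 approval threshold. The point it shows: a machine that only accepts an image carrying enough valid signatures from keys it already trusts cannot be updated by someone who merely has physical access to the data load slot, because they hold none of those keys and cannot add their own.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Approver is one person or role whose signature counts toward releasing a firmware update.
// The machine ships with these public keys baked in; the private halves never touch the machine.
type Approver struct {
	Name string
	Pub  ed25519.PublicKey
}

// SignedUpdate carries the firmware image and the signatures collected over it, keyed by approver name.
type SignedUpdate struct {
	Image []byte
	Sigs  map[string][]byte
}

// digest binds each signature to the exact image bytes; any change to the image changes the digest.
func digest(image []byte) []byte {
	sum := sha256.Sum256(image)
	return sum[:]
}

// signUpdate produces one approver's Ed25519 signature over the image digest.
func signUpdate(priv ed25519.PrivateKey, image []byte) []byte {
	return ed25519.Sign(priv, digest(image))
}

// verifyUpdate accepts the image only if at least `threshold` distinct, known approvers
// have produced valid signatures over it. Signatures from names the machine does not know,
// and signatures that fail to verify, are simply not counted rather than trusted.
func verifyUpdate(approvers []Approver, threshold int, upd SignedUpdate) error {
	if threshold < 1 || threshold > len(approvers) {
		return errors.New("invalid approval threshold")
	}
	d := digest(upd.Image)
	valid := 0
	for _, a := range approvers { // iterate the trusted list, never the attacker-controlled map
		sig, ok := upd.Sigs[a.Name]
		if !ok {
			continue
		}
		if ed25519.Verify(a.Pub, d, sig) {
			valid++
		}
	}
	if valid < threshold {
		return fmt.Errorf("only %d of %d required approvals are valid", valid, threshold)
	}
	return nil
}

// newApprover generates a fresh keypair for the demo; in practice the private key would
// live on a hardware token held by that person. (Constructed for this example.)
func newApprover(name string) (Approver, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Approver{Name: name, Pub: pub}, priv
}

func main() {
	clerk, clerkKey := newApprover("county-clerk")
	auditor, auditorKey := newApprover("state-auditor")
	vendor, _ := newApprover("vendor")
	trusted := []Approver{clerk, auditor, vendor}

	image := []byte("constructed firmware image v1") // constructed sample image
	upd := SignedUpdate{Image: image, Sigs: map[string][]byte{
		clerk.Name:   signUpdate(clerkKey, image),
		auditor.Name: signUpdate(auditorKey, image),
	}}
	fmt.Println("2-of-3 signed image:", verifyUpdate(trusted, 2, upd))

	tampered := SignedUpdate{Image: append([]byte{}, image...), Sigs: upd.Sigs}
	tampered.Image[0] ^= 0xff // one flipped bit invalidates every signature
	fmt.Println("tampered image:", verifyUpdate(trusted, 2, tampered))
}
```

Iterating over the machine's own trusted list, rather than over whatever signature map arrives with the image, is the detail that matters: an update carrying fifty signatures from keys the machine has never heard of still counts as zero approvals.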

[+] imode|9 years ago|reply
Lovely! More paranoia about the upcoming competition for a single political position.

As if I needed more of a reason to say "wow, this is rigged", now I see this!

I can't imagine how well this will go. November is a cake walk. January is where the fun starts.

[+] top_post|9 years ago|reply
"The decision to announce the research findings was intended to encourage increased sales and revenue for Q4 2016."