Friday, Aug. 3, 2007 | The other day I heard from Matt Bishop, a computer scientist at the University of California, Davis.
Bishop led the study released last week that, like a good horror film, illustrated some fearsome — yet still fictional — scenarios about our much-discussed electronic voting machines.
Suspicions abound about the machines. And California Secretary of State Debra Bowen shares those concerns. Bishop’s study gave some critics of digital voting the kind of substance they’d been looking for: Yes, in fact, these little electronic machines can be manipulated to change votes. An adept computer geek — possibly employed by supporters of a candidate or initiative — can indeed stuff ballot boxes virtually.
That’s a nauseating thought. It’s a two-part terror really: Not only is a voter’s voice lost when her vote is criminally changed, but she doesn’t even know. So if you fear it happening, you not only have to fear that it did happen and that this one fundamental right at the foundation of our society was violated but you worry as well that you’ll never really know.
But I’ve been a little annoyed with the discussion.
Bishop was hired by Bowen to pick and prod at the machines to find any way possible to manipulate them.
And when he and his team found those ways, another round of paranoia began — as did the cries for a complete abandonment of electronic voting.
That just doesn’t make sense to me. Bishop’s study seems like an infinitely helpful way to find the holes in voting security and close them.
But is it really a reason to abandon the machines?
Think about it this way: The secretary of state gave these computers to these computer experts and asked them to figure out how to break into them and virtually stuff the ballot boxes. How is that any different than putting a bunch of locksmiths and safe manufacturers into a room with a vault and giving them all the time in the world to try to break into the room where the election ballots are stored?
Anyway, I decided to ask Bishop about this and I thought I’d share our Q&A that happened over e-mail:
Scott Lewis: Do you think the problems and holes you discovered are uncorrectable? I mean, do you see your effort as one of constructive criticism that can be usefully employed to ensure an acceptable level of security for the voting process? Or do you see it as a condemnation of the electronic voting system in general — one it cannot recover from?
Matt Bishop: I see the effort as one of providing technical data to Secretary Bowen as part of her top-to-bottom review. We hope that whatever she decides, the vendors and election officials will use the results to improve the election process. So we see it as a constructive exercise, not a destructive one.
SL: How much damage do you think one person, without privileged access to the boxes, could do to an entire election?
MB: The answer to that question depends on the procedural controls in place. Also, the issue is not one of having privileged access to the boxes; it’s whether one acquires privileged access to the boxes.
In other words, voting is too precious of an action to leave up to that. So, now, back to our Q&A.)
SL: Isn’t security through obscurity what we rely on for paper ballots? Lock them away, restrict access, etc?
MB: No. That’s blocking access. “Security through obscurity” in that context would be storing the ballots in an unlocked room and not telling anyone where the room is, because you believe they would never find it and so don’t need to lock it. A better defense would be to layer things — don’t tell people where the room is, but also keep it locked. Then if someone does figure out where the room is, they still need to get through the lock. “Obscurity” is not your only security mechanism (layer); the other one is the lock, so you are not providing security through obscurity.
SL: While I know you didn’t compare the two voting systems, does the potential influence of one hacker vastly outweigh the potential influence of one ballot box stuffer?
MB: The points of vulnerability are different. The ballot box stuffer needs access to the ballot boxes. The computer attacker needs access either to the individual voting systems (in the polling station) or at Election Central. One concern, however, is a “viral attack”: if the attacker can inject malware onto a voting station that copies itself onto the cards used to transport results back to Election Central, and if that malware is then triggered, it could infect other cards. See the red team’s Diebold report, pp. 12-13, for a discussion of this. In that sense, if that attack were to work, then one could corrupt machines for a future election. You’d need to have very good procedural controls to limit the damage caused by this type of attack! I’m not sure how someone could do anything similar with paper ballots.
SL: I guess you can tell I’m trying to answer the question of whether we already live with — and have been comfortable with — the risks electronic voting machines simply present in a new way.
MB: And that’s the key question: not are the e-voting machines vulnerable, but is an election process that uses these machines more vulnerable than one that uses paper? Unfortunately, I don’t know the answer. I’m not sure anyone does yet, either.