[E-voting] The very best and most convincing technical criticisms

Adrian Colley aecolley at spamcop.net
Fri Apr 22 04:41:00 GMT 2005

On Thu, Apr 21, 2005 at 11:52:15PM +0100, Dave Madden wrote:
> Possible. It would certainly be useful for advocates of the ICTE
> position to have a useful and simple list of technical criticisms. Only
> the very best and most convincing - anything that can be countered by
> false but superficially attractive arguments is worthless.

Well, anything that comes from biased sources (such as, for instance,
ICTE or Shane Hogan and Robert Cochran) can be dismissed falsely but
superficially.  Let's see what I can find in the report of the
Commission on Electronic Voting, who presumably have more credibility
than we do.

To start with, how about this one: the count software computed
45 * 52 / 180 => 12 and no remainder, and consequently made an error in
transferring a surplus (source: CEV First Report, Appendix 2E - Part 1,
section 4, pp. 205-207).

To go on with: the developers had seen the bug in the past but failed
several times to fix it, and (in the opinion of the CEV's experts) the
problem ``was in fact not properly understood'' by the developers
(source: CEV First Report, Appendix 2B, section 3.3, pp. 135-136).

An old favourite of mine: ``One possible alteration, for example, would
be to enable a voter to press buttons in a specific sequence during
polling that would cause the machine to alter preferences in favour of a
particular candidate from that point on.  The danger that machine
software can be altered is explicitly highlighted by PTB ["Test Report
2", PTB, 17-09-2003]: "an exchange of the ROM chips including fraudulent
presentation of the correct checksum cannot be avoided by software but
by means of sealing only".'' (source: CEV First Report, Appendix 2A -
Part 1, section 2.2, p. 96).  The PTB were happy that the seals on the
machine were secure, but the CEV's experts disagreed: ``The
Programming/Reading Unit seals peeled back easily without damage.
Inside, the system is composed of some standard EPROMs and a 68000
computer with standard 7400H TTL logic.  The seals on the voting machine
peeled back equally easily.  Four Philips head screws had to be removed.
The voting machine uses the same circuit board as the
Programming/Reading Unit, only with different peripherals plugged into
the numerous (11!) connectors.'' (source: CEV First Report, Appendix 2C,
section 11, p. 189).

To labour the point about the tamperability of the voting machines,
here's an extract from section 4.2.2 of Appendix 2B of the CEV First
Report, at p. 139-140:

``The controlling program inside the voting machine could be modified to
  affect the vote.  The program has a "checksum" which protects it
  against accidental changes, but does not protect against deliberate
  tampering.  Anyone with appropriate technical knowledge and access to
  the voting machines could modify the program and at the same time
  yield the same checksum.  It also appears that the program is being
  continually modified by the manufacturer to fix minor bugs.  At any
  stage a programmer could introduce rogue "trojan" software.  See
  Appendix D.

``In practice it took a technician about 40 seconds to open the machine
  from the back.  We observed that the controlling program chips are
  actually socketed for ease of access.  Therefore there is little to
  prevent removal and substitution of the program (see Appendix C).  We
  estimate that 2 minutes of unauthorised access would be sufficient to
  switch programs.  [...]  However there are paper seals that were
  broken in the process of gaining access.  This offers some hope that
  tampering would be detected.  We do not know what processes are in
  place to check these seals for tampering.  On the face of it, it would
  seem quite easy to cover the broken seals with pre-prepared
  substitutes that would fool the naked eye.  For access it would be
  sufficient perhaps to break only one of the two, and perhaps cut the
  second with the [sic] pen-knife.''

The "corrupt insider" threat isn't ignored by banks, so presumably it's
something to worry about in elections, too: ``As noted above, such a
segregation of duties is largely absent in the system proposed.  In our
opinion, it is a fundamental characteristic of good control procedures
and for the reasons outlined is increasingly important in the context of
the proposed voting system.  In our opinion, a voter, independently or
publicly verifiable audit trail is the most effective means of assuring
the accuracy of voting, as it would add transparency and provide an
audit trail for subsequent verification of the result.  Under the
proposed system, transparency and auditability have been sacrificed for
secrecy.'' (source: CEV First Report, Appendix 2F, "Executive Summary",
p. 228).

Finally, there's a particular technical attack which I didn't know about
until reading the full CEV report, but which in hindsight may
conceivably have happened: ``So theoretically, it would be possible to
program two ballot modules with the same ID.  Any voting machine could
be used to enter votes on the duplicate module prior to Election Day.
Someone could then exchange modules either before the `close polling
statement' was printed (this would involve breaking the seal), or else
exchange both module and statement en route to the count centre.  Either
action would be uncovered by comparing the number of voters counted
manually by election staff with the number printed on the `close polling
statement'.'' (source: CEV First Report, Appendix 2A - Part 1, section
4.2, p. 105).

Could that have happened in the 2002 pilots?  It's less likely than a
UFO landing, but just for fun let's play the hypothetical game.  What
kind of evidence might we see if such an attack had taken place?
 - broken or improperly-applied seals around ballot modules;
 - machines either not inspected or entered into service regardless;
 - missing, broken, mishandled, or counterfeit ballot modules;
 - mismatch in voter/votes reconciliation;
 - nothing else.

Here are some quotes from the document "J Fitzpatrick Post Election
Report June 2002", sent by the Dublin Returning Officer to the head of
the Franchise Section of the DoEHLG, released to Joe McCarthy under FOIA
in April 2004, and sent to ICTE by Joe.

``The seals to be placed over the module in the machines were unsuitable
  in that rather than being protective seals, they were simply sticky
  labels.  We found that these were easily removed and transferred to
  another machine.'' [bad seals -- no security any more, but who cares?]

``Box165. Error 35701 . Nedap engineer visit and found ballot module
  not fully inserted in connector? Plugged in and all ok.'' [obviously
  not too securely sealed in place, then]

``In Dublin West one module was found to have been left in the election
  office in Glasnevin.   This was a module that had been programmed for
  a spare machine which was carried around by an inspector for the
  day.'' [given that a voting machine can be used to reinitialize and
  stuff a ballot module, how many witnesses followed this machine around
  with the inspector?]

``In Dublin North one module was also found to be missing but was
  discovered within two or three minutes having been left with the
  incoming envelopes and not passed on to the readers.'' [perhaps
  swapped covertly with a spare, and then "found" in the envelope pile]

``In future the count area should be given much more room and the public
  kept from the count operation.'' [he means because they get to see the
  process in action; but if the public are crowding the count _and_
  ballot modules are going missing, then it's possible that someone is
  switching them]

``In the end it was decided to perform the count without reconciling
  the stations as it proved impossible to do so on the night.'' [it was
  also decided to announce the result without mentioning the
  discrepancies; the reconciliation statements, dated 05 September 2002,
  show that Dublin North had 1294 more votes than voters, and that
  Dublin West had 716 more voters than votes]

``taxi collection of ballot modules meant that first ones read in at
  11.20 - next time allow individual presiding officers who are very
  local to count to deliver themselves - this might speed up start and
  also enable a steady flow to build up prior to larger taxi
  deliveries?'' [so we're happy with transporting ballot modules in
  taxis and allowing would-be tamperers over 140 minutes to defeat the
  seal on a ballot module?]

Later that year, a similar document, "J Fitzpatrick Nice Referendum
Report Nov 2002" was written and found its way to us by the same route.
Remember, it's all hypothetical; a _real_ attacker would have waited
until the system was deployed nationwide and accepted by the public.

``Secondly, the seal on the current version of the machine is on the
  side of the unit and in transit three machines had broken seals after
  journeys.'' [if you need to break a security seal, you _always_ make
  it look like it was caused by an innocent accident]

``The seal on one machine was broken but the module seal was intact and
  no votes had been recorded. We advised the Presiding Officer to use
  the machine.'' [apparently the seal is just a placebo, even though the
  security analysts were told that these seals will all be in place]

``We found one module where the number stored in the module was
  different to that printed on it.'' [you'd expect this if the module
  had been used as a clone and later erased]

``We also found three modules that could not be programmed plus one
  module that was blocked because the power had been interrupted during
  programming.   Roy Loudon was able to fix two of these modules but the
  other two are still unusable.'' [the report doesn't mention whether or
  not the modules were rescanned after the vendor was allowed to access
  them during a real referendum, but surely they wouldn't have missed
  such an important detail]

So, all the elements were there: unprotected ballot modules, untracked
spare ballot modules, massive (and I mean MASSIVE) discrepancies which
the officials do not even claim to have resolved until after the result
was announced, and even an untracked spare voting machine.  Thankfully
it was only a pilot, and nobody would risk tampering with a pilot.  It
would be scandalous if those warning signs were ignored after the system
had been rolled out nationwide.


GPG 0x43D3AD19 17D2 CA6E A18E 1177 A361  C14C 29DB BA4B 43D3 AD19
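
Added example, not part of the original post and not taken from the CEV report or the count software: it works through the 45 * 52 / 180 surplus share cited above and shows a division-identity check that rejects a "12 and no remainder" result. The post does not say how the software reached 12, so the float-ratio quotient paired with a separately computed remainder is an assumed mechanism; the candidate names, the 60 and 75 sub-parcels, the largest-remainder rule, and the reading of 45 as a sub-parcel, 52 as the surplus and 180 as the transferable total are likewise assumptions made for illustration.

```python
def share_float(papers, surplus, transferable):
    """Assumed faulty path: float-ratio quotient, separately computed remainder."""
    # 45 * (52 / 180) evaluates to 12.999999999999998 and is truncated to 12.
    whole = int(papers * (surplus / transferable))
    rem = (papers * surplus) % transferable
    return whole, rem


def share_exact(papers, surplus, transferable):
    """Integer-only path: quotient and remainder come from one division."""
    return divmod(papers * surplus, transferable)


def consistent(papers, surplus, transferable, whole, rem):
    """Division identity that every (whole, rem) pair must satisfy."""
    return 0 <= rem < transferable and whole * transferable + rem == papers * surplus


def distribute(parcels, surplus, share=share_exact, check=True):
    """Whole shares first, then leftover papers to the largest remainders
    (largest-remainder rule assumed for this example)."""
    total = sum(parcels.values())
    parts = {c: share(n, surplus, total) for c, n in parcels.items()}
    if check:
        for c, (whole, rem) in parts.items():
            if not consistent(parcels[c], surplus, total, whole, rem):
                raise ArithmeticError(f"share for {c} fails the division identity")
    out = {c: whole for c, (whole, _) in parts.items()}
    left = surplus - sum(out.values())
    for c in sorted(parts, key=lambda c: parts[c][1], reverse=True)[:left]:
        out[c] += 1
    return out


# Constructed sub-parcels; only the 45, 52 and 180 come from the post.
PARCELS = {"A": 45, "B": 60, "C": 75}

if __name__ == "__main__":
    print(share_float(45, 52, 180), share_exact(45, 52, 180))
    print(distribute(PARCELS, 52))
    print(distribute(PARCELS, 52, share_float, check=False))
```

With the check disabled, the faulty path still hands out all 52 papers, so the total looks right while one paper moves from A to B; only the per-share identity exposes it.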
