Arguably, the most important change in society in the past few decades has been the automation of important tasks with computers, and the formation of a worldwide network of these computers that allows their storage and computing resources to be combined. It seems that almost every aspect of the modern world relies on technology in some way. This raises a natural question: if we can cause a package to show up at our door by pressing the right combination of buttons on a computer, pay for our groceries with a self-checkout machine, buy tickets at an electronic kiosk, and even deposit checks by taking a picture of them with a mobile phone, why is it that the main method of voting in important elections still involves going to a local building and filling out a piece of paper? While it would be incredibly convenient to elect the president by sending a vote by text message or logging into a website at home, the unfortunate reality is that not all problems are easily solved with technology. Given the current state of technology, electronic voting, especially online voting, is not secure enough to be considered a safe alternative to the traditional method of paper ballots.
The most common form of electronic voting today is the Direct Recording Electronic voting machine, or DRE. These are specialized computers with either a touchscreen or button interface that run a program that displays a ballot. The votes are counted by software on the machine and the results are stored on a memory card and printed on paper. In the 2012 U.S. presidential election, 39 percent of votes were cast with a DRE machine (Kalb). It is imperative that a machine that has become such an integral part of our democracy be as secure as possible. Unfortunately, numerous studies have shown that DREs are frighteningly vulnerable to hacking and tampering.
A fundamental flaw with DREs is their lack of verifiability, that is, the ability of the system to be checked and demonstrated to be working correctly. It is quite easy for any voter to understand how paper ballots work. This simplicity and transparency are incredibly important for voters to trust in the election. A DRE voting machine introduces a sea of black boxes that the average voter may not be able to comprehend. The electorate cannot be expected to simply trust that the manufacturers of DREs have made secure devices. Of course, the software could be made open source, but what percentage of people would be able to read and understand the source code, and would take the time to do so? Furthermore, even releasing the source code and using a checksum to verify that that code is running on the actual machine does not necessarily prevent tampering with the hardware. It may be possible that the touchscreen itself could send incorrect touch coordinates to the program.
There are numerous examples of DREs being manipulated. In 2006 an independent study at Princeton showed the relative ease with which a standard DRE machine from the Diebold company could be compromised (Feldman). The machine installs software from a memory card. The slot for the card is covered with a metal panel that is kept in place with a lock. The study revealed that the same key was used for many different machines, and that the keys were easily copied. In addition, the lock itself was cheap and able to be picked in seconds. This allowed the research team to insert a memory card with malicious software. The machine now functioned normally, except that a certain number of votes were stolen from one candidate and given to another. The virus could tell whether or not the machine was in test mode, and only manipulated votes during the actual election. The software was able to modify every single piece of data relating to the final vote count, including the results stored in memory and the printed results, so there would be no way to tell that fraud had taken place. The team found that as long as the attacker was able to get their code onto the machine, they could make it quite sophisticated and include many parameters about how many votes to steal, how to calculate this number based on date and time, etc. Perhaps the most dangerous aspect of this attack is that it can be spread to multiple machines even if the machines are not part of a network. The virus loaded onto the machine could not only install itself on the machine from a memory card, but it could also copy itself onto any other memory card inserted into the machine. In many polling places the same card is used to program multiple machines, so only one needs to be infected in order for the virus to spread to the others when they are programmed before the election. 
Some DREs prevent this kind of attack by ensuring that the CPU only executes instructions coming from the ROM containing the election software, as opposed to the RAM into which a virus may be loaded. Of course, even this approach was foiled by a research team which found a way to use the instructions in the ROM to carry out any computational task (Hao).
The software running on DREs is not the only target. Each voter is given an electronic chip card that allows them to cast their vote. Theoretically, this card is inserted into the machine and allows one vote per person. However, the company Symantec discovered that it is relatively easy to manipulate the chip in the card. They were able to create a small, easily concealed device costing only 15 dollars that could reprogram the card within the voting booth (Varner). This would allow for digital ballot stuffing. In addition to intentional attacks, there are several examples of unintentional software glitches in which votes were lost (VerifiedVotes).
Once the election is over, tallying the final results presents even more problems. How are the results from each machine combined? The results for one machine are stored on the memory card, or possibly a USB stick inserted into the machine. Simply removing this storage to transport the data opens up many opportunities for someone to change the information stored on it. The data could also be transmitted over a network, which would be vulnerable to attacks similar to those on online voting, which will be discussed later in this paper. Finally, the physical machines could be transported in some sort of sealed packaging to a central counting location. This is impractical and is not normally done. The final counting program is yet another black box, and in this case not every voter is present to see it in action. It would be even harder to make publicly verifiable than the program running on each individual DRE machine.
Even after a DRE machine has been decommissioned and put in a landfill it still poses problems. Some DREs are thrown away still containing real election data. Due to the logical way in which votes are stored, it is possible to reverse engineer how people voted from old DREs in conjunction with polling place records (Hao).
The wide variety of these attacks and bugs attests to the increased complexity of an electronic voting system over a paper ballot system. The software, screen, and memory components, as well as all the supply chains for these intricate parts introduce an incredible number of possible failure points. The overall research suggests that, unsurprisingly, electronic voting machines are plagued by the same issues found in the rest of the computer world. In many applications these vulnerabilities are acceptable or at least easy to deal with if exploited. However, elections are far too important to society to accept this kind of risk. Paper ballots work well because society has hundreds of years of experience dealing with the traditional methods of election fraud. It is much harder for attacks to scale if the attacker cannot exploit the resources of computers.
One important requirement of an election is auditability. An election must be auditable, so the results can be verified through a recount. This raises even more problems for DREs. How can a recount be done if the votes are cast by pressing a screen? One common solution goes back to the reliability of paper. A Voter Verified Paper Audit Trail, or VVPAT, consists of a secondary machine connected to the DRE. When a vote is cast, it is recorded electronically and sent to the VVPAT machine, which prints the vote on a slip of paper behind a window. With this added step, even if the voter does not trust the internals of the machine, they can see their vote printed out and stored. The main idea is that if there is any doubt in the results stored in the computer’s memory, the VVPAT machine can be unlocked and the collected paper slips can be counted. While this approach improves the security of DRE voting machines, it has some flaws. Even though the printer is a simpler device, it is ultimately susceptible to the same black box problems as the DRE to which it is connected. One plausible attack relies on the fact that many voters do not even look at the paper slip due to poor interface design. A combination of awkward location, different visual layout from the DRE screen, and inadequate instructions means that many voters do not truly verify their vote or lack the patience to notify election officials of potential mistakes (Selker). The printer could simply be made to print out incorrect ballots and rely on the hope that not enough people will contest what is printed and demand a reprint. Research suggests that only approximately one third of incorrect receipts would be noticed by the voters (Selker). Besides relying on human factors, attackers could simply have the VVPAT machine print out extra ballots while the booth is unoccupied to match up with numbers from malicious software on the DRE itself.
Assuming that a VVPAT can provide an accurate paper representation of the votes cast, can these receipts be reliably audited? Research suggests that the nature of VVPAT ballots makes doing an actual recount expensive and prone to errors. A mock election audit at Rice University found that almost half of all participants produced incorrect election results, sometimes with error levels of almost 20 percent (Goggin).
The thermal printer of the VVPAT machine is known to cause technical difficulties. The reality is that the maintenance requirements for VVPAT machines during an election increase the likelihood of human error. Election staff must constantly ensure that the machine is working correctly throughout the day and provide enough paper for all the votes. A 2006 study of VVPAT systems found that a full 10 percent of the paper spools were “destroyed, blank, illegible, or missing” (Goggin). Theoretically higher quality printers could be used, but VVPAT systems are already quite expensive. Given all these issues, it is important to think about what the VVPAT is really accomplishing. Use of a VVPAT system is predicated on the idea that trust in the election results ultimately relies on what appears on paper ballots. In this sense, the full DRE-VVPAT system is a multi-thousand dollar digital pencil that is far less reliable than its cheap, simple predecessor.
In addition to voting with machines within a polling station, many have suggested voting online as a method of simplifying the process and improving voter turnout. While it would make it easier for the voter, those tasked with designing and running the system would face enormous security risks, far more serious than those relating to DRE machines. Firstly, some studies show that the option of online voting may not actually increase voter turnout, or at least that no causal link can be established (Kitsing). Even if online voting provides some marginal improvement to the voter’s experience, the convenience is not worth the security risks.
It is natural to wonder why so many other transactions involving sensitive information are done online, but voting is not. One reason is that voting is incredibly important for democracy and in the case of electing leaders of powerful countries, the results affect the entire world. Consider the thousands of cyberattacks that occur every day, and then consider the incentive to influence the outcome of an election. This goes beyond stealing user information or getting money through ransomware. To control the outcome of an election is to control society on a much larger scale than most cybercriminals. Allowing online voting would open up the possibility not just of fraud by those with physical access to the voting hardware, but of foreign entities remotely hijacking the election, which would inevitably happen given the stakes. Another difference with voting is the requirement for anonymity. If it is possible to find out how a particular person voted, people can sell their votes. Even worse, they can be coerced to vote a certain way. Online banking handles sensitive information and large amounts of money, but if misconduct is suspected, you can simply look over the transaction history and see the money flow. In the case of voting, a person’s vote should be completely dissociated from them once it is cast. This becomes hard to do online, since each voter is generally given some sort of login information related to their voter registration that they use to cast their vote.