David A. Wheeler's Blog

Sat, 14 Oct 2006

Direct Recording Electronic (DRE) Voting: Why Your Vote Doesn’t Matter

Direct Recording Electronic (DRE) voting machines have been installed in many locations across the United States. In a DRE machine, votes are only recorded electronically — there’s no paper that voters check. DREs can be rigged to forge any election, fairly easily, so DREs are completely inappropriate for use in any serious election. In fact, I suspect that vote-rigging has already occurred with DREs, and there is no way to prove otherwise.

In September 2006, Feldman, Halderman, and Felten posted “Security Analysis of the Diebold AccuVote-TS Voting Machine”, showing how trivial it was to completely control a common DRE voting machine. It turned out to be trivial to write programs to do vote-stealing. The manufacturer’s reply didn’t really address the issue at all. A report on the Nedap/Groenendaal ES3B voting computer found that anyone given brief access to a different voting machine can gain complete and virtually undetectable control over election results - and how radio emanations from an unmodified ES3B can tell who voted what from several meters away.

On the Secure Coding mailing list (SC-L), Jeremy Epstein noted that election officials’ response was “amusing and scary”; when shown that DREs could be trivially subverted, instead of forbidding the use of DREs, they ignored the problem and asked why the researchers didn’t attack real systems. That’s a foolish question - anyone who really wanted to control an election would just do it and not tell anyone. The manufacturer of that system claims that all the problems reported by the researchers have been ‘fixed’. I’m willing to believe that some elections were fixed, but if there’s no voter-verifiable paper trail, the machines are not appropriate for real elections. Since they lack a voter-verifiable paper trail, no DRE can be trusted. Period.

I used to do magic tricks, and all magic tricks work the same way - misdirect the viewer, so that what they think they see is not the same as reality. Many magic tricks depend on rigged props, where what you see is NOT the whole story. DREs are the ultimate illusion - the naive think they know what’s happening, but in fact they have no way to know what’s really going on. There’s no way to even see the trap door under the box, as it were… DREs are a great prop for the illusion. Printing “zero” totals and other stuff looks just like a magic show to me - it has lots of pizazz, and it distracts the viewer from the fact that they have no idea what’s really going on.

I’m of the opinion that elections using DREs have already been manipulated. No, I can’t prove that an election has been manipulated, and I certainly can’t point to a specific manufacturer or election. And I sincerely hope that no elections have been manipulated. But there’s a lot of money riding on big elections, and a small fraction of that would be enough to tempt someone to do it. And many people strongly believe in their cause/party, and might manipulate an election on the grounds that it’s for the “greater good” - it need not be about money at all.

It’s crazy to assume that absolutely no one’s subverted a DRE in an election, when it’s so easy and the systems are known to be weak. The whole problem is that DRE designs make it essentially impossible to detect massive fraud, almost impossible to find the perpetrator even if you detected it, and allow a single person to control an entire election (so there’s little risk of a “squealer” as there is with other techniques to subvert elections). And if an unethical person knows they won’t be caught, it increases the probability of them doing it. Anyone who thinks that all candidates and parties are too honest to do this needs to discover the newspaper and history books. Ballot-stuffing is at least as ancient as ancient Greece, and as modern as Right Now.

These voting systems and their surrounding processes would not meet the criteria for an electronic one-armed bandit in Las Vegas. Yet there’s more at stake. Many people have motives for subverting elections - DREs provide the method and opportunity. The state commissions cannot provide any justifiable evidence that votes are protected from compromise if they use DREs. And that is their job.

For more information about the problems with DREs, see Frequently Asked Questions about DRE Voting Systems. Another interesting article is Bruce Schneier’s “The Problem with Electronic Voting Machines”.

There’s a solution, and that’s verified voting - see the verified voting site. The Verified Voting Foundation advocates the use of voter-verified paper ballots (VVPBs) for all elections (so voters can inspect individual permanent records of their ballots before they are cast and so meaningful recounts may be conducted), insists that electronic voting equipment and software be open to public scrutiny, and that random, surprise recounts be conducted on a regular basis to audit election equipment. I would add at least three things: (1) there must be separate voting stations and ballot readers, where the ballot reader totals are the only official votes (this prevents a collusion by the voting station); (2) there should be a standard paper ballot format; this makes it possible to have independent recounts using equipment from different manufacturers, as well as making it possible to mix-and-match vendor equipment (lowering costs for everyone); and (3) there should be standard electronic formats for defining elections and producing results, again to make it possible to dramatically reduce costs by enabling mixing and matching of equipment. I also think having 100% of the source code of these systems publicly available for inspection is important - the public must depend on these systems, so the public should be able to know what they are depending on. The Open Voting Consortium (OVC) is a non-profit organization dedicated to the development, maintenance, and delivery of open voting systems for use in public elections. OVC is developing a reference version of free voting software to run on very inexpensive PC hardware, which produces voter-verifiable paper ballots.

I hope that election officials will see the light, and quickly replace DREs with voting systems that could actually be trusted. If not, I think we’re headed for election disputes that will make the year 2000 disputes look like a picnic. If election officials don’t get rid of DREs, sooner or later we will have an election where one candidate wins even though all the polls will say he/she lost… and then the courts will find out that they’re untrustworthy and do not permit any kind of real audit or recount.

DREs are unfit for use in any elections that matter. They should be decommissioned with prejudice, and frankly, I’d like to see laws requiring vendors to take them back and give their purchasers a refund, or add voter-verified paper systems acceptable to the customer at no charge. (As I noted earlier, the paper needs to meet some standard too, so that you can use counting machines from different manufacturers to prevent collusion.) At no time was this DRE technology appropriate for use in voting, and the companies selling them would have known better had they done any examination of their real requirements. The voters were given a lemon, and they should have the right to get their money back.
