Hack-A-Vote

Graduate and undergraduate students at Rice University are learning how easy it is to wreak havoc on today's voting machines. As part of an advanced computer science class, students do their best to rig a voting machine in the classroom.

Here's how it works: The class is split into two teams. In phase one, the teams play unscrupulous programmers at a voting machine company. Their task is to make subtle changes to the Hack-A-Vote's software that will alter the election's outcome but that can't be detected by election officials. In the second phase, the teams play software regulators who certify the code submitted by the hacking team.

The results prove it's easy to insert subtle changes to the voting machine. If someone has access and wants to do damage, it's a straightforward hack. The good news is the regulator team often find the hack. Often, but not always.

Worse: In real life, finding the hack would probably be too late. Real voting-machine software is larger and more complex than the Hack-a-Vote machine. "We have little reason to believe that the certification and testing process used on genuine voting machines would be able to catch the kind of malice that our students do in class," says Dan Wallach, Director of Rice's Computer Security Lab tests. "If this happened in the real world, real votes could be compromised and nobody would know."

Dan Wallach is a blogger at Freedom To Tinker. Andrew Appel of Princeton blogs there too. His latest post is about the New Jersey Superior Court prohibiting the scheduled release of a report on the security and accuracy of the Sequoia AVC Advantage voting machine:

Last June, Judge Linda Feinberg ordered Sequoia Voting Systems to turn over its source code to me (serving as an expert witness, assisted by a team of computer scientists) for a thorough examination. At that time she also ordered that we could publish our report 30 days after delivering it to the Court—which should have been today. Three weeks after we delivered the report, on September 24th Judge Feinberg ordered us not to release it. This is part of a lawsuit filed by the Rutgers Constitutional Litigation Clinic, seeking to decommission of all of New Jersey's voting computers. New Jersey mostly uses Sequoia AVC Advantage direct-recording electronic (DRE) models. None of those DREs can be audited: they do not produce a voter verified paper ballot that permit each voter to create a durable paper record of her electoral choices before casting her ballot electronically on a DRE. The legal basis for the lawsuit is quite simple: because there is no way to know whether the DRE voting computer is actually counting votes as cast, there is no proof that the voting computers comply with the constitution or with statutory law that require that all votes be counted as cast.

Julia Whitty is Mother Jones' environmental correspondent, lecturer, and 2008 winner of the Kiriyama Prize and the John Burroughs Medal Award.

Comments

Given that the contract for these machines went to a friend of W I think it's unrealistic to think they haven't built a 'back door' into them.
Given the history of Republicans cheating at elections it might even be unRepublican not to have tweaked them thus...

Posted by: Fair Trade on 10/08/08 at 3:50 AM Respond

While I agree with Fair Trade that Diebold probably has a backdoor in their voting maching programs, I'm not as concerned about them tweaking the results of the election as I once was. The next president and congress have a hell of a mess to clean up; the economy, Iraq, Afghanistan, global warming, etc., and they aren't going to be able to do it without making some hard and unpopular decisions. I think the Repubs might just cut their losses this time around and set up a campaign to sabotage any policies the Dems come up with, then use that "failure" as a rallying standard for the next elections.

Posted by: R.Stolle on 10/10/08 at 12:47 PM Respond

It's not only fair to do this, but necessary.

The worst of possibilities is a voting system that can be hacked only by the "priests." This is especially so, if the priests who make and (potentially alter) these machines are partisan in their own right. Which they most definitely are. The heads of these companies have come out supporting the RepubliCon agenda.

A public who buys and votes on machines made by such people is just ASKING for their votes to be altered to fit the priorities of those most familiar with the machines.

In the short run, letting young hackers at the machines will alert voters to how fragile their voting franchise is. In the long run, it should spur the development of unhackable (or nearly so) systems, like, um...paper ballots?

I refuse to entrust my vote to a machine of any kind, period. I simply will not use them. If you want your vote to count (and want to encourage your poll officials to use the most secure voting technology) you should also refuse to use any machine, and demand a paper ballot instead.

Yes, counting takes longer with paper, and (sometimes) the count can be confusing. But hold that up against the near-certainty over time, of someone hacking these machines and altering the vote, and I think the choice is clear.

Politics is, in large part, the art of deception. If there are loopholes, or opportunities to cheat, sooner or later someone will do so. And it could (will) happen at a time when it matters most; such as the present election.

Simple is best. Stick with paper!

Posted by: Dan Mortenson on 10/29/08 at 9:15 PM Respond