Graduate and undergraduate students at Rice University are learning how easy it is to wreak havoc on today’s voting machines. As part of an advanced computer science class, students do their best to rig a voting machine in the classroom.
Here’s how it works: The class is split into two teams. In phase one, the teams play unscrupulous programmers at a voting machine company. Their task is to make subtle changes to the Hack-A-Vote’s software that will alter the election’s outcome but that can’t be detected by election officials. In the second phase, the teams play software regulators who certify the code submitted by the hacking team.
The results prove it’s easy to insert subtle changes to the voting machine. If someone has access and wants to do damage, it’s a straightforward hack. The good news is the regulator team often find the hack. Often, but not always.
Worse: In real life, finding the hack would probably be too late. Real voting-machine software is larger and more complex than the Hack-a-Vote machine. “We have little reason to believe that the certification and testing process used on genuine voting machines would be able to catch the kind of malice that our students do in class,” says Dan Wallach, Director of Rice’s Computer Security Lab tests. “If this happened in the real world, real votes could be compromised and nobody would know.”
Dan Wallach is a blogger at Freedom To Tinker. Andrew Appel of Princeton blogs there too. His latest post is about the New Jersey Superior Court prohibiting the scheduled release of a report on the security and accuracy of the Sequoia AVC Advantage voting machine:
Last June, Judge Linda Feinberg ordered Sequoia Voting Systems to turn over its source code to me (serving as an expert witness, assisted by a team of computer scientists) for a thorough examination. At that time she also ordered that we could publish our report 30 days after delivering it to the Court—which should have been today. Three weeks after we delivered the report, on September 24th Judge Feinberg ordered us not to release it. This is part of a lawsuit filed by the Rutgers Constitutional Litigation Clinic, seeking to decommission of all of New Jersey’s voting computers. New Jersey mostly uses Sequoia AVC Advantage direct-recording electronic (DRE) models. None of those DREs can be audited: they do not produce a voter verified paper ballot that permit each voter to create a durable paper record of her electoral choices before casting her ballot electronically on a DRE. The legal basis for the lawsuit is quite simple: because there is no way to know whether the DRE voting computer is actually counting votes as cast, there is no proof that the voting computers comply with the constitution or with statutory law that require that all votes be counted as cast.
Julia Whitty is Mother Jones’ environmental correspondent, lecturer, and 2008 winner of the Kiriyama Prize and the John Burroughs Medal Award.