BRAD BLOG reader "Plumb Bob" left this comment recently, following our short piece on concerns about the results of last week's Mayoral race in Chicago:
This alleged rigging of a lottery drawing reported today:
http://arstechnica.com/t...to-score-winning-ticket/So if one guy can do it with all the security measures (and lottery dollars are government money) and only get caught because he can't figure out how to cash the ticket...He did this for a measly $14 mil; what's a state wide or national election worth? Either in dollars for the mercenary, or in effort for the true believers?Explain again how electronic voting is secure? This sure looks like a contrary proof to me.
"Plumb Bob" is, of course, absolutely right.
But there's far more to this story that should be used as a huge takeaway for those partisans and profiteers who continue to push not just for electronic voting, but for Internet Voting, even as a recent Internet Voting scheme in Australia's New South Wales was found to be vulnerable to manipulation and has resulted, as predicted, in an election with some 66,000 votes that many feel may have been tampered with.
Insider access
After the disputed 2004 Presidential election, a private panel calling themselves the "Commission on Federal Election Reform" was formed by some highly placed George W. Bush operatives. The scheme was meant to look a lot like the official blue-ribbon National Commission on Federal Election Reform, created by Congress after the disputed 2000 Presidential election to offer recommendations on how to avoid a similarly disastrous election in the future.
The 2000 commission was co-chaired by former Presidents Gerald Ford and Jimmy Carter. The phony 2004 commission was co-chaired by Bush-family consigliere James A. Baker III (the man who successfully convinced the U.S. Supreme Court that millions of Florida votes in 2000 should never be counted); for a patina of officialdom, President Carter was somehow hoaxed into joining him as co-chair.
The purpose of the Baker/Carter Commission was not to make recommendations to avoid serious problems that occurred in several states during the 2004 Presidential election, most notably in Ohio, but to distract from those problems by putting forward a recommendation for polling place Photo ID restriction laws nationally. Indeed, the commission's "findings" are still cited [PDF] by partisans today in support of restrictive Photo ID laws.
As we reported, often exclusively at the time of the commission's creation and work, the entire matter was a sham. Nonetheless, among the findings put forward by the fake commission's final report [PDF] was that it was not voters who were most likely to game the system with fraud, but election insiders.
"The greater threat to most systems comes not from external hackers, but from insiders who have direct access to the machines," the report noted. "There is no reason to trust insiders in the election industry any more than in other industries, such as gambling, where sophisticated insider fraud has occurred despite extraordinary measures to prevent it."
That's right. It's almost always the insiders who have the access to game these systems most easily and with the least likelihood of detection.
Lottery insider
In the lottery scheme cited by "Plumb Bob," prosecutors charge, according to Ars Technica, that it was an indeed an insider, the head of computer security for a state lottery association, who "tampered with lottery computers prior to him buying a ticket that won a $14.3 million jackpot."
According to prosecutors, the alleged perpetrator, 51-year old Eddie Raymond Tipton, "inserted a thumbdrive into a highly locked-down computer that's supposed to generate the random numbers used to determine lottery winners," before then purchasing the winning ticket at a local convenience store:
In court documents filed last week, prosecutors said there is evidence to support the theory Tipton used his privileged position inside the lottery association to enter a locked room that housed the random number generating computers and infect them with software that allowed him to control the winning numbers. The room was enclosed in glass, could only be entered by two people at a time, and was monitored by a video camera. To prevent outside attacks, the computers aren't connected to the Internet. Prosecutors said Tipton entered the so-called draw room on November 20, 2010, ostensibly to change the time on the computers. The cameras on that date recorded only one second per minute rather than running continuously like normal."Four of the five individuals who have access to control the camera's settings will testify they did not change the cameras' recording instructions," prosecutors wrote. "The fifth person is defendant. It is a reasonable deduction to infer that defendant tampered with the camera equipment to have an opportunity to insert a thumbdrive into the RNG [Random Number Generator] tower without detection."
If the prosecutors are correct, it means that even a highly secured, glass enclosed computer room with 24-hour-a-day security cameras, very limited access and rules requiring at least two people must enter at once, were not able to defeat a determined insider. If a multimillion dollar lottery system that runs 365 days a year and is manned by a full-time staff of security professionals can be defeated, how is it even possible that anyone could imagine under-funded local election officials could defeat an electronic scheme to defraud an election?
Why Internet Voting cannot work
Electronic voting and computerized tabulators are already bad enough, but no matter how many times Internet Voting schemes are proven to be hackable, there are those who continue to push for such systems anyway.
Even while worldclass computer scientists and security experts continue to advise against it in no uncertain terms, and repeatedly demonstrate how such schemes can be manipulated (by both outsiders and, far more easily, by insiders), profiteers and (often) partisans continue to call for Internet Voting and continue to pretend that it can be done securely.
Late last month, just before a new Internet Voting scheme made by a company named iVote was set to be used in Australia's New South Wales, a "major security hole" was discovered that, according to the Australian Broadcasting Company's report, "could allow an attacker to read or change someone's vote."
"The analogue would be pulling someone's postal vote envelope out of the post, pulling out their vote and finding out how they intended to vote and then putting a different ballot in instead," said one of the researchers, University of Melbourne computer scientist Dr. Vanessa Teague, who discovered the vulnerability. "They could potentially do this in an automated way to a very, very large number of votes," she explained, and voters would never know it had happened.
Following the New South Wales election at the end of March, as UK's SC Magazinereports, "As many as 66,000 votes in the New South Wales state election 2015 could have been tampered with."
The magazine, which describes itself as a publication "for IT security professionals", cites a comment from the Schneier on Security blog noting that those taking advantage of the vulnerabilities of iVote's system "could already have helped certain powerful people remain in power. Votes could be switched, polls could be manipulated, the media could be fooled and democracy destroyed."
Naturally, the officials responsible for deploying the system in the first place were incensed at the revelations and attempted to attack the motives of the computer scientists, forcing the non-profit, non-partisan Verified Voting Foundation, for whom the scientists serve in a volunteer advisory capacity, to respond in kind.
In an open letter to the director of the New South Wales Electoral Commission, Verified Voting President Pam Smith was forced to remind him that "There are many unsolved problems with Internet voting that make it infeasible to carry out securely at this time."
"There's no way to independently confirm [an Internet Voting system's] correct functioning and that the outcomes accurately reflect the will of the voters while maintaining voter privacy and the secret ballot," Smith writes. She also adds: "The US National Institute of Standards and Technology (NIST), the federal agency directed by the US Congress to examine and set standards for online voting, has concluded that secure Internet voting is currently not feasible" and that "senior cyber security officials at the US Department of Homeland security have warned that online voting is inadvisable and premature."
While Teague and the University of Michigan's Dr. Alex Halderman alerted NSW officials of the vulnerability in time to make last minute changes to the system, there is no way to know if other vulnerabilities still existed. Thus, weeks later, SC Magazine's report on 66,000 votes cast in the election which "could have been tampered with."
Once again: 'Democracy's Gold Standard'
What happened in New South Wales reminds us, once again, that Internet Voting can't be done securely. But, even if it is, somehow, done securely --- and can somehow also be kept secure even from insiders, as the lottery story reminds us --- the even bigger problem remains that nobody can know if an Internet election has been carried out securely. That inability to know erodes confidence in democratic elections as badly as if they actually had been manipulated by outsiders or insiders alike.
So, to sum up: Internet elections cannot be made secure, particularly from insiders who, no matter what, can get away with gaming the system (in ways that are very likely to go undetected by the public) and, even if any particular election has been kept secure, the public needs to know that it has been kept secure.
Oh, and --- since so many Internet Voting profiteers try to offer this particular angle to offer (false) assurance to the public --- the ability to verify that your own vote has been recorded accurately by the system does not assure election results are accurate or offer any real confidence to that end to voters.
That's true for a number of reasons, but in brief: A system that allows you to check how your vote was recorded would a) also allow you to sell your vote and b) may show you how you voted, but can't assure that the final reported results of the election actually included the vote as you intended it. In other words, you can be shown anything in regard your own personal vote, but a system that doesn't let everyone, after an election, to assure that every vote was counted as cast by every voter, is a system that fails the needs of a truly democratic election in which the public can have full confidence.
After covering this beat for more than a decade, so far, the only system we've been able to find that meets those basic requirements is a system which includes hand-marked paper ballots, counted publicly by hand, at each precinct, with results posted decentrally at the polling place before those hand-marked paper ballots are moved anywhere. We call it "Democracy's Gold Standard".
Anything short of that is either a scam, or a system that undermines the most basic values of electoral democracy.
Shares