Tag Archives: Electronic voting

Gaming Idol With Dialers

If you’re wondering why Sanjaya Malakar has done surprisingly well in American Idol, here’s one possible answer: dialers.

Dialers are pieces of software usually stealthily installed on a victim’s computer to automatically dial expensive premium telephone numbers. The victim only finds out when they receive their phone bill. In this case, the dialer, openly available on a reputable download site, is a voluntary install designed to automate the voting process in Idol:

Sanjaya War Dialer uses your computers modem to automatically dial the American Idol voting number over and over and over again until you tell it to stop. Automatically cast hundreds or even thousands of votes for Sanjaya with the click of a button. Make Sanjaya win and help us ruin American Idol.

The Sanjaya War Dialer has its own MySpace page where users report on their votes — 600 a hour, for some. The show’s producers are aware of this, and have been lopping off blocks of votes if they seem to be coming from power dialers, as they call them, for several weeks.

Gaming the system by voting for inferior contestants is not new. Vote for the Worst claims to have been around since 2004. And DialIdol.com offers dialers for other shows, including Dancing with the Stars, So You Think You Can Dance, Canadian Idol and Celebrity Duets. DialIdol isn’t so much about gaming the system as predicting who will be voted off by seeing which hotlines are busiest.

Should we be surprised by this? No. It’s not easy to tell how many people are using these dialers, and it would need to be a lot to make it work. But we shouldn’t underestimate the number of people willing to do this, either for fun or because they have money riding on it. And of course they may not need to vote – they only need to stop other people from voting for other contestants. Do we believe American Idol when it talks of 35 million votes? That’s a lot of phone lines.

I would say this: Any kind of voting technology that isn’t transparent and clear is likely to be manipulated, either by smart hackers with something to gain, or by those arranging the voting.

(My colleague Carl Bialik talks about voting and power dialers in his blog a couple of days back. Thanks to Handoko for the Twitter tip.)

Why Is The Bush Campaign Website Blocked?

I know it’s not particularly new, but why is George W Bush’s website inaccessible outside the U.S.?

Netcraft reported last week that the site could not be reached except by users in North America. Even entering the numbered IP address appears to have been blocked. (GeorgeWBush.co.uk works fine, as does GeorgeWBush.org, but then they’re not exactly under Bush’s control.)

Netcraft’s Prettejohn is quoted by the BBC as speculating it could be an effort to ensure the website stays online during the last few days of the election campaign. But what about all the overseas voters? A Bush campaign spokesman is quoted as saying that it was done for security reasons.

To me what is lacking in coverage of this issue is the notion that the blocking may actually have an impact on the election. In 2000 Bush’s victory was certified only after overseas ballots were counted. Of course, many overseas Americans have already voted, but both parties are urging last-minute voters to fill in absentee ballots and fax them home.

AP reports that “The complicated issue of counting absentee ballots also added to the confusing array of new machines and new state voting regulations prompted by the debacle of the last race for the White House.” States, AP says, have “differing and confusing rules about deadlines for such ballots. Some states, for example, allow absentee votes to be counted days after the election, provided they are postmarked by Nov. 2. Others mandate that mailed ballots received after Election Day do not count.” On top of that, election officials in more than a dozen states missed the recommended deadline for mailing absentee ballots overseas, meaning soldiers in Iraq and Afghanistan might not get them in time to vote.

In light of this looming absentee ballot issue, why would Bush’s campaign risk losing votes by closing down the site? One argument is they’re short of money, but I can’t believe that. Another is fear of too much traffic — but then add more servers. Fear of being brought down by a Denial Of Service (DDoS) attack? Makes sense — and it may have been sparked by any earlier outage blamed by some on such an attack. But with both candidates chasing every vote they can it just does not make sense to me.

If it was just blocking the DNS name (georgewbush.com) that would make sense. But why block the IP number too (not originally blocked; it seems to have happened later)? How many users are going to access the website that way? It seems to be a deliberate attempt to block every single overseas user. Which to me means they fear a DDoS attack. Another weird episode.

The Price Of Democracy

An interesting essay by security guru Bruce Schneier (via the brianstorms weblog) on the economics of fixing an election. Put simply: How much is it worth a party to fix an election, and so how much would they be willing to spend on doing it? Put another way, how much should the folk designing an electronic voting system assume will be spent on trying to get past the security software?

Bruce does the math and concludes ”that affecting the balance of power in the House of Representatives is worth at least $100M to the party who would otherwise be losing. So when designing the security behind the software, one must assume an attacker with a $100M budget. Conclusion: The risks to electronic voting machine software are even greater than first appears.”

Scary stuff. Although much of the emphasis of such articles has been on how this might be done in established democracies (and there’s still plenty to worry about there) my worry is how about how voting systems may be exported to the developing world.

Pentagon Scraps Internet Voting Plan

Further to earlier postings about security fears for a new Internet voting system for overseas Americans, AP is quoting an anonymous official as saying the Pentagon has scrapped the plan. CNET attributes the same story to a spokesperson for the Pentagon.

AP quoted the official as saying Deputy Defense Secretary Paul Wolfowitz made the decision to scrap the system because Pentagon officials were not certain they could “assure the legitimacy of votes that would be cast.” CNET quoted a spokesperson as saying pretty much the same thing:  “The action was taken in view of the inability to ensure the legitimacy of the votes cast.” 

About 6 million U.S. voters live overseas, most of them members of the military or their relatives. Pentagon officials had said they still planned to use the system, called SERVE, this fall and would test it during last Tuesday’s South Carolina primary. But the day before the voting the Pentagon called off the South Carolina test. CNET says the Defense Department is not completely dropping the idea: “Efforts will continue to look into all technical capabilities to cast votes over the Internet,” the spokesperson was quoted as saying.

Internet Voting: A Minority Report?

A reader kindly pointed out this New York Times piece on the Internet voting story I posted yesterday, which highlights some other aspects of the case.

While four members of a panel asked to review the SERVE program — designed to allow Americans overseas to vote over the Net — said it was insecure and should be abandoned, the NYT quoted Accenture, the main contractor, as saying the researchers drew unwarranted conclusions about future plans for the voting project. “We are doing a small, controlled experiment,” Meg McLauglin, president of Accenture eDemocracy Services, was quoted as saying.

Another side to this pointed out by the loose wire reader: Accenture says that the four researchers were a minority voice, and that five of the six others ‘would not recommend shutting down the program’. One of the other outside reviewers, Ted Selker, a professor at the Massachusetts Institute of Technology, disagreed with the report, and was quoted by the NYT as saying it reflected the professional paranoia of security researchers. “That’s their job,” he said. In response one of the four naysayers noted that they were the only members of the group who attended both of the three-day briefings about the system.

The reader also makes this observation: “One of their complaints is that the Internet is inherently unsafe, which may be true. I don’t believe that the US Postal Service (which is the current method for transmitting absentee ballots) is inherently safe either. Ever seen a bag of mail sitting in a building lobby waiting for pickup? I have.” Fair enough, but unless the bag contained ballots (something I have seen in, er, less security conscious democracies), I don’t think it’s a fair comparison, since a few tampered or misdirected ballots would not undermine the integrity of the election.

The security compromises in SERVE are likely to be at the server level, where hackers could either alter delivered votes, mimic voter activity, or disrupt legitimate voters from placing their ballot. This could be done on a scale that would undermine the integrity, or at least could be believed to do so. Remember: In an electronic election (where no parallel paper ballot is collected), a claim of largescale tampering is enough to undermine confidence in the result.

My tupennies’ worth? Although the E stands for experiment, I don’t see SERVE as a ‘controlled experiment’. The NYT says the program will be introduced “in the next few weeks” and covers seven states, and a possible 100,000 people this year. That doesn’t sound like an experiment to me. Maybe I’m missing something here, but I don’t really see how you can conduct an experiment in a live voting environment. What happens if there’s a suggestion the system has been compromised, either during or after the vote? I always thought that voting systems were either approved, credible and acceptable or not in public use. Of course it’s fine to have an ‘experiment’ where the only experimental part is, say, the user-aspects of the voting process. But security can surely never be part of an experiment in a live voting situation.

Security experts are paid to be skeptical. If they raise a warning flag as big as this, I think they should be listened to.

“Internet Voting Isn’t Safe”

The e-voting saga continues.

Four computer scientists say in a new report that a federally funded online absentee voting system scheduled to debut in less than two weeks “has security vulnerabilities that could jeopardize voter privacy and allow votes to be altered”. They say the risks associated with Internet voting cannot be eliminated and urge that the system be shut down.

The report’s authors are computer scientists David Wagner, Avi Rubin and David Jefferson from the University of California, Berkeley; The Johns Hopkins University and the Lawrence Livermore National Laboratory, respectively, and Barbara Simons, a computer scientist and leading technology policy consultant. They are members of the Security Peer Review Group, an advisory group formed by the Federal Voting Assistance Program to evaluate a system called SERVE, set up to allow overseas Americans to vote in their home districts. The first tryout is scheduled Feb. 3 for South Carolina’s presidential primary.

The four say that “Internet voting presents far too many opportunities for hackers or even terrorists to interfere with fair and accurate voting, potentially in ways impossible to detect. Such tampering could alter election results, particularly in close contests.” They “recommend shutting down the development of SERVE and not attempting anything like it in the future until both the Internet and the world’s home computer infrastructure have been fundamentally redesigned, or some other unforeseen security breakthroughs appear.”

The authors of the report state that there is no way to plug the security vulnerabilities inherent in the SERVE online voting design. “The flaws are unsolvable because they are fundamental to the architecture of the Internet,” says Wagner, assistant professor of computer science at UC Berkeley. “Using a voting system based upon the Internet poses a serious and unacceptable risk for election fraud. It is simply not secure enough for something as serious as the election of a government official.”

In short, the guys are saying the Internet is just not up to handling something like voting. But they also see the way the SERVE program carries the same flaws as the Diebold and other commercial electronic voting systems that have gotten such bad press in recent weeks (some of the four authors have been in the forefront of exposing those weaknesses). “The SERVE system has all of the problems that electronic touchscreen voting systems have: secret software, no protection against insider fraud and lack of voter verifiability,” says Jefferson. “But it also has a host of additional security vulnerabilities associated with the PC and the Internet, including denial-of-service attacks, automated vote buying and selling, spoofing attacks and virus attacks.”

After studying the prototype system the four researchers said it would be too easy for a hacker, located anywhere in the world, to disrupt an election or influence its outcome by employing any of several common types of attacks familiar to regular readers:

  • A denial-of-service attack, which would delay or prevent a voter from casting a ballot through the SERVE Web site.
  • A “Man in the Middle” or “spoofing” attack, in which a hacker would insert a phony Web page between the voter and the authentic server to prevent the vote from being counted or to alter the voter’s choice. What is particularly problematic, the authors say, is that victims of “spoofing” may never know that their votes were not counted.
  • Use of a virus or other malicious software on the voter’s computer to allow an outside party to monitor or modify a voter’s choices. The malicious software might then erase itself and never be detected.

Electronic Voting And The Criminal Connection

The story of electronic voting machines, and the company that makes many of them, continues to roll along. I wrote in a column a few weeks back (Beware E-Voting, 20 November 2003, Far Eastern Economic Review; subscription required) about Bev Harris, a 52-year old grandmother from near Seattle, who discovered 40,000 computer files at the website of a Diebold Inc subsidiary, Global Elections Systems Inc, beginning a public campaign against a company she believed was responsible for a seriously flawed e-voting system., already in use in several states.

Anyway, now she’s turned up more explosive material, it seems. The Associated Press yesterday quoted her as saying that managers of Global Elections Systems “included a cocaine trafficker, a man who conducted fraudulent stock transactions, and a programmer jailed for falsifying computer records”. The programmer, Jeffrey Dean, AP reports, wrote and maintained proprietary code used to count hundreds of thousands of votes as senior vice president of Global Election Systems Inc. Previously, according to a public court document released before GES hired him, Dean served time in a Washington correctional facility for stealing money and tampering with computer files in a scheme that “involved a high degree of sophistication and planning.”

Needless to say this is all somewhat worrying. When I followed the story I tried to concern myself merely with the technological aspects, which were pretty worrying in themselves; The e-voting system being pushed by Diebold seemed to have too many security flaws to be usable in its present state. But Ms. Harris’ digging seems to reveal a company that is, to put it tactfully, less than thorough in its background checks.

So what’s Diebold’s version? AP quoted a company spokesman as saying that the company performs background checks on all managers and programmers. He also said many GES managers left at the time of the acquisition. “We can’t speak for the hiring process of a company before we acquired it”. Acccording to Ms. Harris’ website, however, that’s misleading. Quoting a memo issued shortly after Diebold bought GES in early 2002, Dean had “elected to maintain his affiliation with the company in a consulting role”. Diebold, the memo says, “greatly values Jeff’s contribution to this business and is looking forward to his continued expertise in this market place”. AP said Dean could not be reached for comment Tuesday afternoon and I cannot find any subsequent report online.

It’s hard to see how Diebold is going to recover from what has been a series of body blows to its credibility in such a sensitive field as voting. The same day as Ms. Harris revealed her latest bombshell, the company announced “a complete restructuring of the way the company handles qualification and certification processes for its software, hardware and firmware”. Diebold hopes the announcement will “ensure the public’s confidence that all of our hardware, software and firmware products are fully certified and qualified by all of the appropriate federal, state and local authorities prior to use in any election”.

Clearly the whole fracas has done serious damage to public confidence in electronic voting. But it’s important to keep perspective. There’s nothing wrong intrinsically with e-voting — it’s a sensible way to speed up the process, make it easier for citizens and, perhaps, to extend the use of such mechanisms to allow the population to have a greater and more regular say in how their lives are governed. But like every technological innovation, it’s got to be done right, by the right people, with the right checks and balances built in, and it can’t be done quickly and shoddily. Most importantly, it’s got to be done transparently, and those involved in building the machines must never be allowed to conceal their incompetence by preventing others from inspecting their work and assessing its worthiness.

For details of Ms. Harris allegations, check out her website Blackbox Voting. A summary of the press conference is here, as are the supporting documents (both PDF files.)

Diebold Confirms Dropping E-voting Suit

 Diebold, the electronic voting company and the subject of a recent Loose Wire column, have confirmed that they’ve decided not to sue folk who published leaked documents about the alleged security breaches of electronic voting. 
 
AP reports (no URL available yet) that a Diebold spokesman promised in a conference call Monday with U.S. District Judge Jeremy Fogel and attorneys from the Electronic Frontier Foundation that it would not sue dozens of students, computer scientists and ISP operators who received cease-and-desist letters from August to October. 
Diebold did not disclose specifics on why it had dropped its legal case, but the decision is a major reversal of the company’s previous strategy. Ohio-based Diebold, which controls more than 50,000 touch-screen voting machines nationwide, had threatened legal action against dozens of individuals who refused to remove links to its stolen data.
 

Update: Diebold Withdraws E-voting Suit?

 Further to my column about e-voting a few weeks back, Diebold, maker of electronic voting machines, has apparently withdrawn its suit against an ISP and some individuals for posting leaked company documents about some of the problems with their system.
Stanford Law School reports that Diebold had filed papers with the court saying it ?has decided not to take the additional step of suing for copyright infringement for the materials at issue. Given the widespread availability of the stolen materials, Diebold has further decided to withdraw its existing DMCA notifications and not to issue any further ones for those materials.?
 
No mention of this yet on the Electronic Freedom Foundation’s website (which is funding legal protection for the ISP) or Diebold’s.

Loose Wire: The State We

Loose Wire: The State We Could Be in

By Jeremy Wagstaff
from the 28 March 2002 edition of the Far Eastern Economic Review, (c) 2003, Dow Jones & Company, Inc.

Voting in your underwear? Sounds an appealing proposition: the chance to exercise your constitutionally protected right without actually having to leave your home. You could be watching Frasier while working out which candidate you want to mess things up for you for the next three/four/25 years, based on criteria such as which one most closely resembles a Teletubby/Frasier’s brother Niles/your Aunt Maudlin.

Yes, the lure of Internet voting is coming around again. In May, soccer enthusiasts will be able to vote for their favourite players in the World Cup via a joint South Korean and Japanese project (mvp.worldcup2002.or.kr; the site is not fully functioning yet). This is just an on-line poll, of course, and doesn’t add much to the mix except to try to introduce a new social group (soccer fans) to the concept of on-line voting. Elsewhere, however, on-line voting is already kicking in: Some towns in Britain are undertaking pilot projects allowing voters to choose their local councillors via the Internet, or even via SMS, in borough elections in May.

I don’t want to be a killjoy, but this kind of thing gives me the heebie-jeebies. The arguments in favour of on-line voting make sense — faster counting, less human error, attracting younger, hipper voters with handphones and Internet connections in their hatbands, higher turnouts, you can vote in your underpants, etc., etc. — until you actually think about it. Computers, we’ve learned since we plugged one PC into another, are notoriously insecure. Viruses are now so sophisticated and prevalent that many security consultants advise their clients to update their anti-virus software every day. What are the chances of a voting system not being a juicy target for people writing these nasty little vermin programs?

Another argument wheeled out in favour of Internet voting is this: The Web is now managing billions of dollars of transactions successfully, so why can’t it handle voting? There’s a simple answer to this, as security consultant Bruce Schneier of Counterpane Internet Security (www.counterpane.com) explains: The whole point of voting is that it’s supposed to be anonymous, whereas any financial transaction has attached to it details of payee, recipient and other important data. This makes it much, much harder to protect any voting system from fraud, much harder to detect any fraud and much harder to identify the guy conducting the fraud. What’s more, if there was evidence of fraud, what exactly do you do in an on-line vote? Revote? Reconduct part of the vote? Chances are that faith in the overall ballot has been seriously, if not fatally, undermined.

Some of these problems could be done away with via ATM-style machines that print out a record of the vote. That could then be used in any recount. But it’s still not enough: As on-line voting expert Rebecca Mercuri points out, there is no fully electronic system that can allow the voter to verify that the ballot cast exactly matches the vote he just made. Some nasty person could write code that makes the vote on the screen of a computer or ATM-machine printout different from that recorded. This may all sound slightly wacky to people living in fully functioning democracies. But (political point coming up, cover your eyes if you prefer) democracies can be bent to politicians’ wills, and one country’s voting system may be more robust than another’s.

Scary stuff. Florida may seem a long way away now, but the lesson from that particular episode must be that any kind of voting system that isn’t simple and confidence-inspiring gives everyone stomach ulcers. The charming notion that the more automation you allow into a system, the more error-free and tamper-proof it becomes, is deeply misguided. The more electronics and automation you allow into the system, the less of a role election monitors can play.

Internet voting, or something like it, may well be the future. I’d like to see it wheeled out for less mission-critical issues, like polling for whether to introduce traffic-calming measures in the town centre, or compulsory kneecapping for spitters, say. But so long as computers remain fragile, untamed beasts that we don’t quite understand, I’d counsel against subjecting democracy to their whim. Even if I am in my underpants.