As I write this, today is election day in the US. For reasons that may seem absurd to those non-US folks reading this, we have multiple types of voting machines here. Some places use electronic touch screens, some have paper ballots where voters fill in bubbles or complete an arrow with a pencil. Those paper ballots are then scanned by a computer and remain in a pile in a locked box below the scanner. There are other machines, too.
I thought I’d do a quick Google for “how secure are voting machines.” I got 2.3 million hits. All the ones I actually read said that there were vulnerabilities in electronic voting. This is not surprising, but it is really unacceptable in a major republic.
I read about voting machines that took simple keys to open. So simple, in fact, that a screwdriver or another key of the same size would unlock the compartment where the electronics were located. The attacker could then presumably reprogram the computer inside the machine.
Some issues were due to faulty machines, of course. Some were due to poor design, too. There were stories of voting machines that took so many votes, they threw out some due to lack of memory. Some just failed to record some votes.
The consensus seems to be that hacking the machines is easy. The data are encoded, but apparently not encrypted. On many machines there is no paper trail. Why are the machines so easy to hack?
The issues were recognized as early as 1975 when predecessors to the Federal Election Commission and the National Institute of Standards and Technology reported on a number of the issues. Subsequently a list of voluntary standards was created.
We now have the Election Assistance Commission to help with voluntary standards. You can visit their website. Under “Voting System Testing and Certification” they have a list of Certified Systems. Some of the systems appear to have been certified in early 2012 so we should be OK for this election, right? Or is certification to 2005 standards not enough? Or are some states using uncertified systems? Since the standards are voluntary, it seems that not all states require them (this may be slightly dated – 2010 – but the idea is clear). News reports today indicate that in at least some cases new, untested software was installed in the machines at the last minute.
I could probably go on for quite a while. The point is that there is no standard, not everything is tested and lots of people seem to know that the system is insecure. While I am not one for lots of regulation, it would seem to me that good security practices, such as those participants learn in Learning Tree Course 468, would be a good start on this issue. In the Comments below, list what you think we need to do.