How to steal an election

I found an interesting article today on /. that lays out in some detail the problems with “state of the art” direct recording electronic (DRE) voting machines. There is a lot of good information in this article for those of us interested in using technology to support the elections process AND make elections more secure.

Some of the information on the Diebold AccuVote TS (a popular DRE voting unit) just floored me…

The GEMS database stores all of the votes collected from precinct accumulators, and it’s used to do the vote tabulation for a county. Because it’s so sensitive, you might think it would be tightly secured. But you’d be wrong.

The GEMS database is a vanilla, unencrypted Microsoft Access database that anyone with a copy of Access can edit. So if you have physical access to the GEMS server’s filesystem (either locally or remotely), then it’s not too hard to just go in and have your way with the vote totals. If Access isn’t installed on a particular GEMS server, just install it from a CD-ROM, or connect remotely from a laptop and edit the database that way.

Access?!?! No wonder people are so paranoid about DRE voting, and insistent on a verifiable paper trail. I’ve thought a lot about security in the telephone-based voting project I am working on, and I hope to use some of the points made in this article as context to describe why I think my system will be much more secure. (Particularly since I’ll be using a real database on the backend.)

I don’t want to get too far ahead of myself – I’ve still got to finish the $#@^% thing – but one of the things I have spent the most time on so far has been security related features.

More to come – stay tuned.

5 thoughts on “How to steal an election

  1. Just a couple of questions:
    Are you planning a speech recognition or dtmf driven voting system?
    How will you identify voters?
    How do you stop people voting more than once?

  2. The plan is to build a speech-enabled voting system.

    Speech is particularly important for the verification of votes. The system will accept a caller’s vote by matching their utterance against a grammar (as you would expect) and incrementing a vote count in a database table. However, It will also record their utterance on successful grammar match and store it as a separate audio file. The audio files can be used to validate election results in the database table, much like the proposals that call for a verifiable voting record (i.e., a paper trail) of votes submitted in a voting booth.

    Callers will use identification numbers that can be assigned by election authorities when they register, or in preparation for an election. Each voter will have a unique ID number. The first thing they do when they call into the system is log in using their ID.

    When a caller places a vote, and their vote is finalized, their status in the database of eligible voters will be changed from “has not voted” to “already voted”, so they won’t be able to vote more than once.

    When I finished with the beta version, I plan on doing a lot of writing on the security aspects that I have tried to incorporate. Much more to come on this subject.

  3. I presume the ID is typed in using DTMF.

    But what’s missing is the verification. I could steal someone’s ID, ring the system and cast their vote. There’s no verification, as in a driver’s licence or a passport.

    And of course, if someone speaks unclearly you have all the fun and games of the confirmation dialogs.

    What advantages would it have over traditional voting?

    Are you thinking of incorporating speaker recognition?

  4. The ID could be entered in using speech, with a fall back to DTMF if not recognized. The default “inputmodes” setting on most platforms is both dtmf and speech, so either would be acceptable.

    To you your point about verification, I’d make several observations. Driver’s licenses and passports can (and often are) faked. Moreover, some jurisdictions in the U.S do not require these forms of ID at a polling places. In some places, a voter ID card (usually some form of paper, without a picture) is all that is needed. Since these are mailed in many jurisdictions in bulk at roughly the same time (usually before a primary election), all one would need to do is walk along a street and pilfer these from the neighbors.

    Using a phone-based system, we can accept an ID more securely by doing several things:

    * Checking the ANI of the caller to see if it matches the phone number on record for that voter (even though this can be spoofed, it’s worth checking — who said fraudsters aren’t lazy sometimes).

    * Asking the caller to further verify their identity — last four digits of their SSN, zip code of their address, birth year, etc.

    * Placing a verification call back to the voter after the initial call is complete. This would allow the voter another chance to confirm their vote, and pretty much guarantee the identity of the caller. In other words, after a voter places a call to the system and votes, the system ends the call and then calls them back at the phone number of record for that voter (i.e,, their home phone). The system them asks them to confirm their vote one more time. A thief may be able to steal an ID number and spoof my ANI, but if he/she is actually in my home to receive a verification call back, I’ve got bigger problems than voter fraud.

    All of this is explained in a bit more detail here: http://vote.nist.gov/ecposstatements/phone_voting_whitepaper.doc

    Having said all of this, the system I envision is not for every voter. It is meant primarily for voters with visual or other disabilities that have challenges traveling to polling places.

    I’m interested in speaker verification, but until it becomes a standard part of the VoiceXML spec, I probably won’t include it in the system I’m building. Worth a look down the road.

  5. The call back is a nice idea – though as you say in the paper, this works best for home phones rather than behind a PBX. Contract cell phones would work even better, as they generally aren’t shared.

    I’m hoping they’ll put speech rec in VoiceXML 3.0, along with a whole bunch of other things!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s