Sunday, October 17, 2021

Governments can ensure EVMs are tamper-proof but won’t

If the much-touted Voter Verifiable Paper Audit Trail (VVPAT) system is itself prone to manipulation like electronic voting machines (EVMs), are there practical alternatives that can make the election process quicker while preserving its integrity? The answer is yes and better still, the process doesn’t involve the use of paper.

The person who made the recommendations is a highly accomplished computer scientist with a very strong research focus on EVM security. It may say a lot about governments and EVM manufacturers that the recommendations of Michael Shamos, Distinguished Career Professor in the School of Computer Science at Carnegie Mellon University in the United States, have not been adopted. Shamos, who has served as an expert witness in more than 160 cases involving computer technology and has conducted over 120 voting system examinations for seven states since 1980, has made at least three important recommendations.

The first is that EVMs must be architecturally separated into two distinct devices: a panel whose only function is to display the ballot and capture voter choices, and a tabulation and recording device, which accepts input from the panel and performs computations. His recommendation is that the panels and tabulation devices be supplied by different manufacturers.

“Now suppose we feed the output of the panel to two different devices simultaneously. One is the tabulation machine; the other is an audit device made by yet a third manufacturer and programmed by an independent body, such as an accounting firm or public interest group not affiliated with the tabulation manufacturer. The audit device displays the voter’s choices on a screen of its own for verification. The voter views the audit screen, and if it is correct, presses a ‘VOTE’ button. Both the tabulation device and the audit device make redundant read-only records of each ballot image. At the end of the election, all the records are compared. If they are different in any respect whatsoever, the results from that machine are called into question and an investigation is launched. An examination of the software installed in the two devices should reveal whose records are the reliable ones,” Shamos writes in an academic paper titled “Paper v. Electronic Voting Records – An Assessment.”

His assessment is that for as long as there is no collusion between the audit device manufacturer and the tabulation manufacturer, no amount of tampering with either machine will go unremedied: “The prospect of tampering identically with both, since their software systems would be completely different, is too small to consider seriously. The audit device could easily be outfitted so disabled voters could verify their votes.”

EVM manufacturers are notoriously secretive, claiming that their software is a trade secret. Giving a public lecture on “The Voting Machine War”, David Dill, a professor of Computer Science at Stanford University in the US posed: “Why am I always being asked to prove these systems aren’t secure? The burden of proof ought to be on the vendor. You ask about the hardware. ‘Secret.’ The software? ‘Secret.’ What’s the cryptography? ‘Can’t tell you because that’ll compromise the secrecy of the machines.’… Federal testing procedures? ‘Secret’! Results of the tests? ‘Secret’! Basically, we are required to have blind faith.”

Having studied the source codes of voting systems for over 30 years, Shamos says that the software-as-trade-secret mantra is a myth. His theory is that EVM manufacturers “don’t want the public to see how bad their code is”, don’t want to make matters easy for competitors and hide security measures which, if disclosed, would provide a roadmap for hackers.

“They all do the same thing, albeit in somewhat different ways,” Shamos asserts in his paper. “No vendor’s software is a significant selling point providing any competitive advantage over other systems – jurisdictions focus on the hardware. All the software has facilities for setting up elections, storing the candidate and party names in a database, presenting ballot choices to the voter, tabulating and storing the results and possibly transmitting them after the election. The systems vary in ease of use and capacity, but they do not contain trade secrets for the simple reason that every aspect of election setup and balloting is well-known to all.”

On that basis, he suggests that the ballot setup, display, tabulation and reporting sections of voting system code should not be kept secret.

What he sees as “the ultimate protection against malicious code” is to keep candidate and party names segregated from the software so it cannot perform any meaningful manipulation. A machine programmed to move votes from one party to another will be stymied if it is unable to determine the party with which a candidate is affiliated or even which candidate is associated with a given ballot position.

“This can be done by presenting the candidate and party names and issue text in the form of graphic files that can only be read by a human being. The only thing the software can do is faithfully record the numbers of the ballot positions that were selected. Of course, since it also knows no candidate names, it can only report results by ballot position. To defeat such a countermeasure the software would have to contain a complete optical character recognition algorithm,” Shamos says.
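A minimal model of the two ideas above, the panel feeding a tabulator and an independently built audit device with an end-of-election comparison, and a tabulator that can only tally by ballot position because it never sees a name. This is an added illustration, not code from Shamos's paper; the device classes, the sample ballot images and the tampering behaviour are all constructed for the example.

```python
from typing import Dict, List, Optional, Tuple

BallotImage = Tuple[int, ...]  # the selected ballot positions for one voter, e.g. (1, 4)


class ReadOnlyRecord:
    """Append-only store of ballot images; nothing is exposed that alters a stored image."""
    def __init__(self) -> None:
        self._images: List[BallotImage] = []
    def append(self, image: BallotImage) -> None:
        self._images.append(tuple(image))
    def images(self) -> Tuple[BallotImage, ...]:
        return tuple(self._images)


class Tabulator:
    """Tabulation device: keeps its own record and tallies by ballot position only."""
    def __init__(self) -> None:
        self.record = ReadOnlyRecord()
        self.tally: Dict[int, int] = {}
    def accept(self, image: BallotImage) -> None:
        self.record.append(image)
        for pos in image:
            self.tally[pos] = self.tally.get(pos, 0) + 1


class TamperedTabulator(Tabulator):
    """Hypothetical malicious build: silently moves every vote at position 2 to position 1.
    It has no idea which candidate or party sits at either position."""
    def accept(self, image: BallotImage) -> None:
        super().accept(tuple(1 if p == 2 else p for p in image))


class AuditDevice:
    """Independently built device: shows the image on its own screen, records it on VOTE."""
    def __init__(self) -> None:
        self.record = ReadOnlyRecord()
    def accept(self, image: BallotImage, voter_confirms: bool = True) -> None:
        if voter_confirms:  # the voter checked the audit screen and pressed VOTE
            self.record.append(image)


def cast(panel_output: BallotImage, tab: Tabulator, audit: AuditDevice) -> None:
    """The panel feeds the same ballot image to both devices simultaneously."""
    tab.accept(panel_output)
    audit.accept(panel_output)


def reconcile(tab: Tabulator, audit: AuditDevice) -> List[Tuple[int, Optional[BallotImage], Optional[BallotImage]]]:
    """End-of-election comparison: any difference whatsoever is reported as a discrepancy."""
    a, b = tab.record.images(), audit.record.images()
    diffs = [(i, x, y) for i, (x, y) in enumerate(zip(a, b)) if x != y]
    if len(a) != len(b):  # a missing or extra ballot image also calls the machine into question
        diffs.append((min(len(a), len(b)), None, None))
    return diffs


def run_election(tab: Tabulator) -> Tuple[Dict[int, int], list]:
    """Constructed sample election of four voters; returns the position-only tally and discrepancies."""
    audit = AuditDevice()
    for image in [(1, 4), (2, 4), (2, 5), (1, 5)]:
        cast(image, tab, audit)
    return tab.tally, reconcile(tab, audit)
```

Mapping positions back to candidate names happens outside the devices, after the position-only tally has been published.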

He acknowledges the possibility of a conspiracy in which a tamperer’s confederate could, while voting, provide information via touchscreen selections or the write-in panel that could inform the software of the particular voting positions to manipulate. He notes though that such an act would have local effect only, since it would take one confederate for each voting machine involved. 

“It would not be feasible to perform manipulation on a large scale with such a scheme.”
