Friday, October 29, 2010

Frightening Experiment with Touch Screen Voting

Professor Doug Jones of the University of Iowa experimented with setting up a touch screen voting machine to flip votes for Obama and McCain. He then had people "cast their votes" on the machine, and interviewed them about the experience.

Click here for complete paper.

One thing we did in our experiment was to ask a number of user satisfaction questions as a followup. An important question in this batch was: "Are you confident that the machine correctly recorded your vote?" The majority of voters were very confident. Curiously, this confidence did not go down much when we rigged the machine to flip the votes for McCain and Obama.

Why? First, note that half the voters did not notice this switch (emphasis added). People felt strongly about their presidential preference, but people, in general, are not very good at proofreading. The summary screen that comes up at the end of the voting session clearly showed McCain for the Obama voters and visa versa, yet they did not notice.

Among people who did notice, the usual reaction was "Huh?" and then they went back to fix the problem. In general, people assume that the machine is right and assume that it was their error, not the machine's dishonesty. Only a small fraction of our voters
(or more properly, experimental subjects) commented on the fact that we'd flipped their votes.

This has important consequences for the real world. Most people do not complain when there is a problem. They assume that it was their mistake and go back and fix it. I assume that things would be different if the machine did not let them fix the vote flip, but if the machine lets them fix it, the fact that some voters are complaining suggests that there may be far more voters who notice the problem and are silent, and that even more voters may have had their votes flipped but didn't notice the problem.

Friday, October 8, 2010

Absolutely Devastating

Absolutely Devastating Testimony on Internet Voting

Prof. J. Alex Halderman of the University of Michigan describes his group's ability to take complete control of Washington, DC's test of internet voting security.

Wednesday, October 6, 2010

Internet Voting comments by David Jefferson of Verified Voting

(Feel free to forward in full with attribution to David Jefferson of Verified Voting.)

University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia's proposed Internet voting system which has been under test for the last week. (See It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days.

Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that security community have been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Computer security and election experts have been saying for over 10 years that the transmission of voted ballots over the Internet cannot be made safe with any currently envisioned technology. We have been arguing mostly in vain that:

1) Remote attack: Internet voting systems can be attacked remotely by any government, any criminal syndicate, or any self aggrandizing individual in the world.

2) Effective defense virtually impossible: There are innumerable modes of attack, from very easy to very sophisticated, and if anyone seriously tried to attack an Internet election the election officials would have essentially no chance at successfully defending. The election would be compromised

3) Attackers may change votes arbitrarily: An attack need not just prevent people from voting (bad as that would be), but could actually change large numbers of votes, allowing the attackers to determine the winner.

4) Attacks may be undetected: An attack might go completely undetected. The wrong people could be elected and no one would ever know.

Prof. Halderman demonstrated all of these points:

1) Remote attack: His team of four conducted their attack remotely, from Michigan, via the Internet, without ever getting near Washington, D.C.

2) Effective defense virtually impossible: Although they were restricted from most modes of attack (which would be illegal even in this test situation), they still succeeded in completely owning (controlling) the voting system within about 36 hours after it was brought up, even though they had only 3 days of notice of when it would start. They happened to use one particular small vulnerability that they identified, but they are quite confident that they could have penetrated in other ways as well. Most likely they were the only team to even attempt to attack the system seriously; yet in a real election with something important at stake multiple teams might attack. The fact that the only team that even tried succeeded so quickly is a demonstration lots of other groups from around the world could also have done it.

3) Attackers may change votes arbitrarily:They not only changed some of the votes, they changed them all, both those cast before they took control of the system and those cast afterward. There is no way that officials can restore the original votes without the attackers' help.

4) Attacks may be undetected:The attack was not detected by the officials for several days, despite the fact that they were looking for such attacks (having invited all comers to try) and despite the fact that the attackers left a "signature" by playing the Michigan Fight song after every vote was cast!

This successful demonstration of the danger of Internet voting is the real deal. It doesn't get any better than this, people.

Alex Halderman, his graduate students Eric Wustrow and Scott Wolchok, and their colleague Dawn Isabel, all deserve enormous credit, congratulations, and thanks.