[lit-ideas] Buggy voting machinery

  • From: Teemu Pyyluoma <teme17@xxxxxxxxx>
  • To: lit-ideas@xxxxxxxxxxxxx
  • Date: Tue, 20 Apr 2004 00:18:45 -0700 (PDT)

(Catching up on old mail...)
--- Judith Evans <judyevans@xxxxxxxxxxxxx> wrote:
> {Hey, people: there's a new dodgy election mechanism
> in Florida... .)
> 
As a computer professional, I sometimes wonder why
society trains and employs us if they won't listen
when pretty much every one of us says that a computer
technology, such as fully computerized voting systems,
is a really bad idea. Not only are they chronically
unreliable, it is not simply a matter of ironing out
bugs, they are also expensive and unnecessary.

Nerddom is articulating this in a number of ways, which
all seem to fall on deaf ears. Here is one example that
uses the methodology of assigning a cost to what is
being protected and the benefit to the attacker for
breaching security, to point out the obvious. From
Crypto-Gram
(http://www.schneier.com/crypto-gram-0404.html#4)

Stealing an Election

There are major efforts by computer security
professionals to convince government officials that
paper audit trails are essential in any computerized
voting machine. They have conducted actual examination
of software, engaged in letter writing campaigns,
testified before government bodies, and collectively,
have maintained visibility and public awareness of the
issue.

The track record of the computerized voting machines
used to date has been abysmal; stories of errors are
legion. Here's another way to look at the issue: what
are the economics of trying to steal an election?

Let's look at the 2002 election results for the 435
seats in the House of Representatives. In order to
gain control of the House, the Democrats would have
needed to win 23 more seats. According to actual
voting data (pulled off the ABC News website), the
Democrats could have won these 23 seats by swinging
163,953 votes from Republican to Democrat, out of the
total 65,812,545 cast for both parties. (The total
number of votes cast is actually a bit higher; this
analysis only uses data for the winning and
second-place candidates.)

This means that the Democrats could have gained the
majority in the House by switching less than 1/4 of
one percent of the total votes -- less than one in 250
votes.

Of course, this analysis is done in hindsight. In
practice, more cheating would be required to be
reasonably certain of winning. Even so, the Democrats
could have won the house by shifting well below 0.5%
of the total votes cast across the election.

Let's try another analysis: What is it worth to
compromise a voting machine? In contested House races
in 2002, candidates typically spent $3M to $4M,
although the highest was over $8M. The outcomes of the
20 closest races would have changed by swinging an
average of 2,593 votes each. Assuming (conservatively)
a candidate would pay $1M to switch 5,000 votes, votes
are worth $200 each. The actual value is probably
closer to $500, but I figured conservatively here to
reflect the additional risk of breaking the law.

If a voting machine collects 250 votes (about 125 for
each candidate), rigging the machine to swing all of
its votes would be worth $25,000. That's going to be
detected, so is unlikely to happen. Swinging 10% of
the votes on any given machine would be worth $2500.

This suggests that it is necessary to assume that
attacks against individual voting machines are a
serious risk.

Computerized voting machines have software, which
means we need to figure out what it's worth to
compromise a voting machine software design or code,
and not just individual machines. Any voting machine
type deployed in 25% of precincts would register
enough votes that malicious software could swing the
balance of power without creating terribly obvious
statistical abnormalities.

In 2002, all the Congressional candidates together
raised over $500M. As a result, one can conservatively
conclude that affecting the balance of power in the
House of Representatives is worth at least $100M to
the party who would otherwise be losing. So when
designing the security behind the software, one must
assume an attacker with a $100M budget.

Conclusion: The risks to electronic voting machine
software are even greater than first appears.

This essay was written with Paul Kocher. 

So let's assume (a) a programmer working for a voting
machine manufacturer really hates Bush. And (b) let's
further assume someone offers him a couple million
dollars to make a slight change to the program that
swings the votes in favour of Kerry. And also (c) 
that he is clever enough to rig the software in such a
way that he can say it was just a programming error, a
bug, if caught. 

There are also other fun scenarios. Let's assume only
a, that someone hates Bush and is in a position to
influence the voting machinery, and that Bush wins a
tight election. He then turns into a whistleblower
claiming that his company was paid to rig the vote.
How will he be proven wrong if there is no paper
trail? Or how about an election official knowingly
distributing malfunctioning machinery to certain
districts? And so on.



Cheers,
Teemu
Helsinki, Finland


        
                