
An Interview With David Wagner

09/12/2007 07:42 am ET | Updated May 25, 2011

The following piece was produced through OffTheBus, a citizen journalism project hosted at the Huffington Post and launched in partnership with NewAssignment.Net. For more information, read Arianna Huffington's project introduction. If you'd like to join our blogging team, sign up here. If you're interested in other opportunities, you can see the list here.

Kirsten Anderson conducted the following interview as part of her piece Every Vote Counts (Hopefully)

David Wagner is an associate professor of computer science at the University of California, Berkeley. An expert on computer security and security issues pertaining to electronic voting, Wagner is a member of the ACCURATE Center, a project devoted to research on improving voting technology. He is on the Election Assistance Commission's Technology Guidelines Development Committee.

KA: When could an attack on a voting system take place?

DW: It could happen at any time. I have heard concerns about all of these: the potential for an insider or rogue software developer at a voting manufacturer to insert malicious logic into the code of the machine; the potential for the legitimate software to be replaced by malicious software when it is distributed; the potential for an insider at a county to introduce malicious software onto the PCs at the county central location; the potential for an outsider to subvert the security of voting machines and introduce malicious software while the machines are stored at polling places before or after the election.

Have you read the reports from the [California top-to-bottom review](http://www.sos.ca.gov/elections/elections_vsr.htm)? It's worth taking a look--at least at the executive summaries of the reports from the red teams and the source code teams.

We found that the three systems we examined had serious security problems that could expose the systems to attack. One of the most severe is the potential for a single individual, with no special access, to introduce malicious code--a computer virus--onto a single voting machine while it was stored overnight at a polling place. That malicious software could then spread virally throughout the county, infecting all of the voting machines in the county. The computer virus might mis-record or mis-count votes, or might just render the machines unusable for voting so that voters were unable to vote on election day. The red teams found that, for some of the systems, it would be possible for a voter to introduce malicious code onto a DRE machine while the voter was in the process of voting on that machine, and it might even be possible for a voter to do that without being noticed or getting caught. These are by no means the only risks, but they are serious.

KA: Just to clarify: Are the security issues of DREs due mostly to the fact that they are portable and work off memory cards? As opposed, for example, to ATMs, which are built into the wall of a building and don't have start-up cards each time they're used.

DW: Well, I think it's more than that. There are several reasons. One reason is that the DREs have to be used throughout the county and it is difficult to ensure their physical security, e.g., when they are stored overnight (polling places are places like schools, gyms, people's garages--not high-security locations). Another reason is that software is invisible: there is no good way to know what software may be installed on a DRE or what it may be doing. Another issue in the systems we saw is that the DRE machines are new, more complex, try to do more, whereas the optical scan systems are older, simpler, more mature, and seem to have fewer problems. Another big contributing factor is that the DRE systems we examined did not seem to be designed to be secure. They didn't use sound engineering practices. They didn't follow accepted design principles. In many cases it looked like security was an afterthought, at best.

But perhaps the biggest issue has to do with auditing. I think there needs to be some way to verify that the computer recorded and counted the votes correctly. With optically scanned paper ballots (where the voter fills in the bubble on a paper ballot), we have a good way to do those kinds of audits: election officials keep the paper ballots, and we can always choose a sample of those paper ballots, manually count them, and cross-check the manual counts against the computer's counts. With paperless DRE systems, there is no way to do that, so there is no way to verify the accuracy of the vote totals: you just have to take it on faith (you have to take the computer's word for it, and you have no way to detect error or fraud in the computer's count). DRE systems that produce a voter-verified paper audit trail (VVPAT) are better, because if voters check the VVPAT records carefully enough, it is possible to cross-check the paper trail against the electronic counts. However, one possible disadvantage of DRE systems with VVPAT is that no one knows how carefully voters will verify the paper trail in practice, and so this introduces some uncertainty about how effective audits will be. But at the end of the day the ability to audit these systems is critical.

KA: Speaking of ATMs: It seems like they're the favorite comparison whenever people talk about DREs and how well they should work, as in "I use my ATM all the time and that works--why shouldn't I trust voting via DRE?" Is, perhaps, part of the problem with DRE voting machines the idea that everyone is trying to graft them onto ATM-like architecture? Should someone trying to create the ideal DRE be looking at a completely new model?

DW: ATMs look superficially similar, because the user interface looks similar to a voting machine. However, voting turns out to be much more challenging than building a secure ATM. That's because of the secret ballot. With an ATM, there is no requirement to keep your identity secret. The ATM can (and does) keep all sorts of logs about your name and account number and the transaction, and can provide you with a receipt to take home showing you what transactions you made, and so on. In the case of any dispute, the bank can go back to all of those log entries and it is usually possible to figure out what went wrong. In contrast, voting is secret, so voting machines absolutely must not record any information about the identity of the voter who cast each ballot. If there is any dispute about whether the voting machine recorded your ballot correctly on its internal electronic memory, there may be no way to go back and resolve that dispute.

I don't think voting system manufacturers made the mistake of trying to graft voting onto an ATM-like architecture. That's not the problem. The problem is that building a trustworthy, paperless DRE machine is an incredibly hard problem--it's beyond the current state of the art in computing, and may remain so for the foreseeable future. Even if you bolt on a paper trail, building a secure DRE is still a challenging task.

KA: Is it unrealistic to even think there's an absolutely secure system out there? Everyone right now seems to think that optical scanners are the answer, but they have security issues, too. Instead, should we be working towards laws that institute safe checks such as mandatory random audits or something like that?

DW: I think most security experts believe that the best system that's out there right now is optically scanned paper ballots with routine manual audits. That system isn't perfect--as we know all too well, any time you have paper, that itself introduces an opportunity for fraud in the handling and counting of the paper ballots--but many of those issues can be mitigated through appropriate procedures. If used appropriately, paper ballots can provide very good security. One reason is that these optically scanned paper ballot systems generate two records: an electronic record of the ballot at the time it was scanned, and the paper record of the voter's intent. This allows you to cross-check those records and build a combined system that is more secure than either alone would be.

That kind of system is by no means optimal, but I think it's probably as good as you can do with what's currently out there. Also it needs to be supplemented for accessibility. There are several approaches to accessibility out there but none of them are ideal and accessibility is very important.

Audits are essential. Unfortunately only about 13 states in the nation both have a paper trail and perform routine, mandatory audits. The Brennan Center recently put out an excellent report on the subject of audits. I personally believe that audits are critical. California performs mandatory manual audits after every election and I think everyone else should be doing that too.

KA: Most people seem to just dismiss the idea of online voting as completely unworkable, with too many security issues to even contemplate it. Considering all the problems with other forms of voting, though, is it really that much worse?

DW: I was one of a group of computer scientists who wrote [a report on an Internet voting system](http://www.servesecurityreport.org) that was developed here in the US, and I think our report still stands as a definitive report on the problems facing Internet voting. I have not yet seen anyone come up with any way to address the security problems we identified with Internet voting, and I believe it would require either some new breakthrough or a wholesale change to our computing infrastructure.

One of the problems with Internet voting is that it exposes the potential for a single individual anywhere in the world, perhaps not even on US soil and not subject to US law, to attack elections and change votes en masse. Internet voting systems also tend to be subject to worms, viruses, and phishing attacks.

There have been several pilot studies and trials of Internet voting but pilot studies are not a good way to evaluate the security of a new system. If the election is not hacked during a pilot study, what can you conclude? Either that the attackers couldn't hack the election, or (more likely) that they couldn't be bothered or didn't have enough incentive to. If I was a bad guy who knew a way to hack the election, I wouldn't attack a small-scale pilot and tip my hand; I'd wait for the voting system to be used on a large scale in an important election and then attack.
