In Nevada County, California, my wife and I are glad to have the option of receiving our ballot by mail, having about a month to study it and fill it out, then hand-delivering it ourselves directly to Clerk-Recorder Greg Diaz’s office at the Rood Center in Nevada City.
We delivered ours about a week ago.
We’ve had the impression that this is the most secure method of voting in this county.
But according to the information I found this morning on the Verified Voter website, our votes are still vulnerable in several serious ways, mostly related to the technology in use at the polling places and at the clerk-recorder’s office itself.
The technologies in use in California vary from county to county, with about a dozen counties using paper-only ballots, as the following map illustrates:
According to the California Secretary of State’s webpage, the technology in use in Nevada County is called the Hart Intercivic, and it is used statewide in only three other counties (Humboldt, San Mateo and Yolo). The Intercivic belongs to the class of voting technologies called “DREs” (Direct-Recording Electronic).
The Secretary of State’s webpage explains DREs this way:
All direct recording electronic (DRE) voting machines used after January 1, 2006, must have an accessible voter-verified paper audit trail, pursuant to California Elections Code Section 19250. All voters voting on an electronic voting machine should review and verify their ballot choices on this printed paper record, prior to finalizing and casting their ballot. Once the ballot is cast, this paper record of the ballot is retained inside the voting machine as part of the election audit trail to verify the accuracy of the votes recorded. In accordance with California law, voters do not get a printed paper record of their vote choices.
So, what’s the problem?
Here’s what Verified Voter has to say about the Hart Intercivic eScan in use in Nevada County:
Unsecured network interfaces: Network interfaces in the Hart system are not secured against direct attack. Poll workers can connect to JBCs or eScans over the management interfaces and perform back-office functions such as modifying the device software. The impact of this is that a malicious voter could potentially take over one or more units in a precinct and a malicious poll worker could potentially take over all the devices in a precinct. The subverted machines could then be used to produce any results of the attacker’s choice, regardless of voter input. We emphasize that these are not bugs in the Hart software, but rather features intentionally designed into the system which can be used in a fashion for which they were never intended.
Vulnerability to malicious inputs: Because networked devices may be connected to other, potentially malicious devices, they must be prepared to accept robustly any input provided by such devices. The Hart software routinely fails to check the correctness of inputs from other components, and then proceeds to use those inputs in unsafe ways. The most damaging example of this is that SERVO, which is used to back up and verify the correctness of polling place devices, can itself be compromised from those same devices. This implies that an attacker could subvert a single polling place device, through it subvert SERVO, and then use SERVO to reprogram every polling place device in the county. Although we have tested some individual components of this attack, we did not have time to confirm it in an end-to-end test.
No or insecure use of cryptography: The standard method for securing network communication of the type in use in the Hart system is to use a cryptographic security protocol. However, we found a notable lack of such techniques in Hart’s system. Instead, communications between devices generally happen in the clear, making attack far easier. Cryptography is used for MBBs, but the key management involves a single county-wide symmetric key that, if revealed, would allow an attacker to forge ballot information and election results. This key is stored insecurely in vulnerable polling-place devices, with the result that compromise of a single polling place device enables an attacker to forge election MBBs carrying election results for any device in the county.
Failure to protect ballot secrecy: Hart’s system fails to adequately protect ballot secrecy. A poll worker or election official with access to the raw ballot records can reconstruct the order in which those votes were cast. Combined with information about the order in which voters cast their votes, this can be used to reconstruct how each voter voted.
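The key-management finding quoted above comes down to key scope, and the following added example (not code from the report, Hart, or this post) compares how far the key stored on one device reaches under a shared county-wide key versus per-device keys derived from a master key kept at the central office. The record layout, device names and function names are assumptions made for illustration; the real MBB format is not modeled.

```python
import hashlib
import hmac
import os

def mac_record(key: bytes, device_id: str, payload: bytes) -> bytes:
    """HMAC-SHA256 over a length-prefixed device ID plus the results payload."""
    ident = device_id.encode()
    msg = len(ident).to_bytes(2, "big") + ident + payload
    return hmac.new(key, msg, hashlib.sha256).digest()

def derive_device_key(master_key: bytes, device_id: str) -> bytes:
    """Per-device key; the master key never leaves the central office."""
    label = b"device-key:" + device_id.encode()
    return hmac.new(master_key, label, hashlib.sha256).digest()

def verify_shared(county_key: bytes, device_id: str, payload: bytes, tag: bytes) -> bool:
    """Weak design: every device and the verifier hold the same key."""
    return hmac.compare_digest(mac_record(county_key, device_id, payload), tag)

def verify_per_device(master_key: bytes, device_id: str, payload: bytes, tag: bytes) -> bool:
    """Hardened design: the verifier re-derives the claimed device's own key."""
    key = derive_device_key(master_key, device_id)
    return hmac.compare_digest(mac_record(key, device_id, payload), tag)

def key_exposure_scope() -> dict:
    """For each design, which records does the key stored on device A authenticate?"""
    master = os.urandom(32)
    payload = b"constructed sample results record"  # constructed, not a real MBB
    shared_on_a = master  # shared design: device A stores the county key itself
    derived_on_a = derive_device_key(master, "device-A")  # hardened: only its own key
    return {
        "shared": {
            "own": verify_shared(master, "device-A", payload,
                                 mac_record(shared_on_a, "device-A", payload)),
            "other": verify_shared(master, "device-B", payload,
                                   mac_record(shared_on_a, "device-B", payload)),
        },
        "per_device": {
            "own": verify_per_device(master, "device-A", payload,
                                     mac_record(derived_on_a, "device-A", payload)),
            "other": verify_per_device(master, "device-B", payload,
                                       mac_record(derived_on_a, "device-B", payload)),
        },
    }

if __name__ == "__main__":
    print(key_exposure_scope())
```

Per-device keys limit exposure to the one device, but the central verifier still holds a secret; per-device asymmetric signing keys would remove that as well.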
All electronic voting technologies statewide and nationwide share one pernicious feature: they are all proprietary.
How has it come to pass that our vote — what Thom Hartmann calls “the beating heart of democracy” — has been privatized?
A national DRE standard should be implemented and include the requirement that all electronic voting machines will be open-source (the internal hardware design and software program should be freely available for public inspection and review).
In truth, voting technology nationwide should be part of the publicly-owned and regulated commons.
- “How I Hacked an Electronic Voting Machine”
- “Argonne National Lab Vulnerability Assessment Team”
- How Hart Intercivic is Connected to Bain Capital: