
Voting Machines - Absolutely everything is a tradeoff decision

Written by Reflare Research Team | Nov 8, 2019 6:10:00 PM

There is no such thing as pure security. You can only make tradeoff decisions, and in the case of voting machines, those decisions are made very, very publicly. The entire world can watch you make your tradeoffs, and they can ask you to defend those decisions later.


Are we ready to vote with our phones?


Recent media reports coupled with the upcoming 2020 US election cycle have brought the security of voting machines back into public focus. Since the actual security (or lack thereof) of voting machines is well covered, we will take this briefing to illustrate a slightly different point: That everything is a tradeoff decision.

Paper records

The oversimplified take on the security of voting machines is this:

Voting machines can be hacked so there should be a paper trail. With that trail, voting results can be audited so voting machines without a paper trail are bad.

Fair enough. The point is well made and appears to be reasonable on the surface. But there are a ton of issues that go unaddressed.

Who creates the paper trail?

The first and foremost question is how the paper trail is created.

The most common option is for the voting machine to provide a paper printout to the voter. While this seems reasonable, it is also completely useless. There is absolutely nothing stopping someone with control over the machine from counting one way and printing another. Also, gathering receipts from millions of voters is all but impossible. If the receipts are stored in the machine, no security is gained.

The second option is to have voters fill in their choice on paper and then have machines read the results. This creates a real paper trail (after accounting for issues such as smudging and bad penmanship) but also creates a huge issue: OCR technology (the technology that scans images for text and markings) is notoriously flaky. Even for a task as simple as checking your preferred candidate, there will be errors. Some people fill in circles, some do so weakly, some make crosses, some squiggle across lines, and so on. At what point is the margin of error introduced by OCR a bigger problem than the risk of an undetected hack?

This is not a rhetorical question. There is likely a sweet spot where risk can be minimized, but at this point in time we haven’t found it and, since no one is talking about the issue, we are unlikely to do so.

The audit problem

But let’s assume that OCR is a perfect technology or can be made into one. This seems like the ideal solution. Paper is created by voters and processed by machines, giving us a solid paper trail and fast processing. Problem solved.

Well, not so fast. In information security, the ability to detect a breach and actually detecting that breach are two very different things. If an attacker were to change 100% of the votes to one candidate, the breach would almost definitely be detected and confirmed even with a very small sample size audit. But if the attacker only changed a single vote, the breach is unlikely to even register. And if manual re-counting of a sample of the paper ballots were to even include that particular ballot, the change would most likely be attributed to human error.

Of course, these are extreme examples. The real threshold where a breach has a 10% chance of being detected exists somewhere. But again, no one is asking what exactly it is. If it’s 0.1%, we’re probably fine. If it is 5%, we are most definitely not fine. Elections are won and lost on much slimmer margins.

So the real question is: How confident are we that a 5% change of votes would trigger a manual audit of the paper trail?
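The detection threshold the briefing asks about can actually be computed for the simplest audit design. The following is an added example, not code from Reflare or from any election authority. It assumes a uniform random sample of paper ballots drawn without replacement and compared against the machine record, and it counts the audit as a detection only when at least `min_discrepancies` mismatches turn up (set to 2 to model the case where a single mismatch is written off as human error). Both function names and the sample election sizes are constructed for illustration; the model is the standard hypergeometric one, computed with exact rationals so the small probabilities are not lost to rounding.

```python
from fractions import Fraction
from math import comb


def detection_probability(total, changed, sample, min_discrepancies=1):
    """Probability that a uniform random audit of `sample` paper ballots
    (drawn without replacement from `total`) finds at least
    `min_discrepancies` ballots whose paper record disagrees with the
    machine tally, given that `changed` ballots were manipulated.

    Hypergeometric model, evaluated exactly with integer binomials.
    """
    if not (0 <= changed <= total and 0 <= sample <= total):
        raise ValueError("need 0 <= changed <= total and 0 <= sample <= total")
    if min_discrepancies < 1:
        raise ValueError("min_discrepancies must be >= 1")
    clean = total - changed
    # P(fewer than t discrepancies in the sample)
    #   = sum_{j<t} C(changed, j) * C(clean, sample - j) / C(total, sample)
    # math.comb returns 0 when the second argument exceeds the first, which
    # handles samples larger than the clean or changed population for free.
    miss = sum(
        comb(changed, j) * comb(clean, sample - j)
        for j in range(min_discrepancies)
        if sample - j >= 0
    )
    return float(1 - Fraction(miss, comb(total, sample)))


def minimum_sample_size(total, changed, target, min_discrepancies=1):
    """Smallest audit sample whose detection probability reaches `target`.

    Returns None when even a full hand count cannot reach it (fewer
    manipulated ballots than the discrepancy threshold). Detection
    probability is monotone in the sample size, so a binary search works.
    """
    if detection_probability(total, changed, total, min_discrepancies) < target:
        return None
    lo, hi = 0, total
    while lo < hi:
        mid = (lo + hi) // 2
        if detection_probability(total, changed, mid, min_discrepancies) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    # Constructed scenario: a one-million-ballot election, audited by
    # random sample. Rows are the fraction of ballots an attacker altered,
    # columns are audit sample sizes.
    total = 1_000_000
    samples = (100, 1_000, 10_000)
    print("changed   " + "".join(f"n={n:<9}" for n in samples))
    for fraction in (0.0001, 0.001, 0.01, 0.05):
        changed = int(total * fraction)
        row = "".join(
            f"{detection_probability(total, changed, n):<11.4f}" for n in samples
        )
        print(f"{fraction:<9.2%} {row}")

    # How large must the sample be to catch a 5% manipulation with 95%
    # confidence, first when one mismatch suffices, then when a single
    # mismatch would be dismissed as human error and two are required?
    for t in (1, 2):
        n = minimum_sample_size(total, total // 20, 0.95, min_discrepancies=t)
        print(f"5% changed, >= {t} mismatch(es) required: sample of {n} ballots")
```

Two things the table makes visible that the prose only gestures at: a single altered vote in a million-ballot election is found by a 1,000-ballot audit with probability 0.001, whatever the skill of the auditors, whereas a 5% manipulation is caught with near certainty by a sample of a few hundred. The point at which the audit stops being a credible deterrent therefore sits between those extremes, and it is a number that can be stated in advance rather than argued about afterwards.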

The lost opportunity problem

The next problem is that of lost opportunity. Vote manipulation is an issue that needs to be addressed, but so are low voter turnout, informed voting, vote accessibility, social pressure, intimidation at polling stations and much, much more.

Completely paperless voting can potentially solve a lot of the aforementioned issues. Assuming that the technology could be made secure: if low-level communal votes could be held once every 2 weeks and take each voter 30 seconds on their smartphone, how would society change? If the change were to be beneficial, where would the tradeoff be between election security and the benefits of easier voting?

The central security problem

The last problem to keep in mind is that decentralized hardware adds risk to infrastructure. If there are 50,000 voting machines all running their own hardware and software stack that all need to be individually maintained, stored, transported and updated, attacking one of them becomes quite easy. Somewhere, someone is bound to make a mistake like leaving the machine in an insecure location overnight or neglecting to apply updates. At the same time, each individual voting machine is a relatively low-value target.

On the other hand, a central all-digital voting system offers a huge high-value target but can also be secured by the full focus of the best available security team. Which is better? We won’t know until the questions actually get asked and debated.

Summary

Like all security decisions, those relating to voting machines are tradeoffs. Tradeoff decisions need to be discussed so that reasonable solutions can be found. Unfortunately, such discussions are not currently taking place due to oversimplified narratives being accepted by both politicians in charge and the general public.

Complex cybersecurity issues such as voting machine security are unlikely to be efficiently resolved until IT literacy improves over the coming years and decades.