friend of israel   dAyVNeT   
Electronic Voting—Wave of the Future or an Unnecessary Technological Advance?

Most people remember that first time walking up to a table with two or three surly, old women, being handed the archaic punch card and proceeding into the voting booth. It is wonderful when we are all able to participate in the democratic process, and choose our governmental officials. This is the main factor that separates America from many other countries, the ability to choose those who are our leaders. The United States was founded on the idea that the public should have the power of self-rule, and so, paper ballots were created. Punch card systems use a card and a small clipboard-sized device for recording votes. Voters punch holes in the cards (with a supplied punch device) opposite their candidate or ballot issue choice. After voting, the voter may place the ballot in a ballot box, or the ballot may be fed into a computer vote-tabulating device at the precinct. With most people’s lives revolving around technology, there is a push for the government to move to a more advanced type of voting technology. Part of this is due to the problems associated with the 2000 presidential election. The legitimacy of the vote was brought into question because several irregularities are thought to have helped George Bush. "These included the notorious Palm Beach butterfly ballot, which produced an unexpectedly large number of votes for third-party candidate Patrick Buchanan, and a purge of some 50,000 alleged felons from the Florida voting rolls that included many voters who were eligible to vote under Florida law." (Wikipedia 1) Many people are still arguing over which candidate actually should have won the election, George Bush or Al Gore. Proponents contend that electronic voting machines will alleviate the problems, while opponents suggest that they will introduce quite a few new problems.

Design flaws contributed a great deal to the 2000 election foul-up. "Not only does it appear that perhaps 4,000 people made the error of punching the second hole on the ballot in the mistaken belief that the second hole represented the second candidate, more than 19,000 people made the error of punching more than one hole, since both were directly alongside their candidate." (Tognazzini 1) The ballots were designed as follows: the punch holes ran vertically down the center and on either side ran the candidates' names. This confused many voters into voting for a different candidate than they wanted. This is a major point of argument for the proponents of an electronic ballot. The voting machine would be infinitely simpler for the user than the simple punch card ballot. All that would be required from the user would be a simple touch on the desired candidate on a computer screen, which lists all possible candidates. Tabulating the votes would be painless as well: all of the remote terminals at the polling places would automatically upload the votes to a central database, and the winner could quickly be declared. Standing at an automatic teller machine to cast presidential ballots may seem like a good idea; however, what seems to be a rather simple operation is, in fact, significantly more complex.

One of the largest problems for proponents of touch screen ballots is the lack of an auditable paper trail. The current implementations of touch screen balloting machines do not produce anything for the voter to check to make sure that his or her vote was cast correctly. Instead, the vote is immediately uploaded to the central server to tabulate results. "…it's not possible to do a true recount with the systems because they produce nothing tangible when a vote is cast; a recount means pressing a button and coming up with the same results. Representative Robert Wexler, a Florida Democrat, has filed a federal lawsuit claiming that the sleek new systems bought by 15 counties--including those of hanging-chad fame like Palm Beach, Broward and Miami-Dade--are unconstitutional because votes can't truly be retallied there, as they can in the rest of the state." (Novak 2) A manual punch card makes it very easy to see who is being voted for by a quick inspection.

We must now consider the integrity of the corporation constructing the voting terminals. The ability to control who is elected president of the United States is an awesome power. As with all other well-informed Americans, employees of the voting machine companies have political interests and support their choice of candidates. "A few voting company employees have been implicated in bribery or kickback schemes involving election officials—Diebold’s chief executive, for example, is a top fund-raiser for President Bush." "Diebold's chairman, Walden O'Dell, set the company up for recrimination when he wrote in a fund-raising letter to Ohio Republicans last year that he was 'committed to helping Ohio deliver its electoral votes to the President next year.' O'Dell, who has raised more than $100,000 for President Bush, said he did not mean that he would use his machines to cheat in the election. But his statement helped fuel mushrooming conspiracy theories that evoting-machine vendors might precook election counts." (Novak 3) How are we, the voting public, supposed to know whether the election machine companies are pushing their own agenda to get their choice of candidates elected? Public dissemination of the source code, the actual programming code used in the systems, could help to alleviate this problem. However, for Diebold, one of the big manufacturers of electronic voting systems, that has turned out to be a nightmare. "In January 2003, voting activist Bev Harris was holed up in the basement of her three-story house in Renton, Washington, searching the Internet for an electronic voting machine manual, when she made a startling discovery. Clicking on a link for a file transfer protocol site belonging to voting machine maker Diebold Election Systems, Harris found about 40,000 unprotected computer files. 
They included source code for Diebold's AccuVote touch-screen voting machine, program files for its Global Election Management System tabulation software, a Texas voter-registration list with voters' names and addresses, and what appeared to be live vote data from 57 precincts in a 2002 California primary election." (Novak 1) After discovering these source code files, Harris further found "that she could enter the vote database using Microsoft Access—a standard program often bundled with Microsoft Office—and change votes without leaving a trace. Diebold hadn’t password protected the file or secured the audit log, so anyone with access to the tabulation program during an election—Diebold employees, election staff or even hackers if the county server were connected to a phone line—could change the votes and alter the log to erase the evidence." (Zetter 1) It is a scary proposition that a "53 year old mother of five" (Zetter 2) who was merely attempting to research an electronic voting manual could decide the election from her home computer.

We must now consider the case of Jeffrey Liss: "Jeffrey Liss had finished making his selections on Maryland's Democratic-primary ballot and strolled out of the polling place at Chevy Chase Elementary School on the morning of March 2, Super Tuesday. On the sidewalk, he spied a campaign poster for Senator Barbara Mikulski, who is running for her fourth term. Funny, he thought, he did not remember voting in the Senate race.

Liss went back inside to talk to an election official. And another, and another. He was told he must have overlooked the Senate race on the electronic touch-screen voting machine. But Liss, a lawyer, finally persuaded a technician to check the apparatus. Sure enough, it wasn't displaying the whole ballot. According to voter complaints collected by Mikulski, who won in the primary, her race didn't appear on ballots in at least three Maryland counties." (Novak 1) In a presidential election, this would not be a problem, right? Surely it would not be possible for a voting machine to just leave out an entire race on the ballot? If at least three entire counties missed a part of the ballot that nobody had enough sense to fix, how much integrity do the voting machine companies have? And how much should we trust that they are not going to rig an election so that their candidate of choice, their puppet, or even their chief executive officer wins the race?

In the forefront of many news sources is the threat posed by hackers and the like. There are always stories circulating about how an internet hacker stole somebody’s credit card numbers or stole their identity, and the other havoc that ensues. We can be sure that if hackers want to steal somebody’s identity, then the next challenge is to choose the president or other governmental leaders. Hackers are, if anything, persistent, so they would take the time necessary to rig an election. One may be wondering how much time it would take to alter the election results. The current standard for the voting terminals relies on 56-bit static key DES (Data Encryption Standard, the standard cipher used by the United States government) (Kohno 15). The relative security of an encryption cipher is based on the key length of the cipher, which determines the total number of possible encryption keys. The more possible keys, the greater the security, because each key must be tried in turn to decrypt the text. 56-bit DES uses 56-bit keys, which means there are 2^56 (72,057,594,037,927,936) possible keys. According to Data Communications, it took just over twenty-two hours to crack some text encrypted using 56-bit DES in 1999. Moreover, only two years previously, it took about 2300 hours. Therefore, in a short two years the time required decreased by over 99%. Considering the rate at which computer speeds have been increasing recently, it is reasonable that a few hackers could easily crack the simple DES cipher used. What makes it worse is that they are using static key DES (Kohno 15), which means that the same key is used on each terminal, so the cipher only needs to be cracked one time, and then the hackers have access to all of the results and could easily change the outcome of the election.

To rectify the insecurity of the cipher, another encryption cipher must be implemented which provides greater security. The National Institute of Standards and Technology (NIST) recently announced that DES would be replaced by the Advanced Encryption Standard (AES), which uses the Rijndael algorithm, a symmetric block cipher that can process data blocks of 128 bits, using cipher keys with lengths of 128, 192, and 256 bits. Rijndael was designed to handle additional block sizes and key lengths; however, they are not adopted in this standard. Rijndael specifies key lengths of 128 bits, with 3.4028 x 10^38 possible keys, 192 bits, with 6.2771 x 10^57 possible keys, and 256 bits, with 1.1579 x 10^77 possible keys. "In the late 1990s, specialized "DES Cracker" machines were built that could recover a DES key after a few hours. In other words, by trying possible key values, the hardware could determine which key was used to encrypt a message. Assuming that one could build a machine that could recover a DES key in a second (i.e., try 2^55 keys per second), then it would take that machine approximately 149 thousand-billion (149 trillion) years to crack a 128-bit AES key. To put that into perspective, the universe is believed to be less than 20 billion years old." (NIST 1) One may wonder whether, instead of changing ciphers, merely the key length could be changed; that is impossible due to inherent limitations of the cipher itself. In order for a cipher to work effectively, it must be able to encrypt the plaintext to some unintelligible cipher text. There must then be some function complementary to the encryption function to return the cipher text to plaintext. Using a key length different from the one called for in the definition of the encryption function allows the user to encrypt the plaintext, but then there is no way to return the cipher text to plaintext.

The final issue we tackle is the use of smartcards in relation to voting machines. A smartcard is a credit-card-sized plastic card with a computer microchip in it. The general concept is that the smart card can contain quite a bit of information and therefore may be used to store all of the votes cast by one person during the election. In order to preserve the anonymity of voters who cast ballots, the identity of the voter is not stored except for those who choose not to vote on any particular issue or race. (Kohno 9) We should look at this question from two perspectives. First, we will assume that the adversary knows the Diebold source code. We believe this is a reasonable assumption since, as recently exhibited, source code cannot always be kept secret. However, we will also examine this for the case where the adversary does not know the Diebold source code. If the adversary knows the Diebold source code, then the adversary will know the protocol between the smartcard and the voting terminal. The adversary's goal in this case is to make his own smartcard that tricks the voting terminal into believing that it is a legitimate smartcard when it is really an "attack smartcard" or "homebrew smartcard." We observe that a computer-savvy adversary with a few hundred dollars could produce his own attack smartcard. The adversary does not have to work for Diebold or their third-party smartcard vendor. How would such an adversary go about producing such an attack smartcard? By purchasing a user-programmable smartcard and a smartcard reader/writer and programming it appropriately. The adversary would know how to program the smartcard since he can deduce the protocol between the smartcard and the terminal from the source code. On the other hand, what if the adversary does not know the Diebold source code? 
By inserting a "wire-tap device" between the voting terminal and the smartcard, an adversary could learn enough about the protocol between the terminal and the smartcard to create his or her own smartcards for use by some conspirator later in the day. Diebold does point out that such an attack might be risky since the adversary might get caught. Of course, all it takes is one malicious poll worker/volunteer to ensure that an adversary is not caught. Subsequently, that adversary could share his knowledge with others, compromising the entire election’s results. The current implementation of the voting machines allows for such an attack because "upon reviewing the Diebold code, we observed that the smartcards do not perform any cryptographic operations." (Kohno 9) In other words, everything that is stored on the smart cards is stored in a human readable format.

How can smart cards be used to invalidate the election results? When a poll worker initially gives a voter a smart card, and he or she inserts it into the voting booth, it is labeled as active. Upon inserting it into the machine, a command is issued to the card to deactivate it. Therefore, an adversary could bring a large number of cards to the polling place which they have "activated" themselves, by figuring out the protocol used by the voting booth. With the stack of smart cards, they would be able to vote as many times as they have cards. Even more simply, they could program a card to ignore completely the deactivation command, in which case, the user could vote an infinite number of times. Not only could they do this at a single polling place, but they could go to multiple places on the same day, voting a great number of times. In Diebold’s implementation, there are two types of smart cards in addition to the regular voter’s card: an administrator’s card and an ender’s card. The administrator card may be used to access many administration functions of the machine. An ender card is used to end an election on a machine. (Kohno 10) All that must be changed on a regular voter card to make it an administrator or ender card is a single variable on it, something very simple for our adversary to accomplish. If he or she were able to change the variable, then with the administrator card, he or she would be able to access all sorts of administrative controls of the voting booth. With the ender card, he or she would be able to end the election on any booth, and be able to shut down an entire polling place, and considering how close the 2000 election ended up, the 2004 election could be seriously affected by a single polling place. The only reasonable conclusion is either to quit using smart cards at all, or to implement high-grade encryption on them.
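The mitigation the paragraph above ends on, sketched as an added example (not code from Diebold or from the Kohno paper): the terminal authenticates each card with an HMAC challenge-response and keeps its own record of used cards instead of trusting the card's fields. The class names, card fields, and key-derivation scheme are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

VOTER, ADMIN, ENDER = "voter", "admin", "ender"   # card types named in the essay

def naive_authorize(card: dict) -> str:
    """Unauthenticated model: the terminal believes the card's own fields."""
    return f"accepted: {card['type']}" if card.get("active") else "rejected: inactive"

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

class Issuer:
    """Election office. Derives a per-card key bound to serial AND card type."""
    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)

    def card_key(self, serial: str, card_type: str) -> bytes:
        return _mac(self._master, f"{serial}|{card_type}".encode())

    def issue(self, serial: str, card_type: str) -> "Card":
        return Card(serial, card_type, self.card_key(serial, card_type))

class Card:
    """Assumption: the key sits in tamper-resistant storage and never leaves the card."""
    def __init__(self, serial: str, card_type: str, key: bytes) -> None:
        self.serial, self.card_type, self._key = serial, card_type, key

    def respond(self, nonce: bytes) -> bytes:
        return _mac(self._key, nonce)

class Terminal:
    """Assumption: the terminal can derive card keys (e.g. via a secure module)."""
    def __init__(self, issuer: Issuer) -> None:
        self._issuer = issuer
        self._used: set[str] = set()   # terminal-side state; a precinct would share this

    def authorize(self, card: Card) -> str:
        nonce = secrets.token_bytes(16)            # fresh challenge defeats replay
        expected = _mac(self._issuer.card_key(card.serial, card.card_type), nonce)
        if not hmac.compare_digest(expected, card.respond(nonce)):
            return "rejected: authentication failed"
        if card.card_type == VOTER:
            # Reuse is caught here whether or not the card obeys a deactivate command.
            if card.serial in self._used:
                return "rejected: card already used"
            self._used.add(card.serial)
        return f"accepted: {card.card_type}"

def demo() -> dict:
    issuer = Issuer()
    terminal = Terminal(issuer)
    genuine = issuer.issue("0001", VOTER)
    relabelled = issuer.issue("0002", VOTER)
    relabelled.card_type = ADMIN                   # constructed: type field edited
    homebrew = Card("9999", VOTER, secrets.token_bytes(32))   # constructed: no issuer key
    return {
        "naive_relabelled": naive_authorize({"type": ADMIN, "active": True}),
        "first_use": terminal.authorize(genuine),
        "second_use": terminal.authorize(genuine),
        "relabelled": terminal.authorize(relabelled),
        "homebrew": terminal.authorize(homebrew),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:17} {result}")
```

Because the card key is derived from both the serial and the card type, editing the type field makes the terminal compute a different expected response, so the relabelled card fails authentication rather than gaining administrator rights.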

We have analyzed the pros and cons of using the touch screen voting terminals. Through this discussion, it has turned out that there are far more problems with the terminals than there are reasons to use them. When the implementation is changed to make a more secure terminal, then we should investigate more to determine whether it is safe enough to be used for the election. We cannot currently endorse their use, though. Unfortunately, many counties have already decided to start purchasing and using them due to the Help America Vote Act, which provided a great deal of money for states to update their equipment used for elections. Many of these counties will be using the insecure terminals for the upcoming election.

Annotated Works Cited

"Fast Cracking." Data Communications. 01 Apr. 1999: 17. EBSCOhost. 24 July 2004.

The article was relevant because it helped to support my case that the encryption used by the terminals is insecure. The source was a little older than I had wanted, but I could not find a more current source to work with. Based on other data in the article, I was able to make conservative assumptions about how the information would be today. The source was reliable because it is from a magazine whose sole purpose is electronic communications.

Kohno, Tadayoshi, et al. Analysis of an Electronic Voting System. 24 July 2004 http://www.avirubin.com/vote.pdf.

The essay was written as a comment on Diebold’s source code from the voting terminals. Computer scientists who came across the source code wrote it. They were biased against Diebold, which helped to prove my point against the terminals. It was published by the IEEE Symposium on Security and Privacy 2004, and by the Johns Hopkins University, both well known, reliable sources.

Novak, Viveca. "The Vexations of Voting Machines." Time. 03 May 2004: 42-45. EBSCOhost. 24 July 2004.

The article speaks directly about my paper, and so is very relevant. It is current in that it is only 2 months old. Time magazine is generally held to be a reliable source.

United States. National Institute of Standards and Technology. Advanced Encryption Standard (AES), Questions and Answers. 28 Jan. 2002. 25 July 2004 http://cscrc.nist.gov/CryptoToolkit/aes/aesfact.html.

The article was published by the National Institute of Standards and Technology, a federal agency whose mission is to develop and promote measurement, standards, and technology to enhance productivity, facilitate trade, and improve the quality of life. This article describes a standard which they defined, so it is reliable. It is a bit of an older source; however, the information is not going to change.

"U.S. Presidential Election, 2000." Wikipedia. 24 July 2004 http://en.wikipedia.org/wiki/U.S._presidential_election,_2000.

This article helped with some background information from the 2000 presidential election. It is possible it is not reliable, as it is editable by anybody with access to a computer; however, it is generally a reliable encyclopedia.

Zetter, Kim. "How E-Voting Threatens Democracy." Wired 29 Mar. 2004. 24 July 2004 http://www.wired.com/news/evote/0,2645,62790,00.html.

Wired, a magazine which covers technological issues, is usually a reliable source. It is rather current; it was published only three months ago. It spoke directly about my topic, and helped to refute arguments for the voting terminals.

Creative Commons License
© 2006 dayv. some rights reserved.