It's been a while
since I wrote anything substantial. This is due mostly to
extraordinarily poor time management on my part, combined with an
unhealthy fixation on social media *cough*Twitter*cough*which seems
designed to inhibit both the writing and reading of anything longer than
a double-spaced, narrow-margined college term paper paragraph. However,
anyone who knows me will have heard me talk (scream is a more accurate
description, probably) about the desperate need to open source the
voting machines, and that is a topic which simply cannot be expressed
adequately in a series of profanity-ridden tweets, no matter how
cleverly constructed. And so, here I am.
To understand what's at stake, I'm afraid I must subject you to a tiny bit of math first:
In the 2000 Presidential election, George W. Bush beat Al Gore by 537 votes (2,912,790 to 2,912,253) out of a total of 5,963,110 cast in the state of Florida. That's an ALMOST 0.01%, or one hundredth of one percent margin. Florida is a winner-take-all state in the electoral college, and so all of that state's 25 electoral votes went to Bush, which pushed him to 271 votes, and the presidency. If we flip the full .01% of the votes in that election from Bush to Gore, Al Gore would have won. Regardless of your satisfaction with the outcome of that election, it should be manifestly clear that the paramount consideration in any election should be the accurate counting of every vote.
Enter the voting machine.
Theoretically, the voting machine is able to solve just this problem. It's a computer, right? It counts perfectly every time! You push the button and beep-boop it rings you up and off you go, confident that your representation in the republic is secured. Only it isn't. Why?
To answer this question I want to take you back in time even further now. That time is World War II, and the object of our attention is the Enigma Machine.
The Enigma Machine was Germany's ultimate cryptography tool. Cryptography, loosely defined, is the study and practice of securing your communications so that nobody but you and people whom you trust can read them. There are many ways of achieving this goal, some more effective than others. For example, take the galactically famous "secret decoder ring" found in cereal boxes for almost as long as you could find actual cereal in boxes. It's a ring with two different listings of every character in the alphabet, one in the normal order, and one in a scrambled order, so that each letter appears only once on each list, and each letter appears next to a DIFFERENT letter in the alphabet, so that, for example, A maps to H, B maps to Q, and so on. In order to use the ring, you compose the message you want to send, and then translate each letter in the message using the ring, replacing the normal-ordered letter on the list with the out-of-order letter. The end result of this task is a garbled message which is opaque to anyone without the ring. To decode the message, you reverse the translation, going from the garbled list to the normal list. When you're done, voila, there is the original message.
There are, of course, many problems with this approach.
Firstly, our decoder ring was available in just about every goddamn box of cracker jacks in the world for a while, so if little Johnny had the cash for one, your messages were only as secure as your method of transmission of the message. Once Johnny got his hands on it, (say, by beating up poor little Timmy Twaddlehammer, whom you had entrusted with the message because you knew full well his alcoholic mother didn't EVER buy him cracker jacks), the jig was up, and he'd tell EVERYONE about your crush on Susie Salamanderfeldt.
Secondly, and only slightly more difficultly, even without access to a decoder ring an examination of an intercepted message would result in noticing patterns of letters, and if you applied a bit of time and elbow grease it wouldn't take you long to figure out which letters were supposed to go where. There are many other problems, but it should suffice to say now that a simple substitution cypher isn't very interesting, or very secure.
But Enigma - oh, Enigma was VERY interesting, and much more difficult to break than a decoder ring. The Enigma machine was, at the time, the ultimate decoder ring. I won't go into the mechanics of Enigma or the effort that it took to break it - if you're truly interested, start at the Wikipedia entry and then start following the citations. It's a fascinating story. The part of the story that's pertinent is not that Enigma was unbreakable, however - it's that the Germans BELIEVED Enigma to be unbreakable. Their intelligence and security was a closed information system, a feedback loop which depended on and reinforced the idea that Enigma was perfectly secure. It wasn't. And because it wasn't, many people, including President Eisenhower, credited the breaking of Enigma with shortening WWII by as many as 2 years.
What in the hell does this have to do with voting machines? I'm glad you asked.
The voting machines are nothing more than computers. They display a screen full of information with a way for you to interact with that information in the form of checking boxes. If that sounds a little like a web site to you, it's not a coincidence. Nearly everyone has interacted with the web enough to need no training whatsoever on such an interface, so it represents a perfectly logical choice for a massive deployment of technology which requires quick acceptance into the mainstream. The mechanics of a typical e-voting machine are simple: the voting machine records the individual votes on cards with memory chips on them, and those cards are collected and then inserted into another machine, which counts the votes (in some cases, the machines themselves have modems on them which can transmit the vote tallies to a central authority, and the cards used by individual voters theoretically can be used for verification).
However, the software running on these voting machines is written by humans, and is therefore not guaranteed to be perfect. In fact it is guaranteed to NOT be perfect, and so these machines are designed with a way to install updates on them, in order to correct the imperfections along the way. It's a common feature of hardware systems - hell, even your TV probably does it by now (if you've ever seen a "firmware update", this is exactly what's going on), and it's made easier if your device connects to the internet, as the updates can be downloaded and applied at any time. This is enormously convenient and a powerful way to keep improving devices once they get out into the wild - but it also represents a massive security problem.
Why? Because it means that the software running on such devices can be altered at any time, by anyone with the knowledge to do it. If you have the know-how it's possible for you to apply a firmware update to a TV which will cause it to be unable to tune to any channel except QVC. Or perhaps it will randomly change channels on you; you want to watch tennis, but the TV wants you to watch Oprah. This is clearly a bad situation, one we want to avoid at all costs, right? So, how do we avoid it? How do we know that the software running on the TV works, and that the update won't make things worse when it's supposed to make things better?
Here's where we go back to cryptography for just a moment longer, to talk about digital signatures. A digital signature functions for computers similarly to the way that your signature functions for you - it's a verification that the thing which has been signed, like a contract, was looked at and approved by you. Anyone seeing that contract will see your signature and know you approved it. How do you know the contract wasn't altered after you signed it? This is why you sign everything in triplicate. It's not just because lawyers like watching us sign shit, it's to protect you from dishonest people who would alter your contract with the painter to say that you agreed to pay them $10,000 to paint the house instead of just $1,000. Multiple copies of the contract guarantee that any changes can be challenged in court.
For computers a digital signature is similar. A digital signature is a way of approving of the contents of a file on a computer, but it's also a way to GUARANTEE that the contents of the file were not altered, in the same way that signing a thousand copies of your contract with the painter does. When you apply a digital signature to a file, what happens is that the entire contents of the file are scanned, and an algorithm is applied which generates a token that UNIQUELY identifies the contents of that file. Any time the signature algorithm is applied to the same file, it generates EXACTLY the same signature. Any time the signature is applied to some OTHER file a DIFFERENT signature is GUARANTEED to be generated. In this way it is possible for a file to be electronically transferred as many times as possible, and so long as the signature continues to match, you are guaranteed that the contents have not been altered. This solves our TV problem nicely. When firmware updates are applied to television sets, they contain digital signatures which verify that the software which was generated by the manufacturer is the same software that is being applied to the TV.
And since voting machines are so much more important than TVs, you'd think that the same care is taken with the software which is installed on them, right?
Yeah, no - there's no verification of the software that's on the voting machines - it's not signed, it's not monitored in any way except by the companies which produce the machines. What's worse, is that NOBODY outside of those companies EVER gets to see the code which is running on the machines. The companies have, in fact, fought tooth and nail against anyone ever seeing that code, arguing that if anyone knows the code, then it will be rendered that much easier to hack. This type of thinking is known as "Security Through Obscurity" - if nobody knows how it works, nobody can break it. However, a famous computer security aphorism states "Security through obscurity is no security at all."
And now we reel Enigma back into the conversation - Enigma was broken, despite the lengths to which the Nazis went to keep it secret. It relied on nobody being able to figure out the methodology by which the encryption was achieved; Security Through Obscurity writ large. Similarly, the companies responsible for arguably the most important software in the world are using the worst possible methodologies to protect that software. Even worse, that software has never been independently verified to do exactly what it is that's required in the first place. There are standards, but they are terribly lax with regard to security, and obviously written by people with no clear understanding of the issues. So, we have software running on voting machines which has never been audited, and can be changed at any time at the whim of the companies which produce them.
What could possibly go wrong?
Let's just say, for example, that you wanted to rig an election. And let's also say that you knew the vote was going to be very close in an important state. And all you needed to do was to switch a few votes - a theoretically statistically insignificant .01% of the vote. With the current system in place, it is not only possible that this has already happened, it's LIKELY. After all, what are the possible negative repercussions? Nothing whatsoever. Nothing is verified, and it is impossible to prove that anything went wrong, or that anything was changed, since there is NO paper trail to go along with the electronic tally in the case of a recount. Not one vote on any of the memory cards can be mapped back to a single voter. Not one vote on any of those cards can be guaranteed to be the same vote that was cast by the person who used that card. Sound crazy? It is - but this is the exact current state of American voting "technology".
You see the problem.
The solution to this is a software paradigm known as "Open Source". Open Source is exactly what it says it is - you release the software source code, the code responsible for driving the voting machines, to the entire world, making it open to everyone who wants see exactly what the voting machines are doing. In this way, it would be impossible for the companies writing the software to sneak in any "vote changing" code. Similarly, it would lay bare any security flaws. Why is this good, you might wonder? Because vulnerabilities caught are vulnerabilities FIXED. When the entire world is looking at your software, then there won't be a single security problem which is hidden away. Flaws will be found and addressed before the software ever has a chance to get into production. The most secure encryption software in the world is OpenSSL, which is the encryption software that runs on every browser in western civilization. It's an open source project - you can download the source code and see exactly how it is that the thing is encrypting your credit card number when you send it to QVC.com to buy that set of porcelain corgis. But knowing how it's done in no way means you can crack it. Encryption algorithms have gotten so sophisticated that cracking the encryption would take many computers many years to break even one OpenSSL-encrypted transaction. When security flaws are found with OpenSSL, they are published and addressed immediately. OpenSSL has been cracked a few times, but every time this happens it is patched within a small number of days to fix it. In this way it stays ahead of the hacker population in as much as it is possible to do this.
We must implement this paradigm with the voting machine software IMMEDIATELY. It is utterly unconscionable that the software which runs the most important elections in the world isn't rigorously tested and shown to be fault-free before it is put into production. Furthermore, when the software is installed on the machines, it MUST be digitally signed, and every vote which it generates must also be digitally signed so that it can be guaranteed that :
A) The software running on the voting machines at the time of the election was the same that was verified, certified, signed, and installed for that election, and
B) Every vote cast was generated with that same version of the software, to do away with the chance that a trojan horse was installed on the voting machine at the same time.
In addition, A paper trail or some other sort of hard trail MUST be available and secured in the event that an electrical disturbance takes place which causes the electronic tally to become corrupted or otherwise unavailable. There must ALWAYS be a way to verify the vote count in every election - that there isn't can speak only to incredible laziness or a spectacular mendacity on the part of the voting machine companies. And, by the way, Diebold and Hart Intercivic, both voting machine companies with a significant footprint in this election year, are owned by men who have raised money for GOP candidates. Those machines are currently slated to be used in 13 states, including Ohio, California, and Pennsylvania. Why is nobody screaming about this obvious conflict of interests? This is more important than credit cards, more important than television, more important than EVERYTHING. It's absurd beyond measure that we don't treat it this way.
To understand what's at stake, I'm afraid I must subject you to a tiny bit of math first:
In the 2000 Presidential election, George W. Bush beat Al Gore by 537 votes (2,912,790 to 2,912,253) out of a total of 5,963,110 cast in the state of Florida. That's an ALMOST 0.01%, or one hundredth of one percent margin. Florida is a winner-take-all state in the electoral college, and so all of that state's 25 electoral votes went to Bush, which pushed him to 271 votes, and the presidency. If we flip the full .01% of the votes in that election from Bush to Gore, Al Gore would have won. Regardless of your satisfaction with the outcome of that election, it should be manifestly clear that the paramount consideration in any election should be the accurate counting of every vote.
Enter the voting machine.
Theoretically, the voting machine is able to solve just this problem. It's a computer, right? It counts perfectly every time! You push the button and beep-boop it rings you up and off you go, confident that your representation in the republic is secured. Only it isn't. Why?
To answer this question I want to take you back in time even further now. That time is World War II, and the object of our attention is the Enigma Machine.
The Enigma Machine was Germany's ultimate cryptography tool. Cryptography, loosely defined, is the study and practice of securing your communications so that nobody but you and people whom you trust can read them. There are many ways of achieving this goal, some more effective than others. For example, take the galactically famous "secret decoder ring" found in cereal boxes for almost as long as you could find actual cereal in boxes. It's a ring with two different listings of every character in the alphabet, one in the normal order, and one in a scrambled order, so that each letter appears only once on each list, and each letter appears next to a DIFFERENT letter in the alphabet, so that, for example, A maps to H, B maps to Q, and so on. In order to use the ring, you compose the message you want to send, and then translate each letter in the message using the ring, replacing the normal-ordered letter on the list with the out-of-order letter. The end result of this task is a garbled message which is opaque to anyone without the ring. To decode the message, you reverse the translation, going from the garbled list to the normal list. When you're done, voila, there is the original message.
There are, of course, many problems with this approach.
Firstly, our decoder ring was available in just about every goddamn box of cracker jacks in the world for a while, so if little Johnny had the cash for one, your messages were only as secure as your method of transmission of the message. Once Johnny got his hands on it, (say, by beating up poor little Timmy Twaddlehammer, whom you had entrusted with the message because you knew full well his alcoholic mother didn't EVER buy him cracker jacks), the jig was up, and he'd tell EVERYONE about your crush on Susie Salamanderfeldt.
Secondly, and only slightly more difficultly, even without access to a decoder ring an examination of an intercepted message would result in noticing patterns of letters, and if you applied a bit of time and elbow grease it wouldn't take you long to figure out which letters were supposed to go where. There are many other problems, but it should suffice to say now that a simple substitution cypher isn't very interesting, or very secure.
But Enigma - oh, Enigma was VERY interesting, and much more difficult to break than a decoder ring. The Enigma machine was, at the time, the ultimate decoder ring. I won't go into the mechanics of Enigma or the effort that it took to break it - if you're truly interested, start at the Wikipedia entry and then start following the citations. It's a fascinating story. The part of the story that's pertinent is not that Enigma was unbreakable, however - it's that the Germans BELIEVED Enigma to be unbreakable. Their intelligence and security was a closed information system, a feedback loop which depended on and reinforced the idea that Enigma was perfectly secure. It wasn't. And because it wasn't, many people, including President Eisenhower, credited the breaking of Enigma with shortening WWII by as many as 2 years.
What in the hell does this have to do with voting machines? I'm glad you asked.
The voting machines are nothing more than computers. They display a screen full of information with a way for you to interact with that information in the form of checking boxes. If that sounds a little like a web site to you, it's not a coincidence. Nearly everyone has interacted with the web enough to need no training whatsoever on such an interface, so it represents a perfectly logical choice for a massive deployment of technology which requires quick acceptance into the mainstream. The mechanics of a typical e-voting machine are simple: the voting machine records the individual votes on cards with memory chips on them, and those cards are collected and then inserted into another machine, which counts the votes (in some cases, the machines themselves have modems on them which can transmit the vote tallies to a central authority, and the cards used by individual voters theoretically can be used for verification).
However, the software running on these voting machines is written by humans, and is therefore not guaranteed to be perfect. In fact it is guaranteed to NOT be perfect, and so these machines are designed with a way to install updates on them, in order to correct the imperfections along the way. It's a common feature of hardware systems - hell, even your TV probably does it by now (if you've ever seen a "firmware update", this is exactly what's going on), and it's made easier if your device connects to the internet, as the updates can be downloaded and applied at any time. This is enormously convenient and a powerful way to keep improving devices once they get out into the wild - but it also represents a massive security problem.
Why? Because it means that the software running on such devices can be altered at any time, by anyone with the knowledge to do it. If you have the know-how it's possible for you to apply a firmware update to a TV which will cause it to be unable to tune to any channel except QVC. Or perhaps it will randomly change channels on you; you want to watch tennis, but the TV wants you to watch Oprah. This is clearly a bad situation, one we want to avoid at all costs, right? So, how do we avoid it? How do we know that the software running on the TV works, and that the update won't make things worse when it's supposed to make things better?
Here's where we go back to cryptography for just a moment longer, to talk about digital signatures. A digital signature functions for computers similarly to the way that your signature functions for you - it's a verification that the thing which has been signed, like a contract, was looked at and approved by you. Anyone seeing that contract will see your signature and know you approved it. How do you know the contract wasn't altered after you signed it? This is why you sign everything in triplicate. It's not just because lawyers like watching us sign shit, it's to protect you from dishonest people who would alter your contract with the painter to say that you agreed to pay them $10,000 to paint the house instead of just $1,000. Multiple copies of the contract guarantee that any changes can be challenged in court.
For computers a digital signature is similar. A digital signature is a way of approving of the contents of a file on a computer, but it's also a way to GUARANTEE that the contents of the file were not altered, in the same way that signing a thousand copies of your contract with the painter does. When you apply a digital signature to a file, what happens is that the entire contents of the file are scanned, and an algorithm is applied which generates a token that UNIQUELY identifies the contents of that file. Any time the signature algorithm is applied to the same file, it generates EXACTLY the same signature. Any time the signature is applied to some OTHER file a DIFFERENT signature is GUARANTEED to be generated. In this way it is possible for a file to be electronically transferred as many times as possible, and so long as the signature continues to match, you are guaranteed that the contents have not been altered. This solves our TV problem nicely. When firmware updates are applied to television sets, they contain digital signatures which verify that the software which was generated by the manufacturer is the same software that is being applied to the TV.
And since voting machines are so much more important than TVs, you'd think that the same care is taken with the software which is installed on them, right?
Yeah, no - there's no verification of the software that's on the voting machines - it's not signed, it's not monitored in any way except by the companies which produce the machines. What's worse, is that NOBODY outside of those companies EVER gets to see the code which is running on the machines. The companies have, in fact, fought tooth and nail against anyone ever seeing that code, arguing that if anyone knows the code, then it will be rendered that much easier to hack. This type of thinking is known as "Security Through Obscurity" - if nobody knows how it works, nobody can break it. However, a famous computer security aphorism states "Security through obscurity is no security at all."
And now we reel Enigma back into the conversation - Enigma was broken, despite the lengths to which the Nazis went to keep it secret. It relied on nobody being able to figure out the methodology by which the encryption was achieved; Security Through Obscurity writ large. Similarly, the companies responsible for arguably the most important software in the world are using the worst possible methodologies to protect that software. Even worse, that software has never been independently verified to do exactly what it is that's required in the first place. There are standards, but they are terribly lax with regard to security, and obviously written by people with no clear understanding of the issues. So, we have software running on voting machines which has never been audited, and can be changed at any time at the whim of the companies which produce them.
What could possibly go wrong?
Let's just say, for example, that you wanted to rig an election. And let's also say that you knew the vote was going to be very close in an important state. And all you needed to do was to switch a few votes - a theoretically statistically insignificant .01% of the vote. With the current system in place, it is not only possible that this has already happened, it's LIKELY. After all, what are the possible negative repercussions? Nothing whatsoever. Nothing is verified, and it is impossible to prove that anything went wrong, or that anything was changed, since there is NO paper trail to go along with the electronic tally in the case of a recount. Not one vote on any of the memory cards can be mapped back to a single voter. Not one vote on any of those cards can be guaranteed to be the same vote that was cast by the person who used that card. Sound crazy? It is - but this is the exact current state of American voting "technology".
You see the problem.
The solution to this is a software paradigm known as "Open Source". Open Source is exactly what it says it is - you release the software source code, the code responsible for driving the voting machines, to the entire world, making it open to everyone who wants see exactly what the voting machines are doing. In this way, it would be impossible for the companies writing the software to sneak in any "vote changing" code. Similarly, it would lay bare any security flaws. Why is this good, you might wonder? Because vulnerabilities caught are vulnerabilities FIXED. When the entire world is looking at your software, then there won't be a single security problem which is hidden away. Flaws will be found and addressed before the software ever has a chance to get into production. The most secure encryption software in the world is OpenSSL, which is the encryption software that runs on every browser in western civilization. It's an open source project - you can download the source code and see exactly how it is that the thing is encrypting your credit card number when you send it to QVC.com to buy that set of porcelain corgis. But knowing how it's done in no way means you can crack it. Encryption algorithms have gotten so sophisticated that cracking the encryption would take many computers many years to break even one OpenSSL-encrypted transaction. When security flaws are found with OpenSSL, they are published and addressed immediately. OpenSSL has been cracked a few times, but every time this happens it is patched within a small number of days to fix it. In this way it stays ahead of the hacker population in as much as it is possible to do this.
We must implement this paradigm with the voting machine software IMMEDIATELY. It is utterly unconscionable that the software which runs the most important elections in the world isn't rigorously tested and shown to be fault-free before it is put into production. Furthermore, when the software is installed on the machines, it MUST be digitally signed, and every vote which it generates must also be digitally signed so that it can be guaranteed that :
A) The software running on the voting machines at the time of the election was the same that was verified, certified, signed, and installed for that election, and
B) Every vote cast was generated with that same version of the software, to do away with the chance that a trojan horse was installed on the voting machine at the same time.
In addition, A paper trail or some other sort of hard trail MUST be available and secured in the event that an electrical disturbance takes place which causes the electronic tally to become corrupted or otherwise unavailable. There must ALWAYS be a way to verify the vote count in every election - that there isn't can speak only to incredible laziness or a spectacular mendacity on the part of the voting machine companies. And, by the way, Diebold and Hart Intercivic, both voting machine companies with a significant footprint in this election year, are owned by men who have raised money for GOP candidates. Those machines are currently slated to be used in 13 states, including Ohio, California, and Pennsylvania. Why is nobody screaming about this obvious conflict of interests? This is more important than credit cards, more important than television, more important than EVERYTHING. It's absurd beyond measure that we don't treat it this way.