back to article You can easily secure America's e-voting systems tomorrow. Use paper – Bruce Schneier

While various high-tech solutions to secure electronic voting systems are being touted this week to election officials across the United States, according to infosec guru Bruce Schneier there is only one tried-and-tested approach that should be considered: pen and paper. It's the only way to be sure hackers and spies haven't …

  1. Mark 85 Silver badge

    Use paper...

    He and others have been saying for as long as there have been voting machines. He and they are right as there's no trail to verify the machines haven't been tampered with via hackers or even local election officials.

    1. GnuTzu Silver badge

      Re: Use paper...

      But, but, but... WiFi enabled IoT that can be accessed and managed with smart phone apps from the Internet are everywhere. Surely, that means it's a good thing, right??? AAAAAARRRRRRRRRGGGGGG!!!!!!!!!!! Seriously, the people who sell the crap, get away with their crap, because they somehow were able to put the crap in a shiny box, and people like shiny boxes--even when their full of crap. And, that means those who buy voting systems are under the same delusion as the entire consumer market that somehow the shiny crap is better than pen and paper. Wake up people!!! (And, don't call me Shirly.)

    2. jgarbo
      Pirate

      Re: Use paper...

      Oh dear. Pen & paper are obvious. But how do we then rig the election in favor of our psychopathic warmongering idiot? Wake up! This is serious, not democratic.

  2. Ptol

    There's a long history of paper based voting systems being hacked too. Slipping in extra ballot boxes prefilled with votes for your prefered candidate is as old as the hills, along with plenty of modern variations.

    1. Allan George Dyer Silver badge

      And there is an equally long history of checks being put in place to deal with those hacks. There are simple procedures for counting and verifying the identity of ballot boxes and checking the number of votes they contain matches the number cast at that polling station, to counter the example you gave. Counts are conducted by public officials, who would be prosecuted and loose their permanent job if caught cheating, and watched by scrutineers: representatives of each candidate. Sometimes, there are international observers doing the same.

      The beauty of the paper-based system is that everything can be verified by the eyeball Mk.I, no need to calculate the cryptographic hash of whatever (anyway, you're trusting a program to do that for you). The voter can look at their own ballot paper before they put it in the box, the counters and scrutineers can look at it during the count, there is no easy way to modify papers en mass and it can all be counted again tomorrow, using different officials, if necessary.

      Hacking a paper ballot can be done, but it takes massive collusion and suppression of the opposition. An electronic election can be stolen by one person with the right keys, from anywhere, untraceably, leaving no evidence that anything happened.

    2. DougS Silver badge

      Sure there are potential exploits against paper

      Auditing techniques can sniff out ballot stuffing attacks, but even if you assume they can't or that the auditers can be corrupted...

      The important thing is that ballot stuffing requires one or more people with physical access to the ballots, in every single precinct where you want to "stuff". You can't hack paper from halfway around the world, or compromise 10,000 precincts at the same time. Ballot stuffing doesn't scale the way hacking does, and you only have to get caught once and have someone spill the beans for the whole scheme to unravel.

      Plus the US has a really great defense against ballot stuffing even if you assume every person in the government of an entire state is corrupt and makes laws against audits - the electoral college. If one party has such control over a state that they could successfully attempt this, that party would win the delegates for that state anyway so there's nothing to be gained at least not on a national level.

      1. Charles 9 Silver badge

        Re: Sure there are potential exploits against paper

        What about at the state level, since it's the state legislatures that draw up the districts that then determine how the Representatives sent to Washington are voted? Remember, the Census is coming up, and after that the states get the results which in turn are used to draw up the maps.

        As for being able to corrupt so many districts at once, you underestimate the sheer size of the two major political parties in the US. Otherwise, a third party with a lot of backing would've wedged its way in by now.

        1. DougS Silver badge

          Re: Sure there are potential exploits against paper

          Well once again if you own state government enough to totally own the voting process, your party has strong enough control that it would win even in a fair election. Just by less.

          1. Charles 9 Silver badge

            Re: Sure there are potential exploits against paper

            Less isn't enough. Most legislatures require an overwhelming majority (say two-thirds) to be able to make any permanent changes to the government (such as amend the Constitutions and other foundational documents). And each state they pwn will make it easier to do the same to the US Congress (which is currently too even to do the same thing).

            1. SotarrTheWizard

              Re: Sure there are potential exploits against paper

              I disagree. An election attack can be made via critical nodes. When elections are run at the county level, you need but to merely control the count in critical counties, and delay final results until all non-crtitical results are in. The Commonwealth of Virginia is the exemplar here, in each of the major statewide elections for over 10 years, the voting districts inside the Beltway and in the Tidewater area, all heavily urbanized and the first areas one would expect to report. . . .never do.

              The Opposition candidate is always 1-2 points ahead. . . . .and then an hour with no changes, and suddenly Arlington and Hampton Roads report, and BOOM! their candidate pulls ahead by about 5% over the greatest possible margin of error. . . .

              It's cynical. but your vote does not count so much as who ***counts*** the votes. . .

              1. Charles 9 Silver badge

                Re: Sure there are potential exploits against paper

                "the voting districts inside the Beltway and in the Tidewater area, all heavily urbanized and the first areas one would expect to report. . . .never do."

                And, therefore, having the most people in them, which in turn means they have the most votes to count as well as the most logistics to negotiate. I know of this firsthand as I happen to BE an urban Virginian.

                You may be interested to know that HR and NorVA don't always see eye to eye, but since NorVA has more people and is right next door to the nation's capital, they tend to have more clout. The only reason HR can maintain some say is because it's a military nexus (they house Naval Station Norfolk, THE biggest military base in the US). Neither can directly influence the capital of Richmond, as it happens to be plumb in between them (two hours northwest of HR, three-plus hours south of NorVA). Also, eastern Virgina tends to have very different views from that of the more-rural western Virginia (especially in such matters as transportation, where the two sides' priorities vastly differ though for logical reasons), so seeing a sudden pullaway when the most populous, most divergent parts of the Commonwealth get counted is expected.

      2. katrinab Silver badge

        Re: Sure there are potential exploits against paper

        If the auditors are appointed by all of the candidates, then, they will be individually biased, but it won’t be possible to corrupt all of them.

        So you would have one democrat, on republican, one libertarian, etc, all attending the sealing of the ballot box, and attending the opening of it and the counting of the votes.

    3. nematoad Silver badge

      Aye, there's an old saying from I think the 19th century.

      "Vote early, vote often."

      Added to which you have personation where someone uses another persons vote and the good old standby ballot box stuffing.

      Plenty of ways to rig an election if you want too. Alternatively you could try electing a head of government using only the votes from a tiny unrepresentative minority.

      Wonder who just did that?

      1. DougS Silver badge

        People voting more than once is even less realistic way to compromise an election. That requires a lot of dedicated people and NO ONE making the conspiracy known. If one of them talks and fingers the person organizing them, its game over.

        If you want to compromise an election in that way you don't do it on election day, you do it via absentee ballots. Far easier since you have plenty of time to do it instead of trying to crowd it all into a single day.

        This is why voter ID as "fraud prevention" is so stupid. There aren't huge numbers of imposters voting on election day, there are cameras in and around most polling places and it would be trivial to be caught even after the fact (i.e. if you voted using someone else's name and then they showed up and were told they were marked in the rolls as having already voted) You'd do it via absentee ballots, like the crooks in North Carolina's 9th district who were caught doing this in the last election (and it sounds like they'd been doing this for other elections in the past too) None of the voter ID plans address absentee voting at all.

  3. Bubba Von Braun

    Paper works. Having been an election official here in AU, I have been part of the process.

    To the point raised slipping in extra ballots wont work. The polling place has say 3000 ballots issued to it. We need to account for them this is done throughout the day. At close of voting the ballot boxes are opened in by voting officials, and counted in-front of scrutineers from the various candidates.

    Once tallied the results are phoned through and all the ballots and materials are packaged and sealed, delivered to the returning office for that district. These ballots are counted again at least twice in the following weeks to verify the counts.

    Its this accounting that picked up 1300 missing senate ballot papers in WA. And to ensure integrity of the vote, a fresh senate election was held for that state.

    The key difference between Australia and the USA, is we have a totally independent organization for managing boundaries, enrollments, the count. So no gerrymandering, its all based on population and voting is mandatory. If an official shows the slights bent/bias they would be removed very quickly.

    All done with pencil and paper

    1. batfink Bronze badge

      Yes the Australian Electoral Commission is a wonderful organisation and should be an example to other countries in how to do it right.

      However I wouldn't agree that it eliminates gerrymandering entirely. It's notable that (particularly at State level) when a new government comes in, they immediately call for "fairer" boundary redistributions, and then ensues a lot of shouting and waving of arms while politicians of various stripes argue with the AEC about where the boundaries should actually go. Yes the electorates are based on numbers of voters (UK please take note), but having *this* suburb in Electorate A instead of neighbouring Electorate B can have an effect on the outcome. However, it's the independent AEC that makes the final decision, and the variations tend to be small. Unlike, say, the US where it seems to be partisan local committees or individuals making that decision - any USAians here to confirm/deny?

      But having said all that, yes the Aussie way of doing it is probably as good as you're going to get.

      1. Robert Halloran

        The US Constitution leaves management of elections to the states; the state legislative houses draw up the district boundaries based on the decennial census, typically to the advantage of the majority party at the time. Some states have been dragged into court for blatant gerrymandering to maximize their party's representation across those districts, with mixed results. In some states, the problems left behind by racial discrimination mean the boundaries must be vetted by the Feds to ensure minorities have a fair shake at the polls.

        1. batfink Bronze badge

          Thanks Robert. Sounds like basically open season to rig the next election the way the incumbents want. Best of luck!

        2. Mike 16 Silver badge

          Some States

          For "majority party", please read "party holding a majority in the legislature, and governors office, no matter what they had to do to arrange that, and regardless of the will of the actual majority of voters".

          California has a fairly rigorous procedure for redistricting to forestall some of the most blatant abuses, but this is not because the legislature, in its benign majesty, set those rules. It is because California also has the referendum, where a sufficiently large number of voters have signed a petition to get a measure on the ballot, and a sufficiently large number of voters have approved it once on the ballot.

          All is not rainbows and unicorns, and some fairly pernicious referenda have passed, and been locked in because they set a larger majority for their repeal than they were approved by in the first place (still a few bugs in the system), but some legit reforms (the purpose for which the referendum was designed) have occurred.

          The major issue in the U.S. is that getting a even a slightly bent state government to allow its voters to limit its power is a non-starter. Even more so with SCOTUS disinclined to interfere with that particular form of States Rights. Don't go looking for a corrupt state to allow its voters the referendum if they don't already have it, and don't be surprised if states that do have it make "modifications" to rules to limit those pesky citizens actually accomplishing much.

          Even with the best of intentions, the party that allows fair elections in its state has unilaterally surrendered some power to its possibly less scrupulous opponents, and between senate rules, electoral college, and a hands-off SCOTUS, this is unlikely to end well.

          1. Carpet Deal 'em Bronze badge

            Re: Some States

            Don't go looking for a corrupt state to allow its voters the referendum if they don't already have it, and don't be surprised if states that do have it make "modifications" to rules to limit those pesky citizens actually accomplishing much.

            Given that the South Dakota legislature sat in emergency session for the sole purpose of repealing the results of one(on corruption, of all things), I'd say we're well past "don't be surprised".

        3. rnturn

          Actually...

          ``In some states, the problems left behind by racial discrimination mean the boundaries must be vetted by the Feds to ensure minorities have a fair shake at the polls.''

          Much, if not all, of the oversight of State election laws by the Feds -- that was part of the Voting Rights Act -- was blown up by the Supreme Court.

  4. Anonymous Coward
    Anonymous Coward

    Encryption

    US: "We need backdoors in everything STAT! It's for law enforcement purposes."

    Russia: "MwaHahahaha *ahem* comrade."

    Plus it's not like other hackers aren't going to take advantage of this too.

    Good job we're not considering allowing it in the UK... wait...

  5. Chris G Silver badge

    Trust

    What makes Bruce think the Aussies and Brits trust their governments more than the US?

    It's more a case of our Governments refusing to listen to any good advice.

    1. Christoph Silver badge

      Re: Trust

      I very definitely trust the current UK government.

      Exactly what I trust them to do is not suitable for posting in a public forum.

      1. A random security guy

        Re: Trust

        Have they done anything in the last 1 year?

        1. Ken Hagan Gold badge

          Re: Trust

          Yes. They have slaved day and night to make sure that nothing is done to stop the handcart continuing its slow but steady progress towards Hell.

    2. batfink Bronze badge

      Re: Trust

      Agreed.

      Sorry Brucie - as someone who has lived (and voted) in both Aus and UK I can attest that people in those countries don't trust the fuckers as far as we can throw them either.

      It just means that the right combination of ignorance, greed, lust for power, and security theatre has got the legislation through Parliament in both countries.

      1. Peter Gray

        Re: Trust

        Yes, Australia and the UK don't trust their politicians, but are many people at the point of buying firearms to protect themselves from them? I realize this is a minority in the US, but the impression I get is that it is a minority that is steadily growing, and their level of distrust seems to be greater than anywhere else (that isn't already in a state of revolt)

  6. Neil Barnes Silver badge
    Holmes

    Americans just don’t trust their governments as much as the UK and Australia

    Americans must trust their government very little indeed. I'm not sure anyone in the UK trusts the current government as far as they could throw it, House of Parliament and all the benches included.

    1. Charles 9 Silver badge

      Re: Americans just don’t trust their governments as much as the UK and Australia

      The US was FOUNDED on a distrust of government. Thus why the government was made the way it was. The Founding Fathers just happened to underestimate either American greed or American stupidity.

  7. Ordinary Donkey

    Didn't they already decide not to do that?

  8. Peter Galbavy

    But surely there are environmental benefits? Imagine how many trees could be saved if dictators in notionally democratic banana republics - like, say the USA - didn't have to stuff ballot boxes with pre-filled paper ballots all the time and instead just changed the totals online?

    1. Allan George Dyer Silver badge

      But if you source the ballots from sustainable forests, and bury them afterwards, you're building a carbon store and fighting global warming.

  9. chroot

    What about other applications?

    If paper is the only secure way to vote, why can we rely on electronic services for banking, government services, etc? Or shouldn't we?

    1. Will Godfrey Silver badge
      Pint

      Re: What about other applications?

      Well I don't. I check my bank balance every week, against the paper receipts I collect with all purchases.

      On the rare occasions I buy online I keep a copy of the webpage until the goods have arrived and payment confirmed.

      I'm usually supping one of these while checking.

    2. Anonymous Coward
      Anonymous Coward

      Re: What about other applications?

      Desire and will.

      A dictator printing off fake money (or electronically) collapses the economy.

      A dictator faking an election, stays in power.

      Not equal in scope or result.

      1. Anonymous Coward
        Anonymous Coward

        Re: What about other applications?

        What if the dictator WANTS to collapse the economy, so as to snap up the pieces and then tot off ahead of the pitchforks?

    3. pmb00cs

      Re: What about other applications?

      Because banking and voting are two entirely different problem spaces.

      With banking the bank needs to know that *I* allowed the transaction, and they know who *I* am. so as long as they can reconcile the details of the person authorising the payments with my identity all is good. It's a problem that requires two parties who know each other to be able to authenticate intention through a third party.

      With voting the entire population needs to know how many people within the population voted for each candidate without knowing who each specific person voted for. So we need to validate numbers without recourse to validating identity after the fact. Although you need to identify yourself in the polling booth this is only to prove you have a right to vote, and haven't already done so. Once you get your ballot your identity becomes meaningless.

      Put another way, with banking I don't give a fuck if you trust that I paid the shop or not, as long as my bank does. With voting I care deeply that we all agree on the results, but don't know who we each voted for.

  10. Pascal Monett Silver badge

    Bruce Schneier is my kind of guy

    Finally, someone with indisputable authority confirms what I've always been saying on the subject : paper for ballots. How unfortunate that this is happening in the USA, where corrupt people hold the keys to change. It is crazy to witness a group of people so openly corrupt and contemptuous of the rules of their own country, and nothing can be done about it.

    Well, not until the next election, that is. Which will be held via electronic voting boxes. How curious would it be if Trump got re-elected in a landslide, hmm ? Like, 90% of the votes. I wonder what people would think about that ?

    1. batfink Bronze badge

      Re: Bruce Schneier is my kind of guy

      Only 90%? Amateur!!

      It should be more like 120%. Just ask any proper banana republic leader.

  11. Dr_N Silver badge

    Instant Gratification

    Paper or punch/mark cards don't fill the need for on-the-night results to feed the 24/7 news cycle.

    1. Neil Barnes Silver badge

      Re: Instant Gratification

      Of course they do. They provide *hours* of punditry while the experts debate what the result would be if they could believe the exit polls, then the results next morning, then more hours of pundits explaining why the polls were wrong.

      Paper ballots are *made* for 24 hour TV.

      (Anyone would think the results would be different if you stopped up all night to watch, instead of just waiting for the morning news...)

    2. Mog_X

      Re: Instant Gratification

      Here in the UK most of the results after an election have been made within six hours of the polls closing - some constituencies have an unofficial race to make the first declaration.

      In the US there should be a delay, as people would still be voting on the west coast as the first results come in from earlier time zones.

    3. DanceMan

      Re: Instant Gratification

      "Paper or punch/mark cards don't fill the need for on-the-night results"

      Bullshit. Here in Canada in at least some of our elections, the paper ballot is inserted by the voter into an optical reader to tabulate the results. The paper ballots remain available for a recount.

      1. Anonymous Coward
        Anonymous Coward

        Re: Instant Gratification

        Then the optical reader can be hacked. Back to the same dilemma.

        1. Allan George Dyer Silver badge

          Re: Instant Gratification

          @AC - "Back to the same dilemma."

          No quite. The paper was verified by the voter when they voted, and it still exists so a manual check could be performed. With proper checks, you could have the same reliability as a wholly paper system...

          I'd suggest choosing n polling stations randomly, then each candidate chooses an additional n polling stations, and perform a manual verification for those. If there is any discrepancy with the optical reader results for those polling stations, re-count the whole election manually.

          1. Charles 9 Silver badge

            Re: Instant Gratification

            "No quite. The paper was verified by the voter when they voted."

            Who actually DOES that, plus what's to stop a Kansas City Shuffle so that the paper matches the machine? Some organizations are big enough to both make a scheme that elaborate AND ensure there are no squealers?

  12. Claptrap314 Silver badge

    Hacking paper is HARD (relatively)

    I've worked 30 elections in Texas. I now live in Washington state.

    First, like any Republic, voting fraud exists. There is no way to prevent it. The problem is how do you make it hard to steal elections without being caught. Others have posted most of the steps taken to safeguard a scantron paper system. You can get around them, but it takes a LOT of manpower. And that creates a LOT of people who can talk about it. As mentioned, electronic voting creates entirely new avenues to introduce fraud. As it happens, they also scale.

    A note about gerrymandering: The US Supreme court's understanding of "one man, one vote" combined the relationship between our censuses and our district lines MANDATES weird boundary lines for congressional districts. As mentioned, the States are the primary sovereigns for elections, per the US constitution. The exceptions are the guarantee of a republican form of government, and the fourteenth amendment, which ensures the right to vote in federal elections. I am of a mind to invoke these regarding paper ballots & gerrymandering, but I've yet to see congress touch an issue without making it worse.

    1. disgruntled yank Silver badge

      Re: Hacking paper is HARD (relatively)

      Weird boundary lines? Iowa, where a non-partisan commission handles the redistricting has fairly non-weird lines. A couple of censuses ago, there was a congressman from North Carolina who joked that he could drive down an interstate with his doors open and hit everyone in his district. See https://www.politico.com/magazine/gallery/2014/08/the-art-of-the-gerrymander/002007-028572.html

  13. A random security guy

    Physical security

    There is a reason why all governments use special couriers to send specially secured documents. One time pads are still being used.

  14. disgruntled yank Silver badge

    By the way

    comp.risks has been beating this drum for a long time.

  15. mildy bemused

    Hacking an election as an engineering problem

    For a term paper for Masters in Cybersecurity course I looked at hacking the 2016 election as an engineering problem - what is the minimum it would take to alter the vote tally. For Ohio, the example I used, I concluded from published information that it would mean altering the tally on 18 servers.

    This was entirely theoretical and I did not confirm it with the Ohio Secretary of State but here is the approach: reduce the problem space to the 7 swing states with the largest number of electoral college votes. I chose Ohio as an example because they publish detailed information about voting patterns. Reduce the problem space further because in Ohio it's only 18 of the 88 counties that matter. In Ohio, the results from the polling stations are tabulated by each county before the aggregate is reported to the Ohio Secretary of State. Hence 18 servers.

    Attacking the voting machines themselves doesn't scale as well. If they're not accessible over a wireless link, they have to be compromised before voting day (you can not do it covertly during the vote) which means getting into the storage facilities where the thousands of voting machines are kept or the thousands of polling stations the night before.

    There is one flaw in my analysis which might indicate that something was wrong and it has nothing to do with how the election is run or secured. I'll leave it as an exercise for the student to figure it out.

    I was discussing this with an FBI agent last week and he pointed out that there is a paper record. But half of the machines in Ohio print out the paper record! The voter gets a slip like a till receipt but anyone here check a shop receipt to see if it matches the amount that was just charged to your credit card? My interest in a transaction ends with the display on the terminal I just stuck my credit card in.

    Of course, the way the voting officials ensure that the voting machines have not been tampered with using a plastic seal - available in several colors at a modest price on Amazon.

    1. Charles 9 Silver badge

      Re: Hacking an election as an engineering problem

      "Attacking the voting machines themselves doesn't scale as well."

      So you attack a chokepoint: like the manufacturer, where the mole strategy HAS been used in the past.

    2. Anonymous Coward
      Anonymous Coward

      Re: Hacking an election as an engineering problem

      Attacking the voting machines themselves doesn't scale as well. If they're not accessible over a wireless link, they have to be compromised before voting day (you can not do it covertly during the vote) which means getting into the storage facilities where the thousands of voting machines are kept or the thousands of polling stations the night before.

      Part of the problem is that big if in there.

  16. Trollslayer Silver badge

    And we think the UK government is bad

    OK, it is but nowhere as bad as the US.

  17. This post has been deleted by its author

  18. Roq D. Kasba

    Obligatory Tom Scott

    https://www.youtube.com/watch?v=w3_0x6oaDmI

    Didn't see it elsewhere

  19. Kev99

    For years in Ohio the local elections boards would tally the votes at the local courthouse and then phone in the results to the Ohio Secretary of State. Later, the SoS allowed them to fax the results. Since Ohio required there always be at least two people of opposing parties watching the elections from the casting of the first vote to the sending in the results the chances of hanky-panky were greatly limited.

    I personally believe there are two reasons why everyone thinks electronic voting is good. One, the fools think the internet is perfectly safe and secure and ignoring the fact that a net is just a bunch of holes held together with string. The second reason is to appease the news hounds who want the results immediately even though the results are not official until several days after the polls close. In Ohio I believe that's ten days.

  20. Dr. Mouse Silver badge

    xkcd FTW

    https://xkcd.com/463/

    and

    https://xkcd.com/2030/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019