Microsoft Research has revealed a potential flaw in verifiable e-voting machines through which fraudsters could easily use discarded ballot receipts as a guide for altering votes. Fortunately, the researchers also offered a solution -- linking new receipts to previous ones with cryptographic hashes -- but that alone won't make e-voting entirely secure, they cautioned.
Unlike the first generation of controversial e-voting machines, which lacked printing capabilities and suffered other back-end insecurities, newer end-to-end verifiable designs such as Scantegrity, Prêt à Voter, VeriScan, Helios, and MarkPledge issue receipts. Not only can voters check the printouts to confirm their ballots were recorded as cast, they can also later compare their receipts against the published election data.
The problem with the new generation of verifiable voting machines, according to the report (PDF), is that most people are highly unlikely to keep their receipts and check them later. Ill-intentioned individuals could collect those receipts -- by rummaging through garbage cans at voting centers, for example, or through social engineering techniques -- and an insider with access to the back-end records could then alter exactly those ballots in favor of a preferred candidate.
For an attacker, the discarded receipts are an ideal target list: they identify voters who have no intention of verifying their ballots later, so altering only those ballots is nearly certain to go unnoticed. "Suppose that it is known that 5 percent of voters are expected to verify their receipts in an election," the report says. "With a standard design, an insider that randomly alters 10 ballots would escape detection about 60 percent of the time." (Each randomly chosen ballot escapes with probability 0.95, and 0.95 to the 10th power is roughly 0.6; an insider who alters only ballots whose receipts were thrown away pushes that toward 100 percent.)
The mitigation to this "trash attack," according to the report, is to tweak the voting machines so that every voter receives a receipt, and each receipt includes a cryptographic hash of the voting data from the previously cast ballot. "The idea of a running hash is certainly not new. Hash chains are a common cryptographic tool and are found in many protocols," according to the report.
What that would mean: If Voter A and Voter B were to cast votes one after the other on the same machine, Voter B's receipt would carry a record of B's own ballot plus a hash committing to Voter A's ballot data. Because it is only a hash of already-encoded ballot data, Voter B learns neither Voter A's identity nor how A voted. But if an insider got hold of Voter A's discarded receipt and altered A's published ballot, the hash on Voter B's receipt would no longer match the published record, so any later voter who does check would expose the tampering. Since every receipt after A's is chained to it, the insider can no longer tell which alterations are safe, making fraud far riskier and harder to get away with.
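The following is an added simulation, not code from the report or from any of the voting systems named above. It models a single machine whose published board lists one digest per cast ballot, compares the "standard" receipt (own digest only) with the "chained" receipt (own digest plus a running hash over every earlier ballot), and measures how often an insider escapes detection under random targeting versus the trash attack. The ballot strings, the 5 percent verification rate, and the choice of SHA-256 are assumptions made for the example; a real system would chain over encrypted or coded ballot data rather than plaintext.

```python
"""Hash-chained receipts vs. the trash attack (constructed simulation).

Assumptions of this example, not the paper's design: a ballot is reduced to a
SHA-256 digest standing in for the encoded ballot an E2E system prints; the
published board is the list of digests in casting order; a verifying voter
recomputes the running hash from the board and compares it to the receipt.
"""
import hashlib
import random

GENESIS = hashlib.sha256(b"genesis").hexdigest()


def sha256_hex(*parts: str) -> str:
    return hashlib.sha256("|".join(parts).encode()).hexdigest()


def cast_ballots(ballots, chained):
    """Issue one receipt per ballot; return (receipts, public_board).

    Standard design: receipt carries only its own digest.
    Chained design: receipt also carries running = H(running_prev | digest),
    which commits to every ballot cast before it on this machine.
    """
    board, receipts = [], []
    running = GENESIS
    for idx, ballot in enumerate(ballots):
        digest = sha256_hex(ballot)
        running = sha256_hex(running, digest)
        board.append(digest)
        receipts.append({"idx": idx, "digest": digest,
                         "chain": running if chained else None})
    return receipts, board


def recompute_chain(board, upto):
    running = GENESIS
    for digest in board[: upto + 1]:
        running = sha256_hex(running, digest)
    return running


def verify(receipt, board):
    """What a voter who kept the receipt does once the board is published."""
    idx = receipt["idx"]
    if idx >= len(board) or board[idx] != receipt["digest"]:
        return False
    if receipt["chain"] is not None and recompute_chain(board, idx) != receipt["chain"]:
        return False
    return True


def simulate(n_voters, n_altered, p_verify, chained, trash_attack, rng):
    """One election. Returns True if the insider's alteration is detected."""
    ballots = [f"ballot-{i}-{rng.random()}" for i in range(n_voters)]  # constructed
    receipts, board = cast_ballots(ballots, chained)
    verifiers = [i for i in range(n_voters) if rng.random() < p_verify]
    if trash_attack:
        # Discarded receipts tell the insider exactly who will never check.
        checking = set(verifiers)
        candidates = [i for i in range(n_voters) if i not in checking]
    else:
        candidates = list(range(n_voters))
    targets = rng.sample(candidates, min(n_altered, len(candidates)))
    for t in targets:
        board[t] = sha256_hex(f"altered-{t}")  # insider swaps in a different ballot
    return any(not verify(receipts[i], board) for i in verifiers)


def escape_rate(trials, chained, trash_attack, n_voters=100, n_altered=10,
                p_verify=0.05, seed=1):
    """Fraction of simulated elections in which the alteration goes unnoticed."""
    rng = random.Random(seed)
    undetected = sum(
        not simulate(n_voters, n_altered, p_verify, chained, trash_attack, rng)
        for _ in range(trials))
    return undetected / trials


if __name__ == "__main__":
    print("analytic escape rate, standard design, random targets:", 0.95 ** 10)
    for chained in (False, True):
        for trash in (False, True):
            rate = escape_rate(1000, chained, trash)
            print(f"chained={chained!s:5} trash_attack={trash!s:5} escape={rate:.3f}")
```

Running the block reproduces the report's figure for the standard design with random targets (about 0.6) and shows the trash attack driving it to 1.0; with chained receipts the insider is caught in nearly every trial under either strategy, because any verifying voter who cast a ballot after the first altered one sees a running hash that no longer matches the board.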
Notably, the authors of the report stress that their fix would still not ensure a fully secure and verifiable e-voting system, but rather would provide a lower-cost Band-Aid. "A complete verifiable election system has many components, including a voter interface, a back-end tallying process, a public verification process, and a dispute resolution process," wrote Microsoft researcher Josh Benaloh and DecisionSmith's Eric Lazarus.
This Microsoft Research report offers a fine example of how electronic-voting systems have improved to a degree, but it also shows that there's a lot of work to be done to make e-voting truly secure and verifiable. The fact that so many lawmakers have continued to drag their feet on this issue, even in light of documented controversies surrounding e-voting over the past several years, suggests at best an abysmally high level of technical ignorance among elected officials. At worst, it implies a general disregard for the democratic process on which this country was founded, a high level of corruption, or some combination thereof.
This story, "E-voting remains insecure, despite paper trail," was originally published at InfoWorld.com.