Didier Stevens

Monday 11 June 2007

Some e-voting observations

Filed under: Vulnerabilities — Didier Stevens @ 16:52

Last Sunday, we had federal elections here in Belgium. I’m glad to see that the electronic voting system I used is designed to minimize voter coercion.

The secret ballot prevents coercion (being forced to vote for a certain person or party): if the voter can’t produce evidence of how he voted, he can lie to the coercer about his vote without risk. Some political parties want to change the process of the secret electronic ballot and include a paper trail. This is not a good idea, it will make coercion much more effective, as the voter will have an official paper with his vote.

The ubiquitousness of mobile phones equiped with a camera gives coercers a new opportunity to require proof from the persons they are coercing. The coercer just has to instruct his victim to take a picture of his ballot. The Belgian electronic ballot is designed to prevent this. When you’ve casted your vote, you’ll see a screen like this one:

The 2 buttons at the bottom of the screen allow you to:

  • left button: go back a screen and change your vote
  • right button: confirm your vote

Once you have confirmed your vote, the next screen doesn’t display how you voted. So if one is coerced and has to deliver proof, one just has to take a picture of the vote one was coerced into, and then back out from the screen and change ones vote. The only workaround I see is for the coercer to demand a video of the complete voting process, in stead of a picture of the ballot.

I’ve made a video of my voting last Sunday, and it turned out to be rather difficult to do. First of all, I was standing very close to the screen and I clumsily managed to film only the bottom of the screen. Secondly, the brightness of the CRT screen (black letters on a white background) makes it very hard to read my ballot on the video. This could also be an anti-coercion mechanism, taking legible pictures of a white screen is very hard.

This is an advantage that our electronic ballot has over our paper ballot, it is more effective against voter coercion.

You can find a simulation of the Belgian electronic ballot here:

10 Comments »

  1. Interesting… I must ask – is Belgian e-voting software open sourced? If no, who reviews the software to ensure that it is fair? And is that verification process public, and are the test results easily available to the general public?

    Here in US the e-voting machines are running proprietary software and hardware, and are tested by licensed private companies in a secretive, non-public process. The company that makes them goes to great lengths to prohibit any independent entities not affiliated with them to test or examine their machines.

    It has been shown that their hardware uses insecure, cheap locks, and that their software can be easily altered by simply plugging a modified memory card into it, and rebooting.

    It’s a fucking mess around here. With such insecure, easily hackable machines, produced by private companies, running closed code, voter coercion is really a secondary concern here.

    I’m just wondering if you guys came up with a better system than we did. :)

    Comment by Luke — Tuesday 12 June 2007 @ 15:24

  2. I don’t know if it’s open source, but the source code is available on an official site (I just found this out yesterday): http://www.ibz.rrn.fgov.be/index.php?id=627&L=0

    I’ve read about all the issues with Diebold machines a while back, and I started to ask myself the same questions you’re asking. But until know, I was not very actively looking for answers. This will probably change now that I’ve the source code. But of course, the source code is only one part of the voting system. For example, it appears to be running on DOS, and DOS is not the first thing I think about when you ask me for a secure OS.

    Comment by Didier Stevens — Tuesday 12 June 2007 @ 16:57

  3. Oh boy… DOS? That might be nasty. No user permissions, funky memory model, archaic kernel. Definitely doesn’t sound like a modern, robust tamper-proof voting system. :(

    Comment by Luke — Tuesday 12 June 2007 @ 20:57

  4. In some parts of Belgium, we still use paper and pencil to vote, and to be honest I still find it the best way … Bruce Schneier has some very interesting articles in his monthly Crypto-Gram indicating the pro’s and con’s of the electronic voting. Also the SANS weekly newsletter has already published a few articles and comments on the electronic voting system.

    Independent of the Source Code Review, there will always be items for discussion with the current system of electronic voting. As a user of the system, you can never be assured that the vote you entered on the screen is really captured on the card, even ignoring the fact that this card also have to be read correctly by the card reader. If I vote on a paper ballot, I see literally that I have elected party X and nothing or nobody can change this if correct procedures are in place (which is still the case in Belgium with a lot of people involved in voting, counting and controlling the system).

    If there is a problem or an issue with the counting, one can ask a recount. With paper ballots this is rather straight-forward and everybody can testify the correctness. The current way of electronic voting has no such possibility.

    And no, I’m really not against the electronic voting system but I think it’s time to rethink the way this is done. There are some examples that also provide a paper trail of your vote

    Comment by Koen Dreelinck — Wednesday 13 June 2007 @ 12:00

  5. It’s still possible: if you feed the voting machine a magnetic card already carrying a vote (the one you just cast), it will clearly show you who you’ve voted for.

    Comment by Joske — Saturday 23 June 2007 @ 14:01

  6. This is interesting. And does the screen that shows your vote, after reinserting the card, allow you to change your vote?

    Comment by Didier Stevens — Saturday 23 June 2007 @ 15:04

  7. No, it won’t allow you to change your vote. It just shows the voted names in a gray background color.

    Comment by Joske — Saturday 23 June 2007 @ 17:03

  8. For a voting machine, DOS sounds good to me. It’s much smaller and simpler to audit than something like Unix or Windows.

    cjs@cynic.net

    Comment by Curt Sampson — Thursday 12 July 2007 @ 10:25

  9. So coercion is the latest pro for elo voting?
    a) You can do paper voting twice (foto-ing the 1st trial), by devalidating the 1st paper after the foto and ask for a 2nd one. So coercion can be ruled out as well in paper.
    b) Bush (jr.) was elected twice by dubious voting machines on Florida and then Ohio (more Bush votes than legal participants in some Ohio districts etc.). So this WAS fraud.
    c) Let it be DOS, or Unix or whatever. Nobody will be able to verify the whole package, in all districts.
    Who could possibly check multiplying/exponentiating 512-bit numbers modulo the RSA modulus or whatever is behind the voting algorithm. Plainly 8almost) nobody.
    d) After the fact, the is no paper trail, no electronic trail, nothing. Neither the voter, nor the party members present in the stands, nor anybody else can do anything with the result than believe. I am computer scientist and catholic, but my belief in God is somewhat firmer than that in those voting machines.
    e) What good is elo voting anyway? (potential harm we have already seen) Faster? Yeah, knowing the Prime Minister 5 min after closing instead of after 30 min… No coercion? Also fightable in paper … so what???

    Comment by Charles — Thursday 25 October 2007 @ 15:47

  10. So you have done a) here in Belgium? How long did it take you?

    And BTW, shrub was put into power by Corporate America, not by dubious voting machines. See? I can also write oversimplifications.

    Comment by Didier Stevens — Thursday 25 October 2007 @ 16:27


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 227 other followers

%d bloggers like this: