Could Crypto Resolve the Voting Machine Controversy?

Today, Diebold touts the improved efficiency of its remodeled AccuVote-TSX voting consoles. "Every cast ballot is immediately encrypted and redundantly stored within the AccuVote-TSX voting station to secure ballot information," a Diebold sales brochure reads. "Wireless ballot accumulation capability can accelerate the tabulation process and enable the secure collection of encrypted post-election data from multiple voting stations to a single voting station for subsequent transmission to a central election server."
In 2003, Dr. Jones' Iowa study identified the repeated use of a single, factory-determined encryption key -- a simple, eight-character sequence which he actually published on the University Web site -- as one of the AccuVote-TS's key vulnerabilities. A key that is the same in every machine and never changes only has to be learned once. Would the TSX model be susceptible to the same problem?
In June 2005, the California Secretary of State's office evaluated the TSX model for use in its statewide elections. A 22-page staff report found that, although supervisor keys were now selectable by the administrator, the Admin key itself continued to be a single key set by the factory.
"Because the encryption key for the AccuVote-TSx's Administrator card is set by the factory," the staff report reads, "the system could be vulnerable to fraud or manipulation if the same encryption key is used to encode Administrator cards for multiple jurisdictions or elections. For this reason, the vendor should be required to issue these cards with unique encryption keys for each jurisdiction and for each election."
Despite that finding, the staff did recommend the TSX for certification.
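The staff report's recommendation, unique keys per jurisdiction and per election, is a key-management fix, and the following added example shows why it matters. It is not Diebold's card format or the article's own code: it authenticates a generic administrator-card payload with an HMAC tag, first under one key shared by every machine, then under keys derived from a master secret with the jurisdiction and election as context. The key strings, jurisdiction names and election dates are constructed for the demo.

```python
import hashlib
import hmac

# Constructed values for the demo; a real issuer keeps the master secret in an HSM.
SHARED_FACTORY_KEY = b"one-key-for-every-machine"     # the pattern the reports criticise
MASTER_SECRET = b"vendor master secret (constructed)"  # never leaves the issuer
TAG_LEN = hashlib.sha256().digest_size


def derive_card_key(master: bytes, jurisdiction: str, election: str) -> bytes:
    """Derive a per-jurisdiction, per-election card key from a master secret.

    HMAC(master, context) is a standard key-derivation construction. The context
    string binds the key to one jurisdiction and one election, so learning one
    derived key reveals nothing about any other.
    """
    context = f"admin-card|{jurisdiction}|{election}".encode()
    return hmac.new(master, context, hashlib.sha256).digest()


def issue_card(key: bytes, payload: bytes) -> bytes:
    """Authenticate a card payload with the given key: payload || HMAC-SHA256 tag."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()


def accept_card(key: bytes, card: bytes) -> bool:
    """Verify a card under the key this jurisdiction/election expects."""
    payload, tag = card[:-TAG_LEN], card[-TAG_LEN:]
    return hmac.compare_digest(tag, hmac.new(key, payload, hashlib.sha256).digest())


# (jurisdiction, election) scopes that should each have their own key
SCOPES = [("Alameda", "2005-11"), ("Alameda", "2006-06"), ("Polk", "2005-11")]


def shared_key_breach() -> dict:
    """Attacker learned the single factory key once and forges an administrator
    card: every jurisdiction and every election accepts it."""
    forged = issue_card(SHARED_FACTORY_KEY, b"ADMINISTRATOR")
    return {scope: accept_card(SHARED_FACTORY_KEY, forged) for scope in SCOPES}


def scoped_key_breach(leaked_scope=("Alameda", "2005-11")) -> dict:
    """Attacker learned the key for ONE jurisdiction/election; the same forged
    card is rejected everywhere else, because each scope verifies under its own key."""
    leaked_key = derive_card_key(MASTER_SECRET, *leaked_scope)
    forged = issue_card(leaked_key, b"ADMINISTRATOR")
    return {scope: accept_card(derive_card_key(MASTER_SECRET, *scope), forged)
            for scope in SCOPES}


if __name__ == "__main__":
    print("single factory key:", shared_key_breach())
    print("per-scope keys:    ", scoped_key_breach())
```

The derivation only contains the damage if each voting station is provisioned with the derived key for its own jurisdiction and election and nothing more; a station that holds the master secret, or a table of every derived key, is back to the single-key situation.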
If Diebold's voting systems are indeed guilty of applying encryption to protect the wrong areas of the voting cycle, then what exactly are the "right areas?" This was the question posed in a master's thesis by MIT student Ben Adida last August.
One of the schemes Adida suggests is a radically different kind of information network, which bears no correspondence to anything Diebold - or perhaps anyone else - presently produces. Some scientists call this system Prêt à Voter. Here, the consoles which acquire the voters' selections transmit those votes to a public bulletin board. The votes are encrypted using session keys generated at the time of voting.
"On this bulletin board," Adida writes, "the names or identification numbers of voters are posted in plaintext, so that anyone can tell who has voted and reconcile this information against the public registry of eligible voters. Along with each voter's name, the voter's ballot is posted in encrypted form, so that no observer can tell what the voters chose."
At first, it's clear to everyone who voted, but not what for. Each voter casts an encrypted ballot, proof of whose integrity is provided to each voter by means of a receipt. As Adida describes, "By comparing the codes on the receipt with those on the screen of the machine, [the voter] can be certain that the machine properly encoded her vote. In addition, since [the voter] can easily claim, at a later point, that a different confirmation code appeared on the screen, she cannot be coerced."
After all votes are cast and verified, election workers then convert the votes into their decrypted counterparts, producing a list in which it is clear what was voted for, but not who did the voting. Like the Heisenberg Uncertainty Principle applied to politics, you can always accurately determine who voted or what was voted for, but never both at the same time.
How this may improve the system, Adida argues, is that it creates a controlled hand-off point between cast and tallied ballots, where individual human beings may be held accountable. "Any observer can verify the processing of these encrypted votes into an aggregate, decrypted tally," Adida writes. By contrast, with current systems the hand-off is blind: the cast ballots disappear into the machine and a tally comes out, and no one outside the machine is in a position to check that the one followed from the other.
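The property Adida describes, an observer who can check that the encrypted ballots on the board were turned into the published tally, can be demonstrated with a small amount of code. The example below is added here and is not Adida's scheme or anything from the article: it uses homomorphic tallying of exponential ElGamal ballots with a Chaum-Pedersen proof of correct decryption, a standard verifiable-tally technique and an alternative to the mix-net route the article mentions for the same hand-off. The bulletin board posts each voter's name in plaintext beside an encrypted yes/no ballot; anyone can reconcile the names against the registry, multiply the ciphertexts together, and check the trustee's proof that the published decryption of the product is honest. Assumptions: a toy 10-bit group (p = 1019, q = 509, g = 4) chosen so the code reads easily, a single trustee, and no per-ballot proof that each ciphertext encrypts 0 or 1 (a real system needs that proof, or a voter could encrypt 10). The registry and the votes are constructed.

```python
import hashlib
import secrets

# Toy group: safe prime P = 2Q + 1, G = 4 generates the order-Q subgroup of squares.
# 10 bits is for readability only; a deployment uses a 2048-bit group or an elliptic curve.
P, Q, G = 1019, 509, 4

REGISTRY = {"alice", "bob", "carol", "dave"}   # constructed public roll of eligible voters


def keygen():
    """Trustee key pair: secret x, public h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt_vote(pk: int, vote: int) -> tuple:
    """Exponential ElGamal: (g^r, g^vote * h^r) with a fresh session randomness r."""
    assert vote in (0, 1)
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pk, r, P) % P


def aggregate(ciphertexts) -> tuple:
    """Anyone can do this step: the product of ciphertexts encrypts the sum of votes."""
    a_total = b_total = 1
    for a, b in ciphertexts:
        a_total, b_total = a_total * a % P, b_total * b % P
    return a_total, b_total


def fiat_shamir(*items) -> int:
    """Non-interactive challenge derived from the public transcript."""
    data = b"|".join(str(i).encode() for i in items)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q


def decrypt_with_proof(sk: int, pk: int, agg: tuple) -> tuple:
    """Trustee publishes D = A^x and a Chaum-Pedersen proof that log_g(h) = log_A(D)."""
    a_total, _ = agg
    d = pow(a_total, sk, P)
    w = secrets.randbelow(Q - 1) + 1
    t1, t2 = pow(G, w, P), pow(a_total, w, P)
    c = fiat_shamir(G, pk, a_total, d, t1, t2)
    s = (w + c * sk) % Q
    return d, (t1, t2, s)


def verify_and_tally(pk: int, agg: tuple, d: int, proof: tuple, n_voters: int):
    """Observer's check: accept the decryption only if the proof holds, then
    recover the yes-count by brute-forcing the small exponent. Returns None on failure."""
    a_total, b_total = agg
    t1, t2, s = proof
    c = fiat_shamir(G, pk, a_total, d, t1, t2)
    if pow(G, s, P) != t1 * pow(pk, c, P) % P:
        return None
    if pow(a_total, s, P) != t2 * pow(d, c, P) % P:
        return None
    m = b_total * pow(d, -1, P) % P          # g^(sum of votes)
    for k in range(n_voters + 1):
        if pow(G, k, P) == m:
            return k
    return None


def audit_roll(board) -> bool:
    """Who voted is public: every name on the board is registered and appears once."""
    names = [name for name, _ in board]
    return set(names) <= REGISTRY and len(names) == len(set(names))


def run_election(votes: dict) -> dict:
    sk, pk = keygen()
    board = [(name, encrypt_vote(pk, v)) for name, v in votes.items()]  # public bulletin board
    agg = aggregate(c for _, c in board)
    d, proof = decrypt_with_proof(sk, pk, agg)
    yes = verify_and_tally(pk, agg, d, proof, len(board))
    # A trustee who publishes a doctored decryption is caught by the same check.
    forged = verify_and_tally(pk, agg, d * G % P, proof, len(board))
    return {"roll_ok": audit_roll(board), "yes": yes,
            "no": None if yes is None else len(board) - yes,
            "forged_decryption_accepted": forged is not None}


if __name__ == "__main__":
    print(run_election({"alice": 1, "bob": 0, "carol": 1, "dave": 1}))
```

Note what the observer can and cannot learn: the board reveals who voted, the product-and-proof step reveals only the aggregate, and an honest trustee cannot be blamed for a wrong tally because the proof ties the published decryption to the public key and the public ciphertexts.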
The receipt-checking step has itself come under close scrutiny. As researchers from the University of Newcastle (UK) wrote, "In a possible attack, the [Web bulletin board] arranges for the voter to see a correct record of her ballot receipt, which, in collusion with the mix-net, has been deleted or altered. As a result the voter could mistakenly believe that her vote has been accurately counted."
In a "mix-net" system, a chain of servers each shuffles and re-encrypts (or partially decrypts) the batch of encrypted ballots before passing it on, so that no single server, and no outside observer, can match a ballot going in to a ballot coming out. This is sometimes likened, as with the new judging system for figure skating, to "security through obscurity," but the comparison is loose: the design of a mix-net is public, and a properly built one publishes proofs that each shuffle preserved the set of ballots. The Newcastle attack above does not rely on obscurity at all; it relies on the bulletin board and the mix-net colluding, which is why the checks an election publishes must let an observer catch a deleted or altered ballot without trusting either party.
As computer security expert Bruce Schneier wrote in 2004, "Software used on [direct-record electronic voting] machines must be open to public scrutiny. This also has two functions. One, it allows any interested party to examine the software and find bugs, which can then be corrected. This public analysis improves security. And two, it increases public confidence in the voting process. If the software is public, no one can insinuate that the voting system has unfairness built into the code."
"The bad guys don't care whether you use encryption," Ed Felten wrote, "they care whether they can read and modify your data. They don't care whether your door has a lock on it; they care whether they can get it open. The checkbox approach to security works in press releases, but it doesn't work in the field."