Top Scoops

Book Reviews | Gordon Campbell | Scoop News | Wellington Scoop | Community Scoop | Search


Scoop Blogwatch: Hacking Your Vote

Scoop Blogwatch: Hacking Your Vote

If you were hired to create some software to count votes in an election, how would you do it? What considerations would you have and how would you implement them. What would be your security considerations?

Think for a moment before reading on, and we'll compare your thoughts with what's actually out there. The results may surprise you.

Disclaimer: This is my personal blog and my opinions are my own and not necessarily that of my employer.

No, This Is Not All About Touch Screens
There has been some major upset in the last few years about touch-screen voting systems and how easy they are to hack - but I don't want you to focus on that, for now. The interesting thing is when you bring up "voting software" most people think these systems are what you're talking about.

In this case I'm more interested in how you would implement vote-counting software - the thing used to count the votes when cards are passed through a reader and tallied. Take 10 minutes or so and specifically think about:

  • Voting audit trails
  • Counting accuracy
  • Security
  • Tampering prevention

You keep on musing while we take a break to describe the election process and how votes are counted today...

How Your Vote Is Counted
Every county has the jurisdiction to implement an election as it sees fit, under the guidelines of the Federal Elections Commission (FEC). This means that every county in the US can buy and use "certified" systems from companies such as Diebold, ES&S, and Sequoia.

One of the biggest sellers out there (the state of Maryland paid $50 Million US for this one) is the Diebold's Accu-vote. It consists of a battery of optical readers (one for each polling place) and memory cards for storing election results. It also comes with a license for GEMS, their vote-tallying and reporting software; one license per county for use by the Supervisor of Elections.

On the day that you vote, your ballot gets put into an officious looking black box with the other ballots. At the end of the day your ballot is pushed through one of these readers, and your vote is stored on one of these memory cards:

Once all of the ballots from a polling place are collected and read, a tape is printed by the optical reader that has the results on it, including a full count of the ballots read in. The election workers from that polling place sign the ticket and off it goes to the Department of Elections.

The next step in the voting chain is that the Election Supervisor (or one their appointees) takes the memory cards from each polling place and methodically plugs them into a computer running GEMS, the vote-counting software. GEMS reads the information from the cards and once all the cards are read, a final report is printed out and the Supervisor certifies the results and the election.

Seems simple enough right? Have an idea how you might implement this system?

The Diebold System
In 2003, Bev Harris (the then-housewife and now-founder of wanted to know more about the election software that was being used in her home town near Seattle, WA. She got on the internet and ran Google search after Google search until suddenly...

... when I found that Diebold Election Systems had been storing 40,000 of its files on an open web site, an obscure site, never revealed to public interest groups, but generally known among election industry insiders, and available to any hacker with a laptop, I looked at the files. Having a so-called security-conscious voting machine manufacturer store sensitive files on an unprotected public web site, allowing anonymous access, was bad enough, but when I saw what was in the files my hair turned gray. Really. It did.

The contents of these files amounted to a virtual handbook for vote-tampering: They contained diagrams of remote communications setups, passwords, encryption keys, source code, user manuals, testing protocols, and simulators, as well as files loaded with votes and voting machine software

Turns out that Diebold kept their CVS system up on a public FTP site, with no security. Oops.

She downloaded every file she could find, which included requirements, diagrams, code, and binary files. Of particular interest to her was GEMS - the software that tallies the votes for the county.

Go to the full story

© Scoop Media

Top Scoops Headlines


Scoop HiveMind Project: Universal Basic Income - Are We Up For It?

This is an opportunity for you as one of the 4 million potential funders and recipients of a Universal Basic Income to collectively consider the issue:
1. Is UBI is a desirable policy for New Zealand; and
2. How should a UBI system work in practice. More>>


Lyndon Hood: National Announces Plan To Hit Youth With Big Mallets

The National party has announced its youth justice policy, which includes a controversial plan for recidivist serious youth offenders to be hit over the head with a comically large rubber mallet. More>>


Lyndon Hood: This ->

It's been brought to my attention that Labour's new campaign slogan is "Let's do this". A collective call to action. A mission. I myself was halfway out of the couch before I realised I wasn't sure what it was I was supposed to do. More>>


Scoop Hivemind Report: What New Zealanders Think About Affordable Housing

Ordinary citizens have had very few venues where they can debate and discuss as to what they believe has led to the crisis in affordable housing and how we might begin to address this. The HiveMind on affordable housing was about redressing the balance. More>>


New Hivemind Exploration: Opening The Election - Freshwater Quality

This is an opportunity for you as one of the 4 million guardians of our common water resources to help us find mutually agreeable solutions to the critical task of collectively managing these resources for health and sustainability. More>>