339: Integrity of the Curling Club

Transcript for Embedded 340: Integrity of the Curling Club with Dan Zimmerman, Christopher White, and Elecia White.

Note: Future transcripts will have timestamps and will use initials instead of names. The formatting is likely to change.

Elecia: Welcome to Embedded. I am Elecia White. I'm here with Christopher White. This week, we'll be talking about voting, not politics, specifically electronic voting, but maybe not the way you think. Our guest is Dan Zimmerman.

Christopher: Hi, Dan. Thanks for joining us today.

Dan: Thanks for having me.

Elecia: Could you tell us about yourself as though it were the first day of class in a course you're teaching?

Dan: Sure. I am a Computer Scientist. My specialty, my research area, is mainly formal methods and software and hardware engineering. I work for a company called Galois and also a company called Free & Fair, which I'm sure we'll talk about both of those more later. I do research.

Elecia: We are going to talk more about the companies you work for and voting as I mentioned. First, we'd like to do lightning round where we ask you short questions, we would like short answers. If we're behaving ourselves, we won't ask you why and are you sure, and all of that. Are you ready?

Dan: Sure.

Christopher: You're going to make me ask this one? Okay.

Elecia: No, you can skip that one.

Christopher: What is purple and commutes?

Dan: Wow. That one was out of left field. A traveling mascot.

Elecia: An abelian grape. Okay, now the second question, the other question to that is, why is that joke funny-ish? Okay, that's just a mathematician joke, huh?

Dan: Yeah.

Elecia: Okay. We'll stop torturing you with that. Chris, why don't you go on to the next one?

Christopher: Should we bring back the dinosaurs and allow them to vote?

Dan: If I were being flippant, I could argue that many of them are already voting. I would say, no. As a result, no.

Elecia: You went to Caltech, which is ...

Dan: Yes.

Elecia: ... where the mythical Chris Knight went in Real Genius.

Dan: Technically, Pacific Tech in Real Genius, but yes.

Elecia: Okay. What were the best slippers that Knight wore?

Dan: That is a good question. There were some ...

Elecia: I'll give you a hint. I'm wearing them right now too.

Dan: ... bunny slippers, I believe.

Elecia: Yes.

Dan: I think those were the ones that stood out most.

Elecia: Yes.

Christopher: What does his T-shirt say in the beginning of the film?

Dan: I don't remember.

Elecia: See, I didn't either.

Christopher: Toxic waste.

Elecia: Would you rather complete one project or start a dozen?

Dan: I'd rather complete one.

Christopher: Do you have a favorite acronym?

Dan: I have a favorite acronym. Right now, I have a couple, actually. They tend to be the ones that I come up with for research projects because I get silly enjoyment out of that. The one that is currently my favorite is, it's called, BESSPIN, B-E-S-S-P-I-N, which is our research project in DARPA's SSITH program, which also has two S's instead of one. It stands for Balancing Evaluation of System Security Properties with Industrial Needs.

Christopher: I really enjoy reverse-engineered acronyms. Let's start with the word you want. Let's figure out how your project can be described in those letters.

Dan: I do that very frequently at Galois, actually.

Elecia: Do you have a favorite fictional robot?

Dan: I've always liked Johnny-Five from Short Circuit.

Christopher: What's a tip everyone should know?

Dan: I don't have a quick answer to that. I mean, one that I think is valuable especially in this day and age is, knowing how to turn off Face ID and Touch ID on your phone with a button press.

Christopher: Yeah.

Elecia: Okay. That actually does segue nicely into some things about voting. When I initially contacted you, I thought we were talking about electronic voting machines that you go and touch in your polling place. You sent me a little bit of information about electronic voting and how voting should work and what the future of voting is, and it was a lot. Could you explain the acronym E2E-VIV?

Dan: Sure. Let me first say that I'm happy to talk about voting machines that you would go and vote on in a polling place as well. E2E-VIV stands for End-to-End Verifiable Internet Voting. It's actually an extension of another acronym, just E2E-V, which is End-to-End Verifiable, which is a concept that has been around for voting systems for, oh, goodness, 30 years or so. Though not implemented in very many places.

Elecia: Okay. The E2E-V, what does it mean and why do we want it?

Dan: End-to-End Verifiable means that if a voter goes and casts a vote, they can do three things. They can verify that the system correctly recorded the vote that they cast. They can verify that the vote that they cast was actually included in the final tally of votes that gets announced at the end of the election. They can verify that the tally is correct, given some data about the entire set of votes in the election that is made publicly available. Thereby, essentially, double-checking the outcome of the election as it was announced by the election officials.

Elecia: Okay. How is this a computer science problem?

Dan: It's a computer science problem, mainly because there is cryptography involved to do it well, to do it in a way that preserves the properties that we like having in our election systems. That requires some pretty sophisticated cryptography.

Elecia: Why don't we all just write names on pieces of paper and shove them into a box? I mean, that's worked for a long time.

Dan: We absolutely can. In fact, in many places they do. The problem is that if I'm shoving pieces of paper into a box, and you're shoving pieces of paper into a box, some people might throw more than one piece of paper into the box. Somebody might dump out half of the box before they count the pieces of paper. Once you put that piece of paper in the box, there's no way for you to know what happened to it.

Elecia: I guess it does imply a level of trust, doesn't it? Once I cast my ballot, I have no way of knowing if ...

Christopher: You can go to the Santa Cruz County voter registrar and they'll say if your ballot was accepted. There is some tracking.

Elecia: Okay.

Christopher: Whether you believe the answer they give you, that's a separate issue, but.

Elecia: Yes, because they could say I have it, but they don't necessarily say who I voted for.

Dan: No. It would be a very bad idea for them to be able to tell you who you voted for.

Elecia: Why?

Dan: If election officials can tell who you personally voted for, that information might be available to others as well. For example, you vote in an election for your city council, and you vote for a particular set of council members. Maybe none of them make it onto the council. The ones that do now know that you didn't vote for them.

If you bring up issues that are important to you, or initiatives that you would like to see them pursue, and they know you didn't vote for them, that might affect how they view your input. There are other possible repercussions to this sort of thing too. For example, employers finding out who you voted for and penalizing you for voting the wrong way, or even your spouse or significant other finding out who you voted for and punishing you for it in some way.

We really want our votes to be completely disconnected from our identities once we put them in the box or throw them in the mail, or whatever mechanism we use to cast them.

Elecia: Okay. Go ahead, Christopher.

Christopher: You also said that another thing that cuts a different way there, it seems like, you also said, verify that your vote was recorded correctly is a goal. Doesn't that imply that you could prove to someone that you voted a certain way, where you could sell your vote or be compelled to vote a certain way?

Dan: Right. That's exactly what we want to avoid. In End-to-End Verifiable Systems, when you check that votes are recorded correctly, you don't actually get to check the specific vote that you cast that actually gets counted. Effectively, what you can do is check that your vote was included in the tally, but not decrypted. I can go into a little bit more detail, I guess, about how this works.

In a typical, I say typical, there really aren't any of these out there in the world being actively used in in-person polling places. In a design for an End-to-End Verifiable Election, when you vote, you generate some cryptographic evidence of the way that you voted and you get to take that evidence home, but that evidence is a one-way hash.

You can actually verify that a vote with this hash was included in the tally. You can't decrypt it and show it to somebody else to say, "I voted for candidate X. Now, give me my $100 that you promised me."

Christopher: I see.

Dan: Right. You might very well ask, "If I can't decrypt it, what evidence do I have that it was recorded correctly?" Because that was another part of the problem. The idea there is that you can do what's called a Benaloh challenge of the system. It's named for Josh Benaloh, who is the Head Cryptographer at Microsoft Research, who invented this as part of his PhD thesis a number of years ago.

The idea there is, I can go, I can vote, I can cast a ballot and get all the way to the point of being ready to put it in that box. Then say, "You know what, I don't really trust that the computer recorded this correctly. I'm going to challenge this ballot." Then, what happens is, you bring the ballot to a poll worker or a different computing station, or whatever mechanism the particular voting system you're using has. It gets marked as a challenged ballot. What happens then is, it doesn't get included in the final tally but it does get decrypted and posted on the internet for everybody to see. You get to keep whatever piece of paper you have, or other documentation you have that says how you voted, and you can compare that against the decrypted version.

If you're going to challenge a ballot, what you might do is vote for a completely ridiculous slate of people that you would never vote for under real circumstances. Make sure that the system recorded that correctly. If you do that enough times, if enough people do that, and enough is a very low threshold, it takes very few people to actually get a very high statistical probability about this, then you get a lot of evidence that the computer is recording the votes and doing the encryption correctly, because it committed to the encryption of that vote before any notion of whether you are going to challenge it or not.

If it's doing something fraudulent, if it is encrypting things wrong or changing people's votes, that's going to be detected because of the randomness of the challenges and the fact that it didn't know whether you were going to challenge the given ballot or not.

Elecia: Okay. I know a little bit about cryptography. I know a little bit about identification, making sure that you're you, which isn't something we've talked about yet. I understand a little bit about privacy as it pertains to computers and security, but I'm already a little lost with the voting thing. I'm not going to want to use a system that I don't understand.

Dan: Yes. You put your finger on one of the really critical things about having a system like this and that is, how do you explain that to people? I don't know whether I did a reasonable job or an unreasonable job in explaining it at a high level just now. Certainly, people aren't going to trust the system unless they can understand how it works.

For something like this to work, essentially what you're going to need is a model of delegated trust, where your average voter is not a cryptographer. In fact, most above-average voters are not cryptographers, right? There are not very many cryptographers out there in the world. Maybe they trust their political party, or maybe they trust the League of Women Voters, or maybe they trust the National Rifle Association or the ACLU. Those entities are capable of hiring people who are cryptographers to essentially do independent verification of the cryptography involved.

If you have enough cryptographers inspecting the system that are working on behalf of organizations that people trust, then you can build trust in the system at a broader level. I might not believe that the implementation is doing what it says it's doing, even though I actually do understand a bunch of the cryptography involved. Maybe I didn't build the system, maybe I don't know the people who did.

Trawling through its source code is something that I would hopefully be able to do, but it's going to take a very long time, and there's no reason to believe that I'm going to actually detect anything that might be wrong with it. If a bunch of different organizations have built completely independent verifiers of the cryptography that have nothing to do with the implementation of the original system, they're just based on the same math, then that increases the ability for me to trust the system.

Elecia: Okay. Then, it actually isn't that different from what I do now? I mean, I trust that if I mail my ballot, the Postal Service will deliver it and someone will open it and put it in the stack of things to be counted. Or if I go to a polling station, I trust that when I put my ballot in the box, it's not just going to go into the trash. That chain of trust is already there. We're just trying to trust different people?

Dan: Trying to trust different people, or to have it be a more distributed sort of trust, where you're not just trusting one set of election officials. You're trusting everybody who's done ... You don't have to trust everybody who's done an independent verification of the artifacts generated by the system to see that it's correct, but if you trust a few of them, that's going to be compelling for you.

Christopher: This might be an unfair question, but it assumes good faith on the part of the hired crypto people. You can imagine an organization hiring somebody, maybe with credentials, but an agenda, to say, "No, this doesn't work." All the other cryptographers say, "Yes, it does." Now, you have the situation where the trust is somewhat muddied.

Elecia: Tarnished.

Dan: That's true. That is definitely a possible problem with this sort of system. Pretty much, the way that you would have to address that would be through some kind of peer review or something. I mean, there are ... the equations for these things are all public.

Christopher: Right.

Dan: Anybody can build one of these things, if they acquire a bit of knowledge about cryptography. You don't have to be a cryptographer to use a cryptographic software library to put together a verifier for something like this. If something is obviously being done wrong with an agenda in mind, I would hope that it would be detected by sufficient members of the public or sufficient members of other election officials to flag it. You're right, of course, if an organization really wants to cast doubt on some election results, they could do that. The difference is that the mathematics at least is mathematics. There is, in this case, only one right answer: either it is correct or it's not.

Christopher: Doing it this way, there's certainly less wiggle room to say, "Oh, these ballots disappeared mysteriously, or maybe they did, maybe they didn't," versus, "I don't like this algorithm." At least you can argue about the algorithm, and you can't prove that ballots did not disappear from the box.

Dan: Right, or even things like, well, we interpreted the marks that somebody made on this ballot to mean that they were ...

Christopher: Yeah.

Dan: Or this candidate versus that candidate, and depending on who's in the room doing the interpreting, that's an inherently sort of human, subjective thing. Whereas, checking the cryptographic evidence for an End-to-End Verifiable Election is a mathematical, objective thing.

Elecia: The other part of voting is also an issue of trust, but it goes the other way. Someone has to trust me to be who I am and not, I don't know, a robot voting for favorite robot candidates.

Dan: Indeed. If you walk into a polling place and you are going to cast your vote, then they will cross you off of a voter registration book. In many places, they will check your ID, depending on where you are. The form of identification you're required to present would be different. If you're mailing in a ballot, you have to have a signature on it. They are going to compare that signature to the signature that you put on file when you registered to vote.

Elecia: Oh my god, I was 18. It can't possibly look the same.

Christopher: We re-registered when you voted, you're fine.

Elecia: Okay.

Dan: Yes, my signature has evolved a bit too. They really do throw out ballots based on bad signatures. I think in a recent election this year in New York, there were tens of thousands of ballots that were thrown out for having bad signatures on them, effectively. That actually can become a problem because depending on how you're checking the signatures and who's checking the signatures ...

Elecia: Whether they have an agenda.

Dan: Exactly. There are checks in place; whether they can be abused or not is another aspect.

Elecia: Okay. Right now, the way that my identity is built for them to trust my vote is one of these things, my signature, my ID, some form of that. If we go to, I mean, is that a good way to do it?

Dan: We don't really have much of an alternative way to do it, at least not in this country. There are places where every citizen has a cryptographic token. Estonia is an example of this. There, if you actually show up somewhere with your ID card, it is a cryptographically secure ID card. Yes, I suppose somebody could have stolen it, but they will also compare the picture on it and such. If you're using it to vote online in Estonia, they run their elections on the internet, then you are using your cryptographic token and putting in your private password and essentially authenticating yourself to the system that way. We don't have any infrastructure like that here.

Christopher: Even voter ID laws are very controversial because there's a large population that doesn't have IDs and has difficulty getting them.

Dan: Indeed. The idea of a national, or even in most states, the idea of a statewide sort of high-security cryptographic identifier distributed to all voting-age citizens is a bit of a nonstarter, at least the way things stand currently.

Elecia: How will internet voting happen if I have to show my driver's license? I mean, when I hold it up to the screen, nothing happens.

Dan: First, I'm going to say, my initial premise is that internet voting should not happen in the United States anytime soon because [crosstalk] exactly like this. I support doing research into what we need to make internet voting safe and usable and possible in US elections, but that research is a long road and there are a lot of problems that have to be solved.

I mean, identity is one of them. Even things as simple as, how do you trust that what you typed into the web browser actually is what is sent to the system on the other side that's receiving your vote? How do you deal with client-side malware? How do you deal with man-in-the-middle attacks? There's all sorts of problems that would need to be solved in order for this to be something that you could even begin to consider for public elections.

For private elections, it's a different story. If you run a curling club, for example, which is a real example. Actually, I'm a member of one here and we did an election over the internet this year. I felt perfectly fine with that, because I really didn't think that there was much in the way of large-scale threats to the integrity of the curling club election. We used a reasonable online system for it and everybody was sent their own individual token that they could use to vote one time.

A lot of companies do shareholder elections this way. There are End-to-End Verifiable ways to do that too for private elections. There's a system out there called Helios Voting, which maybe you've heard of and maybe you haven't. It was created by somebody named Ben Adida. You can find it online. They basically will run End-to-End Verifiable Internet Elections for your organization. You can set one up even for free, I believe, just to experiment with the concept.

There are definitely contexts where it's fine to vote over the internet when the stakes are low. In basically all public elections, the stakes are way too high.

Christopher: You mentioned Estonia is already doing this. Are they throwing caution to the wind, or is there something about Estonia that's particularly magical?

Dan: There definitely are cultural differences. There is not as big a tradition of things like voter coercion and things like that in Estonia, but there's also robust debate about whether what they're doing is reasonable. There are conferences that occur every year about electronic voting and people present these opposing viewpoints. Some places have decided that the risks are worth the benefits. They've made the tradeoff decision in some ways.

Estonia is one that's gone all in on this sort of stuff. In Switzerland, they've done a lot of work in trying to build out internet voting and they've had some pretty high-profile failures. Recently, their system was essentially completely owned very quickly when they did a public intrusion test, but they're still pushing ahead with the research side of it. I think that that's a worthwhile thing to do. If we can solve the problems that would make internet voting in public elections a safe thing to do, then those solutions would probably be pretty useful for other things as well.

Elecia: Yeah. I mean, many of these things that you'd have to solve for voting would give you the ability to use some of that for other things. I mean, identity being one of them, and being able to understand cryptography to the level of, yes, I can check it and know what a one-way hash is. You were talking about the research being valuable. One of the things that I saw was your company has been working on a report. Let me see if I got this title right. E2E-VIV Project: The Future of Voting, End-to-End Verifiable Internet Voting Specification and Feasibility Study.

Dan: Yes, this was a project that we did back in 2015. It was funded by the US Vote Foundation. The US Vote Foundation, basically, they exist to make sure that American voters overseas have the ability to vote in US elections. They wanted to see if we could develop some sort of roadmap for what we would need to accomplish in order to make internet voting available to overseas voters. In this report, we talked about, well, here are the various problems that need to be solved. Here are what the requirements are.

The recommendations of the report basically ended up being that End-to-End Verifiability is essential and there has to be a gradual advance. We can't just say, "All right, now we've come up with an End-to-End Verifiable Internet Voting System, we're going to deploy it, everybody's going to be happy." We have to actually build up people's knowledge and trust in End-to-End Verifiable Systems in general, before trying to take that step.

They should be used in in-person voting first and have people get some experience with them, understand how the auditing processes for them work, understand how the verification stuff works, get some trust in the systems before trying to deploy things on the internet. That they need to be essentially treated as mission- and safety-critical systems. That they are as critical as the systems that control things like nuclear reactors and aircraft guidance systems and all of these other things where, if something goes wrong with the system, either people die or billions of dollars of economic damage happens. We should be treating voting systems as critical systems on that level.

They also have to be broadly usable and accessible. We have to actually get all of these open problems, including things like identity and how to deal with client-side malware kind of stealing your keystrokes and telling somebody how you voted, or any of these other things that are threats to the integrity of such a system. We have to actually solve those problems before any kind of deployment should occur. We're nowhere really close to solving most of those problems right now.

Elecia: Some of them are part of the electronic in-person voting?

Dan: Yes.

Elecia:                                   I read this report or paper, I don't know if you've seen it. Security analysis of the Diebold AccuVote TS voting machine. They took apart this machine and it was terrifyingly easy to hack.

Dan:                                       Yes. The current state of in-person voting machines is somewhat frightening, I suppose, is a good word. If you've seen a footage or reports from the DEF CON Vote Hacking Village over the past few years. You'll see that pretty much every single machine that the community that studies these things has been able to get our hands on, has turned out to have fundamental security flaws. Some of which are of the very embarrassing variety like having an open Wi-Fi network with a default password that could be accessed from the parking lot of a polling place and actually change ...

Christopher:                       Why do they have Wi-Fi at all?

Dan:                                       This is a real system that actually was in use in among other places Virginia, and was decertified ... Guess when?

Christopher:                       Last week.

Elecia:                                   2017.

Dan:                                       Actually, a little earlier than that. It was right before the 2016 election base.

Elecia:                                   Decertified, but were they still used?

Dan:                                       They were not used in the 2016 presidential election, no. Not to my knowledge. It's possible that I'm wrong about that. We actually have one of those systems sitting in a room at Galois. The first thing I did when we got it was, I opened it up. It has an exposed USB port. I plugged a keyboard in, I hit Control, Alt, Delete, and then I had administrator access to everything.

Christopher:                       They're just Windows PCs, right?

Dan:                                       Yup. In this case, it was just a Windows. Yeah, people could have changed votes from the parking lot without ever setting foot into the polling place with these machines. Whether that happened or not, we will probably never know because forensic investigation of electronic voting machines is essentially a thing that never happens. In many cases, it's actually prohibited by the contracts that election this jurisdictions have with the companies that supply the machines.

Christopher:                       Sounds great.

Dan:                                       In many cases, they don't own the machines, they just lease the machines. You can't even open them up in a lot of cases without having a serviceman or woman from the company come and open it up with a special key, which turns out to be a key that you can buy for $2 at Home Depot.

Christopher:                       Right. It sounds like a great deal for the voting machine people. They must have some really good salesman.

Dan:                                       They do have ...

Christopher:                       It will do nothing for you and we can't prove anything that we make works but we can charge you money for it.

Dan:                                       Entrenched interests are powerful, yes.

Elecia:                                   Okay. That seems bad and wrong, but it's easier to take something apart than it is to build it. The report Galois put together was in depth and a lot of building and a lot of good stuff but is there a voting machine I should trust?

Dan:                                       These days, not very many of them have done much to earn trust. Personally, I think that a pencil and a piece of paper is the best voting machine that we have that's deployed at the moment. There are some that are good. There are some that are, or at least are not egregiously bad. There are some that are probably going to have their code open sourced at some point in the future, like the one in Los Angeles that they've just developed over the last couple years.

                                                In general, I honestly think that a pen or a pencil and a piece of paper is the most trustworthy thing we have at the moment. Of course, then you still have to trust ballot scanners but there are at least fewer people generally with access to ballot scanners that are used in real elections. The attack surface is a bit smaller.

Christopher:                       The ballots still exist, somebody could challenge them and rescan them or visibly inspect them, yes.

Dan:                                       We can do audits. Risk-limiting audits are also an important tool that we have in terms of gaining trust in elections and that's an area that we've also been involved with. In the past, we built the first risk-limiting audit system that was used in a statewide election. It was used in Colorado in an off-year election in 2017. They audited the results from all 64 of their counties and found no anomalies in the counting that was done by the machines. That was heartening.

Elecia:                                   Microsoft seems to be jumping in the pond, they have this ElectionGuard? Have you heard of it?

Dan:                                       We built it.

Elecia:                                   Oh, well then ...

Christopher:                       Then, yes, you have.

Elecia:                                   ... you have. Wow.

Dan:                                       As it turns out, yes. Galois and Free & Fair did the initial implementation of that for Microsoft last year.

Elecia:                                   It's open source, which is not usually a Microsoft thing.

Dan:                                       It is. That was one of the things from the initial project inception that they had said, "We're going to do this. We're going to make it open source. We're doing it to benefit the world, essentially." That was why we were interested in working with them at the time because that's sort of, on the Free & Fair side, we want to build or help to be built sort of open source freely available, at least, for auditing and the like, election technology for everyone. We want to see that stuff get out there.

                                                Whenever there's an effort that is pushing toward that, we tend to be supportive. At Galois, we do similar things. We build a lot of things for public good and we open source a lot of our work as well though sometimes, our clients don't let us.

Christopher:                       What is ElectionGuard?

Dan:                                       ElectionGuard is a software development kit that implements exactly a set of cryptographic primitives for End-to-End Verifiable paper-based voting.

Christopher:                       Okay.

Dan:                                       The idea is that by incorporating ElectionGuard into an existing voting system, you could give that system End-to-End Verifiability.

Christopher:                       That's not necessarily and like you said, it's for paper voting.

Dan:                                       Yes. It is in fact ...

Christopher:                       It's improving the existing system rather than replacing it with something scary.

Dan:                                       Yes. In fact, it's designed only for use with paper-based voting systems. The idea of using it for internet voting systems, at least when we were involved with the initial implementation was not even a consideration as part of the project.

Elecia:                                   How did you get into this field? It sounds like something that's important to you but you went from CS professor to this?

Dan:                                       I've had an interest in this for a while. Obviously, like most people who were of voting age at that time, I was completely horrified by the events in Florida in 2000.

Elecia:                                   This is the hanging chads.

Dan:                                       The hanging chads and we're going to count things. No, we're not going to count things. Here's how we're going to count things. We're going to change how we're going to count things. The Supreme Court said, "Don't count things." The whole chain of events was just a slow motion disaster. That kind of made me interested in this sort of thing.

                                                One of my colleagues at the time in my lab at Caltech, we were grad students together. He actually ended up going and becoming a professor in Europe, where they were much further along in doing things like electronic and computerized voting systems. Even potentially internet voting systems than what we were in the United States at the time. He started hacking those systems with the permission of the governments involved and would give me updates about the kinds of things that he was up to there. I found that very interesting.

                                                Meanwhile, I was doing my own non-election related computer science work and becoming a professor and teaching things like software engineering and distributed systems and stuff. I didn't have much time for election-related work.

                                                Then, this same friend of mine essentially told me, "Hey, I'm going to this company called Galois. We're doing all sorts of cool work, including some of this election stuff. Maybe you should come along." I ended up going to work at Galois and then got into it with a bit more fervor in 2014.

Elecia:                                   You mentioned DEF CON, and I think that goes along with the fervor. There is a fairly big group of hackers and activists and such that are interested in this as a problem. Are they black hats or white hats?

Dan:                                       All the ones that I know personally are white hats. I definitely know a bunch of them. I'm sure that there must be black hats out there. Though, I don't think that many of them participate in the voting village sort of thing. Because one of the things about voting village is you tear these machines apart. Then, all of the results that anybody comes up with during that entire time get published. If you're a black hat and you discover something about a voting machine, you're probably not going to want that to be published, because you're going to want to use it for your own benefit in some way.

                                                It's interesting, I understand both sides. You would think that the voting system companies, in a way, would welcome some of this sort of activity as a way of ...

Elecia:                                   Yeah. Find my bugs for me. Find my bugs before they count.

Dan:                                       Exactly, as a way of sort of upping their own game. In practice, what happens is, instead they generally do things like threaten lawsuits if you open up the machine on the floor of DEF CON, which, of course, are completely baseless threats, because all of those machines are owned by the people who brought them there, and so they can pretty much do whatever they want with them.

Elecia:                                   I'm surprised they let anybody own the machines, and that they aren't all rented so that they have more control.

Dan:                                       Many of them are, but there are certainly jurisdictions who aren't interested in leasing their equipment right there. They would rather own their equipment. The voting system manufacturers do both.

                                                In the case of one set of machines, we actually acquired a set of precinct count scanners from the Multnomah County, Oregon department of elections back in, I believe, it was 2016 although it might have been '17. It was interesting because these are scanners that were among the most prevalent model that was used nationwide for a long time.

                                                Multnomah County had decided they needed something new. These were fairly old. They were out of date. They wanted to get rid of them. They listed them on one of these government auction sites for the extremely reasonable price of zero dollars as long as you would transport them away.

                                                We got a bunch of these machines and we brought one to DEF CON the next year. We also had a bit of fun with it in the office and discovered that it was running an extremely old version of the QNX embedded operating system that just happens to be the last version that was freely distributed before they started charging for it, and a number of other things, where we got to the point where you could just plug something into the exposed Ethernet port that these things inexplicably had and actually change some of the programming.

Christopher:                       Funny, because I spent a lot of time 14 years ago making sure that the medical device I worked on had no exposed network ports. It just seemed like the thing to do on something that could be dangerously hacked. I guess these people just ...

Dan:                                       You would think. As I mentioned, these devices that are used in polling places even now have things like exposed USB ports. In a lot of cases, they epoxy them so that you can't actually plug something in. In some cases...

Elecia:                                   I can get around that.

Christopher:                       It's a little harder. You can't just walk up and do it.

Dan:                                       I think that it's possible that an election official might notice if you were standing in front of a machine for a long time trying to get the epoxy out. I mean, some of the non-technical sorts of controls that happen in polling places are just as important as some of the technology. The fact that you actually do have election judges watching what people do in the polling place is an important thing.

                                                In some cases, having external connectors is necessary because in order for, for instance, disabled people to vote maybe they need to plug a headset in so that they can hear what's on the ballot. Or maybe they need to plug some kind of control interface in so that they can navigate the display, that's being displayed because they can't use a touchscreen. There are tradeoffs there.

Elecia:                                   The accessibility tradeoff is one that I'm becoming more interested in over the years. It's dumb to make things harder when many of the accessibility things can make it easier for everyone. Like touchscreens: touchscreens can be miscalibrated, which makes it hard for everybody. Having a different method of doing it makes more sense, even if the reason you are doing the different method is because people with shaky hands or blindness or whatever makes it that the touchscreen doesn't work. Are there other accessibility things that are important with voting machines?

Dan:                                       You've definitely hit on one of them. Although, in some cases, the touchscreen issue can be dealt with by just not using such cheap touchscreens.

Elecia:                                   What? Is that an option?

Dan:                                       I mean, pretty much up until very recently, all of these devices had 15-year-old resistive touchscreens that were very easily miscalibrated. Recently, they've gotten a bit better. I mean, for somebody who is blind, they need to be able to navigate the device by audio. You need to be able to do things like magnify the text or use something higher contrast. There are various different considerations that come into play.

                                                This was actually a fairly important thing in the ElectionGuard work. One of the things that they did was they used the Xbox Adaptive Controller as an interface mechanism for this, to show that it could be accessible as broadly as they could make it, which was a very good thing.

Elecia:                                   As long as you sanitize your inputs, you're fine.

Dan:                                       Indeed.

Christopher:                       Leads me to a question. It sounds like there are some advantages to voting machines, apart from all the controversy and difficulty, some noble goals behind using them. It sounds like the motivation to use the voting machines that we think of and the ones that have been hacked a lot, the cheap ones, by the election districts is different from the work you do.

                                                You're motivated to apply technology to improve the security of elections, improve the auditability and traceability, whereas it seems like the purchase of voting machines was because this will make it easier for us.

Elecia:                                   Yeah. Then, we don't have to hire someone to count. The machine can count.

Dan:                                       I think there's definitely an element of truth to that. It also happens to be the case that the United States, here in the States, we do elections very differently from basically anywhere else in the world. In most countries, you have a general election, there's one or two things on the ballot. Everybody gets the same ballot. Counting it, even by hand is very easy.

                                                Here, while you're in California, so you've seen typical California ballots ...

Christopher:                       I'm [crosstalk] from 2016. I'll turn it in as soon as I finish.

Dan:                                       I lived in Southern California for a decent amount of time and had to vote on just all sorts of crazy things, including whether or not people should eat horse meat. I mean this was a thing that was actually brought up to the entire state to vote on.

                                                If you have 40 different choices to make on your ballot and each race might have 10 or 15 people in it, actually counting that, by hand is also fairly error prone. People are generally not great at doing repetitive boring tasks. Computers are amazing at doing repetitive boring tasks. Having the computers count actually is a really good idea as long as you can get it to the point where you can trust if they're counting correctly.

Elecia:                                   Yeah, the Scantrons in California, at least the absentee Scantrons that I'm familiar with, they're really easy to use for me. It's a little boggling for me to think about, there are places in the US where you can't do absentee ballots unless you have a really good reason, as opposed to, I'm too lazy to go to the polling place and stand in line, which I think is a fantastic reason. Why ...

Dan:                                       I would agree.

Elecia:                                   Having seen this environment, are there reasons for the arbitrariness of the voting jurisdictions and how this all works in each ...

Christopher:                       Yeah [inaudible] how the effort was constructed?

Dan:                                       Yeah. One of the things here, right, is that there isn't one way of doing federal elections, because the elections are all run by states and counties, and so there are thousands instead of one.

                                                Congress actually does have the power in the constitution to set specific rules about how federal elections happen. It's a power that they've generally been reluctant to use, mainly because I think people would see it as federal government overreach. Depending on where in the country you are, it might be, oh, they're trying to rig the election so that these people can win. Or, oh, they're trying to take control of the process and take away our rights. These are the sorts of things you might hear.

                                                I mean, here in Oregon, where I'm sitting, we've been voting exclusively by mail with the exception of people who have disabilities that prevent them from voting by mail, they still have places that they can go. We've been doing that for a very long time. I find it extremely convenient. I get to sit, fill out the ballot at my leisure, mail it back in or drop it in the drop box. I have a decent amount of time to do that. Nobody is waiting behind me trying to get access to the machine that I'm using.

                                                I'm not sure what the motivations are for not moving in that direction in more places. I have, obviously, my own thoughts about what those are, but I don't particularly want to get political here.

Christopher:                       There is some argument that the diversity of systems has a benefit, because I could see somebody say, "If we had one single federal system with the same counting methods and the same computers or whatever, it's much easier to hack an entire nationwide federal election" versus "Well, it's very hard to rig an election where there's 10,000 counties all doing it their own way."

Dan:                                       That is definitely a point that I've heard made. There may be some merit to that.

Elecia:                                   We didn't agree with you at all.

Christopher:                       I'm not saying that's necessarily my opinion. I'm putting that out.

Dan:                                       There may be some merit to that. Especially given the way a lot of these systems are designed and implemented.

Elecia:                                   Is it badly?

Dan:                                       I would argue that if you had one nationwide system that was implemented as poorly, I suppose as the ones that are out there, that unquestionably would be a bad thing. If you had one nationwide system that was implemented well, that might be an improvement over the current situation. Regardless, we're not going to end up with one nationwide counting system because of the way that US elections work.

Elecia:                                   10,000 different jurisdictions all with their own rules.

Christopher:                       It's more than that. I was trying to come up with a relative ...

Dan:                                       Yeah.

Elecia:                                   I mean, our voting is different than people five miles one way or the other, because we're in a different part of the county.

Christopher:                       The ballots ...

Dan:                                       Your voting is different in the sense that you're voting on different things.

Elecia:                                   Yeah. I think our technology is different.

Christopher:                       I don't think so, I think, California has ...

Dan:                                       At a county level, these things generally don't go any more granular than the county level. I usually think of it as about 3000 different jurisdictions. Then, when you talk about the number of different ballot styles that you need in each jurisdiction. In Los Angeles County, they have probably thousands of different ballot styles, between all the different languages that they have to print and all the different cities that need things on the ballot and all the different districts for various water and power and whatever else. That is a lot of complexity to deal with. It's understandable that you would want computers to take some of the load off of that.

Elecia:                                   Yeah, it is. Okay. I have one random question before I ask Chris if he has any other questions. You taught at Harvey Mudd, which is our alma mater, where we went to school.

Dan:                                       Yes.

Elecia:                                   There is a rivalry with Caltech, which is where you got your degree or both your ... all of your degrees of bachelor, masters, PhD. You went from the enemy to Harvey Mudd. I wondered, is that rivalry entirely one sided?

Dan:                                       Not entirely. First, I've also taught at Caltech as it happens. I think ...

Elecia:                                   Whose students are better? There's only one right answer.

Dan:                                       I actually really, really enjoyed my time teaching at Harvey Mudd. It was probably the best teaching experience I've ever had. Part of that was because the students were amazing and I got to teach the courses I wanted to teach, as opposed to when I taught at Caltech, it was right after I graduated and they're like, "We need somebody to teach this." I said, "Okay, well, I can do that." It's not the same as teaching something that you really want to.

                                                I think from the Caltech side, I think Caltech views MIT more as rivalry to the point of doing things like flying cannons across the country.

Elecia:                                   Yes, that was our cannon. Damn it.

Dan:                                       Let's perhaps agree to disagree on it.

Elecia:                                   Yes.

Christopher:                       I still think the best prank that Mudd ever pulled was putting the parentheses around Pasadena City College on the ...

Elecia:                                   On the freeway sign.

Christopher:                       ... the Caltech sign.

Dan:                                       That is excellent. I agree.

Elecia:                                   For people who have never seen the sign it's Caltech, Pasadena City College. Next exit. If you put parentheses around the Pasadena City College, implication is there and hilarious for some of us.

Dan:                                       Yes. No, I agree. It is hilarious.

Elecia:                                   Dan, it's been really interesting to talk to you. Do you have any thoughts you'd like to leave us with?

Dan:                                       I think that on the subject of election technology, I think, that there is a lot of good work left to do in terms of improving these machines, both the in-person and the speculative far future internet sort of voting. I think it's important that people actually do that work.

                                                For anybody listening who is interested in this topic, one of the best ways to learn about the unique constraints of the election realm is to actually volunteer to be a poll worker, perhaps not this year, because there are some unique considerations this year. It's a really good way to actually get some firsthand knowledge about how the system actually works beyond just filling out your own ballot in whatever way you do it and submitting it, and often submitting it into a black hole, and then you get the election results later.

Elecia:                                   One of our listeners, Tom Anderson, made that same point that it was really interesting and helped him understand the system better. I totally agree. I say, if you can do it this year, maybe it is a good year to do it, but only if you're comfortable.

Dan:                                       Right. If you feel safe doing it, actually jurisdictions are really in very bad need of people this year because a lot of people don't feel safe doing it.

Elecia:                                   Our guest has been Dan Zimmerman, principal researcher at Galois and principal computer scientist at Free & Fair.

Christopher:                       Thanks, Dan. This was really fascinating.

Dan:                                       Thank you.

Elecia:                                   Thank you too, Christopher, for producing and co-hosting. Thank you very much to our Patreon supporters for Dan's mic and the Slack group for their questions and links. Of course, thank you for listening.

                                                You can find links on the open source Microsoft ElectionGuard, the reports about how to do elections in the future from Galois and from a number of other sources, and just all sorts of links. You'll also find the contact link if you want to say hello to us.

                                                Now, a quote to leave you with. This one is from Abraham Lincoln. "Elections belong to the people. It's their decision. If they decide to turn their back on the fire and burn their behinds, then they will just have to sit on their blisters."

                                                Embedded is an independently produced radio show that focuses on the many aspects of engineering. It is a production of Logical Elegance, an embedded software consulting company in California. If there are advertisements in the show, we did not put them there and do not receive money from them. At this time, our sponsors are Logical Elegance and listeners like you.

Transcript is done by Rev.com.