Embedded - 339: Integrity of the Curling Club

Episode Date: July 30, 2020

Dan Zimmerman (@dmz) spoke with us about voting, voting machines, building trust in software, and transparency. Dan works for Galois (https://galois.com/, @galois) and Free and Fair (https://freeandf...air.us/, @free_and_fair). He worked on the US Vote Foundation's E2E-VIV Project on the Future of Voting. The artifacts from that project are on GitHub: github.com/GaloisInc/e2eviv. Dan (and Galois) worked with Microsoft on ElectionGuard, a suite of tools to help make elections end-to-end verifiable. The tools are open source: github.com/microsoft/electionguard. The Helios verifiable online election system is also open source: github.com/benadida/helios-server. We failed to talk about the DARPA SSITH and FETT programs, but if you are still reading the show notes, they might be of interest. We also didn't talk about the National Academies report on Securing the Vote.

Transcript
Starting point is 00:00:00 Welcome to Embedded. I am Elecia White. I'm here with Christopher White. This week, we'll be talking about voting, not politics, specifically electronic voting, but maybe not the way you think. Our guest is Dan Zimmerman. Hi, Dan. Thanks for joining us today. Thanks for having me. Could you tell us about yourself as though it were the first day of class in a course you were teaching? Sure. So I am a computer scientist, and my specialty, my research area is mainly formal methods and software and hardware engineering. I work for a company called Galois and also a company called Free and Fair, which I'm sure we'll talk about both of those more later. And I do research. So we are going to talk more about the companies you work for and voting, as I mentioned.
Starting point is 00:01:07 But first, we'd like to do lightning rounds where we ask you short questions. We would like short answers. And if we're behaving ourselves, we won't ask you why and are you sure and all of that. Are you ready? Sure. You're going to make me ask this one? No, you can skip that one. What is purple and commutes? Wow, that one was out of left field. A traveling mascot. An abelian grape. Okay, now the second question, the add-on question to that is, why is that joke funny-ish?
Starting point is 00:01:51 Okay, just a mathematician joke, huh? Yeah. Okay, we'll stop torturing you with that. Chris, why don't you go on to the next one? Should we bring back the dinosaurs and allow them to vote? If I were being flippant, I could argue that many of them are already voting. I would say no, and as a result, no. You went to Caltech, which is where the mythical Chris Knight went in Real Genius, technically Pacific Tech in Real
Starting point is 00:02:30 Genius, but yes. Okay, what were the best slippers that Knight wore? That is a good question. And I'm having... I'll give you a hint. I'm wearing them right now, too. I believe. Yes. And I think those were the ones that stood out most. Yes.
Starting point is 00:02:53 What does his T-shirt say in the beginning of the film? I don't remember. See, I didn't either. Toxic waste. Ah. Would you rather complete one project or start a dozen? I'd rather complete one. Do you have a favorite acronym? I have a favorite acronym right now. I have a couple, actually. They tend to be the ones that I come up with for research projects because I get silly enjoyment out of that. So the one that is
Starting point is 00:03:27 currently my favorite is BESSPIN, B-E-S-S-P-I-N, which is our research project in DARPA's SSITH program, which also has two S's instead of one. And it stands for Balancing Evaluation of System Security Properties with Industrial Needs. I really enjoy back reverse engineered acronyms. Start with the word you want. Figure out how your project can be described in those letters. I do that very frequently at Galois, actually. Do you have a favorite fictional robot? I've always liked Johnny Five from Short Circuit. What's a tip everyone should know?
Starting point is 00:04:15 I don't have a quick answer to that. I mean, one that I think is valuable, especially in this day and age, is knowing how to turn off Face ID and Touch ID on your phone with a button press. Yeah. Okay. That actually does segue nicely into some things about voting. When I initially contacted you, I thought we were talking about electronic voting machines that you go and touch in your polling place. But you sent me a little bit of information about electronic voting and how voting should work and what the future of voting is. And it was a lot.
Starting point is 00:05:01 Could you explain the acronym E2E-VIV? Sure. Let me first say that I'm happy to talk about voting machines that you would go and vote on in a polling place as well. E2E-VIV stands for end-to-end verifiable internet voting. It's actually an extension of another acronym, just E2EV, which is end-to-end verifiable, which is a concept that has been around for voting systems for, oh goodness, 30 years or so, though not implemented in very many places. Okay, so the E2EV, what does it mean and why do we want it? So end-to-end verifiable means that if a voter goes and casts a vote, they can do three things. They can verify that the system correctly recorded the vote that they cast.
Starting point is 00:06:09 They can verify that the vote that they cast was actually included in the final tally of votes that gets announced at the end of the election. And they can verify that the tally is correct given some data about the entire set of votes in the election that is made publicly available and thereby essentially double check the outcome of the election as it was announced by the election officials. Okay. How is this a computer science problem? It's a computer science problem mainly because there is cryptography involved. To do it well, to do it in a way that preserves the properties that we like having in our election systems, it requires some pretty sophisticated cryptography. Why don't we all just write names on pieces of paper and shove them into a box? I mean, that's worked for a long time.
Starting point is 00:07:11 Oh, we absolutely can. And in fact, in many places they do. The problem is that if I'm shoving pieces of paper into a box and you're shoving pieces of paper into a box, some people might throw more than one piece of paper into the box. Somebody might dump out half of the box before they count the pieces of paper. You know, once you put that piece of paper in the box, there's no way for you to know what happened to it. I guess it does imply a level of trust, doesn't it? Once I cast my ballot, I have no way of knowing if... Well, you can go to the
Starting point is 00:07:47 Santa Cruz County Voter Register and they'll say if your ballot was accepted. There is some tracking. Oh, okay. Now, whether you believe what the answer they give you, that's a separate issue. Yes, because they could say I have it,
Starting point is 00:08:00 but they don't necessarily say who I voted for. No, and it would be a very bad idea for them to be able to tell you who you voted for. Why? Well, if election officials can tell who you personally voted for, that information might be available to others as well. So, for example, you know, you vote in an election for your city council, and you vote for a particular set of council members, and maybe none of them make it onto the council. And the ones that do now know that you didn't vote for them. So, if you bring up issues that are important to you or initiatives
Starting point is 00:08:46 that you would like to see them pursue and they know you didn't vote for them, that might affect how they view your input. There are other possible repercussions to this sort of thing too. For example, employers finding out who you voted for and penalizing you for voting the wrong way. Or, you know, even your spouse or significant other finding out who you voted for and punishing you for it in some way. So we really want our votes to be completely disconnected from our identities once we put them in the box or throw them in the mail or, you know, whatever mechanism we use to cast them. Okay. So, go ahead, Christopher. Well, you also said another thing that cuts a different way there, it seems like. You also said verify that your vote was recorded correctly is a goal.
Starting point is 00:09:40 Doesn't that imply that you could prove to someone that you voted a certain way, which you could sell your vote or be compelled to vote a certain way? Right. That's exactly what we want to avoid. So in end-to-end verifiable systems, what you're really checking when you check that votes are recorded correctly, you don't actually get to check the specific vote that you cast that actually gets counted. So effectively, what you can do is check that your vote was included in the tally, but not decrypted. I can go into a little bit more detail, I guess, about how this works.
Starting point is 00:10:37 So in a typical, well, I say typical, there really aren't any of these out there in the world being actively used in in-person polling places. But in a design for an end-to-end verifiable election, when you vote, you generate some cryptographic evidence of the way that you voted. And you get to take that evidence home, but that evidence is a one-way hash. So, you can actually verify that a vote with this hash was included in the tally. But you can't decrypt it and show it to somebody else to say, well, you know, I voted for candidate X, now give me my $100 that you promised me. But you might very well ask, well, if I can't decrypt it, what evidence do I have that it was recorded correctly? Because that was another part of the problem. And the idea there is that you can do what's called a Benaloh challenge of the system. It's named for Josh Benaloh, who is the head cryptographer at Microsoft Research, who invented cast a ballot and get all the way to the point of being ready to put it in that box and then say, you know what, I don't really trust that the computer
Starting point is 00:11:52 recorded this correctly. I'm going to challenge this ballot. So then what happens is you bring the ballot to a poll worker or a different computing station or whatever mechanism the particular voting system you're using has, and it gets marked as a challenged ballot. And what happens then is it doesn't get included in the final tally, but it does get decrypted and posted on the internet for everybody to see. And you get to keep whatever piece of paper you have or other documentation you have that says how you voted, and you can compare that against the decrypted version. So if you're going to challenge a ballot, what you might do is vote for a completely ridiculous slate of people that you would never vote for under real circumstances. Make sure that the system
Starting point is 00:12:45 recorded that correctly. If you do that enough times, if enough people do that, and enough is a very low threshold, it takes very few people to actually get a very high statistical probability about this, then you get a lot of evidence that the computer is recording the votes and doing the encryption correctly, because it committed to the encryption of that vote before any notion of whether you were going to challenge it or not. So if it's doing something fraudulent, if it is encrypting things wrong or changing people's votes, that's going to be detected because of the randomness of the challenges and the fact that it didn't know whether you were going to challenge a given ballot or not. Okay. I know a little bit about cryptography. I know a little bit about identification, making sure that you're you, which isn't something we've
Starting point is 00:13:45 talked about yet. And I understand a little bit about privacy as it pertains to computers and security. But I'm already a little lost with the voting thing. I'm not going to want to use a system that I don't understand. Yes, you've put your finger on one of the really critical things about having a system like this, and that is, how do you explain it to people? I don't know whether I did a reasonable job or an unreasonable job in explaining it at a high level just now. But certainly, people aren't going to trust the system unless they can understand how it works. So for something like this to work, essentially, what you're going to need is a model of delegated trust, where your average voter is not a cryptographer. In fact, most above-average voters are not cryptographers, right? There are people who are cryptographers to essentially do independent verification of the cryptography involved. system that are working on behalf of organizations that people trust, then you can build trust
Starting point is 00:15:28 in the system at a broader level, right? Like, I might not believe that the implementation is doing what it says it's doing, even though I actually do understand a bunch of the cryptography involved. Maybe I didn't build the system. Maybe I don't know the people who did. Trolling through its source code is something that I would hopefully be able to do, but it's going to take a very long time, and there's no reason to believe that I'm going to actually detect anything that might be wrong with it. But if a bunch of different organizations have built completely independent verifiers of the cryptography that have nothing to do with
Starting point is 00:16:06 the implementation of the original system, they're just based on the same math, then that increases the ability for me to trust the system. Okay. And that actually isn't that different from what I do now. I mean, I trust that if I mail my ballot, the Postal Service will deliver it and someone will open it and put it in the stack of things to be counted. Or if I go to a polling station, I trust that when I put my ballot in the box, it's not just going to go into the trash. So that chain of trust is already there. We're just trying to trust different people? Trying to trust different people or to have it be a more distributed sort of trust where, you know, you're not just trusting one set of election officials, you're trusting everybody who's done, well, you don't have to trust everybody who's done an independent verification
Starting point is 00:17:02 of the artifacts generated by the system to see that it's correct. But if you trust a few of them, that's going to be compelling for you. This might be an unfair question, but that assumes good faith on the part of the hired crypto people. You can imagine an organization hiring somebody, maybe with credentials, but an agenda, to say, no, this doesn't work. And all the other cryptographers say, yes, it does, but now you have the situation where the trust is somewhat muddied.
Starting point is 00:17:36 Harnessed. That's true. And that is definitely a possible problem with this sort of system. Pretty much the way that you would have to address that would be through some kind of peer review or something. I mean, there are – the equations for these things are all public. Anybody can build one of these things if they acquire a bit of knowledge about cryptography, right? You don't have to be a cryptographer to use a cryptographic software library to put together a verifier for something like this. So if something is
Starting point is 00:18:21 obviously being done wrong with an agenda in mind, I would hope that it would be detected by sufficient members of at least, is mathematics, right? There is, in this case, only one right answer. Either it is correct or it's not. Doing it this way, there's certainly less wiggle room to say, oh, these ballots disappeared mysteriously, or maybe they did and maybe they didn't, versus I don't like this algorithm, and at least you can argue about the algorithm when you can't prove that ballots did or did not disappear from a box. Right, or even things like, well, you know, we interpreted the marks that somebody made on this ballot to mean that they were voting for this candidate versus that candidate. And, you know, depending on who's in the room during doing the interpreting, that's an inherently sort of human subjective thing. Right. Whereas checking the cryptographic evidence for an end-to-end verifiable election is a mathematical, objective thing. The other part of voting is also an issue of trust, but it goes the other way. Someone has to trust me to be who I am and not, I don't know, a robot voting for favorite robot candidates. Indeed. And if you walk into a polling place and you are going to cast your vote,
Starting point is 00:20:08 then they will, you know, cross you off of a voter registration book. In many places, they will check your ID depending on where you are. The form of identification you're required to present would be different. If you're mailing in a ballot, you have to have a signature on it. They are going to compare that signature to the signature that you put on file when you registered to vote. Oh my god, I was 18. It can't possibly look the same. You've re-registered when you moved. You're fine. Oh, okay. Yes, my signature has evolved a bit too. But they really do throw out ballots based on bad signatures. I think in a recent election this year in New York, there were tens of thousands of ballots that were thrown out for having bad signatures on them, effectively. That actually can become a problem, right? Because depending on how you're
Starting point is 00:21:06 checking the signatures and who's checking the signatures. And whether they have an agenda. Exactly. But there are checks in place. You know, whether they can be abused or not is another aspect. Okay, so right now, the way that my identity is built for them to trust my vote is one of these things, my signature, my ID, some form of that. If we go to, I mean, is of an alternative way to do it, at least not in this country. There are places where every citizen has a cryptographic token. Estonia is an example of this. And there, you know, if you actually show up somewhere with your ID card, it is a cryptographically secure ID card. And yes, I suppose somebody could have stolen it. But, you know, they will also compare the picture on it and such. If you're using it to
Starting point is 00:22:15 vote online in Estonia, they run their elections on the internet, then you are, you know, using your cryptographic token and putting in your private password and essentially authenticating yourself to the system that way. But we don't have any infrastructure like that here. And even voter ID laws are very controversial because there's large populations that don't have IDs and have difficulty getting them. Indeed. Right, so the idea of a national, or even in most states, the idea of a statewide sort of high-security cryptographic identifiers distributed to all voting age citizens is a bit of a non-starter, at least the way things stand currently. How will internet voting happen
Starting point is 00:23:08 if I have to show my driver's license? I mean, when I hold it up to the screen, nothing happens. Well, first I'm going to say my initial premise is that internet voting should not happen in the United States anytime soon because it's exactly like this, right? You know, I support doing research into what do we need to make internet voting safe and usable and possible in U.S. elections. But that research is a long road, and there are a lot of problems that have to be solved. I mean, identity is one of them, but even things as simple as how do you trust that what you typed into the web browser actually is what is sent to the system on the other side that's receiving your vote, right? Like, how do you deal with client-side malware? How do you deal with, you know, man-in-the-middle attacks? How do you, you know, there's all sorts of problems that would need to be solved in order
Starting point is 00:24:18 for this to be something that you could even begin to consider for public elections. Now, for private elections, it's a different story, right? If you run a curling club, for example, which it's a real example, actually, I'm a member of one here, and we did an election over the internet this year. And I felt perfectly fine with that, because I really didn't think that there was much in the way of large-scale threats to the integrity of the curling club election. You know, we used a reasonable online system for it, and everybody was sent their own individual token that they could use to vote one time. You know, a lot of companies do shareholder elections this way, and there are end-to-end verifiable ways to do that, too, for private elections.
Starting point is 00:25:07 There's a system out there called Helios Voting, which maybe you've heard of and maybe you haven't. It was created by somebody named Ben Adida, and you can find it online. And they basically will run end-to-end verifiable internet elections for your organization. You can set one up even for free, I believe, just to experiment with the concept. You know, so there are definitely contexts where it's fine to vote over the internet, right, when the stakes are low. But in basically all public elections, the stakes are way too high. You mentioned Estonia is already doing this. Are they throwing caution to the wind, or is there something about Estonia that's particularly magical? Well, there definitely are cultural differences. There is not as big a tradition of things like voter coercion and things like that in Estonia. But there's also robust debate about whether what they're doing is reasonable. There are conferences that occur every year about electronic voting, and people present these opposing viewpoints.
Starting point is 00:26:35 And some places have decided that the risks are worth the benefits, right? They've made the tradeoff decision in some ways. So Estonia is one that's gone all in on this sort of stuff. In Switzerland, they've done a lot of work in trying to build out internet voting, and they've had some pretty high-profile failures. Not recently, their system was essentially completely owned very quickly when they did a public intrusion test. But they're still pushing ahead with the research side of it. And I think that that's a worthwhile thing to do, right?
Starting point is 00:27:12 If we can solve the problems that would make internet voting in public elections a safe thing to do, then those solutions would probably be pretty useful for other things as well. Yeah. I mean, many of these things that you'd have to solve for voting would give you the ability to use some of that for other things. I mean, identity being one of them and being able to understand cryptography to the level of, yes, I can check it and know what a one-way hash is. You were talking about the research being valuable. One of the things that I saw was your company has been working on a report. Let me see if I got this title right.
Starting point is 00:27:59 E2E-VIV Project, the Future of Voting and end verifiable internet voting specification and feasibility study. Yes, this was a project that we did back in 2015. It was funded by the U.S. Vote Foundation. The U.S. Vote Foundation, basically, they exist to make sure that American voters overseas have the ability to vote in U.S. elections. And so they wanted to see if we could develop some sort of roadmap for what would we need to accomplish in order to make Internet voting available to overseas voters. And in this report, we talked about, well, here are the various problems that need to be solved. Here are what the requirements are. And the recommendations of the report basically ended up being that end-to-end verifiability is essential. And there has to be a gradual advance. Like, we can't just
Starting point is 00:29:18 say, all right, now we've come up with an end-to-end verifiable internet voting system. We're going to deploy it. Everybody's going to be happy. We have to actually build up people's knowledge and trust in end-to- first and have people get some experience with them, understand how the auditing processes for them work, understand how the verification stuff works, get some trust in the systems before trying to deploy things on the internet, that they need to be essentially treated as mission and safety critical systems, right? That they are as critical as the systems that control things like nuclear reactors and aircraft guidance systems and all of these other things where if something goes wrong with the system, either people die or billions of dollars of economic damage happens, right? We should be treating voting systems as critical systems on that level. They also have to be broadly usable and accessible. And we have to actually get all of these open problems, including things like identity and how to deal with client side malware, kind of stealing your keystrokes and telling somebody how you voted, or any of
Starting point is 00:30:55 these other things that are threats to the integrity of such a system. We have to actually solve those problems before any kind of deployment should occur. And we know we're really close to solving most of those problems right now. But some of them are part of the electronic in-person voting. Yes. I read this report or paper, I don't know if you've seen it. Security analysis of the Diebold AccuVote TS voting machine. And they took apart this machine and it was terrifyingly easy to hack. The current state of in-person voting machines is somewhat frightening, I suppose, is a good word. Village over the last few years, you'll see that pretty much every single machine that the community that studies these things has been able to get our hands on has turned out to have fundamental security flaws, some of which are of the very embarrassing variety, like having an open Wi-Fi
Starting point is 00:32:23 network with a default password that could be accessed from the parking lot of a polling place and actually change. Why do they have Wi-Fi at all? This is a real system that actually was in use in, among other places, Virginia, and was decertified, guess when? Last week. 2017. and actually a little earlier than that it was right before the 2016 election based uh but certified but were they still used they were not they were not used in the 2016 presidential election no not to my knowledge i it's possible that i'm wrong about that we actually have one of those systems systems sitting in a room at Gala. And the first thing I did when we got it was I opened it up.
Starting point is 00:33:13 It has an exposed USB port. I plugged a keyboard in. I hit Control-Alt-Delete, and then I had administrator access to everything. They're just Windows PCs, right? Yep. In this case, it was just a Windows PC. Yeah. They're just Windows PCs, right? Yep. In this case, it was just a Windows PC. But yeah, people could have changed votes from the parking lot without ever setting foot into the polling place with these machines. Whether that happened or not, we will probably never know, because forensic investigation of electronic voting machines is essentially a thing that never happens. In many cases, it's actually prohibited by the contracts that election jurisdictions have with the companies that supply the machines.
Starting point is 00:33:56 Sounds great. In many cases, they don't own the machines. They just lease the machines. So, you know, you can't even open them up in a lot of cases without having, you know, a serviceman or woman from the company come and, you know, open it up with a special key, which turns out to be a key that you can buy for $2 at a Home Depot. Right. It sounds like a great deal for the voting machine people. They must have some really good salesmen. They do have some really good salesmen. They do have some really good salesmen.
Starting point is 00:34:28 We'll do nothing for you, and we can't prove anything that we make works, but we'll charge you money for it. Entrenched interests are powerful. Yes. Okay, so that seems bad and wrong, but it's easier to take something apart than it is to build it. And the report Galois put together was in-depth and a lot of building and a lot of good stuff. But is there a voting machine I should trust?
Starting point is 00:35:01 So these days, not very many of them have done much to earn trust. Personally, I think that a pencil and a piece of paper is the best voting machine that we have that's deployed at the moment. There are some that are good. There are some that are, or at least not egregiously bad. There are some that are probably going to have their code open sourced at some point in the future, like the one in Los Angeles that they've just developed over the last couple years. But in general, I honestly think that a pen or a pencil and a piece of paper is the most trustworthy thing we have at the moment. Of course, then you still have to trust ballot scanners. But there are at least fewer people generally with access to ballot scanners that are used in real elections.
Starting point is 00:36:06 And so the attack surface is a bit smaller. And the ballots still exist. Somebody could challenge them and re-scan them or visibly inspect them. Yes. And we can do audits. Risk-limiting audits are also an important tool that we have in terms of gaining trust in elections. And that's an area that we've also been involved with in the past. We built the first risk-limiting audit system that was used in a statewide election. It was used in Colorado in an off-year election in 2017. And they audited the results from all 64 of their counties and found no anomalies in the counting that was done by the machines.
Starting point is 00:36:53 So that was heartening. Microsoft seems to be jumping in the pond. They have this election guard. Have you heard of it? We built it. Oh, well, then then yes, you have. You have. Wow. As it turns out, yes, Galois and Free and Fair did the initial implementation of that for Microsoft last year.
Starting point is 00:37:16 It's open source, which're doing it to benefit the world, essentially. That's sort of on the free and fair side. You know, we want to build or help to be built sort of open source, freely available, at least, you know, for auditing and the like election technology for everyone. You know, we want to see that stuff get out there. And so whenever there's an effort that is pushing toward that, we tend to be supportive. At Galois, we do similar things. We build a lot of things for public good, and we open source a lot of our work as well, though sometimes our clients don't let us. So what is ElectionGuard? So Election Guard is a software development kit that implements exactly a set of cryptographic primitives for end-to-end verifiable paper-based voting. Okay. Right? So the idea is that by incorporating Election Guard into an existing voting system, you could give that system end-to-end verifiability.
Starting point is 00:38:47 And that's not necessarily, like you said, it's for paper voting. Yes. It's improving the existing system rather than replacing it with something scary. Yes. In fact, it's designed only for use with paper-based voting systems. The idea of using it for internet voting systems, at least when we were involved with the initial implementation, was not even a consideration as part of the project. So how did you get into this field? It sounds like something that's important to you, but you went from CS professor to this? So I've had an interest in this for a while.
Starting point is 00:39:27 You know, obviously, like most people who were of voting age at that time, I was completely horrified by the events in Florida in 2000. This is the hanging chads. The hanging chads and we're going to count things. No, we're not going to count things. Here's how we're going to count things. We're going to change how we're in my lab at Caltech, we were grad students together. He actually ended up going and becoming a professor in Europe where they were much further along in doing things like electronic and computerized voting systems and and even potentially internet voting systems, than what we were in the United States at the time. And so he started sort of hacking those systems with the permission of the governments involved, and would give me updates about the kinds of things that he was up to there.
Starting point is 00:40:41 And I found that very interesting. But meanwhile, I was doing, you know, my own sort of non-election related computer science work and becoming a professor and teaching things like software engineering and distributed systems and stuff. And so I didn't have much time for election related work. And then this same friend of mine essentially told me, hey, I'm going to this company called Galois, and we're doing all sorts of cool work, including some of this election stuff. Maybe you should come along. And so I ended up going to work at Galois and then got into it with a bit more fervor in 2014. You mentioned DEF CON, and I think that goes along with the fervor.
Starting point is 00:41:36 There is a fairly big group of hackers and hacktivists and such that are interested in this as a problem. Are they black hats or white hats? All the ones that I know personally are white hats, and I definitely know a bunch of them. I'm sure that there must be black hats out there, though I don't think that many of them participate in the voting village sort of thing. Because one of the things about the voting village is you tear these machines apart, and then all of the results that anybody comes up with during that entire time get published. And so if you're a black hat and you discover something about a voting machine, you're probably not going to want that to be published because you're going to want to use it for your own benefit in some way, right? But it's interesting because the – well, I understand both sides, right?
Starting point is 00:42:47 You would think that the voting system companies, in a way, would welcome some of this sort of activity as a way – Yeah, find my bugs for me. Find my bugs before they count. Exactly, as a way of sort of upping their own game, right? But in practice, what happens is instead they generally do things like threaten lawsuits if you open up the machine on the floor of DEF CON,
Starting point is 00:43:16 which of course are completely baseless threats because all of those machines are owned by the people who brought them there. And so they can pretty much do whatever they want with them. I'm surprised they let anybody own the machines and that they aren't all in leasing their equipment, right? They would rather own their equipment. And so the voting system manufacturers do both. from the Multnomah, Oregon County Department of Elections back in, I believe it was 2016,
Starting point is 00:44:09 although it might have been 17. And it was interesting because these are scanners that were among the most prevalent model that was used nationwide for a long time. And Multnomah County had decided they needed something new. These were fairly old. They were out of date. So they wanted to get rid of them. And they listed them on one of these government auction sites for the extremely reasonable price of zero dollars, as long as you would transport them away. So we got a bunch of these machines and we brought one to DEF CON the next year. And we also had a bit of fun with it in the office and discovered that it was running an extremely old version of the QNX embedded operating system that just happened to be
Starting point is 00:45:06 the last version that was freely distributed before they started charging for it. And a number of other things where we got to the point where you could just plug something into the exposed Ethernet port that these things inexplicably had and actually, you know, change some of the programming. Funny, because I spent a lot of time 14 years ago making sure that the medical device I worked on had no exposed network ports. It just seemed like the thing to do on something that could be dangerously hacked. I guess these people just... You would think. But as I mentioned, these devices that are used in polling places even now have things like exposed USB ports. In a lot of cases, they epoxy them so that you can't actually plug something in. I could get around that. Well, it's a little harder. You can't just walk up and do it. that happen in polling places are just as important as some of the technology, right? Like, you know, the fact that you actually do have election judges
Starting point is 00:46:28 watching what people do in the polling place is an important thing. But in some cases, you know, having external connectors is necessary because in order for, for instance, disabled people to vote, you know, maybe they need to plug a headset in so that they can hear what's on the ballot. Or maybe they need to plug a, you know, some kind of control interface in so that they can navigate the display that's being displayed because they can't use a touchscreen. So there are, you know, there are trade-offs there. The accessibility trade-off is one that I'm becoming more interested in over the years because it's dumb to make things harder
Starting point is 00:47:19 when many of the accessibility things can make it easier for everyone. Like touchscreens. Touchscreens can be miscalibrated. That makes it hard for everybody. Having a different method of doing it makes more sense, even if the reason you are doing the different method is because people with shaky hands or blindness or whatever makes it that the touchscreen doesn't work.
Starting point is 00:47:51 Are there other accessibility things that are important with voting machines? Well, I mean, you've definitely hit on one of them. Although in some cases, the touchscreen issue can be dealt with by just not using such cheap touchscreens. What? Is that an option? I mean, pretty much up until very recently, all of these devices had, you know, 15-year-old resistive touchscreens that were very easily miscalibrated. And recently, they've gotten a bit better. But there are, I mean, for somebody who is blind, they need to be able to navigate the device by audio. And, you know, you need to be able to do things like magnify the text or use something higher contrast. You know, there are various different considerations that come into play. This was actually a fairly important thing in the election guard work, was one of the things that they did was they used the Xbox Adaptive Controller as an interface mechanism for this
Starting point is 00:49:07 to show that it could be accessible as broadly as they could make it, which was a very good thing. And as long as you sanitize your inputs, you're fine. Indeed. Leads me to a question. So it sounds like there are some advantages to use the voting machines that we think of and the ones that have been hacked a lot, the cheap ones, by the election districts is kind of different from the work you do. You're motivated to apply technology to improve the security of elections, improve the auditability
Starting point is 00:50:01 and traceability, whereas it seems like the purchase of voting machines was because this will make it easier for us. Yeah, then we don't have to hire someone to count. Right. The machine can count. I think that's, you know, there's definitely an element of truth to that. It also happens to be the case that the United States, you know, here in the United States, we do elections very differently from basically anywhere else in the world, right? Like, in most countries, you know, you have a general election, there's one or two things on the ballot, everybody gets the same ballot, and counting it even by hand is very easy.
Starting point is 00:50:48 Here, while you're in California, so you've seen typical California ballots. Still reading my one from 2016. I'll turn it in as soon as I finish. I lived in Southern California for a decent amount of time and had to vote on just all sorts of crazy things, including whether or not people should eat horse meat. I mean, this was a thing that was actually brought up to the entire state to vote on. And so if you have, you know, 40 different choices to make on your ballot, and each race might have 10 or 15 people in it. Actually counting that by hand is also fairly error-prone, right? People are generally not great at doing repetitive, boring tasks.
Starting point is 00:51:37 Computers are amazing at doing repetitive, boring tasks. And so having the computers count actually is a really good idea as long as you can get it to the point where you can trust that they're counting correctly. I mean, yeah, the Scantrons in California, at least the absentee Scantrons that I'm familiar with, they're really easy to use for me. And it's a little boggling for me to think about, well, there are places in the U.S. where you can't do absentee ballots unless you have a really good reason, as opposed to I'm too lazy to go to the polling place and stand in line, which I think is a fantastic reason. I would agree.
Starting point is 00:52:21 Having seen this environment, are there reasons for the arbitrariness of the voting jurisdictions and how this all works in each? Yeah, the last 200, how the government was constructed. I guess so. Well, yeah, so one of the things here, right, is that there isn't one way of doing federal elections, right, because the elections are all run by states and counties. And so there are thousands instead of one. Congress actually does have the power in the Constitution to set specific rules about how federal elections happen. It's a power that they've generally been reluctant to use, mainly because I think people would see it as federal government overreach. And, you know, depending on where in the country you are, it might be, oh, they're trying to rig
Starting point is 00:53:21 the election so that these people can win, or, oh, they're trying to take control of the process and take away our rights. These are the sorts of things you might hear. I mean, here in Oregon, where I'm sitting, we've been voting exclusively by mail. With the exception of people who have disabilities that prevent them from voting by mail, they still have places that they can go. But we've been doing that for a very long time. And I find it extremely convenient. I get to sit, fill out the ballot at my leisure, you know, mail it back in or drop it in the drop box. I have a decent amount of time to do that. Nobody is waiting behind me trying to get access to the machine that I'm using. I'm not sure what the motivations are
Starting point is 00:54:15 for not moving in that direction in more places. I have, you know, obviously my own thoughts about what those are. Well, it's very hard to rig an election where there's 10,000 counties all doing it their own way. That is definitely a point that I've heard made. There may be some merit to that. I like how he didn't agree with you at all. I'm not saying that's necessarily my opinion. I'm putting that out there. There may be some merit to that, especially given the way a lot of these systems are designed and implemented, right? Badly. I would argue that if you had one nationwide system that
Starting point is 00:55:18 was implemented as poorly, I suppose, as funds that are out there, that would unquestionably be a bad thing. But if you had one nationwide system that was implemented well, that might be an improvement over the current situation. Regardless, we're not going to end up with one nationwide counting system because of the way that U.S. elections work. 10,000 different jurisdictions, all with their own rules. It's more than that. I was trying to come up with a round. Yeah. I mean, our voting is different than the people five miles one way or the other. Because we're in a different part of the county.
Starting point is 00:56:06 Well, but, your voting is different in the sense that you're voting on different things. Yeah, but I think our technology is different. I don't think so. The county level is... these things generally don't go any more granular than the county level. So I usually think of it as about 3,000 different jurisdictions. But then when you talk about the number of different ballot styles that you need in each jurisdiction, right? In Los Angeles County, they have probably thousands of different ballot styles between all the different languages that they have to print and all the different cities that need things on the ballot and all the different districts for
Starting point is 00:56:52 various water and power and whatever else. And that is a lot of complexity to deal with. And so, it's understandable that you would want computers to take some of the load off of that. Yeah, it is. Okay, I have one random question before we, well, before I ask Chris if he has any other questions. You taught at Harvey Mudd, which is our alma mater, where we went to school. Yes. And there is a rivalry with Caltech, which is where you got your degree, all of your degrees,
Starting point is 00:57:32 bachelor, master's, PhD. And so you went from the enemy to Harvey Mudd. And I wondered, is that rivalry entirely one-sided? Not entirely. So first, I've also taught at Caltech, as it happens. Whose students are better? There's only one right answer. I actually really, really enjoyed my time teaching at Harvey Mudd.
Starting point is 00:58:02 It was probably the best teaching experience I've ever had. And part of that was because the students were amazing and I got to teach the courses I wanted to teach as opposed to, you know, when I taught at Caltech, it was right after I graduated and they're like, we need somebody to teach this. I said, okay, well, I can do that, but it's not the same as teaching something that you really want to. But I think, from the Caltech side, I think Caltech views MIT more as the primary rivalry, you know, to the point of doing things like flying cannons across the country. Yes, that was our cannon, damn it.
Starting point is 00:58:53 Well, let's perhaps agree to disagree on it. Yes. I still think the best prank that Mudd ever pulled was putting the parentheses around Pasadena City College on the Caltech sign. That is excellent. I agree. So for people who have never seen the sign, it's Caltech Pasadena City College next exit. And so if you put parens around the Pasadena City College, implication is there and hilarious for some of us.
Starting point is 00:59:28 Yes. No, I agree. It is hilarious. Well, Dan, it's been really interesting to talk to you. Do you have any thoughts you'd like to leave us with? I think that on the subject of sort of election technology, I think that there is a lot of good work left to do in terms of improving these sorts of machines and both the in-person and sort of the speculative far future internet sort of voting. And I think it's important that people actually do that work. And so, you know, for anybody listening who is interested in this topic, you know, one of the best ways to learn about sort of the unique constraints of the election realm is to actually volunteer to be a poll worker. Perhaps not this year, because there are some unique considerations this year, but it's a really good way to actually get some firsthand knowledge about how the system actually works beyond just filling out your own ballot
Starting point is 01:00:38 in whatever way you do it and submitting it, and often submitting it into a black hole, and then you get the election results later. One of our listeners, Tom Anderson, made that same point that it was really interesting and helped him understand the system better. So I totally agree. And I say, if you can do it this year, maybe it is a good year to do it, but only if you're comfortable. Right. If you feel safe doing it, actually, you know, jurisdictions are really in very bad need of people this year because a lot of people don't feel safe doing it. Our guest has been Dan Zimmerman, principal researcher at Galois and principled computer scientist at Free and Fair.
Starting point is 01:01:22 Thanks, Dan. This was really fascinating. Oh, thank you. Thank you to Christopher for producing and co-hosting. Thank you very much to our Patreon supporters for Dan's mic
Starting point is 01:01:32 and the Slack group for their questions and links. And of course, thank you for listening. You can find links on the open source Microsoft Election Guard, the reports about how to do elections in the future
Starting point is 01:01:48 from Galois and from a number of other sources, and just all sorts of links. You'll also find the contact link if you want to say hello to us. And now a quote to leave you with, this one from Abraham Lincoln. Elections belong to the people. It's their decision.
Starting point is 01:02:06 If they decide to turn their back on the fire and burn their behinds, then they will just have to sit on their blisters. Embedded is an independently produced radio show that focuses on the many aspects of engineering. It is a production of Logical Elegance, an embedded software consulting company in California. If there are advertisements in the show, we did not put them there and do not receive money from them. At this time, our sponsors are Logical Elegance and listeners like you.