Depending on the election system being used, tabulation can be performed in a number of ways:
- In central count opscan systems, the ballots get shipped back to election central, so we have to actually scan them and then tabulate the results.
- In DRE and precinct count opscan systems, pre-counted results come back from the precinct and simply need to be aggregated and the winners declared.
It's best to take each of these separately.
Central Count Optical Scan
Most plausible CCOS failures are non-malicious:
it's pretty hard for an end-user to mount any kind of
attack on the scanning system proper other than denial
of service. Obviously, the attacker could tamper with
their ballot (treat it with acid, glue, or somesuch)
to damage the scanner, but it's not clear what this
would buy you other than delaying the count.
[This isn't to say that there isn't plenty of room
for manipulating paper ballots, just that you would
probably find it more profitable to do outside
of election central, which is presumably subject to fairly restricted
access.]
On the other hand, plenty of stuff can still go wrong. First, ballots don't always scan correctly. If you're lucky, the scanner will just reject the ballot and then it will need to be manually counted. Often the voter's intent is clear, but if it's not, there's no real opportunity for the voter to correct it, and their vote just gets lost. Other than that, the sheet feeder in the scanner can mangle the ballot in various ways, causing inconvenience, manual counting, etc.
That said, if an attacker does manage to take control of the CCOS scanner, the consequences are fairly serious. As with any other piece of computerized election equipment, the attacker can cause it to return any result that he wants. On the other hand, the scanner very rarely needs to be connected to any other piece of computer equipment, so the risk can be minimized with proper controls.
PCOS and DRE
With PCOS and DRE, results get communicated back from the field
one of two ways: either on some sort of memory card or on
summary results tapes. The big concern with memory cards is
that they can serve as a vector for viral spread from compromised
precinct machines. For instance, the TTBR Diebold report
describes such an attack. As usual, if the EMS is
compromised, the attacker can cause it to report any results
it chooses. This includes, of course, misreporting any
results fed into it from the central count optical scanner.
An even more serious concern is that if the same EMS is
used for ballot preparation and machine initialization
then it can serve as a viral spread vector: the attacker
infects a machine in the field, the virus spreads to the
EMS, which then compromises every polling place machine.
([HRSW08]
has a lot more discussion of this form of attack, as well
as countermeasures.)
The data doesn't have to be sent back on memory cards, of course. DREs and opscans typically print out results/summary tapes with the vote totals. These can be manually keyed into the EMS. This mostly controls the viral threat, but now you have to worry about a whole array of errors on the paper tape. As this post by Ed Felten indicates, the quality of the results tapes is pretty low and when coupled with the usual human errors, there's a lot of possibility for the wrong data to end up in the EMS. (This isn't to say that there can't be errors on the memory cards as well, especially with the Premier system which uses some super-old tech; Sequoia and Hart use PCMCIA flash drives, which are just old tech.) In principle, this might get detected by comparison of the precinct-level results tapes, which (at least in Santa Clara County) get posted publicly elsewhere, but I don't know if anyone actually double checks that stuff in practice.
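The comparison of precinct results tapes against what ended up in the EMS, sketched as an added example (not code from the original post or from any vendor's system): it checks every precinct/contest/choice cell and reports keying errors, precincts that were never entered, and the net effect on the totals. The data layout and all names and counts are constructed assumptions.

```python
# Added example, not from the original post. All precincts, contests and
# counts are constructed sample data.
from collections import defaultdict

# (precinct, contest, choice) -> votes read off the posted results tapes
TAPES = {
    ("P-101", "Mayor", "Alice"): 212, ("P-101", "Mayor", "Bob"): 187,
    ("P-102", "Mayor", "Alice"): 98,  ("P-102", "Mayor", "Bob"): 143,
    ("P-103", "Mayor", "Alice"): 305, ("P-103", "Mayor", "Bob"): 291,
}
# The same cells as hand-keyed into the EMS (hypothetical export)
EMS = {
    ("P-101", "Mayor", "Alice"): 212, ("P-101", "Mayor", "Bob"): 178,  # 187 transposed
    ("P-102", "Mayor", "Alice"): 98,  ("P-102", "Mayor", "Bob"): 143,
    # P-103 was never keyed in
}

def reconcile(tapes, ems):
    """Compare every tape cell with the EMS and total the effect per choice."""
    mismatches, missing, extra = [], [], []
    net_shift = defaultdict(int)  # (contest, choice) -> EMS total minus tape total
    for key in sorted(tapes.keys() | ems.keys()):
        _, contest, choice = key
        t, e = tapes.get(key), ems.get(key)
        if e is None:
            missing.append(key)          # on a tape, absent from the EMS
        elif t is None:
            extra.append(key)            # in the EMS, backed by no tape
        elif t != e:
            mismatches.append((key, t, e))
        delta = (e or 0) - (t or 0)
        if delta:
            net_shift[(contest, choice)] += delta
    return mismatches, missing, extra, dict(net_shift)

if __name__ == "__main__":
    mismatches, missing, extra, net_shift = reconcile(TAPES, EMS)
    for key, t, e in mismatches:
        print(f"MISMATCH {key}: tape={t} ems={e}")
    for key in missing:
        print(f"MISSING FROM EMS {key}")
    for key in extra:
        print(f"NO TAPE FOR {key}")
    print("EMS minus tapes:", net_shift)
```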
Visibility
Of course, almost none of these issues are obvious to voters:
you just vote, but you have no real way of knowing if your
vote was counted or not (this is deliberate, for vote
privacy reasons). And of course it's even harder to
verify that any issues have been handled correctly.
Next: attack vectors.