Microsoft Research has revealed a potential flaw in verifiable e-voting machines through which fraudsters could easily use discarded ballot receipts as a guide for altering votes. Fortunately, the researchers also offered a solution — linking new receipts to previous ones with cryptographic hashes — but that alone won’t make e-voting entirely secure, they cautioned.
Unlike the first generation of controversial e-voting machines, which lacked printing capabilities and suffered other back-end insecurities, new models from such companies as Scantegrity, Prêt à Voter, VeriScan, Helios, and MarkPledge can print out receipts. Not only can voters check the printouts to confirm their votes were cast correctly, they can also later compare their receipts against published election data.
The problem with the new generation of verifiable voting machines, according to the report (PDF), is that most people are highly unlikely to retain their receipts for future vote verification. However, ill-intentioned individuals could get their hands on those receipts — by rummaging through garbage cans at voting centers, for example, or through social engineering techniques — then use insider connections to change votes to their preferred candidate.
Using the discarded receipts as a guide for changing votes would be ideal, as they would represent voters with no intention of verifying their votes later. “Suppose that it is known that 5 percent of voters are expected to verify their receipts in an election,” the report says. “With a standard design, an insider that randomly alters 10 ballots would escape detection about 60 percent of the time.”
The mitigation to this “trash attack,” according to the report, is to tweak the voting machines such that each voter receives a receipt and each one includes a cryptographic hash of the voting data from the previously cast ballot. “The idea of a running hash is certainly not new. Hash chains are a common cryptographic tool and are found in many protocols,” according to the report.
What that would mean: If Voter A and Voter B were to cast votes one after the other from the same machine, Voter B’s receipt would include proof of whom he voted for as well as proof of whom Voter A had selected — again, in cryptographic hash form, so Voter B would not actually know Voter A’s identity nor whom he voted for. If an insider got his hands on Voter A’s receipt and was able to change A’s vote, that insider would run the risk that Voter B’s receipt could be used to verify Voter A’s original vote intent. That risk would be present for every single printed receipt, making it far riskier and more difficult to get away with voter fraud.
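The following is an added illustration of the two receipt designs described above; it is not code from the Microsoft Research report or from any of the voting systems named in the article. It assumes a simplified model: a ballot is committed to with SHA-256 over its canonical JSON encoding, a "receipt" is that digest (plus, in the chained design, the digest of the previously cast ballot on the same machine), and verification means comparing a receipt against the published ballot data. The sample ballots, candidate names and the "insider alters Voter A's ballot, only Voter B checks" scenario are constructed for the example. The `escape_probability` helper reproduces the report's quoted figure (5 percent verification rate, 10 altered ballots, roughly 60 percent escape) under the assumption that voters verify independently of one another.

```python
import hashlib
import json

# Placeholder "previous digest" for the first ballot cast on a machine (assumption).
GENESIS = "0" * 64

# Constructed sample ballots; ids and candidates are invented for this example.
SAMPLE_BALLOTS = [
    {"id": "B-001", "choice": "Candidate X"},   # Voter A
    {"id": "B-002", "choice": "Candidate X"},   # Voter B
    {"id": "B-003", "choice": "Candidate Y"},   # Voter C
]


def ballot_digest(ballot: dict) -> str:
    """Commitment to one ballot: SHA-256 over canonical (sorted-key) JSON."""
    return hashlib.sha256(json.dumps(ballot, sort_keys=True).encode()).hexdigest()


def standard_receipts(ballots):
    """Standard design: each receipt commits only to the voter's own ballot."""
    return [{"index": i, "digest": ballot_digest(b)} for i, b in enumerate(ballots)]


def chained_receipts(ballots):
    """Running-hash design: each receipt also carries the digest of the ballot
    cast immediately before it on the same machine (a hash chain)."""
    receipts = []
    prev = GENESIS
    for i, b in enumerate(ballots):
        d = ballot_digest(b)
        receipts.append({"index": i, "digest": d, "prev_digest": prev})
        prev = d
    return receipts


def detected_alterations(receipts, published, verifiers, chained):
    """Indices of published ballots whose alteration is caught by at least one
    verifying voter. `verifiers` is the set of voter indices who actually compare
    their receipt with the published election data."""
    caught = set()
    for v in verifiers:
        r = receipts[v]
        # Every design lets a voter detect changes to their own ballot.
        if r["digest"] != ballot_digest(published[v]):
            caught.add(v)
        # In the chained design a voter also detects changes to the previous ballot,
        # because their receipt carries a digest of it.
        if chained and v > 0 and r["prev_digest"] != ballot_digest(published[v - 1]):
            caught.add(v - 1)
    return caught


def escape_probability(p_verify: float, altered: int) -> float:
    """Standard design, independent verifiers: an insider escapes detection only if
    none of the `altered` ballots belongs to a verifying voter."""
    return (1.0 - p_verify) ** altered


def trash_attack_demo():
    """Voter A discards the receipt; an insider alters A's published ballot; only
    Voter B verifies. Returns the detected sets for the standard and chained designs."""
    published = [dict(b) for b in SAMPLE_BALLOTS]
    published[0]["choice"] = "Candidate Y"   # alteration of Voter A's ballot
    verifiers = {1}                          # only Voter B checks a receipt
    standard = detected_alterations(standard_receipts(SAMPLE_BALLOTS), published, verifiers, False)
    chained = detected_alterations(chained_receipts(SAMPLE_BALLOTS), published, verifiers, True)
    return standard, chained


if __name__ == "__main__":
    print("escape probability (5% verify, 10 altered):", round(escape_probability(0.05, 10), 3))
    print("detected (standard, chained):", trash_attack_demo())
```

Running the module shows the point of the chain: with only Voter B checking, the standard design detects nothing, while the chained design flags Voter A's altered ballot because B's receipt carries a digest of it. Note that the chain only covers ballots cast on the same machine in sequence, and that it still depends on some fraction of voters actually verifying; the report's caution that this alone does not make e-voting secure stands.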