While some attention is focused on the risks inherent in placing untested software patches on county election tabulators, another election technology is being aggressively deployed throughout Ohio. That technology, the e-pollbook, appears to reduce lines at the polls, increase convenience and be a more modern way to verify voter identity and precinct location. The technology as deployed brings with it new possibilities for tampering with elections and whole new vectors for cyber attack.
What is most alarming is the potential for this technology to compromise the secrecy of the ballot. E-pollbooks could allow people with access, from election officials and private contractors to Ohio Secretary of State Jon Husted, to know how you voted.
An e-pollbook is basically an Android tablet running custom software with a custom database. Compared with the old cumbersome paper poll books, this appears simple. The tablet has a touchscreen and a stylus for signing your name, and it can compare your signature with the signature on file. It can verify that you are registered to vote, print a receipt, direct you to the correct machine for your precinct if you are in a multi-precinct polling place, or direct you to the correct polling place if that place has changed.
More than one e-pollbook can be operated in a single polling place, and they can communicate with and update each other via Bluetooth.
The devices, as manufactured by Election Systems and Solutions (ES&S), can also communicate via Bluetooth directly with the voting machines themselves in order to transmit the correct ballot style for each voter to the machine. While doing this, they are also communicating via the internet with the central county registration servers, updating them as to who has voted in order to keep people from voting twice.
If no internet is available, they can create their own wi-fi hotspot via any cellular network. There is a backup server for the main server, and both of those are in turn backed up to a cloud service provided by Amazon.
This scheme creates a host of vulnerabilities. There is now a direct line of communication between a cloud computing service and individual voting machines. That line of communication can be attacked via cellular intercept, via Bluetooth, via the internet, via a thumb drive, or via an SD card. Access to the cloud means trusted access to the database and thus all the functions downstream. Access to the main registration server means access to the backup server. Access to a single polling place means access to the entire county.
With a little creativity, any person with a Bluetooth-enabled device within range becomes a potential attacker against an entire county's voter registration system on Election Day. Many people will come and go from every polling place on Election Day. Any of them could have a smartphone in their pocket pre-programmed to make the attack.
Polling site locations are made public prior to Election Day, therefore attacks can be made from the network infrastructure of the host building. An attacker could compromise the hosting network days or weeks beforehand and make their attack remotely.
Because wi-fi hotspots can be used via cellular networks, the cellular network becomes a vector of attack. Because the polling location is known, the cellular base station used would also be known.
Thus a cellular base station could be compromised in order to make an attack days or weeks before the election.
If the malicious attacker is any person with access, such as a poll worker, election official or contractor, they could compromise any machine at any point and use it for a much easier attack directly on the voting or verification process.
Because the verification process includes signature verification and updating, any unethical poll worker, election official or malicious attacker could violate a voter’s privacy and engage in identity theft. The registration database is a list of names, birth dates, addresses, social security numbers, driver’s license numbers and voting history, linked with actual signatures. An attacker listening in could scoop up these data points even though they are encrypted, and decrypt them later without fully compromising the whole voting network.
The most chilling aspect of this new technology, which is really a set of cobbled-together existing products, is its potential for direct voter suppression and ballot compromise by election officials when combined with ES&S's election night reporting software patch.
The election night reporting patches record and/or report precinct-level data every 15 minutes. The e-pollbooks constantly update. Many voting precincts have only a single machine, and it takes some time for each voter to choose. Combining data on who voted when from the e-pollbook with a running tally from each precinct would allow someone with access to undermine the secrecy of the ballot with a reasonable degree of certainty. This compromise can happen at the level of a race, which includes ballot initiatives as well as state and federal candidates. Thus a county commissioner in a small rural county can know who voted for them and who did not. A club owner can know who voted for or against them getting a liquor license if they have the right connections.
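As an added example, not code from the article or from ES&S, here is a Python check a board of elections could run against its own reporting schedule. It joins a constructed e-pollbook check-in log with constructed 15-minute tallies for one yes/no ballot question, lists which voters' choices that join discloses, and shows that publishing coarser windows removes the disclosure. All sample data, field layouts and function names are assumptions.

```python
from collections import defaultdict

# Constructed check-in log for one single-machine precinct: (voter id, check-in time).
CHECKINS = [
    ("V001", "07:02"), ("V002", "07:09"),
    ("V003", "07:21"),
    ("V004", "07:33"), ("V005", "07:41"), ("V006", "07:44"),
    ("V007", "07:52"),
]
# Constructed 15-minute tallies for one yes/no question, keyed by window start.
TALLIES_15 = {
    "07:00": (2, 0),  # unanimous: both voters' choices disclosed
    "07:15": (0, 1),  # single voter: disclosed
    "07:30": (2, 1),  # mixed: individual choices stay hidden
    "07:45": (1, 0),  # single voter: disclosed
}

def minutes(hhmm):
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

def group_checkins(checkins, window_starts, width):
    """Map each reporting window to the voters who checked in during it."""
    groups = defaultdict(list)
    for voter, t in checkins:
        for start in window_starts:
            if minutes(start) <= minutes(t) < minutes(start) + width:
                groups[start].append(voter)
    return groups

def disclosed_voters(checkins, tallies, width=15):
    """Voters whose choice the join determines: every vote in a window whose
    tally is unanimous (including every single-voter window) is revealed."""
    groups = group_checkins(checkins, tallies, width)
    out = {}
    for start, (yes, no) in tallies.items():
        if yes == 0 or no == 0:
            for v in groups[start]:
                out[v] = "yes" if yes else "no"
    return out

def coarsen(tallies, factor):
    """Mitigation: merge `factor` consecutive windows before publishing."""
    starts = sorted(tallies, key=minutes)
    merged = {}
    for i in range(0, len(starts), factor):
        chunk = starts[i:i + factor]
        merged[chunk[0]] = tuple(sum(tallies[s][j] for s in chunk) for j in (0, 1))
    return merged
```

With the sample data, four of seven voters are disclosed at 15-minute granularity and none once the same tallies are merged into 30- or 60-minute windows.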
Voter suppression is an even more insidious possibility. The voter registration database includes the date when someone last voted. If that last vote was cast in a primary, the database includes their party affiliation. An election official or contractor seeking to rig a race can use the election night reporting software to see how many votes they need to steal. With the e-pollbook database, they can know who has not yet voted, is likely to vote, and how they are likely to vote. This enables selectively suppressing voters by simply updating the database to show that the targeted voters drew an absentee ballot. They then show up to the polls, a poll worker sees they have “voted” and turns them away.
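As an added example, not code from the article or from ES&S, here is a Python audit a board could run over an e-pollbook's change history to catch the manipulation described above: it reconciles every "absentee issued" flag against the board's separate issuance ledger and flags any account that sets that status on a burst of voters in a short window. The audit log layout, status names, ledger and all sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed e-pollbook audit trail: (voter id, new status, actor, timestamp).
# Field layout and status names are assumed, not a real product's schema.
AUDIT = [
    ("V101", "absentee_issued", "clerk_a", "2024-11-04 14:10"),
    ("V102", "absentee_issued", "clerk_a", "2024-11-04 14:12"),
    ("V109", "checked_in", "pollworker_b", "2024-11-05 07:15"),
] + [
    # six voters flagged absentee by one account within fifteen minutes on election day
    (f"V10{i}", "absentee_issued", "contractor_x", f"2024-11-05 10:{i * 3:02d}")
    for i in range(3, 9)
]
# Constructed issuance ledger from the board's separate absentee system: the
# independent record every e-pollbook absentee flag must reconcile against.
ABSENTEE_LEDGER = {"V101", "V102"}

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def unbacked_absentee_flags(audit, ledger):
    """Voters the e-pollbook says drew an absentee ballot with no matching
    issuance in the ledger: the exact change the suppression scenario relies on."""
    return sorted(v for v, status, _, _ in audit
                  if status == "absentee_issued" and v not in ledger)

def burst_actors(audit, window=timedelta(minutes=60), threshold=5):
    """Actors who set the absentee flag on more than `threshold` voters inside
    any `window`. Assumption: genuine issuance is spread out over the weeks
    before the election, so a tight cluster on election day is worth a look."""
    stamps = defaultdict(list)
    for _, status, actor, ts in audit:
        if status == "absentee_issued":
            stamps[actor].append(parse(ts))
    flagged = set()
    for actor, times in stamps.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window:  # slide window start forward
                lo += 1
            if hi - lo + 1 > threshold:
                flagged.add(actor)
    return flagged
```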