Since Wednesday, the Dutch group "We don't trust voting computers" has caused a bit of unrest with their report and tv appearance on the security of the NEDAP/Groenendaal voting computer. Interesting to read, a mix of fun (at least for those with a little feeling for technology) and scariness, with a typical "Rop Gongrijp" sense of humor over it. And quite relevant, with Dutch elections for Parliament coming up on November 22.
The hacker group claimed that these voting computers could be reprogrammed for other things, even for playing chess. Jan Groenendaal of NEDAP/Groenendaal wants to call those things "voting machines" rather than "voting computers", and challenged them to prove their point. So the report contains a description of how they turned the "machine" into a simple chess computer.
The report then continues to disprove Groenendaal's claim that "hackers stand absolutely no chance". They outline several ways in which the system can be adapted or reprogrammed to steal votes, even based on party names, robust enough to work over election cycles. And their "CDA detector" is a simple proof of concept invasion into voter privacy: with a cheap radio scanner, you can "listen" to voting computer. CDA, the only Dutch party with an accented letter in the name, causes an audible difference, so you can "hear" when someone votes for that party. In the tv program (in Dutch), it is shown that the security around the storage of the voting computers is quite poor too, and would allow for quite large-scale tempering with the machines.
For me, there are some worrying concerns in this debate:
- The Dutch computers are already quite "old" and don't really allow to implement contemporary concepts of computer security. But it's scary that the company producing them does not seem willing to acknowledge this. He states that there is a high level of "consumer trust" in these computers, so no need to worry. On the contrary, all the more reason to worry! Reading his reactions to the action group's claims made me shiver...
- The laws are inadequate in describing the security of the systems, and the law makers have too little knowledge or interest in this area. The voting computers pass all Dutch legal requirements. There is a physical lock on the computer, and there is a password to get maintenance access to the computer. But if you can use a bent paperclip, or buy a single key for all 8000 computers via the internet (around 1 euro), and you have to type the Dutch word for "SECRET" as the password, there is something terribly wrong. There are European guidelines for the security of these systems, but apparently the Dutch computer doesn't comply with these.
Although the research was (and still continues to be) done for the Dutch situation specifically, the voting computers are in use in several other countries (although Ireland declined to use them after a security assessment), and the concerns about understanding of security and legal regulations easily translate to other countries (including the US) with other voting computer systems.
In the meantime, the "We don't trust voting computers" have threatened to take the minister responsible for elections to court if he doesn't take action soon. And they have a special page recruiting whistle blowers, with instructions on how to be a whistle blower (in Dutch) to gather more information. To be continued...