Voting Machine Audit Detection

TL;DR

Yes, a voting machine can potentially know it’s being audited, depending on the audit method and how the machine is designed. This guide explains why, and what steps can be taken to prevent this from compromising the integrity of the audit.

Understanding the Problem

Voting machines often have logging capabilities. If an audit process triggers specific events that are logged (e.g., a special diagnostic mode is activated, memory is read in a particular sequence), the machine’s software could detect this and potentially alter its behaviour or log data. This is especially true for audits that aren’t fully independent of the machine’s core system.

Steps to Prevent Audit Detection

  1. Choose Independent Audits: The most effective approach is to use audit methods that don’t rely on the voting machine’s internal software or hardware. Examples include:
    • Manual Recounts: Physically counting paper ballots (if available).
    • Risk-Limiting Audits (RLAs): A statistical method to verify election outcomes with a high degree of confidence, often using hand counts of randomly selected ballots.
  2. Hardware Security Modules (HSMs): Use an HSM to manage cryptographic keys and sensitive operations. The audit process should interact directly with the HSM, bypassing the voting machine’s software as much as possible.
    # Example: verifying a key through the HSM's command-line tool
    # (illustrative command; the tool name and flags depend on the HSM vendor)
    hsm_tool --verify-key --key-id election_key
  3. Secure Boot and Measured Boot: Implement secure boot to ensure only trusted software runs on the machine. Measured boot logs the chain of trust, providing a record of what was loaded. The audit process can verify this log.

    Note: This requires careful configuration and protection of the root of trust.

  4. Tamper-Evident Seals & Physical Security: Ensure machines are physically secure with tamper-evident seals. Any breach of these seals should invalidate the audit results.
  5. Audit Logging Review: If logging *must* be used within the machine for audit purposes, carefully review all logs before and after the audit.
    • Look for unexpected entries or anomalies that might indicate detection of the audit process.
    • Compare timestamps to known audit events.
  6. Code Review & Static Analysis: Thoroughly review the voting machine’s source code (if available) and perform static analysis to identify potential vulnerabilities related to audit detection.

    Note: This is a complex process requiring specialized expertise.

  7. Differential Auditing: Run multiple, independent audits using different methods. Compare the results to identify discrepancies that might indicate manipulation or detection of an audit.
    • For example, compare a manual recount with the machine’s reported totals and RLA results.
  8. Network Isolation: If the voting machine is connected to a network, isolate it during the audit process to prevent remote access or communication that could be used for detection.
    # Example: firewalld rich rule that rejects IPv4 traffic addressed to the voting machine
    # (replace voting_machine_ip with its address; this rule alone does not block traffic the machine sends)
    firewall-cmd --zone=public --add-rich-rule='rule family="ipv4" destination address="voting_machine_ip" reject'
  9. Memory Forensics: After the audit, perform memory forensics on the voting machine to look for evidence of tampering or altered logs.
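
To make step 3 concrete, here is an added example (not from the original article or any voting system vendor) of how an auditor can check a measured boot log on a separate machine: replay the log to recompute the PCR value, compare it with the value from the TPM quote, then compare each digest with reference values. It assumes a single SHA-256 PCR, a quote whose signature has already been verified, and constructed component names and data.

```python
import hashlib

def measure(blob: bytes) -> bytes:
    """Digest of a boot component, as the measuring stage would record it."""
    return hashlib.sha256(blob).digest()

def replay(event_log) -> bytes:
    """Recompute a PCR from ordered (name, digest) events.

    TPM extend rule: new_pcr = SHA-256(old_pcr || digest), starting from zeros.
    """
    pcr = bytes(32)
    for _name, digest in event_log:
        pcr = hashlib.sha256(pcr + digest).digest()
    return pcr

def verify_log(event_log, quoted_pcr: bytes, known_good: dict) -> list:
    """Return findings; an empty list means the log is consistent and trusted."""
    findings = []
    # 1. The log must reproduce the PCR value from the TPM quote; otherwise
    #    the log was edited or truncated after the measurements were taken.
    if replay(event_log) != quoted_pcr:
        findings.append("log does not reproduce quoted PCR")
    # 2. Every measured component must match the auditor's reference digests.
    for name, digest in event_log:
        if name not in known_good:
            findings.append(f"unexpected component: {name}")
        elif known_good[name] != digest:
            findings.append(f"digest mismatch: {name}")
    return findings

# --- Constructed sample data (not from a real machine) ---
KNOWN_GOOD = {
    "bootloader": measure(b"bootloader v1"),
    "kernel": measure(b"kernel v1"),
    "voting_app": measure(b"voting app v1"),
}
CLEAN_LOG = list(KNOWN_GOOD.items())
MODIFIED_LOG = CLEAN_LOG[:2] + [("voting_app", measure(b"voting app v1 (modified)"))]

if __name__ == "__main__":
    # Unmodified machine: log and quote agree, all digests known.
    print(verify_log(CLEAN_LOG, replay(CLEAN_LOG), KNOWN_GOOD))
    # Modified software, honest log: the changed digest is flagged.
    print(verify_log(MODIFIED_LOG, replay(MODIFIED_LOG), KNOWN_GOOD))
    # Modified software, log rewritten to look clean: replay no longer matches.
    print(verify_log(CLEAN_LOG, replay(MODIFIED_LOG), KNOWN_GOOD))
```

Because the check runs on the auditor's own system against a hardware-reported value, the voting machine's software cannot pass it by rewriting its log after the fact.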

Important Considerations

  • Transparency: Make the audit process as transparent as possible to build public trust.
  • Independent Verification: Ensure that audits are conducted by independent parties with no vested interest in the election outcome.
  • Regular Updates: Keep voting machine software and security measures up to date to address known vulnerabilities.