J. Alex Halderman, Professor of Computer Science and Engineering at the University of Michigan, claims to have identified a critical privacy flaw in the election infrastructure sold by Dominion Voting Systems in the United States.
Halderman, a non-partisan analyst whose work has been cited by both left- and right-wing news sources, shared the website DVSorder.org on his social media channels on Friday.
1/ Colleagues and I have found a serious privacy flaw that affects Dominion ICP and ICE ballot scanners. We've already informed Dominion, CISA, EAC, and state officials, and we've created a site to help officials and the public understand the issue: https://t.co/ErwqtixOVC
— J. Alex Halderman (@jhalderm) October 14, 2022
What Is Affected and Where?
DVSorder is a privacy flaw that affects Dominion Voting Systems (DVS) ImageCast Precinct (ICP) and ImageCast Evolution (ICE) ballot scanners, which are used in parts of 21 states. Under some circumstances, the flaw could allow members of the public to identify other people’s ballots and learn how they voted.
The states potentially affected are: California, Alaska, Minnesota, Arizona, New Mexico, Kansas, Missouri, Illinois, Florida, Georgia, Tennessee, Virginia, New Jersey, New York, Ohio, Michigan, Wisconsin, Iowa, Vermont, Massachusetts, and Pennsylvania, as well as the territory of Puerto Rico.
Can This ‘Flip the Votes’?
The researchers explain:
This vulnerability is a privacy flaw and cannot directly modify results or change votes. Nevertheless, the secret ballot is an important security mechanism, and some voters—especially the most vulnerable in society—may face real or perceived threats of coercion unless the privacy of their votes is strongly protected.
Many jurisdictions publish data from individual voted ballots, such as cast-vote records (the votes from each ballot) or ballot images (scans of each ballot). This data is usually supposed to be randomly shuffled, to protect voters’ privacy. The DVSorder vulnerability makes it possible to unshuffle the ballots and learn the order they were cast. This sometimes makes it possible to determine how specific individuals voted.
How Does This Flaw Work?
The technical details are as follows:
When a ballot is cast on a Dominion ICP or ICE scanner, it is assigned a random-looking “record ID” number, which uniquely identifies each ballot within a batch from a particular machine. After voting is complete, data from the scanner gets loaded into a central computer called an election management system (EMS). The EMS shuffles the ballots to mask the order in which they were cast, but each ballot is still labeled with the original record ID.
Unfortunately, the Dominion ICP and ICE scanner software is flawed such that ballot record IDs are assigned in a predictable manner. This allows anyone to unshuffle the ballot images or cast vote records and learn the order in which they were cast.
They conclude: “All versions of the Dominion ICP and ICE for which we have located public ballot-level data appear to be vulnerable to DVSorder, including versions that have been certified by the U.S. Election Assistance Commission (EAC). The problem is specific to the ICP and ICE; ImageCast Central scanners and ImageCast X DREs do not appear to suffer from the flaw. (The ImageCast Central (ICC) intentionally labels ballots in the order they are scanned.)”
As a fix, the researchers suggest “sanitizing ballot-level data before publishing it makes the data just as safe to release as if the DVSorder vulnerability did not exist. However, even if jurisdictions sanitize the data they make public (or if they do not publish any ballot-level data), the flaw still carries risks. For instance, unsanitized data could be stolen in a data breach or accessed by malicious insiders, who could exploit the flaw to learn how people voted.”
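The sanitization the researchers recommend, sketched as an added example (not code from the researchers, Dominion, or this article): each original record ID is dropped and replaced with a value from a cryptographically secure generator, and the records are reshuffled. The field names and sample records are constructed assumptions, not Dominion's export schema; a real export would need the same treatment everywhere the record ID appears, including ballot image labels.

```python
import secrets
from collections import Counter

# Constructed sample records. Field names are hypothetical, not a real export schema.
SAMPLE_CVRS = [
    {"tabulator": 12, "batch": 3, "record_id": 482913, "votes": {"Mayor": "A", "Prop 1": "Yes"}},
    {"tabulator": 12, "batch": 3, "record_id": 117640, "votes": {"Mayor": "B", "Prop 1": "No"}},
    {"tabulator": 12, "batch": 3, "record_id": 903352, "votes": {"Mayor": "A", "Prop 1": "No"}},
    {"tabulator": 12, "batch": 3, "record_id": 265071, "votes": {"Mayor": "B", "Prop 1": "Yes"}},
]


def tally(records):
    """Count (contest, choice) pairs so results can be compared before and after."""
    return Counter(
        (contest, choice) for r in records for contest, choice in r["votes"].items()
    )


def sanitize(records, id_field="record_id"):
    """Return publishable copies: original IDs removed, fresh random IDs, new order."""
    original_ids = {str(r[id_field]) for r in records}
    used = set()
    cleaned = []
    for r in records:
        # Copy everything except the scanner-assigned ID; the input is not modified.
        out = {k: v for k, v in r.items() if k != id_field}
        out["votes"] = dict(r["votes"])
        # New label from the OS CSPRNG, unrelated to the old ID or to cast order.
        new_id = secrets.token_hex(8)
        while new_id in used or new_id in original_ids:
            new_id = secrets.token_hex(8)
        used.add(new_id)
        out["public_id"] = new_id
        cleaned.append(out)
    # Reshuffle with a CSPRNG-backed shuffle so list position carries no order either.
    secrets.SystemRandom().shuffle(cleaned)
    # Refuse to release data if sanitizing changed the results or left an old ID behind.
    if tally(cleaned) != tally(records):
        raise ValueError("vote totals changed during sanitization")
    if any(id_field in r for r in cleaned):
        raise ValueError("original record ID still present")
    return cleaned


if __name__ == "__main__":
    for row in sanitize(SAMPLE_CVRS):
        print(row)
```

No mapping from old to new IDs is kept, so the published labels cannot be tied back to the scanner's record IDs.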
Will It Affect the Midterms?
Yes, the flaw does have the potential to affect the midterm elections. According to Halderman and his team:
Completely mitigating these risks will require Dominion to change the ICP and ICE firmware to use a secure method of generating ballot IDs. The U.S. Election Assistance Commission (EAC) has informed us that Dominion plans to correct the flaw in future firmware versions. However, our understanding is that no patches will be available until after the November election, at least for federally certified versions of Dominion systems. Election officials should contact Dominion for further information and to inquire as to patch availability.
You can read more at DVSorder.org