In addition, DEF CON members routinely criticize machine vendors for keeping their code secret. Not only is the open source Prime III, but Gilbert’s BMD, with its transparent casing and auto-reboot after every vote, poses a unique challenge.
The DEF CON culture has disappointed some observers. “At some point, you have to move beyond constant criticism and move into productive decisions,” says Amber McReynolds, former election director for the city and county of Denver and current member of the Postal Service Board of Governors. Otherwise, she says, you run the risk of your research being used as a weapon by people seeking to discredit the entire system. “I would like the election security community to be more mindful of the subsequent impact of their comments and their work on election officials, as well as on democracy in general.”
By September, Gilbert still hadn’t heard from Hearsty. In fact, no one agreed to test the car.
When Undark contacted the experts Gilbert had originally contacted, they offered various explanations for their silence. One said he had retired. The second was in the hospital. Hursty said that Gilbert sent the email from his personal account and not from the official DEF CON’s Voting Village account. Asked if he would include the car in next year’s event, Hirsty did not respond to repeated messages from Undark. The day before the story was published, he wrote to clarify that Gilbert’s car would be welcome at next year’s convention, provided he followed certain DEF CON rules, including that hackers were not required to sign non-disclosure agreements.
Appel refused to test the car, saying he did not have the resources to test it thoroughly. But he saw video devices in action and heard Gilbert presentation on the new model. According to him, it was a good design idea, and the lack of a hard drive gives a hacker less opportunity to attack. He added that this device solves a problem with ballot marking devices that no one has yet tried to solve.
However, Appel said he is skeptical about the very idea of being unhackable. And he imagined scenarios in which, he said, Gilbert’s plan could collapse. AT Blog post published last April, for example, he wrote that the system relies heavily on human voters being asked to review their votes. A clever hack, as Appel suggested, could simply remove that prompt. “This provides an opportunity to deliberately seal in a way that we know voters don’t see very well,” he wrote.
Appel cited another scenario: say a voter tells a polling station worker that the machine printed the wrong name on the ballot. Gilbert prepared for this scenario: You can compare the master disk with what’s in the machine to detect fraudulent code. Suppose a polling station worker is able to execute this plan perfectly during the turmoil on Election Day, and this shows that the machine has been tampered with. What then?
It is not clear if the Gilbert machine will find wider application. Dan Wallach, a computer scientist at Rice University, said the machine was a promising step forward. However, he expressed concern about the durability of the machine’s parts. Appel noted that any new technology will face scaling issues for mass production and will require training for voters and poll workers.