In addition, DEF CON attendees often criticize machine vendors for keeping their codes secret. Not only is Prime III open-source, but Gilbert’s BMD, with its transparent shell and auto-reboot after each vote, presents a unique challenge.
The DEF CON culture has disappointed some observers. “At some point, you have to move beyond criticism,” said Amber McReynolds, former chief elections officer for the City and County of Denver and current member of the Postal Service Board of Governors. and move on to effective solutions. Otherwise, she says, you run the risk of having your research weaponized by people who are inclined to discredit the entire system. “I would like to see the community of election security professionals think more carefully about the downstream impact of their comments and work on election officials, as well as on democracy in general.”
By September, Gilbert still had not heard from Hursti. In fact, no one agreed to test the machine.
When Undark contacted the experts Gilbert had initially contacted, they offered different explanations for his silence. One said he was retired. One second was in the hospital. Hursti said that Gilbert emailed his personal account, which is not the official account for DEF CON Vote Village. When asked if he would include the machine in next year’s event, Hursti did not respond to repeated messages from Undark. The day before the publication of this story, he wrote to clarify that Gilbert’s machine would be welcome at next year’s conference, provided he adheres to a number of DEF CON policies, including that hackers are not required to sign non-disclosure agreements.
Appel declined to test the machine, saying he did not have the resources to thoroughly test it. But he saw video of active equipment and listen to Gilbert give Presentations on the new model. It’s a good design idea, he said, and the lack of a hard drive provides less attack surface for hackers to exploit. The device, he added, is solving a problem with ballot-marking devices that no one has really tried to solve.
Still, Appel said, he remains skeptical of the very idea of uncontrollability. And he imagined situations in which Gilbert’s design could be the founder. In one blog post published last April, he wrote, for example, that the system relies heavily on human voters being prompted to review their ballots. Appel suggests a sophisticated hack that could simply get rid of that prompt. “This creates the opportunity for deliberate misprints in a way that we know voters are not very aware of,” he wrote.
Appel offers another scenario: say a voter tells a pollster that the machine misprinted the name on the ballot. Gilbert was prepared for this situation: the main disk could be compared with the disk in the machine to detect if there was a cheat code. Suppose that the pollster could execute that plan perfectly in the confusion of Election Day, and it shows that the machine has been tampered with. What then?
It is unclear whether Gilbert’s machine will be used more widely. Dan Wallach, a computer scientist at Rice University, says the machine is a promising step forward. However, he still expressed concern about the durability of the machine’s parts. Appel points out that any new technology will face problems in scaling up mass production and training requirements as well as for voters and staff to poll.
