1 / 53

What’s Right With Electronic Voting?

What’s Right With Electronic Voting?. Michael I. Shamos, Ph.D., J.D. Institute for Software Research School of Computer Science Carnegie Mellon University. Electronic Voting Horror Stories. Questions. Is electronic voting secure? Is there anything good about it?

cookl
Download Presentation

What’s Right With Electronic Voting?

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. What’s Right WithElectronic Voting? Michael I. Shamos, Ph.D., J.D. Institute for Software Research School of Computer Science Carnegie Mellon University

  2. Electronic Voting Horror Stories

  3. Questions • Is electronic voting secure? • Is there anything good about it? • If not, why do we use it? • Why can’t we just vote with paper ballots? • Do paper trails solve the problems?

  4. My Background • Computerized voting system examiner for • Massachusetts (2006- ) • Pennsylvania (1980-2000, 2004- ) • Texas (1987-2000) • Delaware (1989) • West Virginia (1982) • Nevada (1995) • Performed 119 voting system examinations • Testified before Congress 4 times • Taught voting system testing at NIST • Expert witness in 5 electronic voting cases

  5. Outline • Voting in the U.S. • Voting system requirements • Voting methods (opscan, DRE) • Problems with electronic voting • Rating different voting methods

  6. Pennsylvania Counties ALLEGHENY COUNTY BLUE, GREEN, PURPLE, YELLOW: electronic RED: optical scan SOURCE: ELECTIONLINE.ORG

  7. Allegheny County Allegheny River Ohio River CITY OF PITTSBURGH = CMU Monongahela River

  8. 5th Ave. (Precincts)

  9. 14th City Ward Pittsburgh East End Wards and Precincts 5th Ave.

  10. Pittsburgh East End Political Districts 11th County Council 8th City Council 23rd House 43rd Senate

  11. U.S. Voting History Colonies: Voice voting to officials in public Early 1800s: Handwritten paper ballots 1850 - today: Rampant paper ballot fraud 1888: Secret paper (Australian) ballot in U.S. 1892: Lever machine to“protect mechanically the voter from rascaldom” 1960s: Punched cards 1970s: Optical scan 1978: Direct-recording electronic systems 2000: Florida! 2002: Help America Vote Act (HAVA) 2006: Widespread electronic voting

  12. Paper Ballots Australian (secret) ballot (U.S., 1888) SOURCE: DOUGLAS W. JONES

  13. Voting System Functions • Present the correct ballot clearly to each voter • including disabled & foreign language • must warn of overvotes • Capture the voter’s choices unambiguously • binary (yes/no) is best • Record the voter’s choices securely • prevent tampering • Tabulate and report the correct totals • Provide an audit mechanism • permanent paper record

  14. Principal Methods of U.S. Voting • The Help America Vote Act (HAVA, 2002) banned • Punched-card voting (implicitly) • Lever machines (implicitly) • Hand-counted paper ballots (mostly) • We are left with • Optical scan, counted at precinct • Optical scan, counted centrally (with restrictions) • Direct-recording electronic (DRE)

  15. Full Opscan Ballot (Too Big to Fit) • Marin County, CA (2006) • 30 races, 98 candidates • 30 propositions • 3 sheets, 6 sides • Paper trail would be 6 feet long for each voter • 10 contests per foot, 60 contests

  16. COMPLETE THE ARROW: Optical Scan Problems • Issues: • Dark/light marks, wrong ink • Printing trickery • Voter intent? • Marks are not binary • Machine does not see what the human sees • Visible v. infrared • Disabled can’t vote without an assistive device (ballot marker)

  17. What Constitutes a Vote? • To avoid a repeat of Florida 2000, HAVA required all states to define “what constitutes a vote” • They all did it differently SOURCE: HAWAII ADMIN. REGS. §2-51-85.2

  18. Legal/Constitutional Requirements • Voter secrecy • We can’t tell how she voted • She can’t prove how she voted • Overvote warning • Security against tampering • Permanent paper record of each vote cast, with audit capacity • Disabled accessibility • Alternative language accessibility+ LOTS of state requirements (> 100)

  19. Electronic Voting Demo

  20. COUNTY OFFICE BUILDING AT CLOSE OF POLLS: TOTALS TAPE PRODUCED, SIGNED BY JUDGES THIS IS THE OFFICIAL RETURN Electronic Voting • Voter interacts with a computer to select and record her choices • No “document ballot” POLLING PLACE MEMORY CARDREMOVED MEMORY CARD SENT TO COUNTY FULL BALLOT RECORDED ON 1. MULTIPLE INTERNAL MEDIA; AND 2. PAPER; AND 3. REMOVABLE MEMORY DEVICE (PCMCIA CARD) UNOFFICIAL VOTETOTALS PRODUCED, GIVEN TO MEDIA WEEKS LATER: OFFICIAL CANVASS BASED ON OFFICIAL RETURNS TOTALS TAPE POSTED IN POLLING PLACE COPY OF TAPE SENT TO COUNTY RANDOMIZED AUDIT TRAIL PRINTED – CAN BE USED FOR RECOUNT

  21. TOTALS REPORT POSTED AT PRECINCT OFFICIALRESULTS TOTALS PRINTED OUT AT PRECINCT, SIGNED BY JUDGES TOTALS REPORTS SENT TO COUNTY CANVASS BY COUNTY ELECTIONS BOARD WINNERS CERTIFIED ELECTRONIC MEDIA SENT TO TABULATION CENTER RESULTS TABULATED, RELEASED TO PRESS ELECTION NIGHT WEEKS LATER Determining Winners with DREs VOTERS VOTE UNOFFICIAL ONLY! ELECTION DAY

  22. Tarrant County Canvass, 3/7/06

  23. SYSTEM TESTED TO NIST STANDARDS BY INDEPENDENT TESTING AUTHORITY (ITA) SYSTEM SUBMITTED FOR FEDERAL QUALIFICATION ITA CREATES “WITNESS BUILD” OF SYSTEM SYSTEM DEVELOPED BY VENDOR SYSTEM TESTED TO STATE STANDARDS AND FOR HAVA COMPLIANCE BY EXAMINER SYSTEM SUBMITTED FOR STATE CERTIFICATION SECRETARY OF STATE CERTIFES SYSTEM COUNTY BUYS SYSTEM, RECEIVES SOFTWARE FROM ITA COUNTY PERFORMS ACCEPTANCE TESTING PARTIES NOTIFIED 40 DAYS IN ADVANCE OF ELECTION SETUP PRE-ELECTION LOGIC AND ACCURACY TESTING (PUBLIC) COUNTY SETS UP MACHINES FOR ELECTION (PUBLIC) SYSTEM READY FOR ELECTION MACHINES ARE SEALED Examining/Testing Voting Machines SYSTEM NOW “FEDERALLY QUALIFIED” SYSTEM NOW “STATE CERTIFIED” SYSTEM READY FOR ELECTION SETUP

  24. Voter Verification • Was my vote recorded properly? • Was my vote counted? • What can I do if I think it wasn’t? • Will my vote be around in case of a recount? • Was everyone who voted authorized? • Optical scan voting solves (1) • DRE voting is auditable, but not voter-verified

  25. VVPAT • VVPAT = voter-verified paper audit trail • Produce a paper document that the voter can view before casting the ballot to verify that the vote was captured correctly • Retain the paper document to be used for a recount, if necessary. DEMO • The VVPAT provides proof that the vote was recorded properly (at least on the paper) • VVPAT SHOULD list all candidates presented to voter, even ones that were not voted for

  26. VVPAT Problems • No secrecy: ballots recorded sequentially • Blind voters can’t read it • Long paper trail, e.g. 6 feet per voter • Can’t count it (8 weeks in Cuyahoga County, OH) • Sacramento, CA: 20 minutes per ballot, 4 people each • Recounting CA would take 8000 man-years • Mandatory 5%? 400 man-years in one week = 20,000 people • University of Maryland: 1-3% of voters verified • Cuyahoga County, OH primary May 2006 • 10% of paper records found illegible, tampered with or completely missing

  27. Counting the VVPAT SOURCE: ELECTION SCIENCE INSTITUTE

  28. Counting the VVPAT SOURCE: ELECTION SCIENCE INSTITUTE

  29. Counting the VVPAT SOURCE: ELECTION SCIENCE INSTITUTE

  30. The Hursti II Attack • Harri Hursti (2/06), repeated by Felten (9/06) • Attack on Diebold touchscreen units • Given access to the machine, its software can be replaced quickly, i.e., a few minutes • Not a bug, but a “feature” to permit rapid upgrade • Can the intrusion be detected? • Can the exploit be disabled?

  31. Machine Reliability • The 2002 Federal standards require a mean time between failures (MTBF) of at least 163 hours • Under the exponential failure model, 10% of voting machines will fail within 18 hours! Unacceptable! • In practice, 20% of VVPAT machines fail on Election Day • “Failure” does not mean loss of votes, but inability to continue voting

  32. Comparison of Voting Methods

  33. Comparison of Voting Methods

  34. Comparison of Voting Methods

  35. Comparison of Voting Methods

  36. Comparison of Voting Methods

  37. Q A &

  38. 8th City Council District Pittsburgh East End Political Districts

  39. 11th County Council District Pittsburgh East End Political Districts

  40. 23rd Pennsylvania House District Pittsburgh East End Political Districts

  41. 43rd Pennsylvania Senate District Pittsburgh East End Political Districts

  42. Pennsylvania Voting Methods (2006) ALLEGHENY COUNTY PAGED DRE FULL-FACE DRE DRE & OPTICAL OPTICAL ES&S 100 & iVotronic ES&S 650 AutoMark ES&S iVotronic Danaher 1242 Hart InterCivic eSlate Hart InterCivic eScan/eSlate ES&S 100 AutoMark Sequoia Advantage Diebold TSx Sequoia Edge Advanced WinVote SOURCE: ELECTIONLINE.ORG

  43. Pennsylvania Voting Systems (2006) HART ESLATE DRE ES&S iVOTRONIC TOUCHSCREEN SEQUOIA EDGE TOUCHSCREEN ES&S 650 OPTICAL ES&S iVOTRONIC + M100 OPTICAL DIEBOLD TSX TOUCHSCREEN SEQUOIA ADVANTAGE FULL-FACE DRE HART ESLATE + ESCAN DANAHER 1242 FULL-FACE DRE ADVANCED WINVOTE ES&S iVOTRONIC + M100 + AUTOMARK

  44. What’s the Best Voting Method? • HAVA requires • vote verification, correction §301(a)(1)(A)(i) • overvote warning §301(a)(1)(A)(iii) • permanent paper record §301(a)(2)(B)(i) • disabled accessibility §301(a)(3)(A) • alternative language accessibility §301(a)(4) • States require • secrecy • security • reliability • usability

  45. MOST STATES REQUIRE NO STATES REQUIRE (except coercion is a crime) Desirable Voting System Characteristics • Secret • Accurate • Eligible voters • Vote once only • Tamper-proof • Reliable • Auditable • No vote-buying (receipt-free) • Verifiable • Non-coercible • Transparent

  46. Voting System Requirements • Accuracy • Secrecy • Security • Auditability • No take-home receipts • No identifiable ballots • Pennsylvania law: “No ballot which is so marked as to be capable of identification shall be counted.” 25 P.S. §3063(a) • Conformance with state law

  47. Federal Requirements (2006) • Overvote warning • Permanent paper record • Correct ballot before casting • Disabled accessibility • Multiple languages and alphabets (LA County: 12)

More Related