A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project.

Slides:



Advertisements
Similar presentations
I Think I Voted. E-voting vs. Democracy Prof. David L. Dill Department of Computer Science Stanford University
Advertisements

Wombat Voting 1.Designed ( ) 2.Implemented ( ) 3.Deployed (1 x 2011, 2 x 2012)
Will Your Vote Count? Will your vote count? Voting machine choices N.C. Coalition for Verified Voting Joyce McCloy Pros and Cons of voting.
ETen E-Poll ID – Strasbourg COE meeting November, 2006 Slide 1 E-TEN E-POLL Project Electronic Polling System for Remote Operation Strasbourg.
Cryptographic Voting Protocols: A Systems Perspective Chris Karlof Naveen Sastry David Wagner UC-Berkeley Direct Recording Electronic voting machines (DREs)
Wombat Voting Alon Rosen IDC Herzliya July 20, 2012.
VVPAT BY KRISTEN DUARTE & JESSICA HAWKINS. WHAT IS VVPAT? An add-on to electronic voting machines that allows voters to get a printed version of their.
TGDC Meeting, July 2010 Report of the Auditability Working Group David Flater National Institute of Standards and Technology DRAFT.
TGDC Meeting, Jan 2011 Evaluating risk within the context of the voting process Ann McGeehan Director of Elections Office of the Texas Secretary of State.
1 Design by Contract Building Reliable Software. 2 Software Correctness Correctness is a relative notion  A program is correct with respect to its specification.
TGDC Meeting, July 2011 Review of VVSG 1.1 Nelson Hastings, Ph.D. Technical Project Leader for Voting Standards, ITL
Observation of e-enabled elections Jonathan Stonestreet Council of Europe Workshop Oslo, March 2010.
Trustworthy Elections without Paper Ballots Why vote receipts deserve consideration May 26, 2004 C. Andrew Neff, Ph.D. Chief Scientist VoteHere, Inc.
17-803/ ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS / Electronic Voting Session 2: Paper Trails Michael I. Shamos,
Electronic Voting (E-Voting) An introduction and review of technology Written By: Larry Brachfeld CS591, December 2010.
Electronic Ballot Reader Team 01 Rosa Arias Chad Feller Walter Smith.
United States Election Assistance Commission Pilot Program Testing and Certification Manual & UOCAVA Pilot Program Testing and Certification Manual & UOCAVA.
Voting System Qualification How it happens and why.
Ballot Processing Systems February, 2005 Submission to OASIS EML TC and True Vote Maryland by David RR Webber.
12/9-10/2009 TGDC Meeting TGDC Recommendations Research as requested by the EAC John P. Wack National Institute of Standards and Technology
TGDC Meeting, July 2011 Overview of July TGDC Meeting Belinda L. Collins, Ph.D. Senior Advisor, Voting Standards, ITL
Certification of e-voting systems Mirosław Kutyłowski, Poland.
Security of Voting Systems Ronald L. Rivest MIT CSAIL Given at: GWU Computer Science Dept. November 9, 2009.
EAC-requested VVSG Research Overview and Status June 2008 Mark Skall Chief, Software Diagnostics and Conformance Testing Division National Institute of.
Perspectives on “End-to-End” Voting Systems Ronald L. Rivest MIT CSAIL NIST E2E Workshop George Washington University October 13, 2009 Ballot Bob Ballot.
TOWARDS OPEN VOTE VERIFICATION METHOD IN E-VOTING Ali Fawzi Najm Al-Shammari17’th July2012 Sec Vote 2012.
California Secretary of State Voting Systems Testing Summit November 28 & 29, 2005, Sacramento, California Remarks by Kim Alexander, President, California.
Improving U.S. Voting Systems Security Breakout Session Improving U.S. Voting Systems Andrew Regenscheid National Institute.
Andreas Steffen, , LinuxTag2009.ppt 1 LinuxTag 2009 Berlin Verifiable E-Voting with Open Source Prof. Dr. Andreas Steffen Hochschule für Technik.
Usability and Accessibility Working Group Report Sharon Laskowski, PhD National Institute of Standards and Technology TGDC Meeting,
Electronic Voting: The 2004 Election and Beyond Prof. David L. Dill Department of Computer Science Stanford University
Briefing for NIST Acting Director James Turner regarding visit from EAC Commissioners March 26, 2008 For internal use only 1.
12/9-10/2009 TGDC Meeting Auditing concepts David Flater National Institute of Standards and Technology
TGDC Meeting, Jan 2011 Auditability Working Group David Flater National Institute of Standards and Technology r4.
VVSG: Usability, Accessibility, Privacy 1 VVSG, Part 1, Chapter 3 Usability, Accessibility, and Privacy December 6, 2007 Dr. Sharon Laskowski
Panel One Why Audit? Mary Batcher Ernst & Young and Chair of ASA Working Group on Elections.
“The right of citizens of the United States to vote shall not be denied or abridged by the United States or by any state on account of [race, color, or.
How and what to observe in e-enabled elections Presentation by Mats Lindberg, Election Adviser, Organisation for Security and Co-operation in Europe (OSCE)
Oct 15-17, : Integratability and Data Export Page 1Next VVSG Training Voting devices must speak (produce records) using a commonly understood language,
Whatcom Fair Voting Welcomes you Please watch the next slides, and see whether they are “right” Here is your Logic and Accuracy Test.
NIST Voting Program Barbara Guttman 12/6/07
WHY THE vvpat has failed
Next VVSG Training Standards 101 October 15-17, 2007 Mark Skall National Institute of Standards and Technology
WHAT CONSTITUTES A VOTE? Annual Training for County Election Officials
VVPAT Building Confidence in U.S. Elections. WHAT IS VVPAT ? Voter-verifiable paper audit trail Requires the voting system to print a paper ballot containing.
EAC-requested VVSG Research Overview and Status June 2008 Mark Skall Chief, Software Diagnostics and Conformance Testing Division National Institute of.
Creating Accessibility, Usability and Privacy Requirements for the Voluntary Voting System Guidelines (VVSG) Whitney Quesenbery TGDC Member Chair, Subcommittee.
Election Assistance Commission 1 Technical Guidelines Development Committee Meeting Post-HAVA Voting System Requirements – Federal Perspective February.
Auditability and Verifiability of Elections Ronald L. Rivest MIT ACM-IEEE talk March 16, 2016.
Election Assistance Commission 1 TGDC Meeting High Level VVSG Requirements: What do they look like? February, 09, United States.
12/9-10/2009 TGDC Meeting Alternatives to Software Independence Nelson Hastings National Institute of Standards and Technology
Ronald L. Rivest MIT NASEM Future of Voting Meeting June 12, 2017
Do you know who Richard M. Nixon is
Security of Voting Systems
Perspectives on “End-to-End” Voting Systems
Evaluating risk within the context of the voting process
EVoting 23 October 2006.
Recanvass Procedures & Tips
Con Electronic Voting Preston Pope, Zach White, Ankit Shrivastava, Max Alexander.
Election Audit?? What in the world?.
Audit Thoughts Ronald L. Rivest MIT CSAIL Audit Working Meeting
ELECTRONIC VOTING SYSTEMS André Martins Hugo António Miguel Cordeiro
Ronald L. Rivest MIT NASEM Future of Voting December 7, 2017
Improving Reliability of Direct Recording Electronic Voting Systems
Texas Secretary of State Elections Division
Election Security Best Practices
ISI Day – 20th Anniversary
Texas Secretary of State Elections Division
Auditability and Verifiability of Elections
Election Security Best Practices
Presentation transcript:

A technical analysis of the VVSG 2007 Stefan Popoveniuc George Washington University The PunchScan Project

A standard should Say WHAT needs to be done –Performance standard –High level goals –Encourages innovation Not HOW to do it –Design standard –VVPAT –Discourages innovation

Software Independence (SI) Definition –“…an undetected error or fault in the voting system’s software is not capable of causing an undetectable change in election results.” (Introduction 2.4) I.E. check the election, not the equipment High level goal – good intentions

What I will show The software independence definition is subject to multiple conflicting interpretations. IVVR does not fit any of the interpretations. There are real voting systems that actually do satisfy the SPIRIT of the definition.

Pitfalls of the definition The definition is ambiguous because it does not specify –WHO can check Privileged people Anyone –WHEN it can be checked Anytime after the tally is posted When the voter is in the booth (there is no tally) The definition does not mandate audits –Perform an audit if something went wrong –Realize if something went wrong from an audit

How is SI supposed to be interpreted by the VVSG Voters can check a piece of paper Everyone trusts the chain of custody Everyone trusts manual recounts

IVVR is a design standard “it must be possible to audit voting systems to verify that ballots are being recorded correctly” (Introduction 2.4) In many states, at casting time, the official ballot is the electronic record The voter CANNOT check the correct recording of the ballot –But only the correct printing of the IVVR There is no ballot (electronic record) when the voter checks the IVVR

IVVR is not SI There is a huge gap between being able “to verify that ballots are being recorded correctly” and the fact that the tally is correct – not in the spirit of software independence. Simply trust the chain of custody? Not scalable –Custodized as recorded –Counted as custodized. Simply trust the manual recounts? Not scalable A count is meaningful only for the person doing the recount

The spirit of Software Independence Cast as intended Recorded as cast Custodized as recorded –The voters can check it at anytime after casting. Counted as custodized –Anyone can check it at any time after election day

Conclusion Specify a goal that is not susceptible to interpretation (needed: who can check, when it can be checked). Should not specify how to achieve the goal. IVVR is not SI (even for the weakest interpretation). An open problem: not exclude VVPAT systems because they are implemented, but we should encourage any type of system that meets the spirit of the high level requirement