Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University.

Presentation transcript:

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

Joint work with … Joe Calandrino, Ari Feldman, Ed Felten

2000 Recount Debacle
Legislative response: Help America Vote Act
- Provided $3.9 billion to states to upgrade voting machines by November 2006

DREs to the Rescue?
Direct Recording Electronic – Store votes in internal memory

DREs are Computers
Bugs, Rootkits, Viruses, Attacks

Diebold’s History of Secrecy
- Prevented states from allowing independent security audits – hid behind NDAs, trade secret law
- Source code leaked in 2003; researchers at Johns Hopkins found major flaws
- Diebold responded with vague legal threats, personal attacks, disinformation campaign
- Internal e-mails leaked in 2003 reveal poor security practices by developers
- Diebold tried to suppress sites with legal threats

We Get a Machine (2006)
- Obtained legally from an anonymous private party
- Software is 2002 version, but certified and used in actual elections
- First complete, public, independent security audit of a DRE

Research Goals
- Conduct independent security audit
- Confirm findings of previous researchers (Hursti, Kohno et al.)
- Verify threats by building demonstration attacks
- Figure out how to do better
Who wants to know? Voters, candidates, election officials, policy makers, researchers

16 MB Flash 128 KB EPROM SH3 CPU 32 MB RAM 2 PCMCIA Slots Boot Jumper Table

Software Problems
One example: DES-CBC_K(BallotID:VoteBitmap), CRC-16(…)

Our Findings
- Malicious software running on the machine can steal votes undetectably, altering all backups and logs
[Feldman, Halderman & Felten 2007]

Correct result: George 5, Benedict 0

Our Findings
- Malicious software running on the machine can steal votes undetectably, altering all backups and logs
- Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
[Feldman, Halderman & Felten 2007]

The Key

Our Findings
- Malicious software running on the machine can steal votes undetectably, altering all backups and logs
- Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
- Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
[Feldman, Halderman & Felten 2007]

Voting Machine Virus

Viral Spread

California “Top-to-Bottom” Study
Joe Calandrino, Ari Feldman, Bill Zeller, Harlan Yu, Alex Halderman, Debra Bowen

California “Top-to-Bottom” Results
Hart, Sequoia, Diebold

E-Voting Advantages
- Voters prefer it
- Faster reporting
- Fewer undervotes
- Improved accessibility
- Potentially increased security*

Electronic + Paper Records
- Touch-screen (DRE) machine, plus voter-verifiable paper trail
- Hand-marked paper ballot, machine-scanned immediately

Failure Modes
Paper Ballots: physical tampering; “retail” fraud; after the election
Electronic Records: cyber-tampering; “wholesale” fraud; before the election
Redundancy + Different failure modes = Greater security
But… redundancy only helps if we use both records!

How to Use Paper Records?
- Use a machine to count the paper records: too risky
- Count all the paper records by hand: too expensive
- Check a random subset of paper records by hand … but which subset?

Standard Approach
Pick some precincts randomly. Hand-count paper records. Should match electronic records.

Statistical Auditing’s Goal
Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

Audit Example
Alice: 55%, Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts. Cost: about $100,000

An Alternative Approach
- Precinct-based auditing
- Ballot-based auditing

100 marbles, 10% blue
6300 beads, 10% blue
How large a sample do we need?

Audit Example
Alice: 55%, Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts. Cost: about $100,000
ballots $1,000

Why Not Ballot-based?
[Figure: voting machine records (Alice, Bob, Alice) beside paper ballots (● Alice ○ Bob; ○ Alice ● Bob; ● Alice ○ Bob)]
Need to match up electronic with paper ballots. Compromises the secret ballot!

Secret Ballot
Prevents coercion and vote-buying
Requirements:
- Nobody can tell how you voted.
- You can’t prove to anyone how you voted.
- You can be confident in these properties.

Serial Numbers
[Figure: voting machine records (1 Alice, 2 Bob, 3 Alice) beside paper ballots (1: ● Alice ○ Bob; 2: ○ Alice ● Bob; 3: ● Alice ○ Bob)]

“Random” Identifiers
[Figure: voting machine records (Alice, Bob, Alice) beside paper ballots (● Alice ○ Bob; ○ Alice ● Bob; ● Alice ○ Bob)]

Machine-Assisted Auditing [Calandrino, Halderman & Felten 2007]
[Figure: electronic records and paper ballots; tally Alice: 510, Bob: 419]
Step 1. Check electronic records against paper records using a recount machine.

Machine-Assisted Auditing [Calandrino, Halderman & Felten 2007]
[Figure: electronic records and paper ballots; tally Alice: 510, Bob: 419]

Machine-Assisted Auditing [Calandrino, Halderman & Felten 2007]
[Figure: ballots 321 and 716 shown with their electronic records]
Step 2. Audit the recount machine by selecting random ballots for human inspection.

Machine-Assisted Auditing
Machine Recount, Manual Audit
We can use a machine without having to trust it!
As efficient as ballot-based auditing, while protecting the secret ballot.

Doing Even Better
Key idea: Probability of auditing a ballot should depend on how that ballot is marked
Full algorithm accounts for:
- multi-candidate races
- multi-seat races
- undervotes and overvotes
- write-ins

Doing Even Better
Alice: 55%, Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob.
Only need to audit ballots marked for Alice.
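
The sampling arithmetic behind the marbles-and-beads slide, the ballot-based audit example and the "only audit ballots marked for Alice" refinement, as an added example that is not part of the original presentation. The election size of 100,000 ballots and all function names are assumptions, and the content-sensitive function is a simplified model rather than the full algorithm the talk refers to.

```python
# Added example (not from the talk): how many units must be hand-checked
# so that, if at least `bad` of them differ from the electronic record,
# a uniform random sample catches one with the required confidence.

def miss_probability(population, bad, sample):
    """P(a uniform sample without replacement contains no bad unit)."""
    p = 1.0
    for i in range(sample):
        p *= (population - bad - i) / (population - i)
    return p

def sample_size(population, bad, confidence):
    """Smallest sample whose miss probability is <= 1 - confidence."""
    if not 0 < bad <= population:
        raise ValueError("bad must be in 1..population")
    if not 0 < confidence < 1:
        raise ValueError("confidence must be strictly between 0 and 1")
    n = 0
    while miss_probability(population, bad, n) > 1 - confidence:
        n += 1
    return n

def content_sensitive_size(alice_pile, shifted, confidence):
    """Simplified model of content-sensitive auditing: ballots recorded
    electronically for Alice but marked for Bob on paper can only sit in
    Alice's electronic pile, so only that pile is sampled."""
    return sample_size(alice_pile, shifted, confidence)

def audit_plan():
    total = 100_000            # constructed election size (assumption)
    alice = total * 55 // 100  # slide: Alice 55%, Bob 45%
    bad = total * 5 // 100     # slide: hypothesis ">= 5% of ballots differ"
    return {
        "marbles_100": sample_size(100, 10, 0.95),    # 100 marbles, 10% blue
        "beads_6300": sample_size(6300, 630, 0.95),   # 6300 beads, 10% blue
        "ballot_based": sample_size(total, bad, 0.95),
        "alice_only": content_sensitive_size(alice, bad, 0.95),
    }

if __name__ == "__main__":
    for name, n in audit_plan().items():
        print(f"{name}: {n}")
```

The required sample barely grows with the size of the population, which is why sampling individual ballots costs far less than sampling whole precincts.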

Evaluation
2006 Virginia U.S. Senate race, 0.3% margin of victory. We want 99% confidence.
               Precinct-based   Machine-assisted   Content-sensitive
# ballots      1,141,900        2,339              1,179
# precincts    1,252            1,351              853

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

Proposed Legislation
H.R. 811: Voter Confidence and Increased Accessibility Act
- Voter-verifiable paper record and random manual audits
- Access to voting software and source code, to verify security
- Additional money for states
Rep. Rush Holt