Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

Joint work with … Joe Calandrino Ari Feldman Ed Felten

2000 Recount Debacle Help America Vote Act Legislative response: Provided $3.9 billion to states to upgrade voting machines by November 2006

Direct Recording Electronic – Store votes in internal memory DREs to the Rescue? Direct Recording Electronic – Store votes in internal memory

DREs are Computers Viruses Rootkits Bugs Attacks =

Diebold’s History of Secrecy Used NDAs to prevent states from allowing independent security audits Source code leaked in 2003, researchers at Johns Hopkins found major flaws Diebold responded with vague legal threats, personal attacks, disinformation campaign Internal emails leaked in 2003 reveal poor security practices by developers Diebold tried to suppress sites with legal threats

We Get a Machine (2006) Obtained legally from an anonymous private party Software is 2002 version, but certified and used in actual elections First complete, public, independent security audit of a DRE

Research Goals Conduct independent security audit Confirm findings of previous researchers (Hursti, Kohno et al.) Verify threats by building demonstration attacks Figure out how to do better Who wants to know? Voters, candidates, election officials, policy makers, researchers

Removable Flash Memory Card SH3 CPU 32 MB SDRAM 128 KB EPROM 16 MB Flash Removable Flash Memory Card

Our Findings Malicious software running on the machine can steal votes undetectably, altering all backups and logs [Feldman, Halderman & Felten 2007]

Correct result: George 5, Benedict 0

Our Findings Malicious software running on the machine can steal votes undetectably, altering all backups and logs Anyone with physical access to the machine or memory card can install malicious code in as little as one minute [Feldman, Halderman & Felten 2007]

The Key Jukebox by Flickr user shil (CC) Minibar by Flickr user *0ne* (CC) Commonly available key Easy-to-pick lock Key photo on web site

Our Findings Malicious software running on the machine can steal votes undetectably, altering all backups and logs Anyone with physical access to the machine or memory card can install malicious code in as little as one minute Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus [Feldman, Halderman & Felten 2007]

Voting Machine Virus

Viral Spread

California “Top-to-Bottom” Study Bill Zeller Alex Halderman Harlan Yu Joe Calandrino Debra Bowen Ari Feldman

California “Top-to-Bottom” Results Hart Sequoia Diebold

WHAT TO DO?

E-Voting Advantages Voters prefer it Faster reporting Fewer undervotes Improved accessibility Potentially increased security*

WE CAN DO BETTER!

Electronic + Paper Records Touch-screen (DRE) machine, plus voter-verifiable paper trail Hand-marked paper ballot, machine-scanned immediately

Failure Modes Paper Ballots Electronic Records Physical tampering “Retail” fraud After the election Electronic Records Cyber-tampering “Wholesale” fraud Before the election Redundancy + Different failure modes = Greater security

Proposed Legislation H.R. 811: Voter Confidence and Increased Accessibility Act Voter-verifiable paper record and random manual audits Access to voting software and source code, to verify security Additional money for states Rep. Rush Holt In time for 2008 election. Rush Holt, PhD physics.

How to Audit Redundancy only helps if we use both records! Electronic records fast and cheap to tally. Paper records very expensive and slow to tally. But: verified by voter

How to Use Paper Records? Use a machine to count the paper records Too risky Count the paper records by hand Too expensive Check a random subset of paper records by hand …but which subset?

Standard Approach Pick some precincts randomly. Hand-count paper records. Should match electronic records.

Statistical Auditing’s Goal Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

Audit Example For 95% confidence, hand-audit 60 precincts Alice: 55% Bob: 45% Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper For 95% confidence, hand-audit 60 precincts Cost: about $100,000

An Alternative Approach Precinct-based auditing Ballot-based auditing

100 marbles, 10% blue 6300 beads, 10% blue How large a sample do we need?

Audit Example ballots For 95% confidence, hand-audit 60 precincts Alice: 55% Bob: 45% Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper ballots For 95% confidence, hand-audit 60 precincts Cost: about $100,000 $1,000

Why Not Ballot-based? Need to match up electronic with paper ballots. Voting Machine Alice Bob ● Alice ○ Bob ○ Alice ● Bob Need to match up electronic with paper ballots. Compromises the secret ballot!

Secret Ballot Prevents coercion and vote-buying Requirements: Nobody can tell how you voted. You can’t prove to anyone how you voted. You can be confident in these properties.

Serial Numbers Voting Machine 1 ● Alice ○ Bob 2 ○ Alice ● Bob 1 Alice 3 ● Alice ○ Bob

“Random” Identifiers Voting Machine 325631 ● Alice ○ Bob 218594 810581 ● Alice ○ Bob

Machine-Assisted Auditing Alice: 510 Bob: 419 ○ Alice ● Bob ○ Alice ● Bob 1 1 Bob Alice ... 929 Bob = Step 1. Check electronic records against paper records using a recount machine. [Calandrino, Halderman & Felten 2007]

Machine-Assisted Auditing = ○ Alice ● Bob 1 1 Bob Alice ... 929 Bob Alice: 510 Bob: 419 [Calandrino, Halderman & Felten 2007]

Machine-Assisted Auditing ○ Alice ● Bob 321 ● Alice ○ Bob 716 ○ Alice ● Bob 1 ○ Alice ● Bob 1 1 Bob Alice ... 929 Bob = 321 Bob 716 Alice = Step 2. Audit the recount machine by selecting random ballots for human inspection. [Calandrino, Halderman & Felten 2007]

Machine-Assisted Auditing Machine Recount Manual Audit We can use a machine without having to trust it! As efficient as ballot-based auditing, while protecting the secret ballot.

Evaluation 2006 Virginia U.S. Senate race 0.3% margin of victory We want 99% confidence   Precinct-based Machine-assisted # ballots 1,141,900 2,339 # precincts 1,252 1,351 Jim Webb (D) and George Allen

Doing Even Better Only need to audit ballots marked for Alice. Bob: 45% Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob. Only need to audit ballots marked for Alice.

In General … Key idea: Probability of auditing a ballot should depend on how that ballot is marked Full algorithm accounts for: multi-candidate races multi-seat races undervotes and overvotes write-ins

Evaluation 2006 Virginia U.S. Senate race 0.3% margin of victory We want 99% confidence   Precinct-based Machine-assisted Content-sensitive # ballots 1,141,900 2,339 1,179 # precincts 1,252 1,351 853

E-Voting: Opportunity Used correctly, new technology can make voting cheaper, faster, and more reliable. Where possible, should design technology so that we don’t need to trust it. Research points the way… Making rapid progress—on some problems. In practice, we have a long journey ahead.

Electronic Voting: Danger and Opportunity J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University