
1 Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber http://lorrie.cranor.org/courses/sp05/ 1 Electronic Voting Week 11 - March 29, 31

2 History of Voting
“Ballots” from Italian ballotta, meaning “little ball”
Ancient: clash of spears, balls in urns, division by groups, wooden tickets (tabellæ)
American colonies: voting aloud to public official
1857: Australia introduces secret paper ballot
1888: Australian ballot introduced in U.S. (KY, MA)
1892: Mechanical lever machine to “protect mechanically the voter from rascaldom”
1960s: Punched cards
1970s: Optical scan
1978: Direct-recording electronic systems
2000: Internet voting in primaries
17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

3 Voting Jurisdictions
Voting in the U.S. is conducted by the states
– 50 states + DC + territories
– Supervised generally by Secretaries of State
– Delegated to 3170 counties
~10,000 voting jurisdictions (cities, school boards, …)
~200,000 precincts (avg. 60-70 per county)
> 1,400,000 poll workers (avg. 7/precinct, 440/cty)
150 million registered voters, 105 million actually vote
Federal government has very little power over elections

4 PENNSYLVANIA

5 Pennsylvania Voting Methods 2004 (map; legend: Optical, Punch Card, Lever, DRE, Paper, Mixed, N/A; Allegheny County labelled) SOURCE: ELECTIONLINE.ORG

6 Allegheny County CITY OF PITTSBURGH

7 5th Ave. (Precincts)

8 Pittsburgh East End Wards and Precincts: 14th City Ward, 5th Ave.

9 Pittsburgh East End Political Districts: 8th City Council District

10 Pittsburgh East End Political Districts: 11th County Council District

11 Pittsburgh East End Political Districts: 23rd Pennsylvania House District

12 Pittsburgh East End Political Districts: 43rd Pennsylvania Senate District

13 Pittsburgh East End Political Districts: 43rd Senate, 23rd House, 8th City Council, 11th County Council

14 Functions of a Voting System
1. Authenticate voter
2. Present candidates and issues to voter
3. Capture voter’s preferences
4. Transport preferences to counting location
5. Add up vote totals (tabulation)
6. Publish vote totals (reporting)
7. Provide audit mechanism
But: vote must be secret
CS ISSUES: SECURITY, PRIVACY, HCI, SOFTWARE ENGINEERING

15 Authentication
In each precinct, only registered voters are allowed to vote
Need a registration system before the election
Need authentication mechanism on Election Day
– Only registered voters vote
– No one can impersonate a voter
– Each voter can only vote once
In this course, we will not discuss voter registration

16 Voting System Requirements
Secrecy
Security
Accuracy
Auditability
Accessibility to disabled
Protective counter (votes cast since manufacture)
Public counter (votes cast today)
Conform to state voting provisions (e.g. write-ins)
Meet Federal standards

17 Election tasks
Registering voters
Validating/authenticating voters
Distributing/collecting ballots
Tallying votes
How are these tasks accomplished in the elections in which you have participated?
– Government elections
– Stock holder elections
– Student government elections
– Professional society elections

18 Desirable properties of secret ballot elections
Accuracy
Privacy
Verifiability
Invulnerability
(Democracy)
Convenience
Flexibility
Mobility
Trustworthy

19 Accuracy
Votes cannot be altered
Validated votes cannot be eliminated from the final tally
Invalid votes will not be counted in the final tally

20 Privacy
Neither election authorities nor anyone else can link any ballot to the voter who cast it
No voter can prove that he or she voted in a particular way

21 Invulnerability (to ballot box stuffing)
Only eligible voters can vote
Each eligible voter can vote only once
– The accuracy property ensures that ballots are not lost or altered after being submitted to the ballot box
– The invulnerability property ensures that only valid ballots are accepted into the ballot box

22 Verifiability
Anyone can independently verify that all votes have been counted correctly
– Weaker version: voters can verify that their own votes were counted correctly
– Achieved through audit trails and/or cryptographic verification

23 Convenience
Voters can cast their votes quickly, in one session, and with minimal equipment or special skills

24 Flexibility
A variety of ballot question formats are permitted including open ended questions

25 Mobility
There are no restrictions on the location from which a voter can cast a vote

26 Trustworthy
Voter feels that
– Vote was counted
– Vote was private
– Nobody else can vote more than once
– Nobody can alter others’ votes
People believe that the machine works correctly and that its behavior cannot be modified
These have to do with perception
It is also important that these perceptions are true

27 Ballot Types
Document ballot
– Paper ballot
– Punched-card
– Optical scan
Non-document ballot
– Lever machine
– DRE machine

28 U.S. Voting Methods 2000-2004
2000: Punched-card (32%), Optical scan (28%), Lever (16%), DRE (12%), Paper (1%), Indeterminate (11%)
2004: Optical scan (34%), DRE (31%), Lever (14%), Punched-card (14%), Paper (1%), Indeterminate (6%)

29 Paper (.6%)
Advantages
– Simple
– Captures voter intent
– Not subject to equipment malfunctions
Disadvantages
– Time consuming to count
– Does not prevent over votes or under votes
– Many ballot fraud schemes involving paper ballots: ballot box stuffing, ballot invalidation, pre-marked ballots, ballot theft

30 Paper Ballots 1/27/1925 10/29/1864

31 New York Times, April 4, 1855 BALLOT BOXES DESTROYED INJURIES IN RIOTS MORE BALLOTS CAST THAN NAMES ON THE POLL LIST

32 Florida’s Solution
“The ballots shall first be counted, and, if the number of ballots exceeds the number of persons who voted … the ballots shall be placed back into the box, and one of the inspectors shall publicly draw out and destroy unopened as many ballots as are equal to such excess.” F.S. §102.061

33 Why Do We Use Voting Machines?
To prevent fraud
– Lever machine (1892) “To protect mechanically the voter from rascaldom”
Faster, more accurate counting

34 Lever Machines (14%) SOURCE: MICHIGAN SOS

35 Lever Machines (14%)

36 Lever Machines (14%)

37 Lever Machines

40 Punched-Card (14%)

41 Punch Card Voting
Will be used by about 14% of the U.S. in 2004
Will be used in 69 of 88 counties in Ohio (PA only has 67 counties)
Began in the 1960s with the IBM Porta-Punch
By 2000 was used in 37% of the U.S., until Florida

42 Votomatic Punch-Card System (figure labels: VOTING BOOTH, BALLOT FRAME, VOTING STYLUS, BALLOT SEALS, VOTING SETUP)

43 Punched Card (14%) SOURCE: MICHIGAN SOS

44 Chads SOURCE: PETER SHEERIN

45 Hanging Chad SOURCE: NEW YORK TIMES

46 Palm Beach County “Butterfly” Ballot SOURCE: SOUTH FLORIDA SUN-SENTINEL

47 Votomatic Punched-Card System

49 Buchanan Vote by County (Florida, 2000)
Graph with a linear fit computed without Palm Beach, Broward and Miami-Dade (purple annotations added); labelled counties: Broward (Fort Lauderdale), Miami-Dade, Hillsborough (Tampa), Pinellas (St. Petersburg-Clearwater), Orange (Orlando)
GRAPH COURTESY OF PROF. GREG ADAMS, CARNEGIE MELLON & PROF. CHRIS FASTNOW, CHATHAM COLLEGE. SOURCE: PROF. GREG ADAMS

50 Datavote
Uses a die to punch a clean hole
Employed in a small fraction of punch card counties

51 Counting Punched Cards SOURCE: NEW YORK TIMES

52 Recount
When a ballot is handled, it can be changed
The voter’s intent must be determined
Suppose only one of four corners is detached. Is it a vote?
Dimpled chad, pregnant chad: how to count?

53 Punched-Card Problems
Can’t see whom you’re voting for
Registration of card in ballot frame
Must use stylus: no positive feedback on punch
Hanging chad: chad that is partially attached to the card
– How many corners?
– Hanging chad causes count to differ every time
Dimple: chad that is completely attached but shows evidence of an attempt to punch
– Dimple can turn into a vote on multiple readings

54 Mark Sense, Optical Scan (34%) (figure labels: TIMING MARKS, START OF BALLOT)

55 Mark-Sense, Optical Scan (34%)
Scanning methods
– Visible light
– Infrared
Issues:
– Dark/light marks
– Some scanners require carbon-based ink
– Voter intent may not be captured by machine
Machine does not see what the human sees

56 An optical scan ballot SOURCE: SANTA BARBARA COUNTY

58 Precinct Count v. Central Count
Precinct count
– Voter marks ballot, inserts into machine
– Machine rejects overvoted (and maybe undervoted) ballots
Central count
– Marked ballots are transported to a central location for counting
– No opportunity for correction of overvotes/undervotes

59 ES&S Model 110 Precinct Tabulator SOURCE: ES&S
Voter inserts ballot, receives immediate overvote/undervote notification

60 ES&S Model 650 Central Tabulator SOURCE: ES&S
Ballots counted centrally, away from voter. No overvote/undervote notification

61 Optical Scan Vote Reading
Is it reliable?
Is voter intent captured?
Can it be manipulated?
Infrared v. visible light
– Problem: machine “sees” marks differently from voter
What is a valid vote?

62 Effect of Humidity SOURCE: DOUG JONES

63 Direct-Recording Electronic (31%) SOURCE: SHOUP VOTING SOLUTIONS

64 Direct-Recording Electronic (31%) SOURCE: SHOUP VOTING SOLUTIONS

65 DRE Systems
DRE means “direct recording electronic”
There is no document ballot
Voter votes by interacting directly with a machine, not by marking a piece of paper
“Electronic voting system” means a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment. The system shall provide for a permanent physical record of each vote cast. Pa. Elec. Code.

66 A Well-Designed e-Voting Machine
Diagram labels:
– READ-ONLY MEMORY
– READ-ONLY MEMORY
– RANDOM ACCESS MEMORY
– WRITE-ONCE MEMORY
– INTERNAL PAPER TRAIL
– VOTER CHOICES
– PROPRIETARY OPERATING SYSTEM (NOT WINDOWS)
– BALLOT SETUP DATA
– SOFTWARE FROM A TRUSTED SOURCE (NOT THE VENDOR)
– 16-HOUR BATTERY
– NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET
– TOTALS REPORT SIGNED BY ELECTION JUDGES
– WRITE-ONCE MEMORY TO COUNTY BOARD
– MACHINE SEALED WITH PAPER TRAIL

67 Advanced (formerly Shoup) WINvote DRE: USES WIRELESS NETWORK. SOURCE: ADVANCED VOTING SOLUTIONS

68 Diebold Accu-Vote: ACCU-VOTE OS OPTICAL SCAN, ACCU-VOTE TSX TOUCHSCREEN, ACCU-VOTE TS TOUCHSCREEN. SOURCE: DIEBOLD

69 ES&S iVotronic Touchscreen DRE: 1. INSERT PEB 2. MAKE SELECTIONS 3. REVIEW BALLOT 4. CAST BALLOT. SOURCE: ES&S

70 Guardian 1242 (formerly Danaher) Full-face DRE SOURCE: GUARDIAN

71 Liberty Election Systems Full-face DRE (LIBERTYVOTE) SOURCE: LIBERTY

72 Microvote: INFINITY DRE, ABSENTEE CARD READER, MV-464 DRE. SOURCE: MICROVOTE

73 Sequoia Pacific AVC Advantage Full-Face DRE SOURCE: SEQUOIA

74 Sequoia Pacific Edge DRE SOURCE: SEQUOIA

75 Sequoia Pacific Edge DRE SOURCE: SEQUOIA

76 Hart eSlate SOURCE: HART INTERCIVIC

77 Help America Vote Act of 2002
Payments to states to replace paper and lever machines: $3 billion
Establishes Election Assistance Commission
Reforms the standards process (National Institute of Standards and Technology)
Provisional voting
Statewide registration systems
Complaint procedure

78 The Problem
Voters do not trust DRE systems
Why?
– Numerous irregularities around the country
– “Black box” phenomenon
– Reports by computer security specialists
– Warnings by computer scientists
– Jurisdictions rushing to replace old systems
– Secretive vendor behavior
– Public awareness of computer vulnerabilities
– Newspaper editorials, e.g. New York Times

79 The Problem
Are DRE systems untrustworthy?
– Some are, some aren’t
DRE systems used for 25 years without a single verified incident of tampering
– Much more difficult to alter computerized records than paper
– Proprietary operating systems
– Redundant encrypted memories
– Testing
None of this matters. Perception governs
What to do?

80 Statutory Requirements
HAVA Sec. 301(a)(2)(i): “The voting system shall produce a permanent paper record with a manual audit capacity for such system.”
Maryland Election Law 9-102(c): “Standards for certification.- The State Board may not certify a voting system unless the State Board determines that: (1) the voting system will: … (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount”

81 Paper Trail Proposal
Allow each voter to see her choices on paper before casting a vote
If the choices are incorrect, they can be corrected
The paper becomes the official ballot
If there is a discrepancy between the paper record and the computer record, the paper governs
Why? Because that’s the one the voter verified

82 Paper Trail Advantages
Demonstrates to the voter that the machine captured her choices correctly
Creates a sense of security among voters

83 Paper Trail Disadvantages
No guarantee vote was counted, will ever be counted or paper will be in existence if a recount is ordered
Massive paper handling and security problem
Slow counting
– Sacramento experiment 06/04: took an average of 20 minutes per ballot to tabulate and verify results
– Recounting California would take 450 years
Accessibility issues
Voter confusion
– Must remember a lengthy ballot
Machines questioned when nothing is wrong
Increased demand for recounts
Creates doubt among voters (CalTech-MIT Report)

84 Voting Problems
Machine won’t operate
Machine fails during the election
Intruder tampers with paper records
– Stuffing, removal, alteration
Machine captures choices incorrectly
Intruder alters vote totals after election
Machine maliciously or erroneously switches votes
Category labels on the slide: NOT ADDRESSED BY PAPER TRAIL; SOLVED BY PAPER TRAIL; DEPENDS ON PHYSICAL SECURITY OF PAPER TRAIL

85 AccuPoll Paper Trail SOURCE: ACCU-POLL

86 Avante Vote-Trakker Paper Trail
NJ021111002026 482961 Feb 26, 2001
President / Vice President GEORGE WASHINGTON, Andrew JACKSON
US Senator John HANCOCK
House of Representative Ben Franklin
County Clerk JohnQuincy ADAMS
Board of Chosen Freeholders Paul REVERE
Board of Chosen Freeholders William HTAFT
Board of Chosen Freeholders Theodore ROOSEVELT
Public Question 1 Yes
Public Question 2 No
Public Question 3 Yes
Thank you for voting!
SOURCE: AVANTE

87 Populex
1. Voter gets blank paper ballot, inserts in machine.
2. Voter removes touchscreen stylus.
3. Voter uses stylus to make selections on the touchscreen. NO INTERNAL COMPUTER RECORD OR COUNT, ONLY PAPER OUTPUT.
4. When voter is finished, machine prints a bar code and corresponding “punch” numbers which contain the voter’s selections on the paper ballot.
5. Voter verifies the ballot in privacy using a computerized read station. The voter then submits the ballot to an election judge to be counted. COUNTING IS BY BAR CODE.
SOURCE: POPULEX

88 Voter Verifiability
Having each voter be able to verify that
1. her vote was understood by the machine
2. her vote was counted by the machine
3. her vote was counted as part of the final tally
4. no unauthorized votes were counted
Paper trails provide (1), but not (2), (3) or (4)
Systems exist that provide all four

89 Research and Communication Skills: Evaluating information sources
Don’t believe everything you read!
News sources are usually a reporter's interpretation of what someone else did
Conference and journal papers are first hand reports of research studies that have been peer reviewed
– but journals usually have more review than conferences
Technical reports are usually first hand reports of research studies that have not been peer reviewed (yet)
– Look for subsequent conference or journal publications
Web sites and books are anything goes, but books at least have an editor (usually)
When possible, cite research results and technical information from peer reviewed sources

90 Research and Communication Skills: Organizing a research paper
Decide up front what the point of your paper is and stay focused as you write
Once you have decided on the main point, pick a title
Start with an outline
Use multiple levels of headings (usually 2 or 3)
Don’t ramble!

91 Research and Communication Skills: Typical paper organization
Abstract
– Short summary of paper
Introduction
– Motivation (why this work is interesting/important, not your personal motivation)
Background and related work
– Sometimes part of introduction, sometimes two sections
Methods
– What you did
– In a systems paper you may have system design and evaluation sections instead
Results
– What you found out
Discussion
– Also called Conclusion or Conclusions
– May include conclusions, future work, discussion of implications, etc.
References
Appendix
– Stuff not essential to understanding the paper, but useful, especially to those trying to reproduce your results - data tables, proofs, survey forms, etc.
These sections may be different in your papers

92 Research and Communication Skills: Road map
Papers longer than a few pages should have a “road map” so readers know where you are going
Road map usually comes at the end of the introduction
Tell them what you are going to say in the roadmap, say it, (then tell them what you said in the conclusions)
Examples
– In the next section I introduce X and discuss related work. In Section 3 I describe my research methodology. In Section 4 I present results. In Section 5 I present conclusions and possible directions for future work.
– Waldman et al, 2001: “This article presents an architecture for robust Web publishing systems. We describe nine design goals for such systems, review several existing systems, and take an in-depth look at Publius, a system that meets these design goals.”

93 Research and Communication Skills: Use topic sentences
(Almost) every paragraph should have a topic sentence
– Usually the first sentence
– Sometimes the last sentence
– Topic sentence gives the main point of the paragraph
First paragraph of each section and subsection should give the main point of that section
Examples from Waldman et al, 2001
– In this section we attempt to abstract the particular implementation details and describe the underlying components and architecture of a censorship-resistant system.
– Anonymous publications have been used to help bring about change throughout history.

94 Research and Communication Skills: Avoid unsubstantiated claims
Provide evidence for every claim you make
– Related work
– Results of your own experiments
Conclusions should not come as a surprise
– Analysis of related work, experimental results, etc. should support your conclusions
– Conclusions should summarize, highlight, show relationships, raise questions for future work
– Don’t introduce new ideas in discussion or conclusion section (other than ideas for related work)
– Don’t reach conclusions not supported by the rest of your paper

95 Electronic Voting in 2004
From the evoting viewpoint, the 2004 election was not very interesting
1444 reports to the Election Incident Reporting System
Reports fell into three categories:
– Fantasies (allegations of fraud with no evidence)
– Misunderstandings (truthful but misinterpreted allegations)
– Genuine problems
Problems exist that were not reported, e.g. voter privacy problems

96 Reported Problems
Machine unreliability
Changed votes
Lost votes

97 Carteret County, NC
UniLect Patriot DRE machine
Used since 1996
Software: Intellect 2.49; Firmware: 2.54

98 UniLect Patriot (figure labels: VOTING MACHINE, BALLOT SETUP UNIT, PRECINCT CONTROLLER) SOURCE: UNILECT

99 Carteret County, NC
Alleged by manufacturer to have a capacity of 10,500 ballots
Used in Carteret County for early voting
Real capacity was only 3,005
But 7,537 people voted early
Machine produces a warning when full, but does not prevent voting
4,532 votes were permanently lost

100 Carteret County, NC
What happened?
Machine had redundant ballot storage in machine and on memory pack
But capacity was exceeded
Many fixes available
– Don’t allow voting when machine is full!
– Increase capacity so it is huge
– Paper trail would have solved the problem
No FEC Standards covering capacity

101 Craven County, NC
Election Systems & Software DRE machine
Hardware: Votronic Model 1
Software: Unity 2.2
Firmware: 5.28

102 Craven County, NC
First election night tally showed 11,283 more votes for President than the 40,534 people first thought to have voted in the county
Some precincts were counted twice
Found by a reporter on Nov. 3
One race was affected: County Board of Commissioners District 5 seat (1067-944)
Problem would have been discovered in the canvass

103 Franklin County, OH
Columbus, OH
Danaher Controls (Danaher Guardian) DRE
Model: ELECTronic 1242

104 Franklin County, OH
A computer error with a voting machine cartridge gave President Bush 3,893 extra votes. Unofficial results gave Bush 4,258 votes to Kerry's 260 votes in Precinct 1B. Records show only 638 voters cast ballots in that precinct. Calls were received Thursday from people who saw the error when reading the list of poll results on the election board's Web site. After Precinct 1B closed, a cartridge from one of three voting machines at the polling place generated a faulty number at a computerized reading station. The reader also recorded zero votes in a county commissioner race.

105 Franklin County, OH
County elections director said the error would have been discovered when the official canvass for the election is performed later this month. The cartridge was retested Thursday and there were no problems. He couldn't explain why the computer reader malfunctioned. Workers checked the cartridge against memory banks in the voting machine Thursday and each showed that 115 people voted for Bush on that machine. With the other machines, the total for Bush in the precinct added up to 365 votes.
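
The Craven County and Franklin County slides both say the canvass would have caught the error. The following is an added example (not from the course slides or from any election system) of the checks that can be run on unofficial results before they are published: the same cartridge tallied twice, a race that reads zero on a cartridge that carries votes elsewhere, and more votes in a race than voters in the poll book. The read format, cartridge ids, per-machine splits and precincts P-07 and P-08 are constructed; the Precinct 1B totals are the ones quoted on the slides.

```python
"""Added example: reconcile unofficial cartridge reads against poll-book sign-ins."""
from collections import defaultdict, namedtuple

Finding = namedtuple("Finding", "code precinct race detail")


def reconcile(reads, poll_book):
    """Tally cartridge reads and flag results that a canvass would question.

    reads:     list of {"precinct", "cartridge", "races": {race: {candidate: votes}}}
    poll_book: {precinct: number of voters who signed in}
    Returns (totals, findings); totals[precinct][race][candidate] -> votes.
    """
    totals = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    findings, seen = [], set()

    for read in reads:
        precinct, cartridge = read["precinct"], read["cartridge"]

        # Craven County failure mode: the same precinct data tallied twice.
        if (precinct, cartridge) in seen:
            findings.append(Finding("DUPLICATE_READ", precinct, None, cartridge))
            continue  # the second copy is not added to the totals
        seen.add((precinct, cartridge))

        # Franklin County symptom: one race reads zero while the same
        # cartridge carries votes in another race.
        per_race = {race: sum(c.values()) for race, c in read["races"].items()}
        if any(per_race.values()):
            for race, cast in per_race.items():
                if cast == 0:
                    findings.append(Finding("ZERO_RACE", precinct, race, cartridge))

        for race, candidates in read["races"].items():
            for candidate, votes in candidates.items():
                totals[precinct][race][candidate] += votes

    # No race can hold more votes than voters who signed the poll book.
    for precinct, races in totals.items():
        signed_in = poll_book.get(precinct)
        for race, candidates in races.items():
            cast = sum(candidates.values())
            if signed_in is None:
                findings.append(Finding("NO_POLL_BOOK", precinct, race, cast))
            elif cast > signed_in:
                findings.append(
                    Finding("VOTES_EXCEED_VOTERS", precinct, race, cast - signed_in))
    return totals, findings


def held_precincts(findings):
    """Precincts whose results are held back until someone reviews them."""
    return {f.precinct for f in findings}


# Constructed sample. Precinct 1B uses the figures on the Franklin County slides
# (638 voters, Bush 4,258, Kerry 260, 115 real Bush votes on the bad machine);
# the per-machine split, cartridge ids, P-07 and P-08 are invented for the example.
SAMPLE_POLL_BOOK = {"1B": 638, "P-07": 500, "P-08": 200}
SAMPLE_READS = [
    {"precinct": "1B", "cartridge": "1B-A",  # faulty read: 115 + 3,893 extra
     "races": {"President": {"Bush": 4008, "Kerry": 90},
               "County Commissioner": {"Candidate X": 0, "Candidate Y": 0}}},
    {"precinct": "1B", "cartridge": "1B-B",
     "races": {"President": {"Bush": 120, "Kerry": 85},
               "County Commissioner": {"Candidate X": 100, "Candidate Y": 95}}},
    {"precinct": "1B", "cartridge": "1B-C",
     "races": {"President": {"Bush": 130, "Kerry": 85},
               "County Commissioner": {"Candidate X": 110, "Candidate Y": 100}}},
    {"precinct": "P-07", "cartridge": "P-07-A",
     "races": {"President": {"Bush": 300, "Kerry": 180}}},
    {"precinct": "P-07", "cartridge": "P-07-A",  # same cartridge read a second time
     "races": {"President": {"Bush": 300, "Kerry": 180}}},
    {"precinct": "P-08", "cartridge": "P-08-A",
     "races": {"President": {"Bush": 100, "Kerry": 90}}},
]

if __name__ == "__main__":
    totals, findings = reconcile(SAMPLE_READS, SAMPLE_POLL_BOOK)
    for finding in findings:
        print(finding)
    print("hold before publishing:", sorted(held_precincts(findings)))
```

A duplicate that arrives under a different cartridge id passes the first check but still trips the poll-book comparison once the doubled total exceeds the sign-in count.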

106 Orleans Parish, LA
New Orleans
Sequoia Voting Systems, Inc
Model: AVC Advantage

107 Orleans Parish, LA
Sequoia machines failed to boot up on election day and local election officials had no backup plan. EFF attorneys filed a complaint in Civil District Court attempting to force election officials in the Parish of New Orleans to keep polls open late. The NAACP also filed a complaint urging polls to remain open late to accommodate disenfranchised voters. The machines that failed in New Orleans were older Sequoia AVC Edge machines and 80 incidents of failure were recorded across a number of precincts.

108 Boulder County, CO
Hart Intercivic
Optical Scan, Precinct-Based
Model: BallotNow

109 Boulder County, CO
A printing error that distorted bar codes on paper ballots is being blamed for delays that made this one of the last counties in the nation to report election results. The county clerk's office and officials at a Denver printing company are examining flaws in thousands of ballots that slowed the vote count to a crawl. County Clerk Linda Salas said Monday the bad ballots were distributed at random, cropping up in some precincts, but not in others. The exact number of bad ballots is still unknown, Salas said. Scanners rejected ballots with the bad bar codes, requiring election judges to tally those votes race by race.

110 Boulder County, CO
Voting equipment was tested before the election. But the printing error occurred only on actual ballots that went to voters, not the test ballots, Salas said. Adding to the delays were attempts to figure out why the scanners were rejecting some ballots. Technicians from Hart Intercivic, which makes the scanners, and Kodak, which makes the lenses, examined the machines before the bar code error - which was not visible to the naked eye - was caught, Salas said.

111 Thurston County, WA
Election Systems & Software punched card system

112 Thurston County, WA
Elections staff recounted an estimated 81,000 ballots first tallied Election Day after learning that computer software wasn't set up properly for the first count. No errors were caused in tabulating the ballots the first time, Thurston County Auditor Kim Wyman said. The mistake did make it impossible to know exactly how many poll-site ballots were cast in each precinct of the county. A dozen staff members worked into the evening, recounting the ballots after properly setting software on the machines. They needed the data as part of their routine effort to confirm that machine-vote totals equal the totals in poll books. An "F2 key" was not punched when elections workers set up the vote-counting machines prior to Tuesday's election, Wyman said.

113 Paper Trail Problems
Clark County, NV (Las Vegas) + Reno
5 machines at a Reno polling place malfunctioned at the same time due to a failure to change paper. The problem backed up lines and caused the site to stay open until about 10 p.m., three hours past closing. In Reno, at least two voters complained that their votes were erroneously recorded. Machines, which resemble ATMs or computers, began to work again after they were shut down and restarted. Two machines malfunctioned at separate polling places in Las Vegas. Audits of random machines to be completed by all 17 Nevada counties by Tuesday.

114 Electronic voting
Poll site voting, no networking
– Already in use today in the form of Direct Recording Electronic (DRE) machines
Poll site voting via networked voting machines
Poll site voting via networked PCs
Kiosk voting - voting via networked PCs or voting machines at kiosks, not necessarily at traditional polling places
Vote from home (or anywhere else)

115 Enthusiasm for evoting growing
Despite increasing realization of problems
Technology solves all sorts of other problems, why not voting?
People like the vision of voting in their PJs
Belief that evoting will increase voter turnout

116 Internet Voting
Where?
– Polling place
– Kiosks
– Home
– Anywhere

117 Internet Voting Benefits
Convenience
– Accessibility in all weather, all ages
– Vote anywhere, maybe even from cellphone
– Availability of candidate information
Maybe lower operating cost (maybe not)
– if regular polling places are eliminated

118 Internet Voting Risks
Digital divide
– People without Internet access
– People without computer skills
Security, trust
Casual environment
Open to the world

119 Internet Voting Security Risks
Bugs
Backdoors to manipulation
Malicious code
COTS (Commercial Off-the-Shelf Software), e.g. Windows, may contain exploits
Insider attacks
– Compromising results
– Compromising privacy
Client attacks
– Operator (for Internet cafes)
– Worms, viruses, ActiveX, spyware

120 Internet Voting Security Risks
Denial of Service
– DDOS attacks on server
– Selective disenfranchisement
Spoof websites
– Fake “official” site: captures voting credentials, issues fake acknowledgement, then casts real vote differently
Promotion of coercion
– Automated credential-selling
– Installation of watcher software

121 Gauging election risks and threats
Risks and threats vary depending on:
– Type of election (public vs. private)
– Consequences of a successful attack
– Value of election outcome to potential adversaries
– Expertise, skill & resources needed to disrupt
– Level of motivation of potential attackers
– Amount of disruption needed to sway the election or call its outcome into doubt
– Consequences of a perception of unfair outcome

122 Internet voting in public elections
Social issues:
– Vote coercion
– Vote sale
– Vote solicitation (click here to vote, banner ads)
Technical issues:
– Securing the platform
– Securing the communications channel
– Assuring availability of the network
– Registration issues, one vote per person, no dead voters
– Authentication in each direction
– Maintaining equitable costs (no poll tax, e.g. smartcard reader)

123 Can cryptography help?
Yes – using “mix-nets” (Chaum) and “voter-verified secret ballots” (Chaum; Neff)
Official ballot is electronic not paper.
Ballot is encrypted version of choices.
Ballots posted on public bulletin board.
Voter gets paper “receipt” so she can:
– Ensure that her ballot is properly posted
– Detect voting machine error or fraud
SOURCE: RON RIVEST

124 Voter needs evidence
That her vote is “cast as intended”:
That her ballot is indeed encryption of her choices, and what her ballot is.
This is extremely challenging, since
She can’t compute much herself
She can’t take away anything that would allow her to prove how she voted
So: she takes away evidence that allows her (as she exits polling site) to detect whether cheating occurred, and receipt to prove what her ballot is.
SOURCE: RON RIVEST

125 Everyone needs evidence
That votes are “counted as cast”:
That mix-servers (“mixes”) properly permute and re-encrypt ballots.
This is challenging, since
Mixes cannot reveal the permutation they applied to ballots
That trustees properly decrypt the permuted ballots
This is relatively straightforward, using known techniques.
This is “universal verifiability”
SOURCE: RON RIVEST

126 A Simplistic Voting Protocol
[Diagram labels: Voter, Validator, Tallier; BALLOT; Voter’s Private Key, Voter’s Public Key, Tallier’s Public Key, Tallier’s Private Key]
* Tallier and validator can collude to violate privacy

127 Sensus
A design and prototype implementation of an electronic voting system
Based on Fujioka, Okamoto, Ohta (FOO) protocol
Implemented in C and Perl on a Unix system
This is one example of the many electronic voting protocols
References
– Fujioka, A., Okamoto, T., and Ohta, K. A practical secret voting scheme for large scale elections. In Advances in Cryptology - AUSCRYPT '92, Springer-Verlag, Berlin. 1993, pp. 244-251.
– Cranor, L. and Cytron, R. Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA. http://lorrie.cranor.org/pubs/hicss/

128 Blind Signatures
Allow someone to sign a document without knowing what they are signing
Like signing the outside of an envelope with carbon paper and a document inside

129 Blind Signatures
All arithmetic is mod $n$
Blinding (performed by voter):
– choose a random blinding factor $r$
– compute and present for signing: $m \times r^e$, where $m$ is the message, $e$ = encryption (public) key
Signing (performed by validator):
– compute $(m \times r^e)^d$, where $d$ = decryption (private) key
– this is equal to $r \times m^d$
Unblinding (performed by voter):
– compute $r \times m^d / r = m^d$

130 The Sensus Polling Protocol
Pollster - the user’s agent - trusted by user
Validator - validates ballots (without seeing content of ballots)
Tallier - counts validated ballots and reports results (without knowing which voter voted which ballot)
Registrar - registers voters

131 The Pollster prepares the ballot
Presents ballot questions to user and records answers
Generates key pair and seals ballot
Blinds sealed ballot
Signs blinded, sealed ballot

132 The Sensus Polling Protocol
[Diagram: Validator, Pollster, Tallier. Message 1: blinded, sealed ballot; ID number; signature]

133 The Sensus Polling Protocol
[Diagram: Validator, Pollster, Tallier. Message 2: signed, blinded, sealed ballot]

134 The Sensus Polling Protocol
[Diagram: Validator, Pollster, Tallier. Message 3: sealed ballot, signed by validator]

135 The Sensus Polling Protocol
[Diagram: Validator, Pollster, Tallier. Message 4: sealed ballot, signed by tallier; receipt #]

136 The Sensus Polling Protocol
[Diagram: Validator, Pollster, Tallier. Message 5: receipt #; key to unseal ballot]

137 The Sensus Polling Protocol
[Diagram: Validator, Pollster, Tallier with messages 1 to 5]
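
Added example (not part of the slides and not the Sensus code, which was written in C and Perl): the blind-signature arithmetic from slide 129 applied to messages 1 to 3 of the Sensus protocol above, in Python. The toy RSA key, the SHA-256 digest used as m, the voter ID and the one-signature-per-ID check are assumptions made for illustration; the pollster's own signature and messages 4 and 5 are left out.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the validator (two Mersenne primes); far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537                      # public key (n, e)
D = pow(E, -1, (P - 1) * (Q - 1))        # private key d, held by the validator

def ballot_digest(sealed_ballot):
    """Assumption: the signed message m is SHA-256(sealed ballot) reduced mod n."""
    return int.from_bytes(hashlib.sha256(sealed_ballot).digest(), "big") % N

def blind(m):
    """Voter: pick a random r coprime to n, return (m * r^e mod n, r)."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (m * pow(r, E, N)) % N, r

class Validator:
    """Signs one blinded ballot per registered voter ID without ever seeing m."""
    def __init__(self, registered):
        self.registered, self.voted = set(registered), set()
    def sign_blinded(self, voter_id, blinded):
        if voter_id not in self.registered or voter_id in self.voted:
            return None                  # unknown voter or second request: refuse
        self.voted.add(voter_id)
        return pow(blinded, D, N)        # (m * r^e)^d = r * m^d  (mod n)

def unblind(blind_sig, r):
    """Voter: divide out r, leaving m^d mod n, an ordinary RSA signature on m."""
    return (blind_sig * pow(r, -1, N)) % N

def tallier_accepts(sealed_ballot, sig):
    """Tallier: verify the validator's signature with the public key only."""
    return pow(sig, E, N) == ballot_digest(sealed_ballot)

def run_demo():
    sealed = b"constructed sealed ballot bytes"   # stands in for a sealed ballot
    m = ballot_digest(sealed)
    validator = Validator({"voter-17"})           # hypothetical voter ID
    blinded, r = blind(m)                                            # message 1
    sig = unblind(validator.sign_blinded("voter-17", blinded), r)    # message 2
    again = validator.sign_blinded("voter-17", blinded)   # second request by same ID
    return {"hidden": blinded != m, "valid": tallier_accepts(sealed, sig),  # message 3
            "forged": tallier_accepts(b"other ballot", sig), "second": again is not None}

if __name__ == "__main__":
    print(run_demo())
```

The validator only ever handles the blinded value, yet the unblinded signature verifies at the tallier, which is what lets the tallier count a validated ballot without learning which voter ID it was signed for.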

138 Sensus assumptions
Communication occurs over an anonymous channel
Machines (along with secrets on them) are secure (including users’ machines!)
Messages are not likely to arrive at validator and tallier in the same order
Strong encryption
Election is not disrupted due to denial of service attacks, power outages, etc.
Can we count on these assumptions to be true?

139 Even if these assumptions hold
If voters abstain, validator may submit ballots for them
– These invalid ballots may be detected, but not corrected
Voters can prove how they voted (and sell their votes)
Only weak verifiability (voters can verify their votes but not third-party)

140 Homework 7 discussion
ApplyYourself.com
– Hackers?
– Ethical?
– Rejected?

