UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS What’s Right With...

UNIVERSITY LECTURE SERIES OCTOBER 12, 2006

COPYRIGHT © 2006 MICHAEL I. SHAMOS

What’s Right WithElectronic Voting?

Michael I. Shamos, Ph.D., J.D.Institute for Software ResearchSchool of Computer ScienceCarnegie Mellon University



Electronic Voting Horror Stories



Questions

• Is electronic voting secure?• Is there anything good about it?• If not, why do we use it?• Why can’t we just vote with paper ballots?• Do paper trails solve the problems?



My Background

• Computerized voting system examiner for– Massachusetts (2006- )– Pennsylvania (1980-2000, 2004- )– Texas (1987-2000)– Delaware (1989)– West Virginia (1982)– Nevada (1995)

• Performed 119 voting system examinations• Testified before Congress 4 times• Taught voting system testing at NIST• Expert witness in 5 electronic voting cases



Outline

• Voting in the U.S.• Voting system requirements• Voting methods (opscan, DRE)• Problems with electronic voting• Rating different voting methods



Pennsylvania Counties

SOURCE: ELECTIONLINE.ORG

ALLEGHENYCOUNTY

BLUE, GREEN, PURPLE, YELLOW: electronicRED: optical scan

http://www.electionline.org/interactiveMap_result.jsp?state=PA&stateText=Pennsylvania&topicText=Voting%20System%20Used&topic_string=22:votingsystemtypemain

Allegheny County

CITY OFPITTSBURGH

= CMU

Ohio River

AlleghenyRiver

MonongahelaRiver

5th Ave.

(Precincts)

Pittsburgh East End Wards and Precincts

14th City Ward

5th Ave.

Pittsburgh East End Political Districts

43rd Senate23rd House8th City Council11th County Council



U.S. Voting HistoryColonies: Voice voting to officials in public

Early 1800s: Handwritten paper ballots

1850 - today: Rampant paper ballot fraud

1888: Secret paper (Australian) ballot in U.S.

1892: Lever machine to“protect mechanically the voter from rascaldom”

1960s: Punched cards

1970s: Optical scan

1978: Direct-recording electronic systems

2000: Florida!

2002: Help America Vote Act (HAVA)

2006: Widespread electronic voting



Paper Ballots

Australian (secret) ballot (U.S., 1888)

SOURCE: DOUGLAS W. JONES



Voting System Functions

• Present the correct ballot clearly to each voter– including disabled & foreign language– must warn of overvotes

• Capture the voter’s choices unambiguously– binary (yes/no) is best

• Record the voter’s choices securely– prevent tampering

• Tabulate and report the correct totals• Provide an audit mechanism

– permanent paper record



Principal Methods of U.S. Voting

• The Help America Vote Act (HAVA, 2002) banned– Punched-card voting (implicitly)– Lever machines (implicitly)– Hand-counted paper ballots (mostly)

• We are left with– Optical scan, counted at precinct– Optical scan, counted centrally (with restrictions)– Direct-recording electronic (DRE)



Full Opscan Ballot (Too Big to Fit)

• Marin County, CA (2006)• 30 races, 98 candidates• 30 propositions• 3 sheets, 6 sides• Paper trail would be 6 feet long for each voter

– 10 contests per foot, 60 contests



Optical Scan Problems

• Issues:– Dark/light marks, wrong ink– Printing trickery – Voter intent?

• Marks are not binary• Machine does not see what

the human sees– Visible v. infrared

• Disabled can’t vote without an assistive device (ballot marker)

COMPLETE THE ARROW:



SOURCE: HAWAII ADMIN. REGS. §2-51-85.2

What Constitutes a Vote?

• To avoid a repeat of Florida 2000, HAVA required all states to define “what constitutes a vote”

• They all did it differently



Legal/Constitutional Requirements

• Voter secrecy– We can’t tell how she voted– She can’t prove how she voted

• Overvote warning• Security against tampering• Permanent paper record of each vote cast, with

audit capacity• Disabled accessibility• Alternative language accessibility

+ LOTS of state requirements (> 100)



Electronic Voting Demo

Electronic Voting• Voter interacts with a computer to select and record her choices• No “document ballot”

POLLINGPLACE

FULL BALLOT RECORDED ON1. MULTIPLE INTERNAL MEDIA; AND2. PAPER; AND3. REMOVABLE MEMORY DEVICE (PCMCIA CARD)

COUNTYOFFICE

BUILDING

AT CLOSE OF POLLS:TOTALS TAPE PRODUCED,SIGNED BY JUDGES

THIS IS THE OFFICIAL RETURN

TOTALS TAPE POSTEDIN POLLING PLACE

COPY OF TAPE SENTTO COUNTY

RANDOMIZED AUDITTRAIL PRINTED – CANBE USED FOR RECOUNT

MEMORYCARDREMOVED

MEMORYCARD SENTTO COUNTY

UNOFFICIAL VOTETOTALS PRODUCED,GIVEN TO MEDIA

WEEKS LATER:OFFICIAL CANVASSBASED ON OFFICIALRETURNS



Determining Winners with DREs

VOTERSVOTE

ELECTION DAY

ELECTRONICMEDIA SENT

TO TABULATIONCENTER

RESULTS TABULATED,RELEASED TO PRESS

ELECTION NIGHT

TOTALSPRINTED OUT AT

PRECINCT,SIGNED BY

JUDGES

TOTALSREPORT

POSTED ATPRECINCT

TOTALSREPORTS SENT TOCOUNTY

UNOFFICIALONLY!

WEEKS LATER

CANVASS BYCOUNTY

ELECTIONSBOARD

WINNERSCERTIFIED

OFFICIALRESULTS





Tarrant County Canvass, 3/7/06

Examining/Testing Voting Machines

SYSTEM DEVELOPED BY VENDOR

SYSTEM SUBMITTED

FOR FEDERAL QUALIFICATION

SYSTEM TESTED TO NIST STANDARDS BY

INDEPENDENT TESTING AUTHORITY (ITA)

ITA CREATES“WITNESS BUILD”

OF SYSTEM

SYSTEM NOW “FEDERALLY QUALIFIED”

SYSTEM SUBMITTED FOR STATE

CERTIFICATION

SYSTEM TESTED TO STATE STANDARDS

AND FOR HAVA COMPLIANCE BY

EXAMINER

SECRETARY OF STATE CERTIFES

SYSTEMSYSTEM NOW

“STATE CERTIFIED”

COUNTY BUYS SYSTEM,

RECEIVES SOFTWARE FROM ITA

COUNTY PERFORMS

ACCEPTANCE TESTING

PARTIES NOTIFIED 40 DAYS IN

ADVANCE OF ELECTION SETUP

SYSTEM READY FOR ELECTION SETUP

COUNTY SETS UP MACHINES FOR ELECTION

(PUBLIC)

PRE-ELECTION LOGIC AND ACCURACY

TESTING (PUBLIC)

MACHINES ARE SEALED

SYSTEM READY FOR ELECTION



Voter Verification

1. Was my vote recorded properly?

2. Was my vote counted?

3. What can I do if I think it wasn’t?

4. Will my vote be around in case of a recount?

5. Was everyone who voted authorized?

• Optical scan voting solves (1)• DRE voting is auditable, but not voter-verified



VVPAT

• VVPAT = voter-verified paper audit trail• Produce a paper document that the voter can view

before casting the ballot to verify that the vote was captured correctly

• Retain the paper document to be used for a recount, if necessary. DEMO

• The VVPAT provides proof that the vote was recorded properly (at least on the paper)

• VVPAT SHOULD list all candidates presented to voter, even ones that were not voted for

http://www.sequoiavote.com/demo.php?lang=vv



VVPAT Problems• No secrecy: ballots recorded sequentially

• Blind voters can’t read it

• Long paper trail, e.g. 6 feet per voter

• Can’t count it (8 weeks in Cuyahoga County, OH)

• Sacramento, CA: 20 minutes per ballot, 4 people each

• Recounting CA would take 8000 man-years– Mandatory 5%? 400 man-years in one week = 20,000 people

• University of Maryland: 1-3% of voters verified

• Cuyahoga County, OH primary May 2006• 10% of paper records found illegible, tampered with

or completely missing



Counting the VVPAT

SOURCE: ELECTION SCIENCE INSTITUTE

http://www.electionscience.org/



Counting the VVPAT





Counting the VVPAT





The Hursti II Attack

• Harri Hursti (2/06), repeated by Felten (9/06)• Attack on Diebold touchscreen units• Given access to the machine, its software can be

replaced quickly, i.e., a few minutes• Not a bug, but a “feature” to permit rapid upgrade

• Can the intrusion be detected?• Can the exploit be disabled?



Machine Reliability

• The 2002 Federal standards require a mean time between failures (MTBF) of at least 163 hours

• Under the exponential failure model, 10% of voting machines will fail within 18 hours! Unacceptable!

• In practice, 20% of VVPAT machines fail on Election Day

• “Failure” does not mean loss of votes, but inability to continue voting



Comparison of Voting Methods

DRE, NO VVPAT

DRE WITH VVPAT

(CURRENT)

PRECINCT OPSCAN (PCOS)

PCOS & BALLOT MARKER

Security 7

Secrecy 9

Accessibility 9

Usability 9

Reliability 6

TOTALS




DRE, NO VVPAT

DRE WITH VVPAT

(CURRENT)



Security 7 9

Secrecy 9 2

Accessibility 9 5

Usability 9 6

Reliability 6 3

TOTALS




DRE, NO VVPAT

DRE WITH VVPAT

(CURRENT)



Security 7 9 4

Secrecy 9 2 8

Accessibility 9 5 0

Usability 9 6 5

Reliability 6 3 9

TOTALS




DRE, NO VVPAT

DRE WITH VVPAT

(CURRENT)



Security 7 9 4 6

Secrecy 9 2 8 9

Accessibility 9 5 0 9

Usability 9 6 5 9

Reliability 6 3 9 7

TOTALS




DRE, NO VVPAT

DRE WITH VVPAT

(CURRENT)



Security 7 9 4 6

Secrecy 9 2 8 9

Accessibility 9 5 0 9

Usability 9 6 5 9

Reliability 6 3 9 7

TOTALS 40 25 26 40



QA&


8th City Council District


11th County Council District


23rd Pennsylvania House District


43rd Pennsylvania Senate District

Pennsylvania Voting Methods (2006)

SOURCE: ELECTIONLINE.ORG

ALLEGHENYCOUNTY

ES&S iVotronicES&S 100 &iVotronic

ES&S 100AutoMark

Advanced WinVote

ES&S 650AutoMark

Diebold TSx

Danaher 1242

Sequoia Edge

Hart InterCiviceSlate Sequoia Advantage Hart InterCivic

eScan/eSlate

PAGED DRE FULL-FACE DRE DRE & OPTICAL OPTICAL

http://www.electionline.org/interactiveMap_result.jsp?state=PA&stateText=Pennsylvania&topicText=Voting%20System%20Used&topic_string=22:votingsystemtypemain

Pennsylvania Voting Systems (2006)

ES&S iVOTRONICTOUCHSCREEN

ES&S iVOTRONIC+ M100 OPTICAL

ES&S iVOTRONIC+ M100 + AUTOMARK

ES&S 650OPTICAL

DIEBOLD TSXTOUCHSCREEN

ADVANCEDWINVOTE

SEQUOIA EDGETOUCHSCREEN

DANAHER 1242FULL-FACE DRE

SEQUOIA ADVANTAGEFULL-FACE DRE

HART ESLATEDRE

HART ESLATE+ ESCAN



What’s the Best Voting Method?

• HAVA requires– vote verification, correction §301(a)(1)(A)(i)

– overvote warning §301(a)(1)(A)(iii)

– permanent paper record §301(a)(2)(B)(i)

– disabled accessibility §301(a)(3)(A)

– alternative language accessibility §301(a)(4)

• States require– secrecy– security– reliability– usability



Desirable Voting System Characteristics

• Secret• Accurate• Eligible voters• Vote once only• Tamper-proof• Reliable• Auditable• No vote-buying

(receipt-free)

• Verifiable• Non-coercible• Transparent

MOST STATESREQUIRE

NO STATES REQUIRE(except coercion is a crime)



Voting System Requirements

• Accuracy• Secrecy• Security• Auditability• No take-home receipts• No identifiable ballots

– Pennsylvania law: “No ballot which is so marked as to be capable of identification shall be counted.” 25 P.S. §3063(a)

• Conformance with state law



Federal Requirements (2006)

• Overvote warning• Permanent paper record• Correct ballot before casting• Disabled accessibility• Multiple languages and alphabets (LA County: 12)



Sample State Laws

• Ballot complexity, e.g. 135 candidates • Vote-for-many (e.g. 25 out of 87)• Straight-party voting• Write-ins• Early voting• Ballot rotation• Provisional ballots• “Fleeing voter”



Why Don’t We Have Paper Trails in Pennsylvania?

• No one makes a paper trail machine that conforms to Pennsylvania law

• Several violate multiple provisions, particularly secrecy

Date post:	21-Dec-2015
Category:	Documents
View:	213 times
Download:	0 times

UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS What’s Right With...

Documents