Electronic Voting Systems: A Brief Look at the Current Issues and Some Possible Improvements

Mswe601 Research Presentation, Andrew Notarian


Page 1: Mswe601 Research Presentation Andrew Notarian

Electronic Voting Systems

A Brief Look at the Current Issues and Some Possible Improvements

Andrew Notarian

Page 2: Help America Vote Act (HAVA)

► Reaction to 2000 Voting Controversy
► Gives States Funds to Replace Equipment
► Uniform Equipment Across a State
► Better Accessibility
► January 2006 Deadline
► Most States Bought Electronic Voting Machines

Source: http://concise.britannica.com/

Page 3: Direct Record Electronic (DRE) Voting Machines

► Analogous to Mechanical Lever Machines
► No Paper Ballot
► Selections are stored on a memory device

Source: Feldman, Felten & Wallach 2006

Page 4: Controversy

► Crashes and Bugs Already Observed
► One NC County lost 4,500 to 12,000 votes in 2004 because of a technical problem
► Recent elections have been very close, so accuracy is more important than usual
► Widespread Reports of Security and Privacy Problems from CS Community

Page 5: Real Time Controversy

► Blogs, Security & University web sites are the scene of the pro-security side
► DRE Vendor Web sites post documents intending to discredit unfavorable security studies
► Peer-Reviewed Papers and Conferences are often bypassed in the interest of “getting it out there”.

Page 6: An Independent Assessment

► National Research Council (NRC) convenes a committee in 2004 to investigate e-voting
► Co-chairs: Two former State Governors
► Receive Testimony from Industry experts, policy makers across the political spectrum
► Final Report released in early 2006

www.cstb.org

Page 7: NRC Key Areas of Concern

► Security
► Usability & Human Factors
► Life Cycle
► Poll Worker Training
► Data
► Public Confidence
► Testing, Certification & Evaluation
► Funding & Sustaining Improvement
► Election Institutions
► The Role of the Private Sector in Election Administration

Page 8: Security: JHU Study, 2003

► Diebold AccuVote-TS 4.3.1 Source Code Leaked
► C++ code for a Windows CE platform
► Coding Style seems immature, ad-hoc
► DES key stored in plaintext throughout
► Etc. etc.
► Conclusion: AccuVote not ready for use in a general election

Page 9: Security: Maryland Reacts

► MD had just purchased $56.6 million of Diebold AccuVote units around the time the JHU Study went public
► MD orders SAIC to conduct a security assessment – mostly agrees with JHU
► MD orders RABA Technologies to perform a second assessment – mostly validates JHU Findings
► SAIC and RABA had access to a newer, more complete code base

Page 10: Security: Princeton Study, 2006

► Princeton Researchers buy an AccuVote machine through a private channel
► They tinker and find ways to break it
► AccuVote unit and software version as purchased had been widely used in actual elections, and had been accredited by the National Association of State Election Directors (NASED)

Page 11: Security: Princeton Findings

► Easy to disrupt voting process through injected virus, Denial of Service
► Possible to inject code to change vote counts with physical access to machine for 60 seconds
► Physical locks on the devices are easily obtained on the Internet (e.g. “mini-bar keys” were the same)
► Issues found in 2003 JHU Study still not addressed

Page 12: Security: Princeton Proof of Concept

► A “Vote Stealing Control Panel” was injected into the AccuVote because the device automatically looks to removable storage for code to run (“AutoRun”)
► External Storage Devices are also not encrypted
► Vote Stealing leaves no traces

Source: Feldman, Felten & Wallach 2006

Page 13: Security: Not Just Diebold

► A group of concerned citizens performed their own analysis of Nedap DREs used in Europe
► Many security & privacy issues were discovered
► Ireland chose not to deploy their new Nedap machines as a result
► Germany did a bitwise code audit before and after their elections
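The before-and-after audit on this slide is, in practice, a comparison of cryptographic digests of every file in the device's software image: record the digests of the certified image before the election, keep that manifest off the device, and recompute after the election to show the code ran bit-for-bit unchanged. The following is an added example, not code from the slides or from any election authority; the file names and contents are constructed samples, and the function names are this example's own.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for the software image on a voting device (not a real product's files).
# A real audit would read each binary and configuration file from the device itself.
DEVICE_IMAGE_BEFORE: Dict[str, bytes] = {
    "bin/ballot_ui": b"ballot user interface build 4.3.1 (constructed sample)",
    "bin/tally": b"tally engine build 4.3.1 (constructed sample)",
    "etc/ballot_definition.xml": b"<ballot><contest id='1'/></ballot>",
}


def build_manifest(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map every path to the SHA-256 hex digest of its contents.

    The manifest produced before the election is the reference copy; it must be stored
    off the device (and ideally signed) so that the device itself cannot alter it.
    """
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def diff_manifests(before: Dict[str, str], after: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as unchanged, modified, added or missing between two manifests."""
    report: Dict[str, List[str]] = {"unchanged": [], "modified": [], "added": [], "missing": []}
    for path, digest in before.items():
        if path not in after:
            report["missing"].append(path)
        elif after[path] != digest:
            report["modified"].append(path)
        else:
            report["unchanged"].append(path)
    report["added"] = [path for path in after if path not in before]
    for key in report:
        report[key].sort()
    return report


def audit_passed(report: Dict[str, List[str]]) -> bool:
    """The image matches the certified one only if nothing changed, appeared or vanished."""
    return not (report["modified"] or report["added"] or report["missing"])


if __name__ == "__main__":
    reference = build_manifest(DEVICE_IMAGE_BEFORE)
    # Constructed post-election image: one binary altered, one file that was never certified.
    after_election = dict(DEVICE_IMAGE_BEFORE)
    after_election["bin/tally"] = b"tally engine build 4.3.1 (constructed sample, altered)"
    after_election["bin/unexpected"] = b"file not present in the certified image"
    report = diff_manifests(reference, build_manifest(after_election))
    print("audit passed:", audit_passed(report))
    print(report)
```

Added files matter as much as modified ones: a digest-only comparison of known paths would miss code that was dropped onto the device, which is why the report lists additions separately and `audit_passed` treats them as a failure.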

Page 14: Usability & Human Factors

► NRC found that sufficient usability studies of DREs had not been conducted
► Voters should be given ample opportunities to practice using the machines before and during election day

Page 15: Life Cycle

► Election Boards used to buying equipment that will last decades
► Voting Machines will fail and become obsolete much quicker
► What happens if the vendor goes out of business?
► What happens if the memory cards are no longer on the market?
► Smaller election bodies may not have mature approaches to procurement (risk analysis, etc.)

Page 16: Poll Worker Training

► Most poll workers and election judges want more training
► Between the 2006 Primary and Election, MD provided re-training opportunities
► Most poll workers not tech savvy
► Polling Stations need mature tech support infrastructure, i.e. places to go for help

Page 17: Testing, Certification & Evaluation

► IEEE was/is developing a Standard for Voting Machine evaluation (1583)
► Electronic Frontier Foundation fought the standard because it did not address security, reliability, accuracy, accessibility
► NRC recommends independent Voting Device certification body (a UL type, or a new body within a National Laboratory)

Page 18: Ideas: Gambling Industry

► NRC received testimony from NV/NJ
► Gambling Computers are heavily regulated, made by licensed vendors, inspected often
► Assumption is that people will try to cheat
► Testing, testing, testing
► Formal Dispute Resolution process if any given party suspects they’ve been cheated
► Voting Industry could learn from this

Page 19: Ideas: Voter Verified Paper Trail (VVPAT)

► Paper receipts could allow voters to see that the machine “got it right”
► Paper receipts could serve as a backup vote counting mechanism
► Parallel Testing: compare paper vote count to DRE count
► Paper Receipt could be printed onto optical scan cards

Page 20: Ideas: Fancy VVPAT

► David Chaum proposed encrypted paper receipts, which come in two laminated layers
► Separating the layers makes the receipt unreadable, one layer discarded
► Entering the serial number at the election website provides an image of the lost layer and makes the receipt readable again
► Probably too complicated…
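The property the slide describes, that neither layer alone shows the ballot but the two together do, is a two-share secret-sharing split of the receipt image. The following added example is a simplified model of that idea, not Chaum's actual scheme and not code from the slides: it treats each pixel as a bit and models overlaying the two layers as XOR, so one layer is uniformly random and the other is image XOR random. The receipt image, the serial numbers and the `ElectionWebsite` class are constructed for this example.

```python
import secrets
from typing import Dict, List, Tuple

Bitmap = List[List[int]]  # rows of pixels, 1 = dark, 0 = light

# Constructed 5x7 receipt image (the letter "A"); a real receipt would encode the ballot.
RECEIPT_IMAGE: Bitmap = [
    [0, 1, 1, 1, 0],
    [1, 0, 0, 0, 1],
    [1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1],
    [1, 0, 0, 0, 1],
    [1, 0, 0, 0, 1],
    [1, 0, 0, 0, 1],
]


def split_into_layers(image: Bitmap) -> Tuple[Bitmap, Bitmap]:
    """Produce two layers whose overlay (modelled as XOR) is the image.

    The first layer is uniformly random and the second is image XOR first, so either
    layer on its own is indistinguishable from random noise and reveals nothing.
    """
    layer_a = [[secrets.randbits(1) for _ in row] for row in image]
    layer_b = [[a ^ p for a, p in zip(row_a, row_img)] for row_a, row_img in zip(layer_a, image)]
    return layer_a, layer_b


def overlay(layer_a: Bitmap, layer_b: Bitmap) -> Bitmap:
    """Recombine two layers; only both together reproduce the original image."""
    return [[a ^ b for a, b in zip(row_a, row_b)] for row_a, row_b in zip(layer_a, layer_b)]


def render(bitmap: Bitmap) -> str:
    """ASCII rendering, so the layers and the overlay can be eyeballed."""
    return "\n".join("".join("#" if px else "." for px in row) for row in bitmap)


class ElectionWebsite:
    """Keeps the discarded layer for each receipt serial, as the slide describes (assumed API)."""

    def __init__(self) -> None:
        self._discarded_layers: Dict[str, Bitmap] = {}

    def issue_receipt(self, serial: str, image: Bitmap) -> Bitmap:
        """Split the image; keep one layer on file and hand the other to the voter."""
        voter_layer, website_layer = split_into_layers(image)
        self._discarded_layers[serial] = website_layer
        return voter_layer

    def recover_image(self, serial: str, voter_layer: Bitmap) -> Bitmap:
        """Make the voter's receipt readable again by overlaying the layer on file."""
        if serial not in self._discarded_layers:
            raise KeyError(f"no layer on file for receipt {serial}")
        return overlay(voter_layer, self._discarded_layers[serial])


if __name__ == "__main__":
    site = ElectionWebsite()
    kept = site.issue_receipt("R-000042", RECEIPT_IMAGE)
    print("voter's layer alone:\n" + render(kept))
    print("\nafter entering the serial at the website:\n" + render(site.recover_image("R-000042", kept)))
```

Run it a few times and the voter's layer looks different each time while the recovered image is always the same; that is the whole point of the split. The model also makes the trade-off visible: whoever holds the layer on file can read every receipt once they see the voter's copy, so the website's store is the part that needs protecting.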

Page 21: Ideas: My Fancy VVPAT Idea

► Feed parameters about the vote (machine serial number, time/date, candidate selections, etc.) through a one-way hash
► Print that hash onto a paper receipt graphically
► Allow voter to enter receipt serial number at election website and see that the hash image on file matches the receipt – i.e. the vote hasn’t been modified
► Also, definitely don’t use thermal printers for these VVPAT receipts
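The three steps on this slide (hash the vote parameters, print the hash, recompute and compare on request) are shown below as an added example; it is not code from the slides and the `ElectionRecords` class, its method names and the sample vote are constructed for illustration. One addition the slide does not mention: candidate selections have only a handful of possible values, so a hash over the listed parameters alone could be matched against every possible ballot by anyone holding the receipt; the example therefore mixes a random per-ballot nonce into the hash, and that nonce is this example's assumption. The check recomputes the hash from the stored vote rather than comparing two stored copies, so an altered stored selection shows up as a mismatch.

```python
import hashlib
import hmac
import json
import secrets
from typing import Any, Dict


def vote_digest(machine_serial: str, cast_time: str, selections: Dict[str, str], nonce: str) -> str:
    """One-way hash over the vote parameters from the slide plus a per-ballot nonce.

    Fields are serialised canonically (sorted keys, no whitespace) so the same vote
    always hashes to the same value regardless of dictionary ordering.
    """
    record = {"machine": machine_serial, "time": cast_time, "selections": selections, "nonce": nonce}
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


class ElectionRecords:
    """Vote store plus the receipt-check endpoint an election website would expose (assumed API)."""

    def __init__(self) -> None:
        self._votes: Dict[str, Dict[str, Any]] = {}

    def record_vote(self, receipt_serial: str, machine_serial: str, cast_time: str,
                    selections: Dict[str, str]) -> str:
        """Store the vote and return the digest to print (graphically) on the receipt."""
        nonce = secrets.token_hex(16)  # assumption of this example; not on the slide
        digest = vote_digest(machine_serial, cast_time, selections, nonce)
        self._votes[receipt_serial] = {
            "machine": machine_serial,
            "time": cast_time,
            "selections": dict(selections),
            "nonce": nonce,
        }
        return digest

    def verify_receipt(self, receipt_serial: str, printed_digest: str) -> bool:
        """Recompute the hash from the stored vote and compare it with the receipt.

        Returns only a yes/no answer, so the website never has to display the selections.
        """
        vote = self._votes.get(receipt_serial)
        if vote is None:
            return False
        recomputed = vote_digest(vote["machine"], vote["time"], vote["selections"], vote["nonce"])
        return hmac.compare_digest(recomputed, printed_digest)

    def stored_vote(self, receipt_serial: str) -> Dict[str, Any]:
        """Direct access to the stored record; used here only to simulate a modified vote."""
        return self._votes[receipt_serial]


if __name__ == "__main__":
    records = ElectionRecords()
    # Constructed sample vote; the digest is what the printer would render on the receipt.
    digest = records.record_vote("R-000123", "DRE-17", "2006-11-07T09:15:00", {"governor": "Candidate A"})
    print("receipt matches stored vote:", records.verify_receipt("R-000123", digest))
    records.stored_vote("R-000123")["selections"]["governor"] = "Candidate B"
    print("after the stored vote is altered:", records.verify_receipt("R-000123", digest))
```

Note what the check does and does not prove: a match shows the stored record agrees with what was printed at casting time, which is the slide's goal, but it says nothing about whether the machine recorded what the voter intended in the first place; that part still needs the human-readable receipt from the previous slides.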

Page 22: Ideas: Open Source Software

► Many computer scientists believe open code is more secure (lots of free testers)
► Most software vendors believe closed code is more secure (problems are unknown)
► Australia posts the source code of their voting system online as a .ZIP archive
► Belgium allowed public inspection of voting code to increase confidence

Page 23: Ideas: Open Source Software

► DREs cost around $5000 each
► $100 Linux Laptops could run open-source voting software, much cheaper
► The simpler the code, the less room for security issues to creep in
► Windows CE full of functionality a voting machine doesn’t need

Page 24: Conclusions

► HAVA’s January 2006 Deadline seemed to make states rush to buy voting systems not ready for wide use
► Great Advantages to e-voting: speed, accessibility, etc.
► Electronic Voting Security & Privacy will improve with time. The technologies are still very immature.
► Formal independent Certification and Testing is a must
► Voter Verified Paper Audit Trails could help gain voter trust, prove that DREs are accurate
► Security problems must be addressed, not discredited
► Consider open-source software as appropriate