Electronic%20Voting%20Down%20for%20the%20Count?

1
Electronic VotingDown for the Count?

• Charles P Riedesel
• University of Nebraska, Lincoln
• Computer Science Engineering

2
Where I am coming from

• Mathematician fair elections are impossible
• Computer scientist/engineer designing
  errorless/unhackable computer hardware and
  software is impossible
• Politition fooling the people all the time is
  impossible

3
Where am I coming from?

• I teach computer organization By the end of
  freshman year my students can design the
  circuitry of a functional computer. I know how
  to hide an Easter Egg in hardware that is
  virtually impossible to find.
• Counterfeit chips are already a problem
• An Easter Egg is a surprise that can be uncovered
  by very particular actions, a Cryptic Knock
• Example MicroSoft Excel 97 had a hidden flight
  simulator, activated by keying at special cell
• Cryptic knocks can be used to wake up trojan
  horses!

4
Where am I coming from?

• I have taught operating systems and compiler
  construction at the jr/sr/grad level. With this
  knowledge we can replace and/or modify COTS
  (Commercial Off The Shelf) software to do things
  totally unexpected by unknowing programmers.

5
Where am I coming from?

• I have gone through a lot of the technical
  reports about voting systems hardware and
  software, and can make sense and comment of most
  of it. My colleagues who are more expert at
  communication networks and software engineering
  aspects can absorb it all.

6
Todays Agenda

• The role of elections in our democracy
• Makings of an election
• Rise and fall of the DRE
• Other players, organizations, documents
• Recommendations

7
The Role of Elections in Our Democracy

• Inherent mathematical flaws of elections
• An election is only a snapshot of those voting
• Weighted voting
• One person, one vote?
• Legitimacy based on trust
• Principles for a good election

8
Inherent Mathematical Flaws of Elections

• Winning is not transitive
• Three-way race with Alice, Bob and Calvin based
  on three equally important issues of abortion,
  taxes, and war.
• Voters prefer Alice, then Bob, then Calvin on
  abortion.
• Voters prefer Bob, then Calvin, then Alice on
  taxes.
• Voters prefer Calvin, then Alice, then Bob on war
• In two way races Alice beats Bob, Bob beats
  Calvin, and Calvin beats Alice!

9
An Election is only a Snapshot

• Elections are held on one day (usually)
• Polls demonstrate dynamics of a race
• Sensitive to late-breaking news, charges
• New information after the election
• Election really valid for 2, 4, or 6 years?

10
Weighted Voting

• What if Alice beats Bob, but it is only because
  51 mildly prefer Alice, but 49 detest Alice and
  adore Bob? Overall, Bob is better liked!
• What if Calvin beats Don 55 to 45. Instead of
  winner takes all, put both in office and weigh
  their single vote 55-45 on all issues!

11
One Person, One Vote?

• You are smart, well versed on issues.
• The idiot with an IQ of 40 on your right really
  has no idea what is going on.
• The blow-hard on your left is caught up in some
  single-issue thing.
• Should your vote really count the same as either
  of theirs?

12
Legitimacy Based on Trust

• Numerous flaws in elections
• Possibility of mathematically invalid results
• Can anyone find a better way?
• What level of imperfection can we tolerate?
• Essential that winners and losers alike buy in to
  the system and accept results

13
Principles for a Good Election

• Vote storage mechanisms should be
• Simple
• Reliable
• Durable (for the votes)
• Tamper-evident
• History-independent
• Subliminal-free
• Cost effective

14
Principles for a Good Election

• Voters need to know their vote is
• Accurately recorded
• Counted in the total
• Anonymous no way to track back who voted how
• Private no possible evidence to show anyone how
  he/she voted

15
Makings of an Election

• Voting system machinery
• GEMS
• Electronic Voting Machines
• DRE, DRE with VVPT, PCOS
• Process of an election
• Regulatory actors
• HAVA
• NIST, TGDC, EAC, STS
• ITAs ciber, Wyle Labs, SysTest Labs
• NASED
• FEC

16
Voting System Machinery

• GEMS General Election Management System the
  computer and software that takes in and processes
  the results from all the voting machines
• DRE Direct Recording Electronic voting machine
  votes recorded in software
• DRE with VVPT Voter Verifiable Paper Trail
  votes also recorded on paper
• PCOS Precinct Center Optical Scan scans and
  records vote upon being cast

17
Process of an Election

• Election Definition define races, candidates,
  districts, precincts
• Configure Voting Equipment, Print Ballots
  geography makes each precinct different
• Pre-Election Test Verify that everything is
  ready
• Election Day Open polls, vote, close polls
• Canvassing Compute and publish totals, archive
  results
• (Copied from a slide by Douglas Jones)

18
Regulatory Actors

• HAVA Help America Vote Act, 2002,
• Get rid of hanging chad,
• Eliminate mechanical voting machines,
• Central count for absentee ballots only,
• Promote accessibility for disabled voters,
• Fund new machines,
• Set up new agencies

19
Regulatory Actors

• NIST National Institute of Standards
  Technology technical advisor to
• TGDC Technical Guidelines Development Committee
  advisory board to
• (note Nebraska Secretary Of State John A. Gale
  is a member of TGDC!)
• EAC U.S. Elections Assistance Commission
  handful of presidential appointees
• STS Security and Transparency Subcommittee of
  TGDC Requiring Software Independence in VVSG
  2007 recommendation to TGDC 11/2006

20
Regulatory Actors

• ITAs Independent Testing Authorities
• Ciber employs standard methodologies for
  evaluating correctness and quality of software
• Jan 2007 in trouble for not following quality
  control procedures and lack of documentation
• Wyle Labs review source code, does hardware
  testing and functional testing of voting machines
• SysTest quality assurance, software test
  engineering, verification validation

21
Regulatory Actors

• NASED (National Organization of State Election
  Directors) under the
• Election Center to which the ITAs report, part of
  the old
• FEC (Federal Election Commission)

22
Rise and Fall of the DRE

• The Direct Recording Electronic machine
• Hopkins Report
• SAIC Report
• Compuware Report
• Raba Report
• VSTAAB Report
• Hursti II Report
• Princeton Report
• Nedap Report

23
Rise and Fall of the DRE

• Major makers of DREs are
• Sequoia
• Diebold
• ESS
• Policy of Security through Obscurity
• Fundamental Challenge electronic votes can
  evaporate with NO remaining evidence, unlike
  paper ballots
• Not a transparent process

24
Rise and Fall of the DRE

• Categories of Possible Attacks
• Corrupt software inserted prior to election day
• Wireless or other remote control attacks
• Attacks on tally servers
• Miscalibration of machines
• Shutting off voting machine features
• Denial-of-service attacks
• Corrupt poll workers actions
• Attacks on ballots or VVPT
• (thanks to Brennan Center for Justice)

25
Rise and Fall of the DRE

• Challenges for the Attacker
• Overcome vendor motivation
• Finding an insertion opportunity
• Obtaining technical knowledge
• Obtaining election knowledge
• Changing votes
• Eluding inspection
• Eluding testing and detection
• Avoiding detection after polls close
• (thanks to Brennan Center for Justice)

26
Rise and Fall of the DRE

• Hopkins Report Bev Harris discovered an ftp
  site for Diebold that contained the software for
  its DRE, the AccuVote-TS. She took it to Aviel
  Rubin of Stanford.
• Analysis of an Electronic Voting System by
  Aviel Rubin, et. al., 7/23/2003
• Based just on code analysis discovered numerous
  potential security problems and lax software
  engineering standards.

27
Rise and Fall of the DRE

• SAIC (Science Applications International
  Corporation) Report for Maryland State Board of
  Elections
• Risk Assessment Report Diebold AccuVote-TS
  Voting System and Processes, 9/2/2003
• Only 40 page redacted version (Diebolds
  agreement let them do it) ever released until
  nearly 200 page full version leaked 11/2006 by
  whistleblower
• Risk assessment responding to Hopkins Report,
  resolves many problems and hides others

28
Rise and Fall of the DRE

• Compuware (Corp.) Report
• Direct Recording Electronic (DRE) Technical
  Security Assessment Report, for the Ohio
  Secretary of State, 11/21/2003
• Security assessment and validation of four voting
  machines, including Diebolds AccuVote-TS
• About 275 pages with test scenarios, results, and
  any identified risks with risk level (of which
  are a number)
• Limited to the voting machine, not policies and
  processes

29
Rise and Fall of the DRE

• RABA (Technologies) Report for the state of
  Maryland
• Trusted Agent Report Diebold AccuVote-TS Voting
  System, January 20, 2004
• Security experts review the Diebold system, the
  SAIC report, and formed Red Team exercise to
  probe actual system setup
• Successfully hacked it and the GEMS server in
  multiple ways
• Considerable risks found, but with
  recommendations can be mitigated well enough for
  the primary
• More needed for general election - ultimately
  need paper receipts

30
Rise and Fall of the DRE

• VSTAAB (Californias Voting System Technical
  Assessment and Advisory Board) Report Security
  Analysis of the Diebold AccuBasic Interpreter,
  2/14/2006
• 3 computer scientists from U of California
  analyzed AccuBasic, a proprietary, interpreted
  language used in a couple machines including the
  AV-TSx touchscreen because no ITA testing was
  done
• Problems (many easily correctable) found

31
Rise and Fall of the DRE

• Hursti II Report, a Black Box Voting Project by
  Harri Hursti, Diebold TSx Evaluation SECURITY
  ALERT May 11, 2006 Critical Security Issues
  with Diebold TSx at invitation of a Utah county
• Firmware is easy to change
• PCMCIA virus threat

32
Rise and Fall of the DRE

• Princeton Report Security Analysis of the
  Diebold AccuVote-TS Voting Machine by several
  authors at Princeton University, Sept 13, 2006
• Obtained one of the DRE machines, demonstrated
  Hurstis proposed virus, and created a demo virus
  that attacks an election
• Problems in common with desktop PCs
• Diebold response is that polling place procedures
  provide adequate protection

33
Rise and Fall of the DRE

• Nedap(/Groenendaal) Report Nedap/Groenendall
  ES3B Voting Computer a Security Analysis,
  10/6/2006
• Used extensively in Netherlands and nearby
• Authors show how anyone can quickly gain complete
  and virtually undetectable control over election
  results
• Radio eminations up to several meters away can be
  used to tell who votes what
• Sold in US by Liberty Voting Solutions

34
Rise and Fall of the DRE

• TGDC report by STS to NIST calls for Software
  Independence, basically ruling out paperless
  DREs
• By the end of November 2006, NIST concludes that
  paperless DREs are not acceptable
• At the beginning of December 2006, the EAC
  rejects 6-6 recommendation to only certify DREs
  that use independent audit technology (namely
  paper). Cost was a factor.

35
Other Players, Organizations, Documents

• Douglas Jones
• Ariel Rubin
• Bev Harris Black Box Voting
• Rebecca Mercuri
• Eugene Spafford
• William Pitt Truthout
• David Dill Verified Voting Foundation
• Linda Malone President of NASED
• Barbara Simons - USACM
• The Brennan Center for Justice
• IEEE, ACM

36
Douglas Jones

• University of Iowa at Iowa City
• Department of Computer Science
• Gives many talks, lay and technical
• Inspiration for parts of this presentation
• See Voting Security A Technical Perspective,
  presented at U of S. Car. Cybersecurity
  Symposium, 10/27/2005

37
Aviel Rubin

• John Hopkins University
• Election Judge
• Author Brave New Ballot The Battle to Safeguard
  Democracy in the Age of Electronic Voting
• Analyzed source code at the discovered Diebold
  ftp site

38
Bev Harris

• Seattle grandmother and writer
• Stumbled on the Diebold ftp site, 2002
• Founded Black Box Voting
• Voracious investigator

39
Rebecca Mercuri

• Founder of Notable Software and Knowledge
  Concepts
• Promotes mechanism with printout to be voter
  verified which is protected behind glass before
  being dropped into box

40
Eugene Spafford

• Chair of USACM (US Public Policy Committee of the
  ACM)
• Endorsed Nov. 2006 STS report advocating paper
  trails

41
William Pitt

• Managing editor of Truth Out

42
David Dill

• Founder of Verified Voting Foundation
• Stanford University
• Endorses voter verifiable audit trail

43
Linda Malone

• President of NASED
• Administrator of Marylands State Board of
  Elections
• In unaired Oct 2006 interview responds to
  questions about critical Diebold report with I
  think you are in fantasy land

44
Barbara Simons

• Formerly at IBM
• Former ACM chair
• USACM member
• Gives statements and testimony
• Upcoming 2007 book with Doug Jones

45
The Brennan Center for Justice

• New York University
• 2006 report on security problems of 3 most common
  electronic systems

46
IEEE and ACM

• Association for Computing Machinery
• Institute of Electrical and Electronics Engineers
• Professional organizations representing computer
  sciences and engineering
• ACM Policy Statement all systems should have
• Careful engineering
• Strong safeguards
• Rigorous testing of design and operation

47
Recommendations

• Keep things in perspective
• Restore and maintain trust
• Regulate, fund, and train
• Decentralize and diversify
• Establish reasonable processes
• Implement an assessment cycle

48
Recommendations

• Keep Things in Perspective There are many
  factors that influence an election. Some we
  accept without question as legitimate, some are
  ignored, some are presented as terrible threats.
  How much do we spend to eliminate one threat, no
  matter how small and unlikely?

49
Recommendations

• Restore and Maintain Trust
• Pay attention and respond respectfully
• Educate yourself and others
• Openly take reasonable steps
• Stay calm
• Act quickly and decisively when appropriate
• Question authority at the same time as you
  respect authority
• Keep everything as transparent as possible

50
Recommendations

• Regulate, Fund, and Train There is no human or
  technological perfect system
• Regulate all aspects of the election cycle
• Provide adequate funding for all aspects of the
  election cycle including certification,
  acquisition, verification, and development of
  hardware and software
• Poll workers are generally low paid and
  unskilled, yet the system depends on them!

51
Recommendations

• Decentralize and Diversify Attacks (accidental
  and malicious) are most effective when
  implemented system-wide. Think of virus threat if
  all computers were the same or all cattle had the
  same DNA thus the same vulnerabilities!
• Promote competition in the industry
• One size doesnt fit all consider costs,
  demographics, and accessibility
• Dont fund a pie-in-the-sky perfect solution
• Limited use of DREs may be acceptable

52
Recommendations

• Establish Reasonable Processes People need to
  know what to do in case of all kinds of events.
  Secure systems depend on the people implementing
  and using them following proper protocols.
  Development and certification are loaded with
  details that are easily overlooked.

53
Recommendations

• Implement an Assessment Cycle The poll workers
  and others closest to an election should
  participate in evaluating the processes, looking
  for both good and bad features, and providing
  feedback that will be used (not sit on a
  shelf!!!) to improve the system. They see things
  the experts miss.