UNIVERSITY LECTURE SERIES OCTOBER 12, 2006
COPYRIGHT © 2006 MICHAEL I. SHAMOS
What’s Right With Electronic Voting?
Michael I. Shamos, Ph.D., J.D.
Institute for Software Research
School of Computer Science
Carnegie Mellon University
Electronic Voting Horror Stories
Questions
• Is electronic voting secure?
• Is there anything good about it?
• If not, why do we use it?
• Why can’t we just vote with paper ballots?
• Do paper trails solve the problems?
My Background
• Computerized voting system examiner for
– Massachusetts (2006- )
– Pennsylvania (1980-2000, 2004- )
– Texas (1987-2000)
– Delaware (1989)
– West Virginia (1982)
– Nevada (1995)
• Performed 119 voting system examinations
• Testified before Congress 4 times
• Taught voting system testing at NIST
• Expert witness in 5 electronic voting cases
Outline
• Voting in the U.S.
• Voting system requirements
• Voting methods (opscan, DRE)
• Problems with electronic voting
• Rating different voting methods
Pennsylvania Counties
SOURCE: ELECTIONLINE.ORG
ALLEGHENY COUNTY
BLUE, GREEN, PURPLE, YELLOW: electronic
RED: optical scan
U.S. Voting History
Colonies: Voice voting to officials in public
Early 1800s: Handwritten paper ballots
1850 - today: Rampant paper ballot fraud
1888: Secret paper (Australian) ballot in U.S.
1892: Lever machine to “protect mechanically the voter from rascaldom”
1960s: Punched cards
1970s: Optical scan
1978: Direct-recording electronic systems
2000: Florida!
2002: Help America Vote Act (HAVA)
2006: Widespread electronic voting
Paper Ballots
Australian (secret) ballot (U.S., 1888)
SOURCE: DOUGLAS W. JONES
Voting System Functions
• Present the correct ballot clearly to each voter
– including disabled & foreign language
– must warn of overvotes
• Capture the voter’s choices unambiguously
– binary (yes/no) is best
• Record the voter’s choices securely
– prevent tampering
• Tabulate and report the correct totals
• Provide an audit mechanism
– permanent paper record
Principal Methods of U.S. Voting
• The Help America Vote Act (HAVA, 2002) banned
– Punched-card voting (implicitly)
– Lever machines (implicitly)
– Hand-counted paper ballots (mostly)
• We are left with
– Optical scan, counted at precinct
– Optical scan, counted centrally (with restrictions)
– Direct-recording electronic (DRE)
Full Opscan Ballot (Too Big to Fit)
• Marin County, CA (2006)
• 30 races, 98 candidates
• 30 propositions
• 3 sheets, 6 sides
• Paper trail would be 6 feet long for each voter
– 10 contests per foot, 60 contests
Optical Scan Problems
• Issues:
– Dark/light marks, wrong ink
– Printing trickery
– Voter intent?
• Marks are not binary
• Machine does not see what the human sees
– Visible v. infrared
• Disabled can’t vote without an assistive device (ballot marker)
COMPLETE THE ARROW:
SOURCE: HAWAII ADMIN. REGS. §2-51-85.2
What Constitutes a Vote?
• To avoid a repeat of Florida 2000, HAVA required all states to define “what constitutes a vote”
• They all did it differently
Legal/Constitutional Requirements
• Voter secrecy
– We can’t tell how she voted
– She can’t prove how she voted
• Overvote warning
• Security against tampering
• Permanent paper record of each vote cast, with audit capacity
• Disabled accessibility
• Alternative language accessibility
+ LOTS of state requirements (> 100)
Electronic Voting Demo
Electronic Voting
• Voter interacts with a computer to select and record her choices
• No “document ballot”
POLLING PLACE
FULL BALLOT RECORDED ON
1. MULTIPLE INTERNAL MEDIA; AND
2. PAPER; AND
3. REMOVABLE MEMORY DEVICE (PCMCIA CARD)
COUNTY OFFICE BUILDING
AT CLOSE OF POLLS: TOTALS TAPE PRODUCED, SIGNED BY JUDGES
THIS IS THE OFFICIAL RETURN
TOTALS TAPE POSTED IN POLLING PLACE
COPY OF TAPE SENT TO COUNTY
RANDOMIZED AUDIT TRAIL PRINTED – CAN BE USED FOR RECOUNT
MEMORY CARD REMOVED
MEMORY CARD SENT TO COUNTY
UNOFFICIAL VOTE TOTALS PRODUCED, GIVEN TO MEDIA
WEEKS LATER: OFFICIAL CANVASS BASED ON OFFICIAL RETURNS
Determining Winners with DREs
VOTERS VOTE
ELECTION DAY
ELECTRONIC MEDIA SENT TO TABULATION CENTER
RESULTS TABULATED, RELEASED TO PRESS
ELECTION NIGHT
TOTALS PRINTED OUT AT PRECINCT, SIGNED BY JUDGES
TOTALS REPORT POSTED AT PRECINCT
TOTALS REPORTS SENT TO COUNTY
UNOFFICIAL ONLY!
WEEKS LATER
CANVASS BY COUNTY ELECTIONS BOARD
WINNERS CERTIFIED
OFFICIAL RESULTS
Tarrant County Canvass, 3/7/06
Examining/Testing Voting Machines
SYSTEM DEVELOPED BY VENDOR
SYSTEM SUBMITTED FOR FEDERAL QUALIFICATION
SYSTEM TESTED TO NIST STANDARDS BY INDEPENDENT TESTING AUTHORITY (ITA)
ITA CREATES “WITNESS BUILD” OF SYSTEM
SYSTEM NOW “FEDERALLY QUALIFIED”
SYSTEM SUBMITTED FOR STATE CERTIFICATION
SYSTEM TESTED TO STATE STANDARDS AND FOR HAVA COMPLIANCE BY EXAMINER
SECRETARY OF STATE CERTIFIES SYSTEM
SYSTEM NOW “STATE CERTIFIED”
COUNTY BUYS SYSTEM, RECEIVES SOFTWARE FROM ITA
COUNTY PERFORMS ACCEPTANCE TESTING
PARTIES NOTIFIED 40 DAYS IN ADVANCE OF ELECTION SETUP
SYSTEM READY FOR ELECTION SETUP
COUNTY SETS UP MACHINES FOR ELECTION (PUBLIC)
PRE-ELECTION LOGIC AND ACCURACY TESTING (PUBLIC)
MACHINES ARE SEALED
SYSTEM READY FOR ELECTION
Voter Verification
1. Was my vote recorded properly?
2. Was my vote counted?
3. What can I do if I think it wasn’t?
4. Will my vote be around in case of a recount?
5. Was everyone who voted authorized?
• Optical scan voting solves (1)
• DRE voting is auditable, but not voter-verified
VVPAT
• VVPAT = voter-verified paper audit trail
• Produce a paper document that the voter can view before casting the ballot to verify that the vote was captured correctly
• Retain the paper document to be used for a recount, if necessary. DEMO
• The VVPAT provides proof that the vote was recorded properly (at least on the paper)
• VVPAT SHOULD list all candidates presented to voter, even ones that were not voted for
VVPAT Problems
• No secrecy: ballots recorded sequentially
• Blind voters can’t read it
• Long paper trail, e.g. 6 feet per voter
• Can’t count it (8 weeks in Cuyahoga County, OH)
• Sacramento, CA: 20 minutes per ballot, 4 people each
• Recounting CA would take 8000 man-years
– Mandatory 5%? 400 man-years in one week = 20,000 people
• University of Maryland: 1-3% of voters verified
• Cuyahoga County, OH primary May 2006
• 10% of paper records found illegible, tampered with or completely missing
Counting the VVPAT
SOURCE: ELECTION SCIENCE INSTITUTE
The Hursti II Attack
• Harri Hursti (2/06), repeated by Felten (9/06)
• Attack on Diebold touchscreen units
• Given access to the machine, its software can be replaced quickly, i.e., a few minutes
• Not a bug, but a “feature” to permit rapid upgrade
• Can the intrusion be detected?
• Can the exploit be disabled?
Machine Reliability
• The 2002 Federal standards require a mean time between failures (MTBF) of at least 163 hours
• Under the exponential failure model, 10% of voting machines will fail within 18 hours! Unacceptable!
• In practice, 20% of VVPAT machines fail on Election Day
• “Failure” does not mean loss of votes, but inability to continue voting
Comparison of Voting Methods
               DRE, NO VVPAT   DRE WITH VVPAT (CURRENT)   PRECINCT OPSCAN (PCOS)   PCOS & BALLOT MARKER
Security       7               9                          4                        6
Secrecy        9               2                          8                        9
Accessibility  9               5                          0                        9
Usability      9               6                          5                        9
Reliability    6               3                          9                        7
TOTALS         40              25                         26                       40
Pennsylvania Voting Methods (2006)
SOURCE: ELECTIONLINE.ORG
ALLEGHENY COUNTY
ES&S iVotronic
ES&S 100 & iVotronic
ES&S 100 AutoMark
Advanced WinVote
ES&S 650 AutoMark
Diebold TSx
Danaher 1242
Sequoia Edge
Hart InterCivic eSlate
Sequoia Advantage
Hart InterCivic eScan/eSlate
PAGED DRE, FULL-FACE DRE, DRE & OPTICAL, OPTICAL
Pennsylvania Voting Systems (2006)
ES&S iVOTRONIC TOUCHSCREEN
ES&S iVOTRONIC + M100 OPTICAL
ES&S iVOTRONIC + M100 + AUTOMARK
ES&S 650 OPTICAL
DIEBOLD TSX TOUCHSCREEN
ADVANCED WINVOTE
SEQUOIA EDGE TOUCHSCREEN
DANAHER 1242 FULL-FACE DRE
SEQUOIA ADVANTAGE FULL-FACE DRE
HART ESLATE DRE
HART ESLATE + ESCAN
What’s the Best Voting Method?
• HAVA requires– vote verification, correction §301(a)(1)(A)(i)
– overvote warning §301(a)(1)(A)(iii)
– permanent paper record §301(a)(2)(B)(i)
– disabled accessibility §301(a)(3)(A)
– alternative language accessibility §301(a)(4)
• States require
– secrecy
– security
– reliability
– usability
Desirable Voting System Characteristics
• Secret
• Accurate
• Eligible voters
• Vote once only
• Tamper-proof
• Reliable
• Auditable
• No vote-buying (receipt-free)
• Verifiable
• Non-coercible
• Transparent
MOST STATES REQUIRE
NO STATES REQUIRE (except coercion is a crime)
Voting System Requirements
• Accuracy
• Secrecy
• Security
• Auditability
• No take-home receipts
• No identifiable ballots
– Pennsylvania law: “No ballot which is so marked as to be capable of identification shall be counted.” 25 P.S. §3063(a)
• Conformance with state law
Federal Requirements (2006)
• Overvote warning
• Permanent paper record
• Correct ballot before casting
• Disabled accessibility
• Multiple languages and alphabets (LA County: 12)
Sample State Laws
• Ballot complexity, e.g. 135 candidates
• Vote-for-many (e.g. 25 out of 87)
• Straight-party voting
• Write-ins
• Early voting
• Ballot rotation
• Provisional ballots
• “Fleeing voter”
Why Don’t We Have Paper Trails in Pennsylvania?
• No one makes a paper trail machine that conforms to Pennsylvania law
• Several violate multiple provisions, particularly secrecy