Slide1: Coming up: Vote verification talk by Alan Sherman (UMBC)
A Study of Vote Verification Technologies: A Study of Vote Verification Technologies Alan T. Sherman
Dept. of CSEE
University of Maryland, Baltimore County (UMBC)
May 3, 2006
Joint work with: Joint work with Don Norris, Dept. of Public Policy, MIPAR
John Pinkston, Dept. of CSEE
A. Gangopadhyay, S. Holden, G. Karabatis, A.G. Koru,
C. Law, A. Sears, D. Zhang
Dept. of Information Systems
National Center for the Study of Elections
of the Maryland Institute for
Policy Analysis and Research (MIPAR)
Diebold AccuvoteTS Touch Screen Direct Recording Equipment (DRE): Diebold AccuvoteTS Touch Screen Direct Recording Equipment (DRE)
How well do verifiers enable voters to check their votes are: How well do verifiers enable voters to check their votes are cast as intended
recorded as cast
tallied as recorded?
Overview: Overview Evaluated 4 vote verification products
Diebold paper trail (VVPAT)
MIT-Selker audio system
Scytl Pnyx.DRE software system
VoteHere Sentinel (cryptographic receipts)
For Maryland State Board of Elections
Analysis in context of real elections
Interdisciplinary study—first of its kind
Outline: Outline Background and motivation
Voting in Maryland
Related work
Genesis of UMBC study
Verification Systems
Study systems, evaluation criteria
Analysis
Maryland Procedures
Discussion, conclusions, open problems
Background and Motivation: Background and Motivation
Background: Background
Following 2000 fiasco in FL, MD moved to DREs and centralized management
Began purchasing Diebold DREs in 2001
DREs improved accuracy and efficiency
No irregularities have been detected, but...
DREs Improve Accessibility: DREs Improve Accessibility Visually-impaired voters can use headsets, large fonts, or both
So can anyone else too
Can DREs Be Trusted?: Can DREs Be Trusted? Malicious code
Subversion of system (hardware, software, OS)
Faulty design, implementation
Key management
Configuration
Data handling
Physical storage and security
[Play Baxter Movie]
Voting in Maryland: Voting in Maryland ~20,000 DREs (100% by fall 2006)
23 counties + Baltimore City
Dual system of state and local control
3.1 million registered voters
(5.6 million residents)
$96 million on Diebold system by FY 2007
(~$2.82 / resident / year over 6 years)
Financially committed to Diebold through 2012
What Is Special About Voting?: What Is Special About Voting? Critical national infrastructure
Everyone must be able to vote
Elderly, infirm, disabled (blind, deaf)
Below average IQ
Happens infrequently
Voters must have confidence in outcome
Conform to state and federal law
Genesis of Study: Genesis of Study MD General Assembly (GA)
considered move toward paper trail (2005)
GA mandated study (2005)
Governor Ehrlich vetoed study
State Board of Elections commissioned study (August 2005)
Study Question: Study Question How well do various vote verification products work?
NOT:
What voting system should MD use?
Is the Diebold System secure?
Options for Maryland: Options for Maryland Keep Diebold, with parallel testing; continue monitoring technology
Add verification system to Diebold
Change to different system
Precinct-count optical scan (e.g., Automark, Populex)
Receipt-based system (e.g., VoteHere, Punchscan)
[Discussing third option is outside study scope]
Related Work: Related Work Usability study (Herrnson, et al., 2006)
www.capc.umd.edu
Survey of MD voters (Norris, 2006)
www.umbc.edu/mipar
Diebold GEMS Server: Diebold GEMS Server Dedicated workstation at each LBE; Accumulates DRE votes; Generates reports
All tallies checked by hand from printouts from each DRE of DRE totals
Verification Systems: Verification Systems
Benefits of Verification: Benefits of Verification Increased assurance via independent system
Adversary must corrupt two systems
Separate tally and audit log
Challenges to Verification: Challenges to Verification Adds complexity (increases cost, chance of disruption, opportunity for privacy loss)
Lack of standard interfaces
Requires modification of Diebold software
Is true system independence possible?
Study Systems: Study Systems Diebold VVPAT
MIT-Selker audio system
Scytl Pnyx.DRE
VoteHere Sentinel
Democracy Systems VoteGuard
Avante
IP.Com
“Parallel testing” of DREs
Math Challenge on Parallel Testing: Math Challenge on Parallel Testing:
Given that B of the N DREs are bad, what is
the chance of selecting at least one bad
DRE in a random sample of k DREs?
Solution later …
Evaluation Criteria: Evaluation Criteria Reliability
Functional completeness
Accessibility
Data management
Election integrity, voter privacy
Implementation / integration with DRE
Impact on voters and procedures
Security Criteria: Security Criteria Election integrity
Ballots cast as intended
Ballots recorded as cast
Ballots tallied as recorded
Voter privacy
Resistance to disruption
Study Methods: Study Methods Met with vendor
Examined product in UMBC lab
Assigned numerical score for each criterion (1-low, 5-high)
Wrote narrative
We did not weight the scores to yield an overall score or product recommendation
Diebold VVPAT: pros: Diebold VVPAT: pros Prints votes on paper roll
Relatively simple and intuitive
Produces physical record
Diebold VVPAT: cons: Diebold VVPAT: cons Can LBEs store paper rolls securely?
Voter cannot verify what rolls are used in recount
Paper roll records order of votes cast
Barcodes cannot be trusted
Lacks vendor independence
Printer jams easily
Blind cannot verify paper record, only audio output
Costly ($1,500 / add-on unit)
MIT-Selker Audio System: pros: MIT-Selker Audio System: pros Records votes on audio tape
Easier to catch mistakes
Relatively simple
Produces physical record
Relatively simple integration
No software required
Inexpensive ($100 / unit)
MIT-Selker Audio System: cons: MIT-Selker Audio System: cons Can LBEs store tapes securely?
Voters cannot verify what tapes are used in recount
Tape records order of votes cast
Deaf cannot use
Recount is labor intensive
Vendor lacks business plan
Needs reliable storage of magnetic media
Scytl Pnyx.DRE: pros: Scytl Pnyx.DRE: pros Echoes ballot choices on confirmation screen
Stores electronic copy of vote
Well engineered
Has been used outside USA
Two-way handshake with DRE
Scytl Pnyx.DRE: cons: Scytl Pnyx.DRE: cons Must trust software to store displayed vote
Can cause DRE to fail and vice-versa (via two-way handshake)
More complicated integration with DRE
Not all functionality implemented
$500 / unit
VoteHere Sentinel: pros: VoteHere Sentinel: pros Outstanding election integrity: voter can verify vote is recorded in official data as cast, and that tally is computed correctly from official data
Integrity based on cryptography, not computer security
Open source, high quality software
Disabled voters can enjoy same level of integrity
VoteHere Sentinel: cons: VoteHere Sentinel: cons Application software missing (only reference library exists)
More complicated: voter experience, conceptual model, election officials must maintain web site
Most voters will not understand the cryptography
No attempt to maintain consistency between DRE and Sentinel
$500 / unit
Parallel Testing: Parallel Testing Attempts to detect widespread corruption of DREs
Tests randomly-selected DREs on election day in simulated election
Limitations:
Can adversary “signal” selected DREs?
Number and choice of DREs for testing
Probability of Selecting Bad DRE: Probability of Selecting Bad DRE
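The Math Challenge posed earlier has a closed form: a sample of k DREs drawn without replacement misses all B bad units with probability C(N−B, k) / C(N, k), so the chance of catching at least one is 1 − C(N−B, k) / C(N, k). The code below is an added example, not taken from the slides; the function names and the corrupted-unit counts are constructed, and N = 20,000 is the Maryland DRE count quoted in the talk.

```python
from fractions import Fraction
from math import comb


def p_detect(N: int, B: int, k: int) -> Fraction:
    """Exact chance that a uniform random sample of k DREs, drawn without
    replacement from N units of which B are bad, holds at least one bad unit."""
    if not (0 <= B <= N and 0 <= k <= N):
        raise ValueError("require 0 <= B <= N and 0 <= k <= N")
    # C(N-B, k) counts the all-good samples; it is 0 once k > N - B,
    # because such a sample cannot avoid every bad unit.
    return 1 - Fraction(comb(N - B, k), comb(N, k))


def min_sample(N: int, B: int, confidence: float):
    """Smallest k with p_detect(N, B, k) >= confidence, or None if B == 0
    (no sample can find a bad unit that does not exist)."""
    if not 0 < confidence <= 1:
        raise ValueError("confidence must be in (0, 1]")
    if B == 0:
        return None
    miss = Fraction(1)  # P(first k draws are all good), updated draw by draw
    for k in range(1, N + 1):
        miss *= Fraction(N - B - (k - 1), N - (k - 1))
        if 1 - miss >= confidence:
            return k  # always reached by k = N - B + 1, where miss becomes 0


if __name__ == "__main__":
    N = 20_000  # DRE count quoted in the talk
    for B in (200, 1_000, 2_000):  # constructed: 1%, 5%, 10% of units corrupted
        k = min_sample(N, B, 0.95)
        print(f"B={B:>5}: test k={k} DREs for >=95% detection "
              f"(actual {float(p_detect(N, B, k)):.4f})")
```

This answers only the sample-size question: it assumes a tested bad unit misbehaves during the test, which is exactly what the "signalling" limitation listed under Parallel Testing calls into doubt.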
Summary Scores: Summary Scores
Maryland Procedures: Maryland Procedures
Installing DRE Software: Installing DRE Software SBE technicians install OS and application software on all DREs (critical process)
Diebold object code from Independent Testing Agency (ITA)
Cryptographic hash check performed on trusted SBE machine
DREs stored at LBEs
Voter Authority Cards: Voter Authority Cards Physical card at precinct for each voter
Records DRE used by voter
Poll workers may not ask for photo ID (only utility bill)
Discussion, Conclusions, Open Problems: Discussion, Conclusions, Open Problems
Modifying Diebold Software: Modifying Diebold Software Needed for verification systems
Requires Diebold cooperation
Diebold not commercially motivated
Who pays?
Must pass ITA after any change
Why Are Products Not Better?: Why Are Products Not Better? Relatively small market
Lack of clear performance standards
Multitude of state and local styles for ballots and reports
Security (and accessibility) is afterthought
Emerging technologies
Funding technologies for the “social good”
Vendors Should Provide: Vendors Should Provide Product description
Functional specifications
Testable reference implementation
Performance data from mock election
Documentation
Open Problems: Open Problems Standard interfaces for verifiers
Adversarial data consistency problem
Develop/improve receipt-based systems (e.g., Punchscan, David Chaum)
Performance ratings guidelines
Adversarial Data Consistency Problem: Adversarial Data Consistency Problem (DRE and verifier honest) tallies agree
Minimize disruption by one dishonest unit
Ex: Voter aborts in middle of process
Adversarial Data Consistency Problem: Adversarial Data Consistency Problem Two-way communication
enables either unit to cause disruption
facilitates collusion among two dishonest units
Call for National Cooperation: Call for National Cooperation National standards (beyond HAVA 2002)
Standard interfaces
Performance ratings guidelines
Standard configurations (ballot styles, report formats)
Joint funding for R&D
Other Voting Issues: Other Voting Issues Encouraging people to vote
Registration
Absentee / provisional ballots
Accessibility
Mathematics of voting (e.g., Borda Count)
Internet voting
MD House Bill-244: MD House Bill-244
Mandates “voter verified” paper record (not paper roll)
Paper record is official record
House approved 137-0
Governor now supports
Senate killed by not voting
Costs $24-50 million
Questions / Discussion: Questions / Discussion
Acknowledgments: Acknowledgments VoteHere model diagram from VoteHere
VoteHere voter experience diagram by Kevin Fisher
Photos from Google Images
Rivest-Sherman Ciphertext-Only Attacks on Enigma: Rivest-Sherman Ciphertext-Only Attacks on Enigma Tomorrow (Friday)
10:30am
same location
Extra slides: Extra slides
VoteHere Model: VoteHere Model
Understanding Politics: Understanding Politics Gov. Ehrlich stole democratic issue
Wants to be able to question outcome of next election (?)
Heavy lobbying by TrueVoteMD
Linda Lamone (D) Governor Ehrlich (R)
Summary Security & Privacy Scores: Summary Security & Privacy Scores
Diebold AccuvoteTS: Diebold AccuvoteTS [Diagram; surviving label text: Voter Authority Precinct Official Key, Configuration tally tally]
VoteHere Model: VoteHere Model