E-voting in an Untrustworthy World
Rebecca Mercuri, Ph.D.


Copyright © 2004 Rebecca Mercuri

Election Administration Assumptions

- People in power run elections
- Power corrupts
- Election administrators have a vested interest in: remaining in control and/or passing control to like-minded individuals
- Election systems that rely on procedural or validatory controls that are performed by election administrators are inherently subvertible


The 6 Commandments of Voting

-- Michael Shamos

I. Thou shalt keep each voter’s choices an inviolable secret.
II. Thou shalt allow each eligible voter to vote only once, and only for those offices in which the voter is authorized to cast a vote.
III. Thou shalt not permit tampering with thy voting system, nor the exchange of gold for votes.
IV. Thou shalt report all votes accurately.
V. Thy voting system shall remain operable throughout each election.
VI. Thou shalt keep an audit trail to detect sins against Commandments II-IV, but thy audit trail shall not violate Commandment I.


Voters Want

- To know that their ballot is cast and counted as intended
- Counts and recounts to be: independent, unbiased, reproducible, accurate, understandable


Recounts

- Fully electronic systems do not provide any way for the voter to independently verify that the ballot cast corresponds to the data that was recorded and transmitted.
- Election officials are given no way to conduct an independent recount since the audit trails that are provided lack checks and balances.
- “Recounts” are really only “Reprints” because they use computer-generated ballot images. (GIGO -- Garbage In, Garbage Out.)
- “Fail-safe” vendor claims are misleading – machines can and have failed in actual use, resulting in unrecoverable data loss.


Vulnerabilities

- Inherent in the nature of all computers (including those used for ballot preparation and vote tallying) are aspects that can be intentionally or accidentally used to subvert the systems.
- Elections are large-stakes, adversarial processes that occur in a short, identifiable time frame; hence they are high-risk targets.
- The anonymity requirement for voting prevents the use of traditional forms of auditing.
- Earlier forms of election fraud typically required collusion; computers provide opportunity for a lone insider to affect outcomes on a broad scale.
- Such corruption is nearly impossible to prevent or detect.


The Perfect Crime

- Occurs invisibly
- Weapon is part of regular toolset
- Potential suspects are allowed to tamper with crime scene before evidence is collected
- Critical evidence is prevented from disclosure
- “Hearsay” evidence -- not from original source
- Prosecutors are falsely maligned
- Incorrect suspect is charged


The Smell Test

- Are Generally Accepted Principles and Procedures being used?
  - auditing
  - security
  - testing
  - manufacture
  - configuration management
- Are standards biased to favor vendors over users?
- Do claims violate laws of science?
- Do you need a Ph.D. to understand it?


The Eyeball Test

Are there parts of the system that are prevented from disclosure?

Are all elements in the critical data path open for independent verification and validation?

How can all administrators and users confirm that appropriate modules (for software, hardware, crypto, etc.) are installed?

How do we know it really works?


The Taste Test

- Allow others to try it out before you do
- Collect data from results
- Compare with other products
- Obtain ingredients list
- Discard if toxic


Auditory Feedback for the Blind

“Very few of our members were able to vote privately, independently, despite Santa Clara County’s [Calif.] supposed ‘accessible’ [Sequoia] touch screens.”

-- Dawn Wilcox, president of the Silicon Valley Council of the Blind

Features include: poor sound quality, delayed response time, upside-down Braille, 30+ minutes to cast ballot.

Mercer County, New Jersey was charged $2,000 per machine on top of the $6,000 price tag for the Sequoia “audio option.”


Tactile Ballots

Allow visually impaired citizens to vote privately at the precinct or at home.

Approved by the United Nations and used by the State of Rhode Island and also by various democratic countries.

http://www.electionaccess.org/Bp/Ballot_Templates.htm


California Recall Data Analysis

Machine Type            Recall  Rank  Candidates  Rank  Average  Rank
Punchcard                 6.24     3        8.30     3      7.3     3
  Datavote                1.95     3        5.25     2      3.6     2
  Votomatic               8.17    10        9.46     9      8.8    10
  Pollstar                6.03     9        9.01     6      7.5     9
Optical Scan              2.68     2        7.46     2      5.1     2
  Diebold Accu-Vote-OS    2.37     5        5.91     4      4.1     3
  ES&S 550 and 650        2.51     6        9.06     7      5.8     7
  ES&S Eagle              1.87     2       10.89    10      6.4     8
  Mark-A-Vote             3.04     7        7.57     5      5.3     6
  Sequoia                 4.35     8        5.54     3      4.9     4
Touchscreen               1.50     1        6.77     1      4.1     1
  Diebold Accu-Vote-TS    0.73     1        9.23     8      5.0     5
  Sequoia Edge            2.01     4        4.37     1      3.1     1

Each “Rank” column orders the category rows (Punchcard, Optical Scan, Touchscreen) among the three categories and the indented machine rows among the ten individual machines; “Average” is the mean of the Recall and Candidates figures.

Based on information compiled by Chad Michael Topaz <[email protected]> and Rebecca Mercuri from data provided by the California Secretary of State at: http://www.ss.ca.gov/elections/sov/2003_special/contents.htm


Accuracy

- Every vote does NOT count!
- Lost vote rate of 3 - 5% far exceeds manufacturer’s stated “error rates”
- Residual vote is an inappropriate metric
- Testing is performed on pristine data sets under controlled conditions and does not reflect real voting environment


David Chaum’s Crypto Solution


Cryptographic Solutions

- Modules must be subjected to formal correctness proofs
- Who trusts the trustees?
- Must be understandable by general public
- Must be transparent to all
- Independent auditing is essential
- Could/should be used to secure paper ballots


Open Source

…can NOT provide sufficient verification and validation assurances.

“You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.”

-- Ken Thompson, 1984


Ballots ≠ Receipts

- Ballot has a distinct legal connotation
- Verified is not the same as verifiable
- Must retain anonymity
- Must not demonstrate proof of vote


Election Lotto

Ballots should be:

Easy to obtain

Usable by all

Controlled when cast


Voting Machine Hacking Contest

- Proof of hack will not prevent vendors from playing the “we’ve fixed that” shell game
- Lack of hack provides no assurance of security
- Despite this... DEFCON 12 has offered a contest venue (Las Vegas, July 30 - Aug. 1)
- Put up or shut up challenge -- Shamos, Neff/Adler, other vendors
- Rules will need to be well-defined in advance
- Must allow insider or outside attack
- SEE ME FOR DETAILS!


For More Information...

Rebecca Mercuri

[email protected]

www.notablesoftware.com/evote.html