E-voting in an Untrustworthy World
Rebecca Mercuri, Ph.D.
Copyright © 2004 Rebecca Mercuri
Election Administration Assumptions
People in power run elections
Power corrupts
Election administrators have a vested interest in: remaining in control and/or passing control to like-minded individuals
Election systems that rely on procedural or validatory controls that are performed by election administrators are inherently subvertible
The 6 Commandments of Voting
- Michael Shamos
I. *Thou shalt keep each voter’s choices an inviolable secret.*
II. Thou shalt allow each eligible voter to vote only once, and only for those offices in which the voter is authorized to cast a vote.
III. Thou shalt not permit tampering with thy voting system, nor the exchange of gold for votes.
IV. Thou shalt report all votes accurately.
V. Thy voting system shall remain operable throughout each election.
VI. Thou shalt keep an audit trail to detect sins against Commandments II-IV, but thy audit trail shall not violate Commandment I.
Voters Want
To know that their ballot is cast and counted as intended
Counts and recounts to be: independent, unbiased, reproducible, accurate, understandable
Recounts
Fully electronic systems do not provide any way for the voter to independently verify that the ballot cast corresponds to the data that was recorded and transmitted.
Election officials are given no way to conduct an independent recount since the audit trails that are provided lack checks and balances.
“Recounts” are really only “Reprints” because they use computer-generated ballot images. (GIGO -- Garbage In, Garbage Out.)
“Fail-safe” vendor claims are misleading – machines can and have failed in actual use, resulting in unrecoverable data loss.
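A constructed Python model, added here and not taken from the deck, of the separation these slides argue for: a poll book that records only who signed in, a ballot box that records only choices, an anonymous count-reconciliation audit (Commandments I, II and VI), and a voter-verified paper comparison that exposes what an electronic "recount" of stored ballot images cannot. The record_fault hook is a hypothetical recording error used for the demonstration, not any real machine's behaviour.

```python
# Constructed model (added here, not from the slides) of a precinct whose
# poll book holds only who signed in and whose ballot box holds only
# choices, so each record can be audited without linking voter to vote.
from collections import Counter

def run_precinct(voters, record_fault=None):
    """voters: list of (voter_id, choice) in arrival order.
    Returns (pollbook, images, paper): sign-in ids, the machine's stored
    ballot images, and the voter-verified paper record. The two ballot
    multisets carry no ids and no order, so Commandment I holds.
    record_fault is a hypothetical recording error used for the demo."""
    pollbook, images, paper = [], Counter(), Counter()
    for voter_id, choice in voters:
        if voter_id in pollbook:        # Commandment II: one vote per voter
            continue
        pollbook.append(voter_id)
        recorded = record_fault(choice) if record_fault else choice
        images[recorded] += 1           # what the machine stored
        paper[choice] += 1              # what the voter saw and accepted
    return pollbook, images, paper

def electronic_recount(images):
    """A 'recount' from stored images re-reads the same data, so it can
    only reproduce the original result (the deck's Reprint / GIGO point)."""
    return Counter(images)

def reconcile(pollbook, images):
    """Commandment VI check on anonymous records: ballot count equals
    sign-in count and no id signed in twice. Catches box stuffing and
    double voting, but cannot see a misrecorded choice."""
    return len(set(pollbook)) == len(pollbook) == sum(images.values())

def paper_audit(images, paper):
    """Independent check: compare the machine tally with the tally of the
    voter-verified paper record. Only this detects a recording fault."""
    return Counter(images) == Counter(paper)

if __name__ == "__main__":
    # constructed sample: v2 tries to vote twice; the fault records B as A
    ballots = [("v1", "A"), ("v2", "B"), ("v3", "B"), ("v2", "A"), ("v4", "A")]
    pb, img, pap = run_precinct(ballots, record_fault=lambda c: "A" if c == "B" else c)
    print(reconcile(pb, img), paper_audit(img, pap))  # True False
```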
Vulnerabilities
Inherent in the nature of all computers (including those used for ballot preparation and vote tallying) are aspects that can be intentionally or accidentally used to subvert the systems.
Elections are large-stakes, adversarial processes that occur in a short, identifiable time frame, hence they are high-risk targets.
The anonymity requirement for voting prevents the use of traditional forms of auditing.
Earlier forms of election fraud typically required collusion; computers provide opportunity for a lone insider to affect outcomes on a broad scale.
Such corruption is nearly impossible to prevent or detect.
The Perfect Crime
Occurs invisibly
Weapon is part of regular toolset
Potential suspects are allowed to tamper with crime scene before evidence is collected
Critical evidence is prevented from disclosure
“Hearsay” evidence -- not from original source
Prosecutors are falsely maligned
Incorrect suspect is charged
The Smell Test
Are Generally Accepted Principles and Procedures being used? (auditing, security, testing, manufacture, configuration management)
Are standards biased to favor vendors over users?
Do claims violate laws of science?
Do you need a Ph.D. to understand it?
The Eyeball Test
Are there parts of the system that are prevented from disclosure?
Are all elements in the critical data path open for independent verification and validation?
How can all administrators and users confirm that appropriate modules (for software, hardware, crypto, etc.) are installed?
How do we know it really works?
The Taste Test
Allow others to try it out before you do
Collect data from results
Compare with other products
Obtain ingredients list
Discard if toxic
Auditory Feedback for the Blind
“Very few of our members were able to vote privately, independently, despite Santa Clara County’s [Calif.] supposed ‘accessible’ [Sequoia] touch screens.”
-- Dawn Wilcox, president of the Silicon Valley Council of the Blind
Features include: poor sound quality, delayed response time, upside-down Braille, 30+ minutes to cast ballot.
Mercer County, New Jersey, was charged $2,000 per machine on top of the $6,000 price tag for the Sequoia “audio option.”
Tactile Ballots
Allow visually impaired citizens to vote privately at the precinct or at home.
Approved by the United Nations and used by the State of Rhode Island and also by various democratic countries.
http://www.electionaccess.org/Bp/Ballot_Templates.htm
California Recall Data Analysis
Machine Type              Recall   Rank   Candidates   Rank   Average   Rank
Punchcard                  6.24      3       8.30        3      7.3       3
  Datavote                 1.95      3       5.25        2      3.6       2
  Votomatic                8.17     10       9.46        9      8.8      10
  Pollstar                 6.03      9       9.01        6      7.5       9
Optical Scan               2.68      2       7.46        2      5.1       2
  Diebold Accu-Vote-OS     2.37      5       5.91        4      4.1       3
  ES&S 550 and 650         2.51      6       9.06        7      5.8       7
  ES&S Eagle               1.87      2      10.89       10      6.4       8
  Mark-A-Vote              3.04      7       7.57        5      5.3       6
  Sequoia                  4.35      8       5.54        3      4.9       4
Touchscreen                1.50      1       6.77        1      4.1       1
  Diebold Accu-Vote-TS     0.73      1       9.23        8      5.0       5
  Sequoia Edge             2.01      4       4.37        1      3.1       1
(Rank columns order the three machine categories among themselves and the individual systems among themselves, 1 = lowest value; Average is the mean of the Recall and Candidates values.)
Based on information compiled by Chad Michael Topaz and Rebecca Mercuri from data provided by the California Secretary of State at: http://www.ss.ca.gov/elections/sov/2003_special/contents.htm
Accuracy
Every vote does NOT count!
Lost vote rate of 3 - 5% far exceeds manufacturer’s stated “error rates”
Residual vote is an inappropriate metric
Testing is performed on pristine data sets under controlled conditions and does not reflect real voting environment
David Chaum’s Crypto Solution
Cryptographic Solutions
Modules must be subjected to formal correctness proofs
Who trusts the trustees?
Must be understandable by general public
Must be transparent to all
Independent auditing is essential
Could/should be used to secure paper ballots
Open Source
…can NOT provide sufficient verification and validation assurances.
“You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.”
-- Ken Thompson, 1984
Ballots ≠ Receipts
Ballot has a distinct legal connotation
Verified is not the same as verifiable
Must retain anonymity
Must not demonstrate proof of vote
Election Lotto
Ballots should be:
Easy to obtain
Usable by all
Controlled when cast
Voting Machine Hacking Contest
Proof of hack will not prevent vendors from playing the “we’ve fixed that” shell game
Lack of hack provides no assurance of security
Despite this... DEFCON 12 has offered a contest venue (Las Vegas, July 30 - Aug. 1)
Put up or shut up challenge -- Shamos, Neff/Adler, other vendors
Rules will need to be well-defined in advance
Must allow insider or outside attack
SEE ME FOR DETAILS!
For More Information...
Rebecca Mercuri
www.notablesoftware.com/evote.html