1. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS What’s Right With Electronic Voting? Michael I. Shamos, Ph.D., J.D. Institute for Software Research School of Computer Science Carnegie Mellon University

2. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Electronic Voting Horror Stories

4. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Questions Is electronic voting secure? Is there anything good about it? If not, why do we use it? Why can’t we just vote with paper ballots? Do paper trails solve the problems?

5. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS My Background Computerized voting system examiner for –Massachusetts (2006- ) –Pennsylvania (1980-2000, 2004- ) –Texas (1987-2000) –Delaware (1989) –West Virginia (1982) –Nevada (1995) Performed 119 voting system examinations Testified before Congress 4 times Taught voting system testing at NIST Expert witness in 5 electronic voting cases

6. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Outline Voting in the U.S. Voting system requirements Voting methods (opscan, DRE) Problems with electronic voting Rating different voting methods

7. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Pennsylvania Counties SOURCE: ELECTIONLINE.ORGELECTIONLINE.ORG ALLEGHENY COUNTY BLUE, GREEN, PURPLE, YELLOW: electronic RED: optical scan

8. Allegheny County CITY OF PITTSBURGH = CMU Ohio River Allegheny River Monongahela River

9. 5 th Ave. (Precincts)

10. Pittsburgh East End Wards and Precincts 14 th City Ward 5 th Ave.

11. Pittsburgh East End Political Districts 43 rd Senate23 rd House 8 th City Council11 th County Council

12. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS U.S. Voting History Colonies:Voice voting to officials in public Early 1800s:Handwritten paper ballots 1850 - today:Rampant paper ballot fraud 1888:Secret paper (Australian) ballot in U.S. 1892:Lever machine to “protect mechanically the voter from rascaldom” 1960s:Punched cards 1970s:Optical scan 1978:Direct-recording electronic systems 2000:Florida! 2002:Help America Vote Act (HAVA) 2006:Widespread electronic voting

13. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Paper Ballots Australian (secret) ballot (U.S., 1888) SOURCE: DOUGLAS W. JONES

14. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Voting System Functions Present the correct ballot clearly to each voter –including disabled & foreign language –must warn of overvotes Capture the voter’s choices unambiguously –binary (yes/no) is best Record the voter’s choices securely –prevent tampering Tabulate and report the correct totals Provide an audit mechanism –permanent paper record

15. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Principal Methods of U.S. Voting The Help America Vote Act (HAVA, 2002) banned –Punched-card voting (implicitly) –Lever machines (implicitly) –Hand-counted paper ballots (mostly) We are left with –Optical scan, counted at precinct –Optical scan, counted centrally (with restrictions) –Direct-recording electronic (DRE)

16. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Full Opscan Ballot Full Opscan Ballot (Too Big to Fit) Marin County, CA (2006) 30 races, 98 candidates 30 propositions 3 sheets, 6 sides Paper trail would be 6 feet long for each voter –10 contests per foot, 60 contests

17. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Optical Scan Problems Issues: –Dark/light marks, wrong ink –Printing trickery –Voter intent? Marks are not binary Machine does not see what the human sees –Visible v. infrared Disabled can’t vote without an assistive device (ballot marker) COMPLETE THE ARROW:

18. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS SOURCE: HAWAII ADMIN. REGS. §2-51-85.2 What Constitutes a Vote? To avoid a repeat of Florida 2000, HAVA required all states to define “what constitutes a vote” They all did it differently

19. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Legal/Constitutional Requirements Voter secrecy –We can’t tell how she voted –She can’t prove how she voted Overvote warning Security against tampering Permanent paper record of each vote cast, with audit capacity Disabled accessibility Alternative language accessibility + LOTS of state requirements (> 100)

20. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Electronic Voting Demo

21. Electronic Voting Voter interacts with a computer to select and record her choices No “document ballot” POLLING PLACE FULL BALLOT RECORDED ON 1. MULTIPLE INTERNAL MEDIA; AND 2. PAPER; AND 3. REMOVABLE MEMORY DEVICE (PCMCIA CARD) COUNTY OFFICE BUILDING AT CLOSE OF POLLS: TOTALS TAPE PRODUCED, SIGNED BY JUDGES THIS IS THE OFFICIAL RETURN TOTALS TAPE POSTED IN POLLING PLACE COPY OF TAPE SENT TO COUNTY RANDOMIZED AUDIT TRAIL PRINTED – CAN BE USED FOR RECOUNT MEMORY CARD REMOVED MEMORY CARD SENT TO COUNTY UNOFFICIAL VOTE TOTALS PRODUCED, GIVEN TO MEDIA WEEKS LATER: OFFICIAL CANVASS BASED ON OFFICIAL RETURNS

22. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Determining Winners with DREs VOTERS VOTE ELECTION DAY ELECTRONIC MEDIA SENT TO TABULATION CENTER RESULTS TABULATED, RELEASED TO PRESS ELECTION NIGHT TOTALS PRINTED OUT AT PRECINCT, SIGNED BY JUDGES TOTALS REPORT POSTED AT PRECINCT TOTALS REPORTS SENT TO COUNTY UNOFFICIAL ONLY! WEEKS LATER CANVASS BY COUNTY ELECTIONS BOARD WINNERS CERTIFIED OFFICIAL RESULTS

23. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS

25. Tarrant County Canvass, 3/7/06

26. Examining/Testing Voting Machines SYSTEM DEVELOPED BY VENDOR SYSTEM SUBMITTED FOR FEDERAL QUALIFICATION SYSTEM TESTED TO NIST STANDARDS BY INDEPENDENT TESTING AUTHORITY (ITA) ITA CREATES “WITNESS BUILD” OF SYSTEM SYSTEM NOW “FEDERALLY QUALIFIED” SYSTEM SUBMITTED FOR STATE CERTIFICATION SYSTEM TESTED TO STATE STANDARDS AND FOR HAVA COMPLIANCE BY EXAMINER SECRETARY OF STATE CERTIFES SYSTEM SYSTEM NOW “STATE CERTIFIED” COUNTY BUYS SYSTEM, RECEIVES SOFTWARE FROM ITA COUNTY PERFORMS ACCEPTANCE TESTING PARTIES NOTIFIED 40 DAYS IN ADVANCE OF ELECTION SETUP SYSTEM READY FOR ELECTION SETUP COUNTY SETS UP MACHINES FOR ELECTION (PUBLIC) PRE-ELECTION LOGIC AND ACCURACY TESTING (PUBLIC) MACHINES ARE SEALED SYSTEM READY FOR ELECTION

27. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Voter Verification 1.Was my vote recorded properly? 2.Was my vote counted? 3.What can I do if I think it wasn’t? 4.Will my vote be around in case of a recount? 5.Was everyone who voted authorized? Optical scan voting solves (1) DRE voting is auditable, but not voter-verified

28. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPAT VVPAT = voter-verified paper audit trail Produce a paper document that the voter can view before casting the ballot to verify that the vote was captured correctly Retain the paper document to be used for a recount, if necessary. DEMODEMO The VVPAT provides proof that the vote was recorded properly (at least on the paper) VVPAT SHOULD list all candidates presented to voter, even ones that were not voted for

29. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPAT Problems No secrecy: ballots recorded sequentially Blind voters can’t read it Long paper trail, e.g. 6 feet per voter Can’t count it (8 weeks in Cuyahoga County, OH) Sacramento, CA: 20 minutes per ballot, 4 people each Recounting CA would take 8000 man-years –Mandatory 5%? 400 man-years in one week = 20,000 people University of Maryland: 1-3% of voters verified Cuyahoga County, OH primary May 2006 10% of paper records found illegible, tampered with or completely missing

30. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Counting the VVPAT SOURCE: ELECTION SCIENCE INSTITUTEELECTION SCIENCE INSTITUTE

31. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Counting the VVPAT SOURCE: ELECTION SCIENCE INSTITUTEELECTION SCIENCE INSTITUTE

32. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Counting the VVPAT SOURCE: ELECTION SCIENCE INSTITUTEELECTION SCIENCE INSTITUTE

33. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS The Hursti II Attack Harri Hursti (2/06), repeated by Felten (9/06) Attack on Diebold touchscreen units Given access to the machine, its software can be replaced quickly, i.e., a few minutes Not a bug, but a “feature” to permit rapid upgrade Can the intrusion be detected? Can the exploit be disabled?

34. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Machine Reliability The 2002 Federal standards require a mean time between failures (MTBF) of at least 163 hours Under the exponential failure model, 10% of voting machines will fail within 18 hours! Unacceptable! In practice, 20% of VVPAT machines fail on Election Day “Failure” does not mean loss of votes, but inability to continue voting

35. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Comparison of Voting Methods DRE, NO VVPAT DRE WITH VVPAT (CURRENT) PRECINCT OPSCAN (PCOS) PCOS & BALLOT MARKER Security7 Secrecy9 Accessibility9 Usability9 Reliability6 TOTALS

36. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Comparison of Voting Methods DRE, NO VVPAT DRE WITH VVPAT (CURRENT) PRECINCT OPSCAN (PCOS) PCOS & BALLOT MARKER Security79 Secrecy92 Accessibility95 Usability96 Reliability63 TOTALS

37. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Comparison of Voting Methods DRE, NO VVPAT DRE WITH VVPAT (CURRENT) PRECINCT OPSCAN (PCOS) PCOS & BALLOT MARKER Security794 Secrecy928 Accessibility950 Usability965 Reliability639 TOTALS

38. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Comparison of Voting Methods DRE, NO VVPAT DRE WITH VVPAT (CURRENT) PRECINCT OPSCAN (PCOS) PCOS & BALLOT MARKER Security7946 Secrecy9289 Accessibility9509 Usability9659 Reliability6397 TOTALS

39. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Comparison of Voting Methods DRE, NO VVPAT DRE WITH VVPAT (CURRENT) PRECINCT OPSCAN (PCOS) PCOS & BALLOT MARKER Security7946 Secrecy9289 Accessibility9509 Usability9659 Reliability6397 TOTALS40252640

40. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Q A &

41. Pittsburgh East End Political Districts 8 th City Council District

42. Pittsburgh East End Political Districts 11 th County Council District

43. Pittsburgh East End Political Districts 23 rd Pennsylvania House District

44. Pittsburgh East End Political Districts 43 rd Pennsylvania Senate District

45. Pennsylvania Voting Methods (2006) SOURCE: ELECTIONLINE.ORGELECTIONLINE.ORG ALLEGHENY COUNTY ES&S iVotronic ES&S 100 & iVotronic ES&S 100 AutoMark Advanced WinVote ES&S 650 AutoMark Diebold TSx Danaher 1242 Sequoia Edge Hart InterCivic eSlate Sequoia Advantage Hart InterCivic eScan/eSlate PAGED DREFULL-FACE DREDRE & OPTICALOPTICAL

46. Pennsylvania Voting Systems (2006) ES&S iVOTRONIC TOUCHSCREEN ES&S iVOTRONIC + M100 OPTICAL ES&S iVOTRONIC + M100 + AUTOMARK ES&S 650 OPTICAL DIEBOLD TSX TOUCHSCREEN ADVANCED WINVOTE SEQUOIA EDGE TOUCHSCREEN DANAHER 1242 FULL-FACE DRE SEQUOIA ADVANTAGE FULL-FACE DRE HART ESLATE DRE HART ESLATE + ESCAN

47. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS What’s the Best Voting Method? HAVA requires –vote verification, correction §301(a)(1)(A)(i) –overvote warning §301(a)(1)(A)(iii) –permanent paper record §301(a)(2)(B)(i) –disabled accessibility §301(a)(3)(A) –alternative language accessibility §301(a)(4) States require –secrecy –security –reliability –usability

48. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Desirable Voting System Characteristics Secret Accurate Eligible voters Vote once only Tamper-proof Reliable Auditable No vote-buying (receipt-free) Verifiable Non-coercible Transparent MOST STATES REQUIRE NO STATES REQUIRE (except coercion is a crime)

49. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Voting System Requirements Accuracy Secrecy Security Auditability No take-home receipts No identifiable ballots –Pennsylvania law: “No ballot which is so marked as to be capable of identification shall be counted.” 25 P.S. §3063(a) Conformance with state law

50. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Federal Requirements (2006) Overvote warning Permanent paper record Correct ballot before casting Disabled accessibility Multiple languages and alphabets (LA County: 12)

51. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Sample State Laws Ballot complexity, e.g. 135 candidates Vote-for-many (e.g. 25 out of 87) Straight-party voting Write-ins Early voting Ballot rotation Provisional ballots “Fleeing voter”

52. UNIVERSITY LECTURE SERIES OCTOBER 12, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Why Don’t We Have Paper Trails in Pennsylvania? No one makes a paper trail machine that conforms to Pennsylvania law Several violate multiple provisions, particularly secrecy