Electronic Voting: Danger and Opportunity


1 Electronic Voting: Danger and Opportunity
J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

2

3 Joint work with … Joe Calandrino, Ari Feldman, Ed Felten

4

5 2000 Recount Debacle
Legislative response: Help America Vote Act
Provided $3.9 billion to states to upgrade voting machines by November 2006

6 DREs to the Rescue?
Direct Recording Electronic – Store votes in internal memory

7 DREs are Computers
Viruses, Rootkits, Bugs, Attacks

8

9

10 Diebold’s History of Secrecy
Used NDAs to prevent states from allowing independent security audits
Source code leaked in 2003, researchers at Johns Hopkins found major flaws
Diebold responded with vague legal threats, personal attacks, disinformation campaign
Internal e-mails leaked in 2003 reveal poor security practices by developers
Diebold tried to suppress sites with legal threats

11 We Get a Machine (2006)
Obtained legally from an anonymous private party
Software is 2002 version, but certified and used in actual elections
First complete, public, independent security audit of a DRE

12 Research Goals
Conduct independent security audit
Confirm findings of previous researchers (Hursti, Kohno et al.)
Verify threats by building demonstration attacks
Figure out how to do better
Who wants to know? Voters, candidates, election officials, policy makers, researchers

13 SH3 CPU; 32 MB SDRAM; 128 KB EPROM; 16 MB Flash; Removable Flash Memory Card

14

15 Our Findings
Malicious software running on the machine can steal votes undetectably, altering all backups and logs
[Feldman, Halderman & Felten 2007]

16 Correct result: George 5, Benedict 0

17

18

19 Our Findings
Malicious software running on the machine can steal votes undetectably, altering all backups and logs
Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
[Feldman, Halderman & Felten 2007]

20

21 The Key
Commonly available key
Easy-to-pick lock
Key photo on web site
Image credits: Jukebox by Flickr user shil (CC); Minibar by Flickr user *0ne* (CC)

22

23 Our Findings
Malicious software running on the machine can steal votes undetectably, altering all backups and logs
Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
[Feldman, Halderman & Felten 2007]

24 Voting Machine Virus

25 Viral Spread

26

27 California “Top-to-Bottom” Study
Bill Zeller, Alex Halderman, Harlan Yu, Joe Calandrino, Debra Bowen, Ari Feldman

28 California “Top-to-Bottom” Results
Hart, Sequoia, Diebold

29

30 WHAT TO DO?

31 E-Voting Advantages
Voters prefer it
Faster reporting
Fewer undervotes
Improved accessibility
Potentially increased security*

32 WE CAN DO BETTER!

33 Electronic + Paper Records
Touch-screen (DRE) machine, plus voter-verifiable paper trail
Hand-marked paper ballot, machine-scanned immediately

34 Failure Modes
Paper Ballots: Physical tampering; “Retail” fraud; After the election
Electronic Records: Cyber-tampering; “Wholesale” fraud; Before the election
Redundancy + Different failure modes = Greater security

35 Proposed Legislation
H.R. 811: Voter Confidence and Increased Accessibility Act
Voter-verifiable paper record and random manual audits
Access to voting software and source code, to verify security
Additional money for states
Rep. Rush Holt
In time for 2008 election. Rush Holt, PhD physics.

36 How to Audit
Redundancy only helps if we use both records!
Electronic records fast and cheap to tally.
Paper records very expensive and slow to tally. But: verified by voter

37 How to Use Paper Records?
Use a machine to count the paper records: Too risky
Count the paper records by hand: Too expensive
Check a random subset of paper records by hand …but which subset?

38 Standard Approach
Pick some precincts randomly.
Hand-count paper records.
Should match electronic records.

39 Statistical Auditing’s Goal
Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

40 Audit Example
Alice: % Bob: %
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts
Cost: about $100,000

41 An Alternative Approach
Precinct-based auditing Ballot-based auditing

42 How large a sample do we need?
100 marbles, 10% blue
6300 beads, 10% blue

43 Audit Example
Alice: % Bob: %
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts → ballots
Cost: about $100,000 → $1,000
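
An added worked example (not part of the original slides) for the sampling argument on slides 42 and 43: the sample needed to catch at least one bad unit depends on the bad fraction and the confidence level, and hardly at all on the population size, so sampling single ballots instead of whole precincts cuts the hand-counting. The function names, the 1,000-ballot precinct size, and the assumption that 5% of the audited units are bad in both cases are illustrative choices, not taken from the slides.

```python
import math


def miss_probability(population, bad, sample):
    """Chance that `sample` units drawn without replacement contain no bad unit."""
    if sample > population - bad:
        return 0.0  # more draws than good units: a bad one must appear
    p = 1.0
    for i in range(sample):
        p *= (population - bad - i) / (population - i)
    return p


def min_sample_size(population, bad, confidence):
    """Smallest sample that catches at least one bad unit with the given confidence."""
    if bad <= 0:
        raise ValueError("nothing to detect: bad must be positive")
    for n in range(1, population + 1):
        if miss_probability(population, bad, n) <= 1.0 - confidence:
            return n
    return population


def large_population_bound(bad_fraction, confidence):
    """Sample size when the population is so large that draws are independent."""
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - bad_fraction))


def ballots_hand_counted(units_sampled, ballots_per_unit):
    """Hand-counting effort: every ballot in each sampled unit is examined."""
    return units_sampled * ballots_per_unit


if __name__ == "__main__":
    # Slide 42: both containers are 10% blue; only the population size differs.
    marbles = min_sample_size(100, 10, 0.95)
    beads = min_sample_size(6300, 630, 0.95)
    print("marbles:", marbles, "beads:", beads)

    # Slide 43: same 5% / 95% goal; the audited unit is a precinct or one ballot.
    # Assumption: 5% of the audited units are bad in both cases.
    n = large_population_bound(0.05, 0.95)
    precinct_size = 1000  # constructed value, not from the slides
    print("units to sample:", n)
    print("ballots handled, precinct audit:", ballots_hand_counted(n, precinct_size))
    print("ballots handled, ballot audit:  ", ballots_hand_counted(n, 1))
```

Under these assumptions the bound is 59 units, close to the 60 on the slides; the slides do not say how their figure was derived.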

44 Why Not Ballot-based?
Need to match up electronic with paper ballots.
Compromises the secret ballot!
[Figure: voting machine with electronic records (Alice, Bob) and paper ballots (● Alice ○ Bob; ○ Alice ● Bob)]

45 Secret Ballot
Prevents coercion and vote-buying
Requirements:
Nobody can tell how you voted.
You can’t prove to anyone how you voted.
You can be confident in these properties.

46 Serial Numbers
[Figure: voting machine; paper ballots with serial numbers 1 (● Alice ○ Bob), 2 (○ Alice ● Bob), 3 (● Alice ○ Bob); electronic record: 1 Alice]

47 “Random” Identifiers
[Figure: voting machine; paper ballots with identifiers 325631 (● Alice ○ Bob), 218594, 810581 (● Alice ○ Bob)]

48 Machine-Assisted Auditing
Step 1. Check electronic records against paper records using a recount machine.
[Figure: paper ballots and electronic records numbered 1 … 929; electronic tally Alice: 510, Bob: 419]
[Calandrino, Halderman & Felten 2007]

49 Machine-Assisted Auditing
[Figure: paper ballots and electronic records numbered 1 … 929; electronic tally Alice: 510, Bob: 419]
[Calandrino, Halderman & Felten 2007]

50 Machine-Assisted Auditing
Step 2. Audit the recount machine by selecting random ballots for human inspection.
[Figure: ballots 321 (○ Alice ● Bob) and 716 (● Alice ○ Bob) selected from ballots 1 … 929 and compared with electronic records 321 Bob and 716 Alice]
[Calandrino, Halderman & Felten 2007]

51 Machine-Assisted Auditing
Machine Recount, Manual Audit
We can use a machine without having to trust it!
As efficient as ballot-based auditing, while protecting the secret ballot.

52 Evaluation
2006 Virginia U.S. Senate race, 0.3% margin of victory
We want 99% confidence
Precinct-based: 1,141,900 ballots; 1,252 precincts
Machine-assisted: 2,339 ballots; 1,351 precincts
Jim Webb (D) and George Allen

53 Doing Even Better
Bob: %
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob.
Only need to audit ballots marked for Alice.

54 In General …
Key idea: Probability of auditing a ballot should depend on how that ballot is marked
Full algorithm accounts for:
multi-candidate races
multi-seat races
undervotes and overvotes
write-ins

55 Evaluation
2006 Virginia U.S. Senate race, 0.3% margin of victory
We want 99% confidence
Precinct-based: 1,141,900 ballots; 1,252 precincts
Machine-assisted: 2,339 ballots; 1,351 precincts
Content-sensitive: 1,179 ballots; 853 precincts

56 E-Voting: Opportunity
Used correctly, new technology can make voting cheaper, faster, and more reliable.
Where possible, should design technology so that we don’t need to trust it.
Research points the way… Making rapid progress—on some problems.
In practice, we have a long journey ahead.

57 Electronic Voting: Danger and Opportunity
J. Alex Halderman Department of Computer Science Center for Information Technology Policy Princeton University

