Electronic Voting Down for the Count? Charles P Riedesel University of Nebraska, Lincoln Computer Science & Engineering

Where I am coming from Mathematician – “fair” elections are impossible Computer scientist/engineer – designing errorless/unhackable computer hardware and software is impossible Politition – fooling the people all the time is impossible

Where am I coming from? I teach computer organization – By the end of freshman year my students can design the circuitry of a functional computer. I know how to hide an “Easter Egg” in hardware that is virtually impossible to find. –Counterfeit chips are already a problem –An Easter Egg is a surprise that can be uncovered by very particular actions, a “Cryptic Knock” –Example: MicroSoft Excel 97 had a hidden flight simulator, activated by keying at special cell –Cryptic knocks can be used to wake up trojan horses!

Where am I coming from? I have taught operating systems and compiler construction at the jr/sr/grad level. With this knowledge we can replace and/or modify COTS (Commercial Off The Shelf) software to do things totally unexpected by unknowing programmers.

Where am I coming from? I have gone through a lot of the technical reports about voting systems hardware and software, and can make sense and comment of most of it. My colleagues who are more expert at communication networks and software engineering aspects can absorb it all.

Today’s Agenda The role of elections in our democracy Makings of an election Rise and fall of the DRE Other players, organizations, documents Recommendations

The Role of Elections in Our Democracy Inherent mathematical flaws of elections An election is only a snapshot of those voting Weighted voting One person, one vote? Legitimacy based on trust Principles for a good election

Inherent Mathematical Flaws of Elections Winning is not transitive –Three-way race with Alice, Bob and Calvin based on three equally important issues of abortion, taxes, and war. –Voters prefer Alice, then Bob, then Calvin on abortion. –Voters prefer Bob, then Calvin, then Alice on taxes. –Voters prefer Calvin, then Alice, then Bob on war –In two way races Alice beats Bob, Bob beats Calvin, and Calvin beats Alice!

An Election is only a Snapshot Elections are held on one day (usually) Polls demonstrate dynamics of a race Sensitive to late-breaking news, charges New information after the election Election really valid for 2, 4, or 6 years?

Weighted Voting What if Alice beats Bob, but it is only because 51% mildly prefer Alice, but 49% detest Alice and adore Bob? Overall, Bob is better liked! What if Calvin beats Don 55% to 45%. Instead of winner takes all, put both in office and weigh their single vote on all issues!

One Person, One Vote? You are smart, well versed on issues. The idiot with an IQ of 40 on your right really has no idea what is going on. The blow-hard on your left is caught up in some single-issue thing. Should your vote really count the same as either of theirs?

Legitimacy Based on Trust Numerous flaws in elections Possibility of mathematically invalid results Can anyone find a better way? What level of imperfection can we tolerate? Essential that winners and losers alike buy in to the system and accept results

Principles for a Good Election Vote storage mechanisms should be –Simple –Reliable –Durable (for the votes) –Tamper-evident –History-independent –Subliminal-free –Cost effective

Principles for a Good Election Voters need to know their vote is –Accurately recorded –Counted in the total –Anonymous – no way to track back who voted how –Private – no possible evidence to show anyone how he/she voted

Makings of an Election Voting system machinery –GEMS –Electronic Voting Machines DRE, DRE with VVPT, PCOS Process of an election Regulatory actors –HAVA –NIST, TGDC, EAC, STS –ITA’s – ciber, Wyle Labs, SysTest Labs –NASED –FEC

Voting System Machinery GEMS: General Election Management System – the computer and software that takes in and processes the results from all the voting machines DRE: Direct Recording Electronic voting machine – votes recorded in software DRE with VVPT: Voter Verifiable Paper Trail – votes also recorded on paper PCOS: Precinct Center Optical Scan – scans and records vote upon being cast

Process of an Election Election Definition – define races, candidates, districts, precincts Configure Voting Equipment, Print Ballots – geography makes each precinct different Pre-Election Test – Verify that everything is ready Election Day – Open polls, vote, close polls Canvassing – Compute and publish totals, archive results –(Copied from a slide by Douglas Jones)

Regulatory Actors HAVA: Help America Vote Act, 2002, –Get rid of hanging chad, –Eliminate mechanical voting machines, –Central count for absentee ballots only, –Promote accessibility for disabled voters, –Fund new machines, –Set up new agencies

Regulatory Actors NIST: National Institute of Standards & Technology – technical advisor to TGDC: Technical Guidelines Development Committee – advisory board to –(note: Nebraska Secretary Of State John A. Gale is a member of TGDC!) EAC: U.S. Elections Assistance Commission – handful of presidential appointees STS: Security and Transparency Subcommittee of TGDC – “Requiring Software Independence in VVSG 2007” recommendation to TGDC 11/2006

Regulatory Actors ITA’s: Independent Testing Authorities –Ciber: employs standard methodologies for evaluating correctness and quality of software Jan 2007 – in trouble for not following quality control procedures and lack of documentation –Wyle Labs: review source code, does hardware testing and functional testing of voting machines –SysTest: quality assurance, software test engineering, verification & validation

Regulatory Actors NASED (National Organization of State Election Directors) under the Election Center to which the ITAs report, part of the old FEC (Federal Election Commission)

Rise and Fall of the DRE The Direct Recording Electronic machine Hopkins Report SAIC Report Compuware Report Raba Report VSTAAB Report Hursti II Report Princeton Report Nedap Report

Rise and Fall of the DRE Major makers of DRE’s are –Sequoia –Diebold –ES&S Policy of “Security through Obscurity” Fundamental Challenge – electronic votes can evaporate with NO remaining evidence, unlike paper ballots Not a transparent process

Rise and Fall of the DRE Categories of Possible Attacks –Corrupt software inserted prior to election day –Wireless or other remote control attacks –Attacks on tally servers –Miscalibration of machines –Shutting off voting machine features –Denial-of-service attacks –Corrupt poll workers actions –Attacks on ballots or VVPT (thanks to Brennan Center for Justice)

Rise and Fall of the DRE Challenges for the Attacker –Overcome vendor motivation –Finding an insertion opportunity –Obtaining technical knowledge –Obtaining election knowledge –Changing votes –Eluding inspection –Eluding testing and detection –Avoiding detection after polls close (thanks to Brennan Center for Justice)

Rise and Fall of the DRE Hopkins Report – Bev Harris discovered an ftp site for Diebold that contained the software for its DRE, the AccuVote-TS. She took it to Aviel Rubin of Stanford. –“Analysis of an Electronic Voting System” by Aviel Rubin, et. al., 7/23/2003 –Based just on code analysis discovered numerous potential security problems and lax software engineering standards.

Rise and Fall of the DRE SAIC (Science Applications International Corporation) Report for Maryland State Board of Elections –“Risk Assessment Report: Diebold AccuVote-TS Voting System and Processes”, 9/2/2003 –Only 40 page redacted version (Diebold’s agreement let them do it) ever released until nearly 200 page full version leaked 11/2006 by whistleblower –Risk assessment responding to Hopkins Report, resolves many problems and hides others

Rise and Fall of the DRE Compuware (Corp.) Report –“Direct Recording Electronic (DRE) Technical Security Assessment Report”, for the Ohio Secretary of State, 11/21/2003 –Security assessment and validation of four voting machines, including Diebold’s AccuVote-TS –About 275 pages with test scenarios, results, and any identified risks with risk level (of which are a number) –Limited to the voting machine, not policies and processes

Rise and Fall of the DRE RABA (Technologies) Report for the state of Maryland –“Trusted Agent Report: Diebold AccuVote-TS Voting System”, January 20, 2004 –Security experts review the Diebold system, the SAIC report, and formed “Red Team” exercise to probe actual system setup –Successfully hacked it and the GEMS server in multiple ways –“Considerable” risks found, but with recommendations can be mitigated well enough for the primary –More needed for general election - ultimately need paper receipts

Rise and Fall of the DRE VSTAAB (California’s Voting System Technical Assessment and Advisory Board) Report “Security Analysis of the Diebold AccuBasic Interpreter”, 2/14/2006 –3 computer scientists from U of California analyzed AccuBasic, a proprietary, interpreted language used in a couple machines including the AV-TSx touchscreen because no ITA testing was done –Problems (many easily correctable) found

Rise and Fall of the DRE Hursti II Report, a Black Box Voting Project by Harri Hursti, “Diebold TSx Evaluation – SECURITY ALERT: May 11, 2006: Critical Security Issues with Diebold TSx at invitation of a Utah county –Firmware is easy to change –PCMCIA virus threat

Rise and Fall of the DRE Princeton Report “Security Analysis of the Diebold AccuVote-TS Voting Machine” by several authors at Princeton University, Sept 13, 2006 –Obtained one of the DRE machines, demonstrated Hursti’s proposed virus, and created a demo virus that attacks an election –Problems in common with desktop PCs –Diebold response is that polling place procedures provide adequate protection

Rise and Fall of the DRE Nedap(/Groenendaal) Report – “Nedap/Groenendall ES3B Voting Computer: a Security Analysis”, 10/6/2006 –Used extensively in Netherlands and nearby –Authors show how anyone can quickly gain complete and virtually undetectable control over election results –Radio eminations up to several meters away can be used to tell who votes what –Sold in US by Liberty Voting Solutions

Rise and Fall of the DRE TGDC report by STS to NIST calls for Software Independence, basically ruling out paperless DRE’s By the end of November 2006, NIST concludes that paperless DRE’s are not acceptable At the beginning of December 2006, the EAC rejects 6-6 recommendation to only certify DRE’s that use “independent audit technology” (namely paper). Cost was a factor.

Other Players, Organizations, Documents Douglas Jones Ariel Rubin Bev Harris – Black Box Voting Rebecca Mercuri Eugene Spafford William Pitt – Truthout David Dill – Verified Voting Foundation Linda Malone – President of NASED Barbara Simons - USACM The Brennan Center for Justice IEEE, ACM

Douglas Jones University of Iowa at Iowa City Department of Computer Science Gives many talks, lay and technical Inspiration for parts of this presentation –See “Voting Security: A Technical Perspective”, presented at U of S. Car. Cybersecurity Symposium, 10/27/2005

Aviel Rubin John Hopkins University Election Judge Author “Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting” Analyzed source code at the discovered Diebold ftp site

Bev Harris Seattle grandmother and writer Stumbled on the Diebold ftp site, 2002 Founded Black Box Voting Voracious investigator

Rebecca Mercuri Founder of Notable Software and Knowledge Concepts Promotes mechanism with printout to be voter verified which is protected behind glass before being dropped into box

Eugene Spafford Chair of USACM (US Public Policy Committee of the ACM) Endorsed Nov STS report advocating paper trails

William Pitt Managing editor of Truth Out

David Dill Founder of Verified Voting Foundation Stanford University Endorses voter verifiable audit trail

Linda Malone President of NASED Administrator of Maryland’s State Board of Elections In unaired Oct 2006 interview responds to questions about critical Diebold report with “I think you are in fantasy land”

Barbara Simons Formerly at IBM Former ACM chair USACM member Gives statements and testimony Upcoming 2007 book with Doug Jones

The Brennan Center for Justice New York University 2006 report on security problems of 3 most common electronic systems

IEEE and ACM Association for Computing Machinery Institute of Electrical and Electronics Engineers Professional organizations representing computer sciences and engineering ACM Policy Statement – all systems should have –Careful engineering –Strong safeguards –Rigorous testing of design and operation

Recommendations Keep things in perspective Restore and maintain trust Regulate, fund, and train Decentralize and diversify Establish reasonable processes Implement an assessment cycle

Recommendations Keep Things in Perspective – There are many factors that influence an election. Some we accept without question as legitimate, some are ignored, some are presented as terrible threats. How much do we spend to eliminate one threat, no matter how small and unlikely?

Recommendations Restore and Maintain Trust –Pay attention and respond respectfully –Educate yourself and others –Openly take reasonable steps –Stay calm –Act quickly and decisively when appropriate –Question authority at the same time as you respect authority –Keep everything as transparent as possible

Recommendations Regulate, Fund, and Train – There is no human or technological perfect system –Regulate all aspects of the election cycle –Provide adequate funding for all aspects of the election cycle including certification, acquisition, verification, and development of hardware and software –Poll workers are generally low paid and unskilled, yet the system depends on them!

Recommendations Decentralize and Diversify – Attacks (accidental and malicious) are most effective when implemented system-wide. Think of virus threat if all computers were the same or all cattle had the same DNA – thus the same vulnerabilities! –Promote competition in the industry –One size doesn’t fit all – consider costs, demographics, and accessibility –Don’t fund a pie-in-the-sky perfect solution –Limited use of DRE’s may be acceptable

Recommendations Establish Reasonable Processes – People need to know what to do in case of all kinds of events. Secure systems depend on the people implementing and using them following proper protocols. Development and certification are loaded with details that are easily overlooked.

Recommendations Implement an Assessment Cycle – The poll workers and others closest to an election should participate in evaluating the processes, looking for both good and bad features, and providing feedback that will be used (not sit on a shelf!!!) to improve the system. They see things the experts miss.