CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Paper Trails and Voting System Certification Michael I. Shamos, Ph.D., J.D. Institute for Software Research Carnegie Mellon University
Fear is Rampant
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Outline The Certification Process –Federal qualification –State certification Paper trails –What are they? –Examples –Pennsylvania Election Code
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Qualification and Certification A vendor “may request the Secretary of the Commonwealth to examine such system if –the voting system has been examined and approved by a federally recognized independent testing authority and –if it meets any voting system performance and test standards established by the Federal Government.” 25 P.S. §3031.5(a) Federal recognition (under HAVA) is by the EAC, with advice from the National Institute of Standards and Technology (NIST)
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Federal Qualification There are three federally recognized ITAs: –CIBER (Huntsville), SysTest (Denver), Wyle (Huntsville) They test to the 2002 Federal Voting System Standards developed by the FEC (now transferred to the EAC) 2005 Standards published; not yet used for testing A system that has passed ITA testing is “federally qualified” and is eligible for Pennsylvania testing
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS State Certification ITAs do not test for compliance with state law Every state has unusual requirements; must be examined by the state “No electronic voting system shall, upon any examination or reexamination, be approved by the Secretary of the Commonwealth, or by any examiner appointed by him, unless it be established that such system, at the time of such examination or reexamination [meets a list of mandatory requirements]” 25 P.S. §3031.7
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Certification Requirements Secrecy Accuracy Security; precludes tampering No overvotes; no double voting PA election law: straight-party, write-ins (Total of 17 requirements) + All other provisions of PA election law
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Certification Exams Public (by policy, not statute) Two examiners; one selected by Department of State for each exam Examiner submits report to the Secretary Secretary decides whether to approve certification “No electronic voting system not so approved shall be used at any election” 25 P.S. §3031.5(c) A county may use any approved system
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Why Don’t We Have Paper Trails? Answer: No paper trail system exists that complies with Pennsylvania law Question: Why is it so difficult to engineer a legal paper trail system?
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPAT Voter-verified paper audit trail Produce a paper document that the voter can view before casting the ballot to verify that the vote was captured correctly Retain the paper document to be used for a recount, if necessary. DEMODEMO Concept: if someone has tampered with the machine, the correct count can be obtained from the paper records [Assume this statement is accurate. It isn’t, but assume it is.]
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Reality: It’s very hard No one has ever done it in an election No one can give a credible way to do it Electronic machines are more secure than any other voting method Myth 1: It’s easy to tamper with electronic voting machines
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Reality: DREs have been used successfully in Pennsylvania for over 20 years, since 1984 Myth 2: DREs are a new, untried technology
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Reality: Every DRE must “provide for a permanent physical record of each vote cast” 25 P.S. § The record is made; not visible to voter Myth 3: “Paperless” DREs are unauditable and don’t allow recounts
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Reality: False. It guarantees only that the voter choice was understood by the machine No guarantee that it was recorded, counted or that it will survive long enough for a recount Myth 4: A voter-verified paper trail guarantees that every vote counts
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Reality: DRE elections are fully auditable The voter knows her vote has been counted because the machine is tested before and after the election The audit mechanism can be tested Myth 5: You can’t have a trustworthy election without a voter-verified paper trail
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Reality: Requiring a paper trail will make DRE elections impossible in PA since no certifiable paper trail system currently exists Myth 6: The legislature can solve the problem by requiring a paper trail
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Mandatory Requirements Voter secrecy “All elections by the citizens shall be by ballot or by such other method as may be prescribed by law; Provided, That secrecy in voting be preserved.” Pa. Const. Art. VII, Sec Secrecy
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Mandatory Requirements Ballot non-identifiability “No ballot which is so marked as to be capable of identification shall be counted.” Pa. Election Code, 25 P.S. §3063(a) Purpose: to prevent vote-selling 2. Non-identifiability
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Mandatory Requirements Can’t allow voter a take-home receipt showing how she voted Could be used as proof of vote Would promote vote-selling 3. No take-home receipts
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Mandatory Requirements Voter-verified ballots must be voter-verifiable If the ballot contains anything that is not readable by the voter that could be used to change or invalidate the vote, it’s not voter-verifiable The voting system must be “suitably designed for the purpose used.” 25 P.S. §3031.7(11) 4. Nothing unverifiable
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Sequoia VeriVote Paper Trail Ballot Serial Number Two-dimensional Barcode with Voter Choices CONTINUOUS ROLL OF PAPER Problems: 1. No secrecy. Ballots are printed in sequential order 2. Each ballot is identifiable by serial number
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VoteTrakker Cut-Sheet From an Avante whitepaper: NJ Feb 26, 2001 President / Vice President GEORGE WASHINGTON, Andrew JACKSON US Senator John HANCOCK House of Representative Ben Franklin County Clerk JohnQuincy ADAMS Board of Chosen Freeholders Paul REVERE Board of Chosen Freeholders William HTAFT Board of Chosen Freeholders Theodore ROOSEVELT Public Question 1 Yes Public Question 2 No Public Question 3 Yes Thank you for voting! Wrong! The “check-code” makes the ballot identifiable AND not voter-verifiable
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Populex Ballot Marking System Machine only MARKS a ballot; does not tabulate Ballot is tabulated by a separate scanner that reads the barcode
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS A Populex Ballot HUMAN-READABLE SELECTIONS MYSTERIOUS BARCODE Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. No ballot integrity
AccuPoll Cut-Sheet System
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS AccuPoll Paper Trail BALLOT KEY BALLOT KEY, 2D BARCODE OCR SCANNABLE CHOICES HUMAN-READABLE CHOICES Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. No ballot integrity
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA COMPLETE VIOLATION OF VOTER PRIVACY
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA NOT VOTER-VERIFIABLE
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA CAN BE USED AS PROOF OF VOTE
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA NO SUCH SYSTEM EXISTS
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA NOT COMMERCIALLY AVAILABLE
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS VVPATs V V PAT SYSTEMS CONTINUOUS ROLL CUT SHEET VIEW-ONLY VOTER-HANDLED DEPOSIT (e.g. AccuPoll) TAKE-HOME (e.g. VoteHere) CRYPTO INDICIA (e.g. Sequoia) NO INDICIA (e.g. Diebold) CRYPTO INDICIA (e.g. Avante) NO INDICIA NO SUCH SYSTEM EXISTS NOT COMMERCIALLY AVAILABLE NOT VOTER-VERIFIABLE CAN BE USED AS PROOF OF VOTE COMPLETE VIOLATION OF VOTER PRIVACY
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Paul DeGregorio Commissioner, Election Assistance Commission
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Q A &
Paper Trails Traditional electronic voting: only record made of your vote is electronic Usually, machine counters are incremented; AND Complete “image” of each ballot is stored in redundant memories, some write-once, e.g. CD-R Problem: what happens if there’s a bug (or a malicious intrusion) causing the ballot to be recorded incorrectly (not as you saw it while voting)?
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Paper Trails Traditional answer: Examine the machines, examine the source code Test the machines before, during and after the election But suppose someone could hide undetectable rogue code that swapped votes? [Assume it’s possible, whether it is or not] How would we ever know? One answer: voter-verified paper audit trail (VVPAT)
Electronic Voting Voter interacts with a computer to select and record her choices No “document ballot,” like a punched card or optical scan POLLING PLACE FULL BALLOT RECORDED ON 1. MACHINE; AND 2. WRITE-ONCE MEDIA; AND 3. REMOVABLE MEMORY DEVICE (PCMCIA CARD, ENCRYPTED) COUNTY OFFICE BUILDING AT CLOSE OF POLLS: TOTALS TAPE PRODUCED, SIGNED BY JUDGES THIS IS THE OFFICIAL VOTE TOTALS TAPE POSTED IN POLLING PLACE COPY OF TAPE SENT TO COUNTY MEMORY CARD REMOVED MEMORY CARD SENT TO COUNTY UNOFFICIAL VOTE TOTALS PRODUCED, GIVEN TO MEDIA WEEKS LATER: OFFICIAL CANVASS BASED ON OFFICIAL RETURNS
Paper-trail advocates say: if no VVPAT, then precinct count optical scanning is the best alternative
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS The Hursti Exploit Discovered by Finnish security expert Harri Hursti Works against Diebold optical scan voting machines Diebold AccuVote OS has a PCMCIA memory card with ballot setup information, vote counters and predefined report formats PRINTER INSIDE OPTICAL BALLOT LCD DISPLAY BACK OF MACHINE FRONT OF MACHINE
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Pennsylvania Law The voting system “shall include the following mechanisms or capabilities:” 1.“a public counter … which shall show during any period of operation the total number of ballots entered for computation and tabulation.” (THE “PUBLIC COUNTER”) 2.“an element which generates a printed record at the beginning of its operation which verifies that the tabulating elements for each candidate position and each question and the public counter are all set to zero.” (THE “ZERO REPORT”) 3.“an element which generates a printed record at the finish of its operation of the total number of voters whose ballots have been tabulated [and] the total number of votes cast for each candidate whose name appears on the ballot.” (THE “TOTALS REPORT”) 25 P.S. §3031.7(16)
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Background of Exploit Voting machines are used in multiple states For ease of maintenance, Diebold uses a report generation language “AccuBasic” to satisfy the report requirements of different states AccuBasic is like Basic, but only has read access to the memory card “Compiled” AccuBasic is similar to Java bytecode “Compiled” AccuBasic programs are loaded on the memory card automatically by a computer at the county “Compiled” AccuBasic is interpreted by firmware on the scanner to produce printed reports on the onboard printer on Election Day In Pennsylvania, the TOTALS REPORT signed by the election judges constitutes the official return
SOURCE: SCOOP.NZSCOOP.NZ The Hursti Exploit HACK ZERO REPORT PRESET VOTE TOTALS Human Interface
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS The Hursti Exploit Diebold creates AccuBasic source (.abs) filesabs Diebold compiles.abs into AccuBasic “object” (.abo) filesabo Diebold adds.abo files to its GEMS Election Management System AT DIEBOLD County buys GEMS with.abo files loaded for its state County sets up election with GEMS Election data,.abo files loaded on memory card County tests machine with memory card AT COUNTY County delivers machine to polling place Zero report printed out Voters cast ballots Totals report printed out AT POLLING PLACE POLLS OPENED POLLS CLOSED HURSTI EXPLOIT OCCURS HERE
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS The Hursti Exploit Memory card created at county, inserted in machine: VOTE COUNTERS ACCUBASIC.ABO FILES FOR REPORTS, NOT TABULATION CANDIDATE NAMES PARTIES BALLOT POSITIONS ELECTION DATA TO PRODUCE TABULATION: Counters are short integers; overflow is not trapped Large positive numbers act as negative numbers, e.g. 65,520 is equivalent to -16 since 65, = 65,536 = 0 Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero. Hursti Exploit, Part 2: Replace the zero report.abo file with one that always prints zeros regardless of counter values. Result: Votes added to some candidates, subtracted from others, but the total count does not exceed the number of voters. Result: When memory card counters are overwritten at the close of polls, no electronic record of the exploit exists. NOT CERTIFIED
CCAP SPRING CONFERENCE MARCH 28, 2006 COPYRIGHT © 2006 MICHAEL I. SHAMOS Other Diebold Machines? Accu-Vote Central Count optical scan does not use either Accu-Basic or memory cards. CERTIFIED Accu-Vote TSx touchscreen uses Accu-Basic but –does not have candidate counters on memory card, so no pre-loading possible –has firmware that checks number of ballots voted, so zero totals can be verified CERTIFIED
Department of State does not buy voting equipment; counties do Total number of Diebold machines in Pennsylvania: 0 Hursti exploit not possible on TSx and central count opscan
Some People Are Never Satisfied LAWSUITS AGAINST THE SECRETARY OF THE COMMONWEATH FILED JAN. 17, 2006 FILED 11:35 A.M. FILED 11:36 A.M.