E-voting in an Untrustworthy World

Rebecca Mercuri, Ph.D.
Election Administration Assumptions
• People in power run elections
• Power corrupts
• Election administrators have a vested interest in:
  - remaining in control and/or
  - passing control to like-minded individuals
• Election systems that rely on procedural or validatory controls that are performed by election administrators are inherently subvertible

E-voting in an Untrustworthy World
Copyright © 2004 Rebecca Mercuri
The 6 Commandments of Voting
- Michael Shamos
I. Thou shalt keep each voter’s choices an inviolable secret.
II. Thou shalt allow each eligible voter to vote only once, and only for those offices in which the voter is authorized to cast a vote.
III. Thou shalt not permit tampering with thy voting system, nor the exchange of gold for votes.
IV. Thou shalt report all votes accurately.
V. Thy voting system shall remain operable throughout each election.
VI. Thou shalt keep an audit trail to detect sins against Commandments II-IV, but thy audit trail shall not violate Commandment I.

Voters Want
• To know that their ballot is cast and counted as intended
• Counts and recounts to be:
  - independent
  - unbiased
  - reproducible
  - accurate
  - understandable

Recounts
• Fully electronic systems do not provide any way for the voter to independently verify that the ballot cast corresponds to the data that was recorded and transmitted.
• Election officials are given no way to conduct an independent recount since the audit trails that are provided lack checks and balances.
• “Recounts” are really only “Reprints” because they use computer-generated ballot images. (GIGO -- Garbage In, Garbage Out.)
• “Fail-safe” vendor claims are misleading – machines can and have failed in actual use, resulting in unrecoverable data loss.

Vulnerabilities
• Inherent in the nature of all computers (including those used for ballot preparation and vote tallying) are aspects that can be intentionally or accidentally used to subvert the systems.
• Elections are large-stakes, adversarial processes that occur in a short, identifiable time frame; hence they are high-risk targets.
• The anonymity requirement for voting prevents the use of traditional forms of auditing.
• Earlier forms of election fraud typically required collusion; computers provide the opportunity for a lone insider to affect outcomes on a broad scale.
• Such corruption is nearly impossible to prevent or detect.

The Perfect Crime
• Occurs invisibly
• Weapon is part of regular toolset
• Potential suspects are allowed to tamper with crime scene before evidence is collected
• Critical evidence is prevented from disclosure
• “Hearsay” evidence -- not from original source
• Prosecutors are falsely maligned
• Incorrect suspect is charged

The Smell Test
• Are Generally Accepted Principles and Procedures being used?
  - auditing
  - security
  - testing
  - manufacture
  - configuration management
• Are standards biased to favor vendors over users?
• Do claims violate laws of science?
• Do you need a Ph.D. to understand it?

The Eyeball Test
• Are there parts of the system that are prevented from disclosure?
• Are all elements in the critical data path open for independent verification and validation?
• How can all administrators and users confirm that appropriate modules (for software, hardware, crypto, etc.) are installed?
• How do we know it really works?

The Taste Test
• Allow others to try it out before you do
• Collect data from results
• Compare with other products
• Obtain ingredients list
• Discard if toxic

Auditory Feedback for the Blind
“Very few of our members were able to vote privately, independently, despite Santa Clara County’s [Calif.] supposed ‘accessible’ [Sequoia] touch screens.”
-- Dawn Wilcox, president of the Silicon Valley Council of the Blind
Features include: poor sound quality, delayed response time, upside-down Braille, 30+ minutes to cast ballot.
Mercer County, New Jersey, was charged $2,000 per machine on top of the $6,000 price tag for the Sequoia “audio option.”

Tactile Ballots
• Allow visually impaired citizens to vote privately at the precinct or at home.
• Approved by the United Nations and used by the State of Rhode Island and also by various democratic countries.
http://www.electionaccess.org/Bp/Ballot_Templates.htm

California Recall Data Analysis

Machine Type            Recall   Recall   Candidates   Cand.   Average   Avg.
                                 Rank                  Rank              Rank
Punchcard                 6.24     3         8.30        3       7.3      3
  Datavote                1.95     3         5.25        2       3.6      2
  Votomatic               8.17    10         9.46        9       8.8     10
  Pollstar                6.03     9         9.01        6       7.5      9
Optical Scan              2.68     2         7.46        2       5.1      2
  Diebold Accu-Vote-OS    2.37     5         5.91        4       4.1      3
  ES&S 550 and 650        2.51     6         9.06        7       5.8      7
  ES&S Eagle              1.87     2        10.89       10       6.4      8
  Mark-A-Vote             3.04     7         7.57        5       5.3      6
  Sequoia                 4.35     8         5.54        3       4.9      4
Touchscreen               1.50     1         6.77        1       4.1      1
  Diebold Accu-Vote-TS    0.73     1         9.23        8       5.0      5
  Sequoia Edge            2.01     4         4.37        1       3.1      1

Rank 1 is the lowest figure in each column. The three machine-type rows (Punchcard, Optical Scan, Touchscreen) are ranked against each other; the ten individual machines are ranked against each other.

Based on information compiled by Chad Michael Topaz <topaz@ucla.edu> and Rebecca Mercuri from data provided by the California Secretary of State at: http://www.ss.ca.gov/elections/sov/2003_special/contents.htm
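The slide prints only final figures, so here is an added Python check (not part of the slide deck, and not Topaz's or Mercuri's analysis code) that re-derives the Average and the three Rank columns from the Recall and Candidates figures transcribed from the slide. It assumes that Average is the mean of the two figures rounded to one decimal place, that rank 1 is the lowest figure, and that machine-type summary rows are ranked only against the other two types while individual machines are ranked only against the other nine machines; those assumptions are mine, not stated on the slide.

```python
from decimal import Decimal, ROUND_HALF_UP

# Figures transcribed from the "California Recall Data Analysis" slide.
# Columns: machine, group, recall, candidates, published average,
# published recall rank, published candidates rank, published average rank.
# A row whose machine name equals its group name is that group's summary row.
# (Added example: the table data is the slide's; the checking logic is not.)
ROWS = [
    ("Punchcard",            "Punchcard",    "6.24", "8.30",  "7.3",  3,  3,  3),
    ("Datavote",             "Punchcard",    "1.95", "5.25",  "3.6",  3,  2,  2),
    ("Votomatic",            "Punchcard",    "8.17", "9.46",  "8.8", 10,  9, 10),
    ("Pollstar",             "Punchcard",    "6.03", "9.01",  "7.5",  9,  6,  9),
    ("Optical Scan",         "Optical Scan", "2.68", "7.46",  "5.1",  2,  2,  2),
    ("Diebold Accu-Vote-OS", "Optical Scan", "2.37", "5.91",  "4.1",  5,  4,  3),
    ("ES&S 550 and 650",     "Optical Scan", "2.51", "9.06",  "5.8",  6,  7,  7),
    ("ES&S Eagle",           "Optical Scan", "1.87", "10.89", "6.4",  2, 10,  8),
    ("Mark-A-Vote",          "Optical Scan", "3.04", "7.57",  "5.3",  7,  5,  6),
    ("Sequoia",              "Optical Scan", "4.35", "5.54",  "4.9",  8,  3,  4),
    ("Touchscreen",          "Touchscreen",  "1.50", "6.77",  "4.1",  1,  1,  1),
    ("Diebold Accu-Vote-TS", "Touchscreen",  "0.73", "9.23",  "5.0",  1,  8,  5),
    ("Sequoia Edge",         "Touchscreen",  "2.01", "4.37",  "3.1",  4,  1,  1),
]


def mean_1dp(a, b):
    """Mean of two printed figures, rounded half-up to one decimal place.
    Decimal rather than float so that .x5 cases round as a hand calculation would."""
    total = Decimal(a) + Decimal(b)
    return (total / 2).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def rank_ascending(values):
    """Return ranks aligned with `values`; rank 1 is the smallest value
    (assumption: the slide treats the lowest figure as best)."""
    order = sorted(range(len(values)), key=lambda i: values[i])
    ranks = [0] * len(values)
    for r, i in enumerate(order, start=1):
        ranks[i] = r
    return ranks


def recompute(rows=ROWS):
    """Re-derive (average, recall rank, candidates rank, average rank) per row.
    Assumption: group summary rows are ranked only against the other groups,
    and machine rows only against the other machines (two separate tiers)."""
    averages = [mean_1dp(r[2], r[3]) for r in rows]
    result = {}
    for group_tier in (True, False):
        idx = [i for i, r in enumerate(rows) if (r[0] == r[1]) == group_tier]
        recall_ranks = rank_ascending([Decimal(rows[i][2]) for i in idx])
        cand_ranks = rank_ascending([Decimal(rows[i][3]) for i in idx])
        avg_ranks = rank_ascending([averages[i] for i in idx])
        for k, i in enumerate(idx):
            result[rows[i][0]] = (str(averages[i]), recall_ranks[k],
                                  cand_ranks[k], avg_ranks[k])
    return result


def discrepancies(rows=ROWS):
    """List (machine, column, published, recomputed) wherever a derived column
    on the slide disagrees with what its two input columns give."""
    recomputed = recompute(rows)
    found = []
    for name, _group, _recall, _cand, pub_avg, pub_rr, pub_cr, pub_ar in rows:
        avg, rr, cr, ar = recomputed[name]
        for column, published, mine in (("average", pub_avg, avg),
                                        ("recall_rank", pub_rr, rr),
                                        ("cand_rank", pub_cr, cr),
                                        ("avg_rank", pub_ar, ar)):
            if str(published) != str(mine):
                found.append((name, column, published, mine))
    return found


if __name__ == "__main__":
    for mismatch in discrepancies():
        print("mismatch:", mismatch)
```

Every rank on the slide re-derives exactly under these assumptions, which supports the two-tier reading of the Rank columns. The check flags one inconsistency: the slide prints 3.1 as the Sequoia Edge average, but (2.01 + 4.37) / 2 = 3.19, which rounds to 3.2. The published averages were most likely computed from unrounded source data rather than from the printed figures, so the difference is a presentation artifact, not an error in the ranking; it does not change any rank.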
Accuracy
• Every vote does NOT count!
• Lost vote rate of 3 - 5% far exceeds manufacturer’s stated “error rates”
• Residual vote is an inappropriate metric
• Testing is performed on pristine data sets under controlled conditions and does not reflect the real voting environment

David Chaum’s Crypto Solution
Cryptographic Solutions
• Modules must be subjected to formal correctness proofs
• Who trusts the trustees?
• Must be understandable by general public
• Must be transparent to all
• Independent auditing is essential
• Could/should be used to secure paper ballots

Open Source
…can NOT provide sufficient verification and validation assurances.
“You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.”
-- Ken Thompson, 1984

Ballots ≠ Receipts
• Ballot has a distinct legal connotation
• Verified is not the same as verifiable
• Must retain anonymity
• Must not demonstrate proof of vote

Election Lotto
Ballots should be:
• Easy to obtain
• Usable by all
• Controlled when cast

Voting Machine Hacking Contest
• Proof of hack will not prevent vendors from playing the “we’ve fixed that” shell game
• Lack of hack provides no assurance of security
• Despite this... DEFCON 12 has offered a contest venue (Las Vegas, July 30 - Aug. 1)
• Put up or shut up challenge -- Shamos, Neff/Adler, other vendors
• Rules will need to be well-defined in advance
• Must allow insider or outsider attack
• SEE ME FOR DETAILS!

For More Information...
Rebecca Mercuri
mercuri@acm.org
www.notablesoftware.com/evote.html