E-voting in an Untrustworthy World
Rebecca Mercuri, Ph.D.

Election Administration Assumptions
- People in power run elections.
- Power corrupts.
- Election administrators have a vested interest in remaining in control and/or in passing control to like-minded individuals.
- Election systems that rely on procedural or validatory controls performed by election administrators are therefore inherently subvertible: the people executing the control are the people the control is supposed to constrain.

E-voting in an Untrustworthy World, Copyright © 2004 Rebecca Mercuri

The 6 Commandments of Voting (Michael Shamos)
I. Thou shalt keep each voter’s choices an inviolable secret.
II. Thou shalt allow each eligible voter to vote only once, and only for those offices in which the voter is authorized to cast a vote.
III. Thou shalt not permit tampering with thy voting system, nor the exchange of gold for votes.
IV. Thou shalt report all votes accurately.
V. Thy voting system shall remain operable throughout each election.
VI. Thou shalt keep an audit trail to detect sins against Commandments II-IV, but thy audit trail shall not violate Commandment I.

Voters Want
- To know that their ballot is cast and counted as intended.
- Counts and recounts that are independent, unbiased, reproducible, accurate and understandable.

Recounts
- Fully electronic systems give the voter no way to independently verify that the ballot cast corresponds to the data that was recorded and transmitted.
- Election officials have no way to conduct an independent recount, because the audit trails that are provided lack checks and balances: every record is produced by the same system whose output is in question.
- "Recounts" are really only "reprints", because they are regenerated from the same computer-stored ballot images; any error in the recorded data is faithfully reproduced (GIGO: garbage in, garbage out).
- "Fail-safe" vendor claims are misleading. Machines can and have failed in actual use, resulting in unrecoverable data loss.
Vulnerabilities
- Inherent in the nature of all computers (including those used for ballot preparation and vote tallying) are aspects that can be intentionally or accidentally used to subvert the system.
- Elections are high-stakes, adversarial processes that occur in a short, identifiable time frame; hence they are high-risk targets.
- The anonymity requirement for voting prevents the use of traditional forms of auditing: a recorded ballot cannot be traced back to its voter to confirm that it was recorded as intended.
- Earlier forms of election fraud typically required collusion; computers give a lone insider the opportunity to affect outcomes on a broad scale.
- Such corruption is nearly impossible to prevent or detect.

The Perfect Crime
- Occurs invisibly.
- The weapon is part of the regular toolset.
- Potential suspects are allowed to tamper with the crime scene before evidence is collected.
- Critical evidence is prevented from disclosure.
- Only "hearsay" evidence is available, not evidence from the original source.
- Prosecutors are falsely maligned.
- The incorrect suspect is charged.

The Smell Test
- Are generally accepted principles and procedures being used for:
  - auditing
  - security
  - testing
  - manufacture
  - configuration management
- Are standards biased to favor vendors over users?
- Do claims violate laws of science?
- Do you need a Ph.D. to understand it?

The Eyeball Test
- Are there parts of the system that are prevented from disclosure?
- Are all elements in the critical data path open for independent verification and validation?
- How can all administrators and users confirm that the appropriate modules (software, hardware, crypto, etc.) are the ones actually installed?
- How do we know it really works?
The Taste Test
- Allow others to try it out before you do.
- Collect data from the results.
- Compare with other products.
- Obtain the ingredients list.
- Discard if toxic.

Auditory Feedback for the Blind
“Very few of our members were able to vote privately, independently, despite Santa Clara County’s [Calif.] supposed ‘accessible’ [Sequoia] touch screens.” -- Dawn Wilcox, president of the Silicon Valley Council of the Blind
- Features include poor sound quality, delayed response time, upside-down Braille, and 30+ minutes to cast a ballot.
- Mercer County, New Jersey, was charged $2,000 per machine for the Sequoia "audio option," on top of the $6,000 price tag.

Tactile Ballots
- Allow visually impaired citizens to vote privately at the precinct or at home.
- Approved by the United Nations and used by the State of Rhode Island and by various democratic countries.
- http://www.electionaccess.org/Bp/Ballot_Templates.htm

California Recall Data Analysis

Machine Type              Recall  Recall Rank  Candidates  Cand. Rank  Average  Rank
Punchcard                  6.24        3          8.30         3         7.3      3
  Datavote                 1.95        3          5.25         2         3.6      2
  Votomatic                8.17       10          9.46         9         8.8     10
  Pollstar                 6.03        9          9.01         6         7.5      9
Optical Scan               2.68        2          7.46         2         5.1      2
  Diebold Accu-Vote-OS     2.37        5          5.91         4         4.1      3
  ES&S 550 and 650         2.51        6          9.06         7         5.8      7
  ES&S Eagle               1.87        2         10.89        10         6.4      8
  Mark-A-Vote              3.04        7          7.57         5         5.3      6
  Sequoia                  4.35        8          5.54         3         4.9      4
Touchscreen                1.50        1          6.77         1         4.1      1
  Diebold Accu-Vote-TS     0.73        1          9.23         8         5.0      5
  Sequoia Edge             2.01        4          4.37         1         3.1      1

Ranks are assigned separately for the three machine-type groups (1-3) and for the ten individual machines (1-10); rank 1 is the lowest rate in its group. Average is the mean of the Recall and Candidates columns.

Based on information compiled by Chad Michael Topaz <topaz@ucla.edu> and Rebecca Mercuri from data provided by the California Secretary of State at: http://www.ss.ca.gov/elections/sov/2003_special/contents.htm

Accuracy
- Every vote does NOT count!
- The lost-vote rate of 3-5% far exceeds manufacturers' stated "error rates."
- Residual vote is an inappropriate metric.
- Testing is performed on pristine data sets under controlled conditions and does not reflect the real voting environment.

David Chaum’s Crypto Solution

Cryptographic Solutions
- Modules must be subjected to formal correctness proofs.
- Who trusts the trustees?
- Must be understandable by the general public.
- Must be transparent to all.
- Independent auditing is essential.
- Could/should be used to secure paper ballots.

Open Source
…can NOT provide sufficient verification and validation assurances.
“You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.” -- Ken Thompson, "Reflections on Trusting Trust," 1984

Ballots ≠ Receipts
- A ballot has a distinct legal connotation.
- Verified is not the same as verifiable.
- Must retain anonymity.
- Must not demonstrate proof of vote: a voter who can prove to a third party how they voted can be coerced or paid (Commandment III).

Election Lotto
Ballots should be:
- Easy to obtain.
- Usable by all.
- Controlled when cast.

Voting Machine Hacking Contest
- Proof of a hack will not prevent vendors from playing the "we've fixed that" shell game.
- Lack of a hack provides no assurance of security.
- Despite this, DEFCON 12 has offered a contest venue (Las Vegas, July 30 - Aug. 1).
- Put-up-or-shut-up challenge: Shamos, Neff/Adler, other vendors.
- Rules will need to be well-defined in advance.
- Must allow insider or outsider attack.
- SEE ME FOR DETAILS!

For More Information...
Rebecca Mercuri
mercuri@acm.org
www.notablesoftware.com/evote.html