Theory v. Practice in Electronic Voting

Michael I. Shamos, Ph.D., J.D.
Co-Director, Institute for eCommerce
Carnegie Mellon University
DIMACS ELECTRONIC VOTING
MAY 26, 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Voting System Certification
• Before voting equipment can be used or “offered for
sale” in a state, it must be certified by the state
• Certification procedures differ among the states
• Most require examination by a statutory panel of
examiners
• I was an examiner for
– Pennsylvania (1980-2000)
– Texas (1987-2000)
– West Virginia (1982)
– Delaware (1989)
– Nevada (1995)
• Examined ~100 different voting systems
Outline
• Voting history
• Voting administration
• General voting model
• Vulnerabilities
• Important problems
History of Voting
• Ancient: clash of spears, division by groups, wooden
tickets (tabellæ), balls in urns
• “ballot” from Italian ballotta, meaning “little ball”
• American colonies: voting aloud to public official
• Early 1800s: Handwritten paper ballots
• 1857: Australia introduces secret paper ballot
• 1888: Australian ballot introduced in U.S. (KY, MA)
• 1892: Mechanical lever machine to
“protect mechanically the voter from rascaldom”
• 1960s: Punched cards
• 1970s: Optical scan
• 1978: Direct-recording electronic systems
• 2000: Internet voting in primaries
Paper Ballots
• Original paper ballots were handwritten. Easy to
identify voter!
• Australian ballot (U.S., 1888)
SOURCE: DOUGLAS W. JONES
Paper Ballots
[Images dated 10/29/1864 and 1/27/1925]
New York Times, April 4, 1855
BALLOT BOXES DESTROYED
INJURIES IN RIOTS
MORE BALLOTS CAST THAN
NAMES ON THE POLL LIST
Voting Irregularities
“The ballots shall first be counted, and, if the number of
ballots exceeds the number of persons who voted … the
ballots shall be placed back into the box, and one of the
inspectors shall publicly draw out and destroy unopened
as many ballots as are equal to such excess.” F.S.
§102.061
“If two or more ballots are found folded together to
present the appearance of a single ballot … if, upon
comparison of the … appearance of such ballots, a
majority of the inspectors are of the opinion that the
ballots were voted by one person, such ballots shall be
destroyed.” F.S. §102.061
New York Times, January 12, 1925
Voting is an Ill-Conditioned Problem
• Consider a two-candidate election with n voters
• Let e (error) be the fraction of votes that can be
counted incorrectly without changing the result
• Let p be the fraction of voters who prefer candidate A
• As n grows and p → 0.5, we must have e < 1/n to
obtain the correct result
• But e does not decrease as n increases
Florida Vote Totals
8:00 a.m. Nov. 15, 2000
MARGIN WAS 300 OUT OF 5,820,684 VOTES = 1 IN 20,000
FEC STANDARDS ALLOW AN ERROR OF
~1 IN 2000 BALLOTS
SOURCE: CNN.COM
What’s the Chance of a Repeat?
• Assume we draw 6 million samples with equal
probability of choosing A or B (voters are truly
indifferent)
• What is the probability margin(x) that | A – B | < x?
$$\mathrm{margin}(x) = \sqrt{\frac{2}{\pi}} \int_{0}^{x/1225} e^{-t^{2}/2}\, dt$$
• (1225 is the standard deviation of the binomial
distribution with n = 6,000,000, p = 0.5)
• margin(300) > 19%!
• margin(16) > 1%
• Final Bush-Gore margin was 537; margin(537) > 33%!
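The integral on this slide has the closed form erf(x / (1225·√2)). The Python sketch below is an added example, not part of the original slides: it evaluates the formula as written, cross-checks it with a Simpson's-rule integration of the same integrand, and reproduces the three quoted values. The function names are hypothetical.

```python
import math

def binomial_sigma(n, p=0.5):
    """Standard deviation of a binomial count; about 1225 for n = 6,000,000."""
    return math.sqrt(n * p * (1.0 - p))

def margin(x, n=6_000_000, p=0.5):
    """Closed form of sqrt(2/pi) * integral from 0 to x/sigma of e^(-t^2/2) dt."""
    return math.erf(x / (binomial_sigma(n, p) * math.sqrt(2.0)))

def margin_numeric(x, n=6_000_000, p=0.5, steps=1000):
    """The same integral by composite Simpson's rule (steps must be even)."""
    upper = x / binomial_sigma(n, p)
    h = upper / steps
    total = 1.0 + math.exp(-upper * upper / 2.0)  # integrand at both endpoints
    for i in range(1, steps):
        t = i * h
        total += (4 if i % 2 else 2) * math.exp(-t * t / 2.0)
    return math.sqrt(2.0 / math.pi) * total * h / 3.0

def slide_values():
    """margin(x) for the three vote margins quoted on the slide."""
    return {x: margin(x) for x in (16, 300, 537)}

if __name__ == "__main__":
    print(f"sigma = {binomial_sigma(6_000_000):.1f}")
    for x, prob in slide_values().items():
        print(f"margin({x}) = {prob:.4f}  (Simpson: {margin_numeric(x):.4f})")
```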
Voting Administration in the U.S.
• Voting in the U.S. is conducted by the states
– 50 states + DC + territories
– Supervised by Secretaries of State through “elections bureau”
– Process delegated to counties, supervised by county clerk
• 3141 counties in the U.S.
• ~170,000 precincts (wards, etc.), about 54/county
• 205M eligible voters; 150M registered voters;
105M actual voters; 1M poll workers
• Federal government has only limited constitutional
power over voting procedures
– Certain “Federal offices,” e.g. U.S. Senator
– Constitutional rights, e.g. “equal protection”
– Can’t conduct elections
U.S. Voting Methods 2000-2004
2000
• Punched-card (32%)
• Optical scan (28%)
• Lever (16%)
• DRE (12%)
• Paper (1%)
• Indeterminate: (11%)
2004
• Optical scan (34%)
• DRE (31%)
• Lever (14%)
• Punched-card (14%)
• Paper (1%)
• Indeterminate: (6%)
[Figure: charts of the 2000 and 2004 voting-method shares]
The Voting Process
[Diagram: numbered flow among the parties and devices listed below]
Parties and devices: Voter, Registration Authority, Vendor, Certifying Authority, Election Authority, Poll Authority, Voting Device, Tabulation Device
Other diagram labels: Setup slate, Present slate, Capture vote, Record vote, Election Day, Winners
1. Present credentials
2. Receive token A
3. Submit device and software
4. Certify device and software
5. Furnish device to county
6. Furnish software
7. “Ballot programming”
8. Load election data
9. Turn on device
10. Present token A
11. Receive voting token B
12. Present voting token B
13. Present slate
14. Capture choices
15. Provide verification
16. Store votes
17. Transmit votes
18. Tabulate votes
19. Transmit totals
20. Certify results
Counting Punched Cards
SOURCE: LOS ANGELES COUNTY
Vulnerabilities in the Process
• Registration
– Authentication of credentials
– Registration of dead voters, voters who have moved, etc.
• Registered voter tokens
– Forgery
– Transferability
• Voting System Vendors
– No requirements
– No accountability
– Tendency to hide behind trade secret claims to conceal
defects
– What’s in the software?
Vulnerabilities II
• Certification
– Role of “Independent Testing Authorities”
– Federal Election Commission standards
– Lack of meaningful state certification (usually check only for
conformance to state law)
– Lack of meaningful code review, source or object
• Distribution and storage of machines
– Vendor modifications and maintenance
– Insider modifications and maintenance
– Intruder access
Vulnerabilities III
• Distribution and storage of software
– Lack of central distribution
– Presence of central distribution
– Vendor, insider, intruder modification
– Testing procedures
• Ballot (slate) programming
– Error
– Delegation to vendor
– Control over ballot programming (memory packs, etc.)
– Connection between candidate names and voting positions
Vulnerabilities IV
• Polling place procedures
– Poll worker training
– Testing procedures, verification of slate
– Error recovery, irregularities, power failure
– Voter education
• Voting
– Connection between registration token and vote? (Privacy)
– Multiple voting
– Tampering with machines, stuffing, alteration of ballots
– Choice capture, confusion, early completion, fleeing voter
– Verification
– Vote storage, redundancy, ballot images
Vulnerabilities V
• Transmission and tabulation of votes
– How do they get to the tabulation device?
– Authentication and accounting for memory packs
– Avoiding multiple counting
• Post-election procedures
– Testing
– Impound, custody over software, slate programming
– Canvass
– Retally
– Recount
FEC Standards
• Focus on mechanical reliability, not security
• Example: Volume I Standard 6.4.2.,
“Protection Against Malicious Software”:
• “Voting systems shall deploy protection against the
many forms of threats to which they may be exposed
such as file and macro viruses, worms, Trojan horses,
and logic bombs. Vendors shall develop and
document the procedures to be followed to ensure that
such protection is maintained in a current status.”
Complications
• Ballot complexity, e.g. 135 candidates
• Straight-party voting
• Ballot (slate) rotation
• Split precincts
• Vote-for-many
• Language
• Write-in votes
• Spoiled, invalid, damaged, defaced ballots
• Open ballot
– W.V. Constitution “In all elections by the people, the mode of
voting shall be by ballot; but the voter shall be left free to vote
by either open, sealed or secret ballot, as he may elect.”
Complications
• Absentee voting
• Early voting
• Challenged voters
• Disabled access, e.g. audio ballots
• Huge variety of state-imposed requirements
What’s an Audit Trail?
• Two types:
– A. Record of voting system events, e.g. opening of polls
– B. Record of ballot images
• In Maryland, a voting system must “be capable of
creating a paper record of all votes cast in order that
an audit trail is available in the event of a recount.”
Md. Election Law § 9-102(c)(1)(vi)
• This is done by storing complete ballot images in
randomized order
What’s a Recount?
• Purpose: “verify” that the original tabulation was
correct
• Three kinds of recounts:
– A. Physical ballots exist: Count them again.
– B. Computer records exist: Tabulate them again.
– C. No physical ballots or computer records exist
(e.g. lever machines): Read the counters again
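An added illustration (not from the original slides or from any vendor's code) of audit-trail type B and recount type B: ballot images are stored in randomized order with no sequence data, then re-tabulated and compared with the reported totals. The class and function names and the sample ballots are constructed for this example.

```python
import secrets
from collections import Counter

# Constructed sample ballots (contest -> choice); not real election data.
SAMPLE_BALLOTS = [
    {"Mayor": "A", "Question 1": "Yes"},
    {"Mayor": "B", "Question 1": "No"},
    {"Mayor": "A", "Question 1": "No"},
    {"Mayor": "A"},  # undervote on Question 1
]

class BallotImageStore:
    """Holds complete ballot images with no timestamp or sequence number."""

    def __init__(self):
        self._images = []

    def cast(self, image):
        # Insert at a uniformly random slot chosen by a CSPRNG, so the
        # storage position reveals nothing about the order of casting.
        slot = secrets.randbelow(len(self._images) + 1)
        self._images.insert(slot, dict(image))

    def images(self):
        return [dict(image) for image in self._images]

def tabulate(images):
    """Count (contest, choice) pairs across ballot images."""
    totals = Counter()
    for image in images:
        for contest, choice in image.items():
            totals[(contest, choice)] += 1
    return totals

def recount(store, reported):
    """Re-tabulate the stored images and return every (contest, choice)
    whose reported total differs, as {key: (reported, recounted)}."""
    fresh = tabulate(store.images())
    return {
        key: (reported.get(key, 0), fresh.get(key, 0))
        for key in set(fresh) | set(reported)
        if reported.get(key, 0) != fresh.get(key, 0)
    }

def demo():
    """Cast the sample ballots, then recount against totals with one error."""
    store = BallotImageStore()
    for ballot in SAMPLE_BALLOTS:
        store.cast(ballot)
    reported = tabulate(SAMPLE_BALLOTS)
    reported[("Mayor", "B")] += 1  # simulated tabulation error
    return recount(store, reported)
```

An empty result from `recount` means the stored images reproduce the reported totals; it says nothing about whether the images themselves were captured correctly.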
Desirable Voting System Characteristics
Most states require:
• Secret
• Accurate
• Eligible voters
• Vote once only
• Tamper-proof
• Reliable
• Auditable
• No vote-buying (receipt-free)
No states require (except coercion is a crime):
• Verifiable
• Non-coercible
• Transparent
Role of Cryptography in Voting
• Profound
• BUT:
• To be adopted, protocols must deal with ALL
vulnerabilities, not just theoretically convenient ones
• Transparency problem: not enough people understand
cryptography or the claims made for it
• Requires reliance on a small community of experts
• Naming problem: few politicians will vote for
“homomorphic” anything
Absentee Voting
• Of the 105 million registered voters, ~ 5 million are
unable to vote on Election Day because of inability to
comply with absentee voting requirements
• Almost 5% of the electorate wants to vote but can’t
• Bush-Gore was decided by a margin of 0.01% in
Florida, 1/500 of the non-voting absentee population
• The biggest problem in voting is not tampering or
paper trails, but how to include the absentees
Q&A
Voting Law Environment
• U.S. Constitution
• Federal law
• State constitutions
• State law
• State administrative regulations
• Local practices
Constitutional Review
• Presidential elections: “Each State shall appoint, in such Manner
as the Legislature thereof may direct, a Number of Electors, equal
to the whole Number of Senators and Representatives to which
the State may be entitled in the Congress.” U.S. Const. Art II, §1
• “The Congress may determine the Time of chusing the Electors,
and the Day on which they shall give their Votes; which Day shall
be the same throughout the United States.” U.S. Const. Art II, §1
• Tuesday after the first Monday in November 3 U.S. §1.
• If no winner on election day, “the electors may be appointed on a
subsequent day in such a manner as the legislature of such State
may direct.” 3 U.S. §2.
Federal Election Commission
• Role of the FEC in voting in the United States
• None!
• The FEC
– enforces campaign financing laws
– assists states with voter registration
Functions of a Voting System
1. Present candidates and issues to the voter (HCI)
2. Capture the voter’s preferences (HCI)
3. Transport preferences to counting location
4. Add up the vote totals (tabulation)
5. Publish the vote totals (reporting)
6. Provide audit mechanisms
But: vote must be secret
Paper (1.7%)
• Ridiculous!
– Requires manual counting
– Easy fraud
– Ballot stuffing
– Invalidation
[Figure annotation: overvote cancels vote for mayor]
SOURCE: TOMPKINS COUNTY, NY
Mark Sense, Optical Scan (24.6%)
[Figure labels: timing marks; start of ballot]
Mark-Sense, Optical Scan (24.6%)
• Scanning methods
– Visible light
– Infrared
• Issues:
– Dark/light marks
– Some scanners require carbon-based ink
– Voter intent may not be captured by machine
• Machine does not see what the human sees
Direct-Recording Electronic (7.7%)
SOURCE: SHOUP VOTING SOLUTIONS
Punched-Card Problems
• Can’t see whom you’re voting for
• Registration of card in ballot frame
• Must use stylus: no positive feedback on punch
• Hanging chad: chad that is partially attached to the card
– How many corners?
– Hanging chad causes count to differ every time
• Dimple: chad that is completely attached but shows
evidence of an attempt to punch
– Dimple can turn into a vote on multiple readings
Buchanan Vote by County (Florida, 2000)
[Graph: Buchanan vote by county, with a linear fit computed without Palm Beach, Broward and Miami-Dade. Labeled counties: Pinellas (St. Petersburg-Clearwater), Hillsborough (Tampa), Broward (Fort Lauderdale), Miami-Dade, Orange (Orlando).]
Graph courtesy of Prof. Greg Adams, Carnegie Mellon, and Prof. Chris Fastnow, Chatham College (purple annotations added)
SOURCE: PROF. GREG ADAMS
Election Contest
• The certification of election or nomination of any person to office, or
of the result on any question submitted by referendum, may be
contested in the circuit court by any unsuccessful candidate for such
office ... or by any taxpayer, respectively.
• The grounds for contesting an election under this section are: ... .
– (c) Receipt of a number of illegal votes or rejection of a number of legal
votes sufficient to change or place in doubt the result of the election. …
– (e) Any other cause or allegation which, if sustained, would show that a
person other than the successful candidate was the person duly
nominated or elected to the office in question or that the outcome of the
election on a question submitted by referendum was contrary to the
result declared by the canvassing board or election board.”
F.S. §102.168.
• Successful challenge results in a “judgment of ouster.”
Recounts in Florida
• If a candidate is defeated by 1/2% or less, the board responsible for
certifying the results ... shall order a recount of the votes cast with
respect to such office. F.S. §102.166(3)(c). Or: candidate may protest to
county canvassing board
• “If there is a discrepancy which could affect the outcome of an election,
the canvassing board may recount the ballots on the automatic
tabulating equipment.” F.S. §102.166(3)(c).
• “The county canvassing board may authorize a manual recount.”
F.S. §102.166(4)(c).
• “Each duplicate ballot shall be compared with the original ballot to
ensure the correctness of the duplicate.” F.S. §101.5615.
Manual Recount
• “If the manual recount indicates an error in the vote tabulation which
could affect the outcome of the election, the county canvassing board
shall:
– (a) Correct the error and recount the remaining precincts with the vote
tabulation system;
– (b) Request the Department of State to verify the tabulation software; or
– (c) Manually recount all ballots.” F.S. §102.166(5)
• “Procedures for a manual recount are as follows:
– (a) The county canvassing board shall appoint as many counting teams
of at least two electors as is necessary to manually recount the ballots.
– (b) If a counting team is unable to determine a voter's intent in casting a
ballot, the ballot shall be presented to the county canvassing board for
it to determine the voter's intent.” F.S. §102.166(7)