e-Governance and Electronic Voting April 2, 7 1

advertisement
e-Governance and Electronic Voting
April 2, 7
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
1
Demonstration: Property in Allegheny
County – Online
What is the government doing?
Why are they doing it?
Should(n’t) they do it?
What are some benefits?
What are some downsides?
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
2
What is e-Governance?
Citizens
Computers
(ICT)
Government
There are two dimensions within the term
e-Governance
• Computers
• Government
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
3
What are the Modes of eGovernment?
Typically thought of as connection between
citizen and state
• There is often more than one layer of
government
 Geography
 Departmental
• Parallel to B2C in the e-commerce world
 What about B2B equivalent?
 What about C2C equivalent?
– Protests helped bring down the government in Philippines
via texting (SMS)
 There is also Government to Business
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
4
E-government involves more than IT
European Commission defines e-government
as
“The use of ICT in public administrations combined
with organizational change and new skills in
order to improve public services and
democratic processes and strengthen support
to public policies”
Source http://www.egov-goodpractice.org/download.php?&fileid=58
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
5
Web-based applications transform the
government and democratic processes
Gartner Group defines e-government as
“The continuous optimization in the public service
delivery, access to public information and
citizens’ participation by the internal and
external transformation of relations based in
the use of the information and communication
technologies”
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
6
e-Government Encompasses 4 or 5 Stages
of Development
C
o
s
t/
c
o
m
p
l
e
x
i
t
y
Transformation
Transaction
Interaction
Presence
Beginning
Time
Gartner’s e-government model
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
7
Underlying Governmental Structures
are Fundamental
 The process is important
•
•
•
•
Democracy?
Freedom of Information?
Accountability?
Constitutional framework?
 Judiciary is especially important
– Enforcement
– Arbitration
 e-Governance also can involve third parties (not
government or citizens)
• Interested parties such as businesses, interest groups
(NRA, environmentalists, etc.)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
8
Hopes of e-Governance
Increased access to government
• What does a government need to do for this?
Greater transparency in operations
• What are the implications of this?
Greater participation in policy
• Will everyone participate equally or even
similarly?
Greater efficiency and service delivery
• Asymmetric information remains a challenge
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
9
"Good governance is perhaps the
single most important factor in
eradicating poverty and
promoting development."
— Kofi Annan
(now former) UN Secretary General
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
10
Access
Consumer side
• Need to be “online”
Supply side
• Governments need to made information
available and accessible
• The back-office really matters
• Inter-departmental issues are important
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
11
Transparency
“Govt. in the Sunshine Act”
Just because you have a right to certain
information
•
•
•
•
Do you have to ask?
Is it sanitized?
Is it delayed?
Is it real?
At an international level, corruption is a
major issue
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
12
Efficiency
One hope is for a “single window” for
interactions
• Especially true for clearances and licensing
• Inter-departmental issues are key to efficiency
Greater participation should lead to greater
efficiency (markets)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
13
Participation
Voting is only one aspect of governance
(subsequent slides)
How else do citizens participate?
•
•
•
•
Taxes
Direct interaction
Intermediated interaction
Polls
There is evidence ICT reinforces some
divides, but also opens up new access
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
14
US e-Government Websites
Federal
• www.firstgov.gov/
State
• http://www.state.pa.us/
County
• http://www.county.allegheny.pa.us/
City
• http://www.city.pittsburgh.pa.us/
…
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
15
International e-Governance
Globally, most efforts are top-down instead
of bottom up
Much greater challenge of access
(often) Poorer governance
Much more intersection into commercial
activities
• Many countries still have State Owned
Enterprises (SOEs)
 PTTs, Power Company, Airlines, Banks, Cement
company, etc.
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
16
E-Government Readiness Index
a
Web Measure Index
United States
Denmark
United Kingdom
0.9132
0.9047
0.8852
1
2
3
Sweden
0.8741
4
Republic of Korea
Australia
Canada
Singapore
Finland
0.8575
0.8377
0.8369
0.8340
0.8239
Norway
Netherlands
Germany
New Zealand
Iceland
Switzerland
Belgium
Austria
Japan
Ireland
Estonia
Malta
0.8178
0.8026
0.7873
0.7811
0.7699
0.7538
0.7525
0.7487
0.7260
0.7058
0.7029
0.6877
b
E-participation Index
c
1.0000
0.9730
0.9691
1
2
3
United Kingdom
United States
Canada
1.000
0.934
0.902
0.9459
4
Singapore
0.836
5
6
7
8
9
United States
United Kingdom
Singapore
Republic of
Korea
Denmark
Chile
Canada
Australia
Finland
0.9344
0.8842
0.8726
0.8301
0.8069
5
6
7
8
9
Netherlands
Mexico
New Zealand
Republic of Korea
Denmark
0.803
0.770
0.770
0.770
0.738
10
11
12
13
14
15
16
17
18
19
20
21
Germany
Mexico
Sweden
Belgium
New Zealand
Malta
Netherlands
Estonia
Austria
Israel
Norway
Ireland
0.7954
0.7838
0.7722
0.7722
0.7413
0.7375
0.7181
0.6988
0.6988
0.6911
0.6873
0.6564
10
11
12
13
14
15
16
17
18
19
20
Australia
Estonia
Colombia
Belgium
Chile
Germany
Finland
Sweden
France
Malta
Austria
0.672
0.639
0.623
0.607
0.607
0.590
0.574
0.574
0.459
0.459
0.443
22
Chile
0.6835
Argentina
23
Israel
0.6805
Columbia
24
France
0.6687
Brazil
25
Luxembourg
0.6600
Japan
Average
0.7798
World Average
0.4127
North America
0.8751
Europe
0.5866
South and Eastern Asia
0.4603
South and Central
0.4558
America
Caribbean
0.4106
Oceania
0.3006
Ethics
and Policy issues in Computing
Africa
0.2528• Carnegie Mellon University •
Global eGovernance
0.6429
0.6409
0.6371
0.6293
Source: UN Global E-Government Readiness
Report 2004: Towards Access for Opportunity
Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
17
Difficulties with e-Governance
Metrics
• Poor metrics lead to misallocation of resources
or even bad outcomes
Land-records are a major interface in
developing countries (and elsewhere)
• Digitization projects
 Hoped to reduce corruption and speed up the
process
 Did it work?
– Depends who you ask
– Those in the system benefited, those outside were worse
off (e.g., Bhoomi project in India)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
18
Other Issues
Privacy
• Governmental
• Inter-citizen
Censorship, wiretapping, etc.
China
• Unique has 99% of connectivity is within
country
Use of ICT for Security
• Wireless mesh across New Orleans
 Reported to reduce crime
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
19
How to Improve e-Governance
Supply vs. Demand
• Partly a chicken and egg problem
Latin American Countries
• Improve content regardless of user base
• e-Governance becomes a “killer app”
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
20
“Killer Apps” for ICT and Governance
Taxes
• Brazil had ~95% of income taxes filed online
(2003)
Contracting
• Sharing information
• Actual transactions
Voting
• Not yet online, but computerized, nonetheless
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
21
Electronic Voting
Somewhat controversial, esp. in the US
• Why?
Electronic voting needs to be in the context
of voting overall
•
•
•
•
Access and participation
Informed decisions
Influence of money
Reduction of errors and fraud
 How do these compare to paper voting? (“Ballot
Stuffing”)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
22
Design of Electoral Systems
The problem and a Comparison:
US and India
Builds on work by Eswaran
Subrahmanian (CMU/NIST)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
23
Goals of an Electoral System:
Voters and voting process
 Ensure that every body that is eligible to vote has
an opportunity to vote
 Ensure that any eligible voter is allowed to vote
only once
 Voters get the information on candidates in a fair
and consistent manner
 Ensure the ability to register
 Ensure orderly process of voting
 Minimize fraud in the process
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
24
Goals of the Electoral Systems:
Candidacy and canvassing
Allow for a citizen to be able to participate
as a candidate in the election
Allow for the candidate to express their
political position to the Voters
Minimize the number of candidates
competing in the election: Low but sufficient
barrier to entry
Minimize the influence any one interest
group on the candidate
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
25
Goal of the Electoral System: Voting
Mechanism
 Ensure that the mechanism registers votes
 Ensure that the mechanism cannot be tampered
with
 Ensure that the mechanism allows for accurate
counting
 The vote cast is correctly registered and
attributed to the right candidate
 The votes cast are correctly tabulated to decide
the winner
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
26
Decision Variables: Voters and Voting
Process
 Criteria for eligibility to Vote: Age, Criminal record,
Citizenship
 Criteria for determining the identity of the voter: Voter
id card format and content
 Criteria for determining that the voter votes only
once: Check list, ink marker
 Locale of voting: on location, absentee
 Security of the Process: Military, local police, national
guard, Party officials, State employees
 Fairness and standards for dispute resolution
Verification of Process: Internal observers, international
observers
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
27
Decision variables: Candidacy
 Criteria for being a candidate:
•
•
•
•
•
Measure of support (100,000 signatures)
Deposit money (~$5000)
Party affiliation: none, only registered parties etc.
Citizenship: Born, naturalized
Age by position sought
 President: 45 and over
 Congress
• Registering: number of days before election
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
28
Decision variables: Candidacy
 Types of positions: Legislator, Senate, Mayor etc
 Definition of electoral region for candidacy:
(population per district etc)
 Responsibility of demarcation of region: State
government, Election commission
 Method of demarcation: arbitrary, grid based,
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
29
Decision variables: Canvassing
 Start of canvassing for Election: Days before election
 End of canvassing: days before election
 Modes of Information Dissemination: Street rallies,Flyers,
TV and Radio Ads
 Scope of content of electoral material: Offensive, personal
attacks etc
 Money spent on Canvassing - Limits or no limits
 Financing of Canvassing: Public, private
 Limits on citizen financial contribution: upper bound
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
30
Decision Variables: Voting Mechanism
Type of Mechanism: paper, mechanical,
electronic
Security of the mechanism: Special paper,
type of locking
Counting model: Hand count, Machine
count, cumulative count
Verification Models: Human, automated
verification, committee
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
31
Design of the Electoral Systems:
Responsibility
 Centralized: India
• Independent election commission like the supreme
court
• Central and state election commissions(EC)
• Electoral laws executed by Central EC and reforms
proposed by CEC
• CEC is central coordinator and enforcer
 Decentralized and Mixed Mode: US
•
•
•
•
•
Canvassing - Central
Candidacy - Federal and State
Voter eligibility: State and Federal
Voting Mechanism: Local (County)
Security - Local
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
32
Last Indian National Election (2004)
 337 million voters
 600 million eligible/registered voters
• Registration is CEC responsibility: not individuals
• Computerized nation electoral roles
• Registration verification in Community halls in villages
 1.2 million security officials
 1 Million electronic voting machines
• Training and demonstration across the country
 4 million Poll officers
 Election over 3 weeks
 Official results in 3 Days
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
33
US election: First Tuesday of
November
One day
Numerous electoral rolls
Numerous types of machines
Official result expected in 3- 4 weeks
• US States: State Secretary of State
Non-uniform electoral laws
Minimal security
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
34
India: Electronic Voting Machine (EVM)
 Introduced in 1998
 Indigenous -produced by 2 Public Sector
Companies - BEL and ECIL
 Run on batteries - Tamper proof
 Votes recorded by pressing a button
 Votes stored in memory
 Result retrieved by press of button
 General Elections 2004 conducted fully on EVMs
 Around 1,075,000 EVMs were used
 Can be modified as per the requirement
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
35
How to Improve Electronic Voting
Simplicity, Simplicity, Simplicity
• Less loopholes
 Accidental
 Malicious
Standardization
• India benefits due to Federal Standards
Open Source?
Voter Verifiable Audits/Paper Trails[???]
• Many experts doubt the value of this
• Cryptography can be more secure than paper
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
36
Computing’s Impact on Elections
Polls
Blogs
• FEC ruled to exempt them from some
restrictions
• Hoped these are grass-roots and a great
equalizer
 Are they?
News and media
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
37
Thinking Points on Voting
 Should you be voting online?
•
•
•
•
Is it safe?
Issues of timing?
Is it deliberative?
Is it asymmetric (e.g., discriminates by class)
 Internet voting is a narrow subset of electronic
voting (more later)
 Should I be able to know how you voted? NO!
• But, what about transparency?
 www.fundrace.org
– By looking at whom you paid money to, can guess whom you
voted for
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
38
History of Voting
 “Ballots” from Italian ballotta, meaning “little ball”
 Ancient: clash of spears, balls in urns, division by groups,
wooden tickets (tabellæ)
 American colonies: voting aloud to public official
 1857: Australia introduces secret paper ballot
 1888: Australian ballot introduced in U.S. (KY, MA)
 1892: Mechanical lever machine to “protect
mechanically the voter from rascaldom”
 1960s: Punched cards
 1970s: Optical scan
 1978: Direct-recording electronic systems
 2000: Internet voting in primaries
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
39
Voting Jurisdictions
 Voting in the U.S. is conducted by the states
• 50 states + DC + territories
• Supervised generally by Secretaries of State
• Delegated to 3170 counties
 ~10,000 voting jurisdictions (cities, school boards, …)
 ~200,000 precincts (avg. 60-70 per county)
 > 1,400,000 poll workers (avg. 7/precinct, 440/cty)
 150 million registered voters, 105 million actually vote
 Federal government has very little power over elections
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
40
PENNSYLVANIA
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
41
Pennsylvania Voting Methods 2004
ALLEGHENY
COUNTY
Optical
Punch Card
Lever
DRE
Paper
Mixed
N/A
SOURCE: ELECTIONLINE.ORG
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Allegheny County
CITY OF
PITTSBURGH
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
43
5th Ave.
(Precincts)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
44
Pittsburgh East End Wards and Precincts
5th Ave.
14th City Ward
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
45
Pittsburgh East End Political Districts
8th City Council District
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
46
Pittsburgh East End Political Districts
11th County Council District
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
47
Pittsburgh East End Political Districts
23rd Pennsylvania House District
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
48
Pittsburgh East End Political Districts
43rd Pennsylvania Senate District
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
49
Pittsburgh East End Political Districts
11th County Council
8th City Council
23rd House
43rd Senate
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
50
Functions of a Voting System
1. Authenticate voter
2. Present candidates and issues to voter
3. Capture voter’s preferences
4. Transport preferences to counting location
5. Add up vote totals (tabulation)
6. Publish vote totals (reporting)
7. Provide audit mechanism
But: vote must be secret
17-803/17-400 ELECTRONIC VOTING
FALL 2004
•
•
•
•
CS ISSUES
SECURITY
PRIVACY
HCI
SOFTWARE
ENGINEERING
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
51
Authentication
 In each precinct, only registered voters are
allowed to vote
 Need a registration system before the election
 Need authentication mechanism on Election Day
• Only registered voters vote
• No one can impersonate a voter
• Each voter can only vote once
 In this course, we will not discuss voter
registration
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Voting System Requirements
 Secrecy
 Security
 Accuracy
 Auditability
 Accessibility to disabled
 Protective counter (votes cast since manufacture)
 Public counter (votes cast today)
 Conform to state voting provisions (e.g. write-ins)
 Meet Federal standards
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Election tasks
Registering voters
Validating/authenticating voters
Distributing/collecting ballots
Tallying votes
How are these tasks accomplished in the
elections in which you have participated?
•
•
•
•
Government elections
Stock holder elections
Student government elections
Professional society elections
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
54
Desirable properties of secret ballot elections
 Accuracy
 Convenience
 Privacy
 Flexibility
 Verifiability
 Mobility
 Invulnerability
(Democracy)
 Trustworthy
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
55
Accuracy
Votes cannot be altered
Validated votes cannot be eliminated from
the final tally
Invalid votes will not be counted in the final
tally
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
56
Privacy
Neither election authorities nor anyone else
can link any ballot to the voter who cast it
No voter can prove that he or she voted in
a particular way
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
57
Invulnerability (to ballot box stuffing)
Only eligible voters can vote
Each eligible voter can vote only once

The accuracy property ensures that ballots
are not lost or altered after being submitted
to the ballot box

The invulnerability property ensures that
only valid ballots are accepted into the ballot box
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
58
Verifiability
Anyone can independently verify that all
votes have been counted correctly
• Weaker version: voters can verify that their
own votes were counted correctly
• Achieved through audit trails and/or
cryptographic verification
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
59
Convenience
Voters can cast their votes quickly, in one
session, and with minimal equipment or
special skills
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
60
Flexibility
A variety of ballot question formats are
permitted including open ended questions
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
61
Mobility
There are no restrictions on the location
from which a voter can cast a vote
• Not yet always true
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
62
Trustworthy
 Voter feels that
• Vote was counted
• Vote was private
• Nobody else can vote more
than once
• Nobody can alter others’
votes
 People believe that the machine works correctly
and that its behavior cannot be modified
 These have to do with perception
 It is also important that these perceptions are true
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
63
Computers used for Predicting
Elections
Irony: 1952 US Presidential Election
• UNIVAC computer
• Based on just 1% of the vote, predicted
sweeping Eisenhower victory
• No one believed the computer
 TV networks ignored its prediction
• It was right!
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
64
Ballot Types
 Document ballot
• Paper ballot
• punched-card
• optical scan
 Non-document ballot
• Lever machine
• DRE (Direct Recording Electronic) machine
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
US Voting Equipment Trends
Source: Election Data Services
1600
1400
US Counties
1200
Punch Card
Lever
Paper Ballots
Optical Scan
Electronic
Mixed
1000
800
600
400
200
0
Nov–2000
Nov–2002
Nov–2004
Nov–2006
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
66
Paper (.6%)
 Advantages
• Simple
• Captures voter intent
• Not subject to
equipment
malfunctions
 Disadvantages
• Time consuming to
count
• Does not prevent over
votes or under votes
• Many ballot fraud
schemes involving
paper ballots




Ballot box stuffing
Ballot invalidation
Pre-marked ballots
Ballot theft
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
67
Paper Ballots
10/29/1864
17-803/17-400 ELECTRONIC VOTING
FALL 2004
1/27/1925
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
68
New York Times, April 4, 1855
BALLOT BOXES DESTROYED
INJURIES IN RIOTS
MORE BALLOTS CAST THAN
NAMES ON THE POLL LIST
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
69
Florida’s Solution
“The ballots shall first be counted, and, if the
number of ballots exceeds the number of
persons who voted … the ballots shall be placed
back into the box, and one of the inspectors shall
publicly draw out and destroy unopened as
many ballots as are equal to such excess.” F.S.
§102.061
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
70
Why Do We Use Voting Machines?
 To prevent fraud
• Lever machine (1892) “To protect mechanically
the voter from rascaldom”
 Faster, more accurate counting
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Lever Machines (14%)
SOURCE: MICHIGAN SOS
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
72
Lever Machines (14%)
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
73
Lever Machines (14%)
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
74
Lever Machines
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
75
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
76
Punched-Card (14%)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Punch Card Voting
 Used by about 14% of the U.S. in 2004
 Used in 69 of 88 counties in Ohio (PA only
has 67 counties)
 Began in the 1960s with the IBM Porta-Punch
 By 2000 was used in 37% of the U.S., until
Florida
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Votomatic Punch-Card System
BALLOT FRAME
VOTING SETUP
VOTING BOOTH
BALLOT
SEALS
VOTING
STYLUS
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
79
Punched Card (14%)
SOURCE: MICHIGAN SOS
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
80
Chads
SOURCE: PETER SHEERIN
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Hanging Chad
SOURCE: NEW YORK TIMES
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
82
Palm Beach County “Butterfly” Ballot
SOURCE: SOUTH FLORIDA SUN-SENTINEL
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
83
Votomatic Punched-Card System
The infamous Butterfly Ballot
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
84
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
85
Buchanan Vote by County (Florida, 2000)
GRAPH COURTESY OF
PROF. GREG ADAMS
CARNEGIE MELLON
&
PROF. CHRIS FASTNOW
CHATHAM COLLEGE
(PURPLE ANNOTATIONS ADDED)
LINEAR FIT WITHOUT PALM BEACH,
BROWARD, MIAMI-DADE
Pinellas (St. Petersburg-Clearwater)
Hillsborough (Tampa)
Broward (Fort Lauderdale)
Miami-Dade
Orange (Orlando)
SOURCE: PROF. GREG ADAMS
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
86
Datavote
 Uses a die to punch a clean hole
 Employed in a small
fraction of punch card
counties
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Counting Punched Cards
SOURCE: NEW YORK TIMES
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
88
Recount
 When a ballot is handled, it can be changed
 The voter’s intent must be determined
 Suppose only one of four corners is detached.
It is a vote?
 Dimpled chad, pregnant chad: how to count?
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
89
Punched-Card Problems




Can’t see whom you’re voting for
Registration of card in ballot frame
Must use stylus: no positive feedback on punch
Hanging chad: chad that is partially attached to the
card
• How may corners?
• Hanging chad causes count to differ every time
 Dimple: chad that is completely attached but shows
evidence of an attempt to punch
• Dimple can turn into a vote on multiple readings
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
90
Mark Sense, Optical Scan (34%)
TIMING
MARKS
START OF
BALLOT
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
91
Mark-Sense, Optical Scan (34%)
 Scanning methods
• Visible light
• Infrared
 Issues:
• Dark/light marks
• Some scanners require
carbon-based ink
• Voter intent may not be
captured by machine

 Machine does not see
what the human sees
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
92
AN OPTICAL
SCAN BALLOT
SOURCE:
SANTA
BARBARA
COUNTY
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
93
SOURCE:
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
94
Precinct Count v. Central Count
 Precinct count
• Voter marks ballot, inserts into machine
• Machine rejects overvoted (and maybe undervoted) ballots
 Central count
• Marked ballots are transported to a central location for
counting
• No opportunity for correction of overvotes/undervotes
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
95
ES&S Model 110 Precinct Tabulator
Voter inserts ballot, receives
immediate overvote/undervote
notification
SOURCE: ES&S
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
96
ES&S Model 650 Central Tabulator
Ballots counted centrally,
away from voter.
No overvote/undervote
notification
SOURCE:
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
ES&S
97
Optical Scan Vote Reading
 Is it reliable?
 Is voter intent captured?
 Can it be manipulated?
 Infrared v. visible light
• Problem: machine “sees” marks differently from
voter
 What is a valid vote?
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
98
Effect of Humidity
SOURCE: DOUG JONES
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
99
Direct-Recording Electronic (31%)
DEMO
SOURCE: SHOUP VOTING SOLUTIONS
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
100
Direct-Recording Electronic (31%)
SOURCE: SHOUP VOTING SOLUTIONS
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
101
DRE Systems
 DRE means “direct recording electronic”
 There is no document ballot
 Voter votes by interacting directly with a machine, not by marking
a piece of paper
 “Electronic voting system” means a system in which one or more
voting devices are used to permit the registering or recording of
votes and in which such votes are computed and tabulated by
automatic tabulating equipment. The system shall provide for a
permanent physical record of each vote cast. Pa. Elec. Code.
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
102
A Well-Designed e-Voting Machine
NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET
PROPRIETARY OPERATING SYSTEM
(NOT WINDOWS)
SOFTWARE FROM A
TRUSTED SOURCE
(NOT THE VENDOR)
BALLOT SETUP DATA
VOTER CHOICES
READ-ONLY
MEMORY
READ-ONLY
MEMORY
RANDOM ACCESS
MEMORY
INTERNAL
PAPER
TRAIL
WRITE-ONCE
MEMORY
TOTALS REPORT
SIGNED BY ELECTION JUDGES
WRITE-ONCE MEMORY
TO COUNTY BOARD
16-HOUR BATTERY
MACHINE SEALED WITH PAPER TRAIL
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Advanced (formerly Shoup)
WINvote DRE
USES WIRELESS NETWORK
SOURCE: ADVANCED VOTING SOLUTIONS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Diebold Accu-Vote
ACCU-VOTE TS
TOUCHSCREEN
ACCU-VOTE TSX
TOUCHSCREEN
ACCU-VOTE OS
OPTICAL SCAN
SOURCE: DIEBOLD
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
ES&S iVotronic Touchscreen DRE
1. INSERT PEB
2. MAKE SELECTIONS
4. CAST BALLOT
3. REVIEW BALLOT
SOURCE: ES&S
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Guardian 1242 (formerly Danaher)
Full-face DRE
SOURCE: GUARDIAN
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Liberty Election Systems
Full-face DRE
LIBERTYVOTE
SOURCE: LIBERTY
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Microvote
INFINITY DRE
MV-464 DRE
ABSENTEE
CARD READER
SOURCE: MICROVOTE
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Sequoia Pacific
AVC Advantage Full-Face DRE
SOURCE: SEQUOIA
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Sequoia Pacific
Edge DRE
SOURCE: SEQUOIA
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Sequoia Pacific
Edge DRE
SOURCE: SEQUOIA
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Hart eSlate
SOURCE: HART INTERCIVIC
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Known Issues: The Hursti Exploit
 Discovered by Finnish security expert Harri Hursti
 Works against Diebold optical scan voting machines
 Diebold AccuVote OS has a PCMCIA memory card
with ballot setup information, vote counters and
predefined report formats
PRINTER
INSIDE
OPTICAL
BALLOT
LCD
DISPLAY
FRONT OF MACHINE
BACK OF MACHINE
Source: M. Shamos
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
114
The Hursti Exploit
 Memory card created at county, inserted in machine:
ELECTION DATA TO
PRODUCE TABULATION:
• CANDIDATE NAMES
• PARTIES
• BALLOT POSITIONS
VOTE COUNTERS
ACCUBASIC .ABO
FILES FOR REPORTS,
NOT TABULATION
 Counters are short integers;
overflow is not trapped
 Large positive numbers act
as negative numbers, e.g.
65,520 is equivalent to -16
since 65,520+16 = 65,536 = 0
Source: M. Shamos
 Hursti Exploit, Part 1: Preload the card with some negative and
some positive counts in a race. Make sure the net sum is zero.
 Hursti Exploit, Part 2: Replace the zero report .abo file with one
that always prints zeros regardless of counter values.
 Result: Votes added to some candidates, subtracted from others,
but the total count does not exceed the number of voters.
 Result: When memory card counters are overwritten at the close of
polls, no electronic record of the exploit exists. NOT CERTIFIED
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
115
Help America Vote Act of 2002
 Payments to states to replace paper and level
machines: $3 billion
 Establishes Election Assistance Commission
 Reforms the standards process (National Institute of
Standards and Technology)
 Provisional voting
 Statewide registration systems
 Complaint procedure
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
The Problem
 Voters do not trust DRE systems
 Why?
•
•
•
•
•
•
•
•
Numerous irregularities around the country
“Black box” phenomenon
Reports by computer security specialists
Warnings by computer scientists
Jurisdictions rushing to replace old systems
Secretive vendor behavior
Public awareness of computer vulnerabilities
Newspaper editorials, e.g. New York Times
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
The Problem
 Are DRE systems untrustworthy?
• Some are, some aren’t
 DRE systems used for 25 years without a single verified incident
of tampering
•
•
•
•
Much more difficult to alter computerized records than paper
Proprietary operating systems
Redundant encrypted memories
Testing
 None of this matters. Perception governs
 What to do?
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Statutory Requirements
 HAVA Sec. 301(a)(2)(i): “The voting system shall
produce a permanent paper record with a manual
audit capacity for such system.”
 Maryland Election Law 9-102(c): “Standards for
certification.- The State Board may not certify a
voting system unless the State Board determines
that:
(1) the voting system will: … (vi) be capable of
creating a paper record of all votes cast in order that
an audit trail is available in the event of a recount”
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Paper Trail Proposal
 Allow each voter to see her choices on paper before
casting a vote
 If the choices are incorrect, they can be corrected
 The paper becomes the official ballot
 If there is a discrepancy between the paper record
and the computer record, the paper governs
 Why? Because that’s the one the voter verified
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
VVPAT
 Voter-verified paper audit trail
 Produce a paper document that the voter can
view before casting the ballot to verify that the
vote was captured correctly
 Retain the paper document to be used for a
recount, if necessary.
 Concept: if someone has tampered with the
machine, the correct count can be obtained from
the paper records
 [Assume for the purposes of this talk that the
statement is accurate. It isn’t, but assume it is.]
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Paper Trail Advantages
 Demonstrates to the voter that the machine
captured her choices correctly
 Creates a sense of security among voters
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Paper Trail Disadvantages
 No guarantee vote was counted, will ever be counted or paper will be in
existence if a recount is ordered
 Massive paper handling and security problem
 Slow counting
•
•
Sacramento experiment 06/04: took an average of 20 minutes per ballot to
tabulate and verify results
Recounting California would take 450 years
 Accessibility issues
 Voter confusion
•
Must remember a lengthy ballot
 Machines questioned when nothing is wrong
 Increased demand for recounts
 Creates doubt among voters (CalTech-MIT Report)
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Voting Problems
 Machine won’t operate
 Machine fails during the election
 Intruder tampers with paper records
NOT ADDRESSED
BY PAPER TRAIL
• Stuffing, removal, alteration
 Machine captures choices incorrectly
 Intruder alters vote totals after election
 Machine maliciously or erroneously
switches votes
SOLVED BY
PAPER TRAIL
DEPENDS ON
PHYSICAL
SECURITY OF
PAPER TRAIL
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Legal Requirements
 Election law defines the process of democracy
 PA Election Code is extremely long and complex
 Every voting system used in PA must comply with the
PA Constitution and the Election Code
 A system that violates the law cannot be used, no
matter how good or desirable it may be
 Determination whether to certify a voting system is
made by the Secretary of the Commonwealth based
on report from an appointed examiner
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Mandatory Requirements
 Voter secrecy
“All elections by the citizens shall be by ballot
or by such other method as may be
prescribed by law; Provided, That secrecy in
voting be preserved.”
Pa. Const. Art. VII, Sec. 4.
1. Secrecy
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Mandatory Requirements
 Ballot non-identifiability
“No ballot which is so marked as to be
capable of identification shall be counted.”
Pa. Election Code, 25 P.S. 3063(a)
 Purpose: to prevent vote-selling
2. Non-identifiability
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Mandatory Requirements
 Can’t allow voter a take-home receipt
showing how she voted
 Could be used as proof of vote
 Would promote vote-selling
3. No take-home receipts
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Mandatory Requirements
 Voter-verified ballots must be voter-verifiable
 If the ballot contains anything that is not
readable by the voter that could be used to
change or invalidate the vote, it’s not voterverifiable
 The voting system must be “suitably designed
for the purpose used.”
25 P.S. 3031.7(11)
4. Nothing unverifiable
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Sequoia VeriVote Paper Trail
CONTINUOUS ROLL
OF PAPER
Voter Choices
Problems:
1. No secrecy. Ballots are
printed in sequential order
2. Each ballot is identifiable
by serial number
Ballot Serial
Number
Two-dimensional
Barcode with
Voter Choices
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
VoteTrakker Cut-Sheet
From an Avante whitepaper:
Wrong! The “check-code” makes the
ballot identifiable AND not voter-verifiable
NJ021111002026
482961
Feb 26, 2001
President / Vice President
GEORGE WASHINGTON, Andrew JACKSON
US Senator
John HANCOCK
House of Representative
Ben Franklin
County Clerk
John Quincy ADAMS
Board of Chosen Freeholders
Paul REVERE
Board of Chosen Freeholders
William H TAFT
Board of Chosen Freeholders
Theodore ROOSEVELT
Public Question 1
Yes
Public Question 2
No
Public Question 3
Yes
Thank you for voting!
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Populex Ballot Marking System
 Machine only MARKS a ballot; does not tabulate
 Ballot is tabulated by a separate scanner that reads the barcode
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
A Populex Ballot
Problems:
3. Voter can take
ballot home
4. Not voter-verifiable
5. No ballot integrity
HUMAN-READABLE
SELECTIONS
MYSTERIOUS
BARCODE
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
AccuPoll Cut-Sheet System
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
AccuPoll Paper Trail
BALLOT KEY
BALLOT KEY,
2D BARCODE
OCR SCANNABLE CHOICES
HUMAN-READABLE
CHOICES
Problems:
3. Voter can take
ballot home
4. Not voter-verifiable
5. No ballot integrity
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
Voter Verifiability
 Having each voter be able to verify that
1.her vote was understood by the machine
2.her vote was counted by the machine
3.her vote was counted as part of the final tally
4.no unauthorized votes were counted
 Paper trails provide (1), but not (2), (3) or (4)
 Systems exist that provide all four
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
A Simplistic Voting Protocol
Voter’s
Public Key
Voter’s
Private Key
Tallier
Validator
Voter
Tallier’s
Public Key
Tallier’s
Private Key
 Tallier and validator can collude to violate privacy
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
137
Can Cryptography Help?
 Yes – using “mix-nets” (Chaum) and “voterverified secret ballots” (Chaum; Neff)
 Official ballot is electronic not paper.
 Ballot is encrypted version of choices.
 Ballots posted on public bulletin board.
 Voter gets paper “receipt” so she can:
• Ensure that her ballot is properly posted
• Detect voting machine error or fraud
17-803/17-400 ELECTRONIC VOTING
FALL 2004
SOURCE: RON RIVEST
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
138
Voter needs evidence
 That her vote is “cast as intended”:
 That her ballot is indeed encryption of her
choices, and what her ballot is
This is extremely challenging, since
She can’t compute much herself
She can’t take away anything that would allow her to prove
how she voted
 So: she takes away evidence that allows her
(as she exits polling site) to detect whether
cheating occurred, and receipt to prove what
her ballot is
SOURCE: RON RIVEST
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
139
Everyone needs evidence
 That votes are “counted as cast”:
 That mix-servers (“mixes”) properly permute
and re-encrypt ballots.
This is challenging, since
Mixes cannot reveal the permutation they applied to
ballots
 That trustees properly decrypt the permuted
ballots
This is relatively straightforward, using known
techniques.
 This is “universal verifiability”
17-803/17-400 ELECTRONIC VOTING
FALL 2004
SOURCE: RON RIVEST
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
140
Electronic Voting in 2004
 From the e-voting viewpoint, the 2004 election was not very
interesting
 1444 reports to the Election Incident Reporting System
 Reports fell into three categories:
• Fantasies (allegations of fraud with no evidence)
• Misunderstandings (truthful but misinterpreted allegations)
• Genuine problems
 Problems exist that were not reported, e.g. voter privacy
problems
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
141
Reported Problems
 Machine unreliability
 Changed votes
 Lost votes
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
142
Enthusiasm for e-Voting Growing
Despite increasing realization of problems
Technology solves all sorts of other
problems, why not voting?
People like the vision of voting in their PJs
Belief that e-voting will increase voter
turnout
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
143
Internet Voting
Where?
•
•
•
•
Polling place
Kiosks
Home
Anywhere
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
144
Internet Voting Benefits
 Convenience
• Accessibility in all weather, all ages
• Vote anywhere, maybe even from cellphone
• Availability of candidate information
 Maybe lower operating cost (maybe not)
• if regular polling places are eliminated
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
145
Internet Voting Risks
 Digital divide
• People without Internet access
• People without computer skills
 Security, trust
 Casual environment
 Open to the world
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
146
Internet Voting Security Risks




Bugs
Backdoors to manipulation
Malicious code
COTS (Commercial Off-the-Shelf Software), e.g. Windows, may contain
exploits
 Insider attacks
• Compromising results
• Compromising privacy
 Client attacks
• Operator (for Internet cafes)
• Worms, viruses, ActiveX, spyware
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
147
Internet Voting Security Risks
 Denial of Service
• DDOS attacks on server
• Selective disenfranchisement
 Spoof websites
• Fake “official” site – captures voting credentials, issues fake
acknowledgement, then casts real vote differently
 Promotion of coercion
• Automated credential-selling
• Installation of watcher software
17-803/17-400 ELECTRONIC VOTING
FALL 2004
COPYRIGHT © 2004 MICHAEL I. SHAMOS
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
148
Gauging election risks and threats
Risks and threats vary depending on:
• Type of election (public vs. private)
• Consequences of a successful attack
• Value of election outcome to potential
adversaries
• Expertise, skill & resources needed to disrupt
• Level of motivation of potential attackers
• Amount of disruption needed to sway the
election or call its outcome into doubt
• Consequences of a perception of unfair
outcome
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
149
Internet voting in public elections
 Social issues:
• Vote coercion
• Vote sale
• Vote solicitation (click here to vote, banner ads)
 Technical issues:
•
•
•
•
Securing the platform
Securing the communications channel
Assuring availability of the network
Registration issues, one vote per person, no dead
voters
• Authentication in each direction
• Maintaining equitable costs (no poll tax, e.g. smartcard
reader)
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
150
What Will Electronic Voting NOT Fix?
 Getting people to vote (turnout)
• Brazil has mandatory federal elections
 Value of a vote
• Electoral College (where winner takes all, mostly)
 Access to voting
• Registration
• Logistical constraints (Tuesdays are working days)
 Limited choices - Two Party System
 Power of incumbency
• Congress – over 98% success rate
• Redistricting makes it much worse
 Influencing Elections
• Money
• Special Interest Groups
Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/
151
Download