e-Governance and Electronic Voting April 2, 7 Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 1 Demonstration: Property in Allegheny County – Online What is the government doing? Why are they doing it? Should(n’t) they do it? What are some benefits? What are some downsides? Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 2 What is e-Governance? Citizens Computers (ICT) Government There are two dimensions within the term e-Governance • Computers • Government Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 3 What are the Modes of eGovernment? Typically thought of as connection between citizen and state • There is often more than one layer of government Geography Departmental • Parallel to B2C in the e-commerce world What about B2B equivalent? What about C2C equivalent? – Protests helped bring down the government in Philippines via texting (SMS) There is also Government to Business Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 4 E-government involves more than IT European Commission defines e-government as “The use of ICT in public administrations combined with organizational change and new skills in order to improve public services and democratic processes and strengthen support to public policies” Source http://www.egov-goodpractice.org/download.php?&fileid=58 Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 5 Web-based applications transform the government and democratic processes Gartner Group defines e-government as “The continuous optimization in the public service delivery, access to public information and citizens’ participation by the internal and external transformation of relations based in the use of the information and communication technologies” Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 6 e-Government Encompasses 4 or 5 Stages of Development C o s t/ c o m p l e x i t y Transformation Transaction Interaction Presence Beginning Time Gartner’s e-government model Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 7 Underlying Governmental Structures are Fundamental The process is important • • • • Democracy? Freedom of Information? Accountability? Constitutional framework? Judiciary is especially important – Enforcement – Arbitration e-Governance also can involve third parties (not government or citizens) • Interested parties such as businesses, interest groups (NRA, environmentalists, etc.) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 8 Hopes of e-Governance Increased access to government • What does a government need to do for this? Greater transparency in operations • What are the implications of this? Greater participation in policy • Will everyone participate equally or even similarly? Greater efficiency and service delivery • Asymmetric information remains a challenge Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 9 "Good governance is perhaps the single most important factor in eradicating poverty and promoting development." — Kofi Annan (now former) UN Secretary General Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 10 Access Consumer side • Need to be “online” Supply side • Governments need to made information available and accessible • The back-office really matters • Inter-departmental issues are important Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 11 Transparency “Govt. in the Sunshine Act” Just because you have a right to certain information • • • • Do you have to ask? Is it sanitized? Is it delayed? Is it real? At an international level, corruption is a major issue Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 12 Efficiency One hope is for a “single window” for interactions • Especially true for clearances and licensing • Inter-departmental issues are key to efficiency Greater participation should lead to greater efficiency (markets) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 13 Participation Voting is only one aspect of governance (subsequent slides) How else do citizens participate? • • • • Taxes Direct interaction Intermediated interaction Polls There is evidence ICT reinforces some divides, but also opens up new access Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 14 US e-Government Websites Federal • www.firstgov.gov/ State • http://www.state.pa.us/ County • http://www.county.allegheny.pa.us/ City • http://www.city.pittsburgh.pa.us/ … Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 15 International e-Governance Globally, most efforts are top-down instead of bottom up Much greater challenge of access (often) Poorer governance Much more intersection into commercial activities • Many countries still have State Owned Enterprises (SOEs) PTTs, Power Company, Airlines, Banks, Cement company, etc. Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 16 E-Government Readiness Index a Web Measure Index United States Denmark United Kingdom 0.9132 0.9047 0.8852 1 2 3 Sweden 0.8741 4 Republic of Korea Australia Canada Singapore Finland 0.8575 0.8377 0.8369 0.8340 0.8239 Norway Netherlands Germany New Zealand Iceland Switzerland Belgium Austria Japan Ireland Estonia Malta 0.8178 0.8026 0.7873 0.7811 0.7699 0.7538 0.7525 0.7487 0.7260 0.7058 0.7029 0.6877 b E-participation Index c 1.0000 0.9730 0.9691 1 2 3 United Kingdom United States Canada 1.000 0.934 0.902 0.9459 4 Singapore 0.836 5 6 7 8 9 United States United Kingdom Singapore Republic of Korea Denmark Chile Canada Australia Finland 0.9344 0.8842 0.8726 0.8301 0.8069 5 6 7 8 9 Netherlands Mexico New Zealand Republic of Korea Denmark 0.803 0.770 0.770 0.770 0.738 10 11 12 13 14 15 16 17 18 19 20 21 Germany Mexico Sweden Belgium New Zealand Malta Netherlands Estonia Austria Israel Norway Ireland 0.7954 0.7838 0.7722 0.7722 0.7413 0.7375 0.7181 0.6988 0.6988 0.6911 0.6873 0.6564 10 11 12 13 14 15 16 17 18 19 20 Australia Estonia Colombia Belgium Chile Germany Finland Sweden France Malta Austria 0.672 0.639 0.623 0.607 0.607 0.590 0.574 0.574 0.459 0.459 0.443 22 Chile 0.6835 Argentina 23 Israel 0.6805 Columbia 24 France 0.6687 Brazil 25 Luxembourg 0.6600 Japan Average 0.7798 World Average 0.4127 North America 0.8751 Europe 0.5866 South and Eastern Asia 0.4603 South and Central 0.4558 America Caribbean 0.4106 Oceania 0.3006 Ethics and Policy issues in Computing Africa 0.2528• Carnegie Mellon University • Global eGovernance 0.6429 0.6409 0.6371 0.6293 Source: UN Global E-Government Readiness Report 2004: Towards Access for Opportunity Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 17 Difficulties with e-Governance Metrics • Poor metrics lead to misallocation of resources or even bad outcomes Land-records are a major interface in developing countries (and elsewhere) • Digitization projects Hoped to reduce corruption and speed up the process Did it work? – Depends who you ask – Those in the system benefited, those outside were worse off (e.g., Bhoomi project in India) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 18 Other Issues Privacy • Governmental • Inter-citizen Censorship, wiretapping, etc. China • Unique has 99% of connectivity is within country Use of ICT for Security • Wireless mesh across New Orleans Reported to reduce crime Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 19 How to Improve e-Governance Supply vs. Demand • Partly a chicken and egg problem Latin American Countries • Improve content regardless of user base • e-Governance becomes a “killer app” Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 20 “Killer Apps” for ICT and Governance Taxes • Brazil had ~95% of income taxes filed online (2003) Contracting • Sharing information • Actual transactions Voting • Not yet online, but computerized, nonetheless Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 21 Electronic Voting Somewhat controversial, esp. in the US • Why? Electronic voting needs to be in the context of voting overall • • • • Access and participation Informed decisions Influence of money Reduction of errors and fraud How do these compare to paper voting? (“Ballot Stuffing”) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 22 Design of Electoral Systems The problem and a Comparison: US and India Builds on work by Eswaran Subrahmanian (CMU/NIST) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 23 Goals of an Electoral System: Voters and voting process Ensure that every body that is eligible to vote has an opportunity to vote Ensure that any eligible voter is allowed to vote only once Voters get the information on candidates in a fair and consistent manner Ensure the ability to register Ensure orderly process of voting Minimize fraud in the process Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 24 Goals of the Electoral Systems: Candidacy and canvassing Allow for a citizen to be able to participate as a candidate in the election Allow for the candidate to express their political position to the Voters Minimize the number of candidates competing in the election: Low but sufficient barrier to entry Minimize the influence any one interest group on the candidate Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 25 Goal of the Electoral System: Voting Mechanism Ensure that the mechanism registers votes Ensure that the mechanism cannot be tampered with Ensure that the mechanism allows for accurate counting The vote cast is correctly registered and attributed to the right candidate The votes cast are correctly tabulated to decide the winner Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 26 Decision Variables: Voters and Voting Process Criteria for eligibility to Vote: Age, Criminal record, Citizenship Criteria for determining the identity of the voter: Voter id card format and content Criteria for determining that the voter votes only once: Check list, ink marker Locale of voting: on location, absentee Security of the Process: Military, local police, national guard, Party officials, State employees Fairness and standards for dispute resolution Verification of Process: Internal observers, international observers Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 27 Decision variables: Candidacy Criteria for being a candidate: • • • • • Measure of support (100,000 signatures) Deposit money (~$5000) Party affiliation: none, only registered parties etc. Citizenship: Born, naturalized Age by position sought President: 45 and over Congress • Registering: number of days before election Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 28 Decision variables: Candidacy Types of positions: Legislator, Senate, Mayor etc Definition of electoral region for candidacy: (population per district etc) Responsibility of demarcation of region: State government, Election commission Method of demarcation: arbitrary, grid based, Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 29 Decision variables: Canvassing Start of canvassing for Election: Days before election End of canvassing: days before election Modes of Information Dissemination: Street rallies,Flyers, TV and Radio Ads Scope of content of electoral material: Offensive, personal attacks etc Money spent on Canvassing - Limits or no limits Financing of Canvassing: Public, private Limits on citizen financial contribution: upper bound Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 30 Decision Variables: Voting Mechanism Type of Mechanism: paper, mechanical, electronic Security of the mechanism: Special paper, type of locking Counting model: Hand count, Machine count, cumulative count Verification Models: Human, automated verification, committee Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 31 Design of the Electoral Systems: Responsibility Centralized: India • Independent election commission like the supreme court • Central and state election commissions(EC) • Electoral laws executed by Central EC and reforms proposed by CEC • CEC is central coordinator and enforcer Decentralized and Mixed Mode: US • • • • • Canvassing - Central Candidacy - Federal and State Voter eligibility: State and Federal Voting Mechanism: Local (County) Security - Local Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 32 Last Indian National Election (2004) 337 million voters 600 million eligible/registered voters • Registration is CEC responsibility: not individuals • Computerized nation electoral roles • Registration verification in Community halls in villages 1.2 million security officials 1 Million electronic voting machines • Training and demonstration across the country 4 million Poll officers Election over 3 weeks Official results in 3 Days Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 33 US election: First Tuesday of November One day Numerous electoral rolls Numerous types of machines Official result expected in 3- 4 weeks • US States: State Secretary of State Non-uniform electoral laws Minimal security Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 34 India: Electronic Voting Machine (EVM) Introduced in 1998 Indigenous -produced by 2 Public Sector Companies - BEL and ECIL Run on batteries - Tamper proof Votes recorded by pressing a button Votes stored in memory Result retrieved by press of button General Elections 2004 conducted fully on EVMs Around 1,075,000 EVMs were used Can be modified as per the requirement Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 35 How to Improve Electronic Voting Simplicity, Simplicity, Simplicity • Less loopholes Accidental Malicious Standardization • India benefits due to Federal Standards Open Source? Voter Verifiable Audits/Paper Trails[???] • Many experts doubt the value of this • Cryptography can be more secure than paper Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 36 Computing’s Impact on Elections Polls Blogs • FEC ruled to exempt them from some restrictions • Hoped these are grass-roots and a great equalizer Are they? News and media Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 37 Thinking Points on Voting Should you be voting online? • • • • Is it safe? Issues of timing? Is it deliberative? Is it asymmetric (e.g., discriminates by class) Internet voting is a narrow subset of electronic voting (more later) Should I be able to know how you voted? NO! • But, what about transparency? www.fundrace.org – By looking at whom you paid money to, can guess whom you voted for Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 38 History of Voting “Ballots” from Italian ballotta, meaning “little ball” Ancient: clash of spears, balls in urns, division by groups, wooden tickets (tabellæ) American colonies: voting aloud to public official 1857: Australia introduces secret paper ballot 1888: Australian ballot introduced in U.S. (KY, MA) 1892: Mechanical lever machine to “protect mechanically the voter from rascaldom” 1960s: Punched cards 1970s: Optical scan 1978: Direct-recording electronic systems 2000: Internet voting in primaries 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 39 Voting Jurisdictions Voting in the U.S. is conducted by the states • 50 states + DC + territories • Supervised generally by Secretaries of State • Delegated to 3170 counties ~10,000 voting jurisdictions (cities, school boards, …) ~200,000 precincts (avg. 60-70 per county) > 1,400,000 poll workers (avg. 7/precinct, 440/cty) 150 million registered voters, 105 million actually vote Federal government has very little power over elections 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 40 PENNSYLVANIA Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 41 Pennsylvania Voting Methods 2004 ALLEGHENY COUNTY Optical Punch Card Lever DRE Paper Mixed N/A SOURCE: ELECTIONLINE.ORG Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Allegheny County CITY OF PITTSBURGH Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 43 5th Ave. (Precincts) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 44 Pittsburgh East End Wards and Precincts 5th Ave. 14th City Ward Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 45 Pittsburgh East End Political Districts 8th City Council District Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 46 Pittsburgh East End Political Districts 11th County Council District Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 47 Pittsburgh East End Political Districts 23rd Pennsylvania House District Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 48 Pittsburgh East End Political Districts 43rd Pennsylvania Senate District Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 49 Pittsburgh East End Political Districts 11th County Council 8th City Council 23rd House 43rd Senate Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 50 Functions of a Voting System 1. Authenticate voter 2. Present candidates and issues to voter 3. Capture voter’s preferences 4. Transport preferences to counting location 5. Add up vote totals (tabulation) 6. Publish vote totals (reporting) 7. Provide audit mechanism But: vote must be secret 17-803/17-400 ELECTRONIC VOTING FALL 2004 • • • • CS ISSUES SECURITY PRIVACY HCI SOFTWARE ENGINEERING COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 51 Authentication In each precinct, only registered voters are allowed to vote Need a registration system before the election Need authentication mechanism on Election Day • Only registered voters vote • No one can impersonate a voter • Each voter can only vote once In this course, we will not discuss voter registration Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Voting System Requirements Secrecy Security Accuracy Auditability Accessibility to disabled Protective counter (votes cast since manufacture) Public counter (votes cast today) Conform to state voting provisions (e.g. write-ins) Meet Federal standards Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Election tasks Registering voters Validating/authenticating voters Distributing/collecting ballots Tallying votes How are these tasks accomplished in the elections in which you have participated? • • • • Government elections Stock holder elections Student government elections Professional society elections Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 54 Desirable properties of secret ballot elections Accuracy Convenience Privacy Flexibility Verifiability Mobility Invulnerability (Democracy) Trustworthy Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 55 Accuracy Votes cannot be altered Validated votes cannot be eliminated from the final tally Invalid votes will not be counted in the final tally Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 56 Privacy Neither election authorities nor anyone else can link any ballot to the voter who cast it No voter can prove that he or she voted in a particular way Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 57 Invulnerability (to ballot box stuffing) Only eligible voters can vote Each eligible voter can vote only once The accuracy property ensures that ballots are not lost or altered after being submitted to the ballot box The invulnerability property ensures that only valid ballots are accepted into the ballot box Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 58 Verifiability Anyone can independently verify that all votes have been counted correctly • Weaker version: voters can verify that their own votes were counted correctly • Achieved through audit trails and/or cryptographic verification Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 59 Convenience Voters can cast their votes quickly, in one session, and with minimal equipment or special skills Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 60 Flexibility A variety of ballot question formats are permitted including open ended questions Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 61 Mobility There are no restrictions on the location from which a voter can cast a vote • Not yet always true Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 62 Trustworthy Voter feels that • Vote was counted • Vote was private • Nobody else can vote more than once • Nobody can alter others’ votes People believe that the machine works correctly and that its behavior cannot be modified These have to do with perception It is also important that these perceptions are true Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 63 Computers used for Predicting Elections Irony: 1952 US Presidential Election • UNIVAC computer • Based on just 1% of the vote, predicted sweeping Eisenhower victory • No one believed the computer TV networks ignored its prediction • It was right! Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 64 Ballot Types Document ballot • Paper ballot • punched-card • optical scan Non-document ballot • Lever machine • DRE (Direct Recording Electronic) machine Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ US Voting Equipment Trends Source: Election Data Services 1600 1400 US Counties 1200 Punch Card Lever Paper Ballots Optical Scan Electronic Mixed 1000 800 600 400 200 0 Nov–2000 Nov–2002 Nov–2004 Nov–2006 Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 66 Paper (.6%) Advantages • Simple • Captures voter intent • Not subject to equipment malfunctions Disadvantages • Time consuming to count • Does not prevent over votes or under votes • Many ballot fraud schemes involving paper ballots Ballot box stuffing Ballot invalidation Pre-marked ballots Ballot theft Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 67 Paper Ballots 10/29/1864 17-803/17-400 ELECTRONIC VOTING FALL 2004 1/27/1925 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 68 New York Times, April 4, 1855 BALLOT BOXES DESTROYED INJURIES IN RIOTS MORE BALLOTS CAST THAN NAMES ON THE POLL LIST Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 69 Florida’s Solution “The ballots shall first be counted, and, if the number of ballots exceeds the number of persons who voted … the ballots shall be placed back into the box, and one of the inspectors shall publicly draw out and destroy unopened as many ballots as are equal to such excess.” F.S. §102.061 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 70 Why Do We Use Voting Machines? To prevent fraud • Lever machine (1892) “To protect mechanically the voter from rascaldom” Faster, more accurate counting Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Lever Machines (14%) SOURCE: MICHIGAN SOS 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 72 Lever Machines (14%) 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 73 Lever Machines (14%) 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 74 Lever Machines Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 75 Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 76 Punched-Card (14%) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Punch Card Voting Used by about 14% of the U.S. in 2004 Used in 69 of 88 counties in Ohio (PA only has 67 counties) Began in the 1960s with the IBM Porta-Punch By 2000 was used in 37% of the U.S., until Florida Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Votomatic Punch-Card System BALLOT FRAME VOTING SETUP VOTING BOOTH BALLOT SEALS VOTING STYLUS 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 79 Punched Card (14%) SOURCE: MICHIGAN SOS 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 80 Chads SOURCE: PETER SHEERIN Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Hanging Chad SOURCE: NEW YORK TIMES 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 82 Palm Beach County “Butterfly” Ballot SOURCE: SOUTH FLORIDA SUN-SENTINEL 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 83 Votomatic Punched-Card System The infamous Butterfly Ballot 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 84 Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 85 Buchanan Vote by County (Florida, 2000) GRAPH COURTESY OF PROF. GREG ADAMS CARNEGIE MELLON & PROF. CHRIS FASTNOW CHATHAM COLLEGE (PURPLE ANNOTATIONS ADDED) LINEAR FIT WITHOUT PALM BEACH, BROWARD, MIAMI-DADE Pinellas (St. Petersburg-Clearwater) Hillsborough (Tampa) Broward (Fort Lauderdale) Miami-Dade Orange (Orlando) SOURCE: PROF. GREG ADAMS 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 86 Datavote Uses a die to punch a clean hole Employed in a small fraction of punch card counties Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Counting Punched Cards SOURCE: NEW YORK TIMES 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 88 Recount When a ballot is handled, it can be changed The voter’s intent must be determined Suppose only one of four corners is detached. It is a vote? Dimpled chad, pregnant chad: how to count? 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 89 Punched-Card Problems Can’t see whom you’re voting for Registration of card in ballot frame Must use stylus: no positive feedback on punch Hanging chad: chad that is partially attached to the card • How may corners? • Hanging chad causes count to differ every time Dimple: chad that is completely attached but shows evidence of an attempt to punch • Dimple can turn into a vote on multiple readings 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 90 Mark Sense, Optical Scan (34%) TIMING MARKS START OF BALLOT 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 91 Mark-Sense, Optical Scan (34%) Scanning methods • Visible light • Infrared Issues: • Dark/light marks • Some scanners require carbon-based ink • Voter intent may not be captured by machine Machine does not see what the human sees 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 92 AN OPTICAL SCAN BALLOT SOURCE: SANTA BARBARA COUNTY Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 93 SOURCE: Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 94 Precinct Count v. Central Count Precinct count • Voter marks ballot, inserts into machine • Machine rejects overvoted (and maybe undervoted) ballots Central count • Marked ballots are transported to a central location for counting • No opportunity for correction of overvotes/undervotes 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 95 ES&S Model 110 Precinct Tabulator Voter inserts ballot, receives immediate overvote/undervote notification SOURCE: ES&S 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 96 ES&S Model 650 Central Tabulator Ballots counted centrally, away from voter. No overvote/undervote notification SOURCE: Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ ES&S 97 Optical Scan Vote Reading Is it reliable? Is voter intent captured? Can it be manipulated? Infrared v. visible light • Problem: machine “sees” marks differently from voter What is a valid vote? 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 98 Effect of Humidity SOURCE: DOUG JONES 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 99 Direct-Recording Electronic (31%) DEMO SOURCE: SHOUP VOTING SOLUTIONS 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 100 Direct-Recording Electronic (31%) SOURCE: SHOUP VOTING SOLUTIONS 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 101 DRE Systems DRE means “direct recording electronic” There is no document ballot Voter votes by interacting directly with a machine, not by marking a piece of paper “Electronic voting system” means a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment. The system shall provide for a permanent physical record of each vote cast. Pa. Elec. Code. 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 102 A Well-Designed e-Voting Machine NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET PROPRIETARY OPERATING SYSTEM (NOT WINDOWS) SOFTWARE FROM A TRUSTED SOURCE (NOT THE VENDOR) BALLOT SETUP DATA VOTER CHOICES READ-ONLY MEMORY READ-ONLY MEMORY RANDOM ACCESS MEMORY INTERNAL PAPER TRAIL WRITE-ONCE MEMORY TOTALS REPORT SIGNED BY ELECTION JUDGES WRITE-ONCE MEMORY TO COUNTY BOARD 16-HOUR BATTERY MACHINE SEALED WITH PAPER TRAIL Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Advanced (formerly Shoup) WINvote DRE USES WIRELESS NETWORK SOURCE: ADVANCED VOTING SOLUTIONS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Diebold Accu-Vote ACCU-VOTE TS TOUCHSCREEN ACCU-VOTE TSX TOUCHSCREEN ACCU-VOTE OS OPTICAL SCAN SOURCE: DIEBOLD Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ ES&S iVotronic Touchscreen DRE 1. INSERT PEB 2. MAKE SELECTIONS 4. CAST BALLOT 3. REVIEW BALLOT SOURCE: ES&S Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Guardian 1242 (formerly Danaher) Full-face DRE SOURCE: GUARDIAN Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Liberty Election Systems Full-face DRE LIBERTYVOTE SOURCE: LIBERTY Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Microvote INFINITY DRE MV-464 DRE ABSENTEE CARD READER SOURCE: MICROVOTE Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Sequoia Pacific AVC Advantage Full-Face DRE SOURCE: SEQUOIA Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Sequoia Pacific Edge DRE SOURCE: SEQUOIA Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Sequoia Pacific Edge DRE SOURCE: SEQUOIA Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Hart eSlate SOURCE: HART INTERCIVIC Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Known Issues: The Hursti Exploit Discovered by Finnish security expert Harri Hursti Works against Diebold optical scan voting machines Diebold AccuVote OS has a PCMCIA memory card with ballot setup information, vote counters and predefined report formats PRINTER INSIDE OPTICAL BALLOT LCD DISPLAY FRONT OF MACHINE BACK OF MACHINE Source: M. Shamos Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 114 The Hursti Exploit Memory card created at county, inserted in machine: ELECTION DATA TO PRODUCE TABULATION: • CANDIDATE NAMES • PARTIES • BALLOT POSITIONS VOTE COUNTERS ACCUBASIC .ABO FILES FOR REPORTS, NOT TABULATION Counters are short integers; overflow is not trapped Large positive numbers act as negative numbers, e.g. 65,520 is equivalent to -16 since 65,520+16 = 65,536 = 0 Source: M. Shamos Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero. Hursti Exploit, Part 2: Replace the zero report .abo file with one that always prints zeros regardless of counter values. Result: Votes added to some candidates, subtracted from others, but the total count does not exceed the number of voters. Result: When memory card counters are overwritten at the close of polls, no electronic record of the exploit exists. NOT CERTIFIED Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 115 Help America Vote Act of 2002 Payments to states to replace paper and level machines: $3 billion Establishes Election Assistance Commission Reforms the standards process (National Institute of Standards and Technology) Provisional voting Statewide registration systems Complaint procedure Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ The Problem Voters do not trust DRE systems Why? • • • • • • • • Numerous irregularities around the country “Black box” phenomenon Reports by computer security specialists Warnings by computer scientists Jurisdictions rushing to replace old systems Secretive vendor behavior Public awareness of computer vulnerabilities Newspaper editorials, e.g. New York Times Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ The Problem Are DRE systems untrustworthy? • Some are, some aren’t DRE systems used for 25 years without a single verified incident of tampering • • • • Much more difficult to alter computerized records than paper Proprietary operating systems Redundant encrypted memories Testing None of this matters. Perception governs What to do? Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Statutory Requirements HAVA Sec. 301(a)(2)(i): “The voting system shall produce a permanent paper record with a manual audit capacity for such system.” Maryland Election Law 9-102(c): “Standards for certification.- The State Board may not certify a voting system unless the State Board determines that: (1) the voting system will: … (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount” Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Paper Trail Proposal Allow each voter to see her choices on paper before casting a vote If the choices are incorrect, they can be corrected The paper becomes the official ballot If there is a discrepancy between the paper record and the computer record, the paper governs Why? Because that’s the one the voter verified Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ VVPAT Voter-verified paper audit trail Produce a paper document that the voter can view before casting the ballot to verify that the vote was captured correctly Retain the paper document to be used for a recount, if necessary. Concept: if someone has tampered with the machine, the correct count can be obtained from the paper records [Assume for the purposes of this talk that the statement is accurate. It isn’t, but assume it is.] Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Paper Trail Advantages Demonstrates to the voter that the machine captured her choices correctly Creates a sense of security among voters Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Paper Trail Disadvantages No guarantee vote was counted, will ever be counted or paper will be in existence if a recount is ordered Massive paper handling and security problem Slow counting • • Sacramento experiment 06/04: took an average of 20 minutes per ballot to tabulate and verify results Recounting California would take 450 years Accessibility issues Voter confusion • Must remember a lengthy ballot Machines questioned when nothing is wrong Increased demand for recounts Creates doubt among voters (CalTech-MIT Report) 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Voting Problems Machine won’t operate Machine fails during the election Intruder tampers with paper records NOT ADDRESSED BY PAPER TRAIL • Stuffing, removal, alteration Machine captures choices incorrectly Intruder alters vote totals after election Machine maliciously or erroneously switches votes SOLVED BY PAPER TRAIL DEPENDS ON PHYSICAL SECURITY OF PAPER TRAIL Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Legal Requirements Election law defines the process of democracy PA Election Code is extremely long and complex Every voting system used in PA must comply with the PA Constitution and the Election Code A system that violates the law cannot be used, no matter how good or desirable it may be Determination whether to certify a voting system is made by the Secretary of the Commonwealth based on report from an appointed examiner Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Mandatory Requirements Voter secrecy “All elections by the citizens shall be by ballot or by such other method as may be prescribed by law; Provided, That secrecy in voting be preserved.” Pa. Const. Art. VII, Sec. 4. 1. Secrecy Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Mandatory Requirements Ballot non-identifiability “No ballot which is so marked as to be capable of identification shall be counted.” Pa. Election Code, 25 P.S. 3063(a) Purpose: to prevent vote-selling 2. Non-identifiability Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Mandatory Requirements Can’t allow voter a take-home receipt showing how she voted Could be used as proof of vote Would promote vote-selling 3. No take-home receipts Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Mandatory Requirements Voter-verified ballots must be voter-verifiable If the ballot contains anything that is not readable by the voter that could be used to change or invalidate the vote, it’s not voterverifiable The voting system must be “suitably designed for the purpose used.” 25 P.S. 3031.7(11) 4. Nothing unverifiable Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Sequoia VeriVote Paper Trail CONTINUOUS ROLL OF PAPER Voter Choices Problems: 1. No secrecy. Ballots are printed in sequential order 2. Each ballot is identifiable by serial number Ballot Serial Number Two-dimensional Barcode with Voter Choices Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ VoteTrakker Cut-Sheet From an Avante whitepaper: Wrong! The “check-code” makes the ballot identifiable AND not voter-verifiable NJ021111002026 482961 Feb 26, 2001 President / Vice President GEORGE WASHINGTON, Andrew JACKSON US Senator John HANCOCK House of Representative Ben Franklin County Clerk John Quincy ADAMS Board of Chosen Freeholders Paul REVERE Board of Chosen Freeholders William H TAFT Board of Chosen Freeholders Theodore ROOSEVELT Public Question 1 Yes Public Question 2 No Public Question 3 Yes Thank you for voting! Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Populex Ballot Marking System Machine only MARKS a ballot; does not tabulate Ballot is tabulated by a separate scanner that reads the barcode Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ A Populex Ballot Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. No ballot integrity HUMAN-READABLE SELECTIONS MYSTERIOUS BARCODE Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ AccuPoll Cut-Sheet System Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ AccuPoll Paper Trail BALLOT KEY BALLOT KEY, 2D BARCODE OCR SCANNABLE CHOICES HUMAN-READABLE CHOICES Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. No ballot integrity Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ Voter Verifiability Having each voter be able to verify that 1.her vote was understood by the machine 2.her vote was counted by the machine 3.her vote was counted as part of the final tally 4.no unauthorized votes were counted Paper trails provide (1), but not (2), (3) or (4) Systems exist that provide all four Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ A Simplistic Voting Protocol Voter’s Public Key Voter’s Private Key Tallier Validator Voter Tallier’s Public Key Tallier’s Private Key Tallier and validator can collude to violate privacy Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 137 Can Cryptography Help? Yes – using “mix-nets” (Chaum) and “voterverified secret ballots” (Chaum; Neff) Official ballot is electronic not paper. Ballot is encrypted version of choices. Ballots posted on public bulletin board. Voter gets paper “receipt” so she can: • Ensure that her ballot is properly posted • Detect voting machine error or fraud 17-803/17-400 ELECTRONIC VOTING FALL 2004 SOURCE: RON RIVEST COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 138 Voter needs evidence That her vote is “cast as intended”: That her ballot is indeed encryption of her choices, and what her ballot is This is extremely challenging, since She can’t compute much herself She can’t take away anything that would allow her to prove how she voted So: she takes away evidence that allows her (as she exits polling site) to detect whether cheating occurred, and receipt to prove what her ballot is SOURCE: RON RIVEST 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 139 Everyone needs evidence That votes are “counted as cast”: That mix-servers (“mixes”) properly permute and re-encrypt ballots. This is challenging, since Mixes cannot reveal the permutation they applied to ballots That trustees properly decrypt the permuted ballots This is relatively straightforward, using known techniques. This is “universal verifiability” 17-803/17-400 ELECTRONIC VOTING FALL 2004 SOURCE: RON RIVEST COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 140 Electronic Voting in 2004 From the e-voting viewpoint, the 2004 election was not very interesting 1444 reports to the Election Incident Reporting System Reports fell into three categories: • Fantasies (allegations of fraud with no evidence) • Misunderstandings (truthful but misinterpreted allegations) • Genuine problems Problems exist that were not reported, e.g. voter privacy problems 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 141 Reported Problems Machine unreliability Changed votes Lost votes 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 142 Enthusiasm for e-Voting Growing Despite increasing realization of problems Technology solves all sorts of other problems, why not voting? People like the vision of voting in their PJs Belief that e-voting will increase voter turnout Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 143 Internet Voting Where? • • • • Polling place Kiosks Home Anywhere 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 144 Internet Voting Benefits Convenience • Accessibility in all weather, all ages • Vote anywhere, maybe even from cellphone • Availability of candidate information Maybe lower operating cost (maybe not) • if regular polling places are eliminated 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 145 Internet Voting Risks Digital divide • People without Internet access • People without computer skills Security, trust Casual environment Open to the world 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 146 Internet Voting Security Risks Bugs Backdoors to manipulation Malicious code COTS (Commercial Off-the-Shelf Software), e.g. Windows, may contain exploits Insider attacks • Compromising results • Compromising privacy Client attacks • Operator (for Internet cafes) • Worms, viruses, ActiveX, spyware 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 147 Internet Voting Security Risks Denial of Service • DDOS attacks on server • Selective disenfranchisement Spoof websites • Fake “official” site – captures voting credentials, issues fake acknowledgement, then casts real vote differently Promotion of coercion • Automated credential-selling • Installation of watcher software 17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 148 Gauging election risks and threats Risks and threats vary depending on: • Type of election (public vs. private) • Consequences of a successful attack • Value of election outcome to potential adversaries • Expertise, skill & resources needed to disrupt • Level of motivation of potential attackers • Amount of disruption needed to sway the election or call its outcome into doubt • Consequences of a perception of unfair outcome Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 149 Internet voting in public elections Social issues: • Vote coercion • Vote sale • Vote solicitation (click here to vote, banner ads) Technical issues: • • • • Securing the platform Securing the communications channel Assuring availability of the network Registration issues, one vote per person, no dead voters • Authentication in each direction • Maintaining equitable costs (no poll tax, e.g. smartcard reader) Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 150 What Will Electronic Voting NOT Fix? Getting people to vote (turnout) • Brazil has mandatory federal elections Value of a vote • Electoral College (where winner takes all, mostly) Access to voting • Registration • Logistical constraints (Tuesdays are working days) Limited choices - Two Party System Power of incumbency • Congress – over 98% success rate • Redistricting makes it much worse Influencing Elections • Money • Special Interest Groups Ethics and Policy issues in Computing • Carnegie Mellon University • Spring 2008 • Tongia • http://www.contrib.andrew.cmu.edu/~tongia/sp08/08-200/ 151