The Battle for Accountable Voting Systems (PDF document)
Prof. David L. Dill
Department of Computer Science, Stanford University
http://www.verifiedvoting.org

Outline
• Principles & concepts
• Trust and DREs
• Voter verifiable audit trail
• Future
• Conclusion

Role of Elections
Democracy depends on everyone, especially the losers, accepting the results of elections.
“The people have spoken . . . the bastards!” - Dick Tuck concession speech

Transparency
It is not enough for elections to be accurate. We have to know that they are accurate.
All critical aspects of the process must be
– publicly observable, or
– independently checkable
(Preferably both)

Transparency With Paper Ballots
Paper ballots are compatible with transparent processes.
– Voter makes a permanent record of vote.
– Locked ballot box is in public view.
– Transportation and counting of ballots are observed by political parties and election officials.
Everyone understands paper.
Any new system should be at least this trustworthy.

Levels of Accountability
We often have to trust people, but we rarely trust them without accountability.
Levels of accountability:
– Can we detect error?
– Can we correct it?
Simple error detection is the most condition for trustworthiness.

Trust
“You have to trust somebody.”
We only need to trust groups of people with diverse interests (e.g., observers from different political parties).

DRE Definition
DRE = “Direct Recording Electronic”
For this talk, “DRE” does not include machines with voter verifiable paper records.

The Man Behind the Curtain
Suppose the voting booth has a man behind a curtain:
– Voter is anonymous.
– Voter dictates votes to a scribe.
– Voter never sees the ballot.
There is no accountability in this system!
(analogy due to Dan Wallach and Drew Dean)

The DRE Auditing Gap
[Diagram: screen touches (President: Joe Blow) -> ? -> DRE system -> ? -> recorded votes (President: Fred Derf)]
Any accidental or deliberate flaw in the recording mechanism can compromise the election . . . undetectably!

Integrity of DRE Implementations
Paperless electronic voting requires DRE software and hardware to be perfect. It must never lose or change votes.
Current computer technology isn’t up to the task.

Program Bugs
We don’t know how to eliminate program bugs.
• Inspection and testing catch the easy problems.
• Only the really nasty ones remain:
– obscure
– happen unpredictably.

Security Risk
• What assets are being protected?
– At the national level, trillions of dollars.
• Who are potential attackers?
– Hackers, candidates, zealots,
– Foreign governments, criminal organizations.
Attackers may be very sophisticated and/or well-financed.

A Generic Attack
• Programmer, system administrator, or janitor adds hidden vote-changing code.
• Code can be concealed from inspection in hundreds of ways.
• Code can be triggered only during a real election:
– Using “cues”: date, voter behavior.
– Explicitly, by a voter, poll worker, or wireless network.
• Change a small % of votes in plausible ways.

Generic Attack (continued)
DREs are creating new kinds of risks.
Nationwide fraud becomes easier than local fraud.
Local election officials can’t stop it!

Threats From Insiders
• FBI: “The disgruntled insider is a principal source of computer crimes.”
– The 1999 Computer Security Institute/FBI report notes that 55% of respondents reported malicious activity by insiders.
• Crimes are easier for insiders (e.g., embezzling).

Voting Is Especially Hard
Unlike almost every other secure system, voting must discard vital information: the connection between the voter and the vote.

“We’ve never had a proven case of vote fraud on DREs”
• Votes have definitely been lost due to bugs (Wake County, NC, 2002).
• Fraud has never been investigated.
• Candidates don’t bother asking for recounts . . . they just get “reprints”.
• Danger and motivation increase with the number of DREs (twice as many votes this election as in 2002).
• Applications with much more security and lower stakes have had sophisticated fraud (e.g., gambling).

Comparison With Banking
Electronic audit records have the names of everyone involved in every transaction.
Banks usually have paper backup!
And computer crime still occurs, especially by insiders, but:
• Fraud can be quantified (we can tell when it happens).
• Customers are protected.

What Software Are We Running?
We cannot verify that the desired software is running on a computer.
• Stringent software design/review (even formal verification) doesn’t solve the problem.
• Open source does not solve the problem.
– “Disclosed” source is, however, highly desirable!

Summary of Technical Barriers
It is currently (practically) impossible to create trustworthy DREs because:
• We cannot eliminate program bugs.
• We cannot guarantee program security.
• We cannot verify that the desired software is running on the computer.

The Man Behind the Curtain (revisited)
Now, suppose the man who filled out the ballot
– Shows you the ballot so you can make sure it is correct.
– Lets you put it in the ballot box (or lets you watch him do it).
There is accountability:
– You can make him redo the ballot if it’s wrong.
– He can be fired or arrested if he does it wrong.

Voter Verifiable Audit Trail
• Voter must be able to verify the permanent record of his or her vote (i.e., the ballot).
• Ballot is deposited in a secure ballot box.
– Voter can’t keep it because of possible vote selling.
• Voter verified records must be audited, and must take precedence over other counts.
This closes the auditing gap.

VVAT Is Not Enough
Closing the audit gap is necessary but not sufficient.
Additional conditions:
– Physical security of ballots through the final count must be maintained.
– Process must be transparent (observers with diverse interests must be permitted at all points).
There are many other requirements, e.g., accessibility.

Options for Voter Verifiable Audit Trails
• Manual ballots with manual counts.
• Optically scanned paper ballots.
– Precinct-based optical scan ballots have low voter error rates.
• Touch screen machines with voter verifiable printers.
• Other possibilities
– Other media than paper?
– Cryptographic schemes?
For now, paper is the only option that is available and well-understood.

Manual Recounts
Computer counts cannot be trusted.
Like other audits, independent recounts should be performed at least
– When there are doubts about the election
– When candidates challenge
– On a random basis
Computer-generated ballots can have additional security features:
– Digital signatures/time stamps
– Matching identifiers for reconciling with paper ballots.

November, 2004
We’ve done what we can to get paper. In the short term, we’re focusing on other initiatives.
• TechWatch
– Computer-literate volunteers to observe the election.
– They will observe & document pre-election testing.
– They will observe the election (often as poll workers) & vote counting.
• Election Scorecard
– Questions about basic “best practices” related to election security.
– Working with Brennan Center, Leadership Conference on Civil Rights, Center for American Progress.
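As an added illustration (not code from the talk or from Verified Voting) of the audit described under Voter Verifiable Audit Trail and Manual Recounts above: an electronic tally is reconciled against the voter-verified paper record through matching ballot identifiers, with the paper count taking precedence, and precincts are chosen for a manual recount on a random basis. All ballot records, candidate names and the seed value are constructed for the example.

```python
import random
from collections import Counter

# Constructed sample records (not from the talk). Each ballot carries a matching
# identifier printed on both the DRE's electronic record and the voter-verified
# paper ballot, which is what lets the two be reconciled one ballot at a time.
ELECTRONIC = {
    "B001": "Joe Blow", "B002": "Fred Derf", "B003": "Joe Blow",
    "B004": "Joe Blow", "B005": "Fred Derf", "B006": "Joe Blow",
}
# Constructed: paper ballot B004 reads Fred Derf (the screen showed one name and
# the machine recorded another), and B006 has an electronic record but no paper.
PAPER = {
    "B001": "Joe Blow", "B002": "Fred Derf", "B003": "Joe Blow",
    "B004": "Fred Derf", "B005": "Fred Derf",
}


def reconcile(electronic, paper):
    """Compare the two records ballot by ballot.
    Returns (paper_tally, electronic_tally, discrepancies). The paper tally is
    the one that counts: voter-verified records take precedence over the machine
    count. Discrepancies are (ballot_id, electronic, paper) triples; None marks a
    record that is missing on one side."""
    discrepancies = []
    for ballot_id in sorted(set(electronic) | set(paper)):
        e_choice, p_choice = electronic.get(ballot_id), paper.get(ballot_id)
        if e_choice != p_choice:
            discrepancies.append((ballot_id, e_choice, p_choice))
    return Counter(paper.values()), Counter(electronic.values()), discrepancies


def select_audit_sample(precincts, seed, fraction=0.1):
    """Choose precincts for an independent manual recount on a random basis.
    The seed is assumed to be produced publicly (e.g. dice rolled in front of
    observers from different parties), so nobody who operates the machines can
    steer which precincts are examined; the same seed always gives the same
    sample, so observers can re-derive it."""
    rng = random.Random(seed)
    k = max(1, round(len(precincts) * fraction))
    return sorted(rng.sample(sorted(precincts), k))


if __name__ == "__main__":
    paper_tally, machine_tally, problems = reconcile(ELECTRONIC, PAPER)
    print("machine tally:", dict(machine_tally), "paper tally:", dict(paper_tally))
    for ballot_id, e_choice, p_choice in problems:
        print(f"{ballot_id}: electronic={e_choice!r} paper={p_choice!r}")
    print("precincts to hand-count:", select_audit_sample(range(1, 51), 20041102))
```

In the constructed data the machine count and the paper count name different winners, which is exactly the case the audit exists to catch.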

Election Incident Reporting System
• Online capture of election incident reports.
• The Verified Voting Foundation is partnered with CPSR for SW development.
• Reports will be entered by the Election Protection Coalition (60+ members).
• Hotline 1-866-OUR-VOTE
• Goals
– Deal with incidents in real time, when possible.
– Collect knowledge on how elections really work.

Medium Term
• Get a nationwide requirement for voter-verified paper ballots.
• Document existing practices based on TechWatch results.
• Recommend best practices for election integrity.

Long Term
A continuing campaign for election transparency and trustworthiness:
– Technology
– Procedures
– Election law
– Monitoring

Key Points
• Election equipment should be proved reliable and secure before it is deployed.
• There is little evidence that DREs are safe, and a lot of evidence to the contrary.
• The problems cannot be fixed without a voter verifiable audit trail of some kind.
• With a voter verifiable audit trail and due attention to election practices, the problem can be solved.

The Big Risk
All elections conducted on DREs are open to question.

www.verifiedvoting.org
More information is available at our website.

Voting vs. Safety-Critical Systems
“If we can trust computers to fly airplanes, why can’t we trust them to handle our votes?”
– Accountability: failures in safety-critical systems are detectable.
– Standards and practices of safety-critical software are not used in voting machine development. “If we required that, we could only afford one voting machine for the state of Texas!”
– Safety-critical systems are not designed to be secure against attacks by insiders.
