Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber 1...

140
Computers and Society • Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/co 1 Electronic Voting Electronic Voting Week 11 - March 29, 31
  • date post

    19-Dec-2015
  • Category

    Documents

  • view

    222
  • download

    1

Transcript of Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber 1...

Page 1: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/1

Electronic VotingElectronic Voting

Week 11 - March 29, 31

Page 2: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

History of Voting• “Ballots” from Italian ballotta, meaning “little ball”• Ancient: clash of spears, balls in urns, division by groups, wooden tickets

(tabellæ)• American colonies: voting aloud to public official• 1857: Australia introduces secret paper ballot• 1888: Australian ballot introduced in U.S. (KY, MA)• 1892: Mechanical lever machine to “protect mechanically the voter from

rascaldom”• 1960s: Punched cards• 1970s: Optical scan• 1978: Direct-recording electronic systems• 2000: Internet voting in primaries

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 3: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Voting Jurisdictions

• Voting in the U.S. is conducted by the states– 50 states + DC + territories– Supervised generally by Secretaries of State– Delegated to 3170 counties

• ~10,000 voting jurisdictions (cities, school boards, …)• ~200,000 precincts (avg. 60-70 per county)• > 1,400,000 poll workers (avg. 7/precinct, 440/cty)• 150 million registered voters, 105 million actually vote• Federal government has very little power over elections

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 4: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

PENNSYLVANIA

Page 5: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Pennsylvania Voting Methods 2004

Optical

Punch Card

Lever

DRE

Paper

Mixed

N/A SOURCE: ELECTIONLINE.ORG

ALLEGHENYCOUNTY

Page 6: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Allegheny County

CITY OFPITTSBURGH

Page 7: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

5th Ave.

(Precincts)

Page 8: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Pittsburgh East End Wards and Precincts

14th City Ward

5th Ave.

Page 9: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Pittsburgh East End Political Districts

8th City Council District

Page 10: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Pittsburgh East End Political Districts

11th County Council District

Page 11: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Pittsburgh East End Political Districts

23rd Pennsylvania House District

Page 12: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Pittsburgh East End Political Districts

43rd Pennsylvania Senate District

Page 13: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Pittsburgh East End Political Districts

43rd Senate23rd House8th City Council11th County Council

Page 14: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Functions of a Voting System

1. Authenticate voter

2. Present candidates and issues to voter

3. Capture voter’s preferences

4. Transport preferences to counting location

5. Add up vote totals (tabulation)

6. Publish vote totals (reporting)

7. Provide audit mechanism

But: vote must be secret

CS ISSUES• SECURITY• PRIVACY• HCI• SOFTWARE ENGINEERING

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 15: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Authentication

• In each precinct, only registered voters are allowed to vote• Need a registration system before the election• Need authentication mechanism on Election Day

– Only registered voters vote

– No one can impersonate a voter

– Each voter can only vote once

• In this course, we will not discuss voter registration

Page 16: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Voting System Requirements• Secrecy• Security• Accuracy• Auditability• Accessibility to disabled• Protective counter (votes cast since manufacture)• Public counter (votes cast today)• Conform to state voting provisions (e.g. write-ins)• Meet Federal standards

Page 17: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/17

Election tasksElection tasksRegistering voters

Validating/authenticating voters

Distributing/collecting ballots

Tallying votes

How are these tasks accomplished in the elections in which you have participated?Government electionsStock holder electionsStudent government electionsProfessional society elections

Page 18: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/18

Desirable properties of secret ballot Desirable properties of secret ballot electionselections

Accuracy

Privacy

Verifiability

Invulnerability (Democracy)

Convenience

Flexibility

Mobility

Trustworthy

Page 19: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/19

Votes cannot be altered

Validated votes cannot be eliminated from the final tally

Invalid votes will not be counted in the final tally

AccuracyAccuracy

Page 20: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/20

PrivacyPrivacyNeither election authorities nor

anyone else can link any ballot to the voter who cast it

No voter can prove that he or she voted in a particular way

Page 21: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/21

Invulnerability (to ballot box Invulnerability (to ballot box stuffing)stuffing)

Only eligible voters can vote

Each eligible voter can vote only once

The accuracy property ensures that ballotsare not lost or altered after being submitted to the ballot box

The invulnerability property ensures that only valid ballots are accepted into the ballot box

Page 22: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/22

VerifiabilityVerifiabilityAnyone can independently verify that

all votes have been counted correctlyWeaker version: voters can verify that

their own votes were counted correctlyAchieved through audit trails and/or

cryptographic verification

Page 23: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/23

ConvenienceConvenienceVoters can cast their votes quickly, in

one session, and with minimal equipment or special skills

Page 24: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/24

FlexibilityFlexibilityA variety of ballot question formats

are permitted including open ended questions

Page 25: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/25

MobilityMobilityThere are no restrictions on the

location from which a voter can cast a vote

Page 26: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/26

TrustworthyTrustworthy Voter feels that

Vote was countedVote was privateNobody else can vote more

than onceNobody can alter others’

votes

People believe that the machine works correctly and that its behavior cannot be modified

These have to do with perception

It is also important that these perceptions are true

Page 27: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Ballot Types

• Document ballot– Paper ballot– punched-card– optical scan

• Non-document ballot– Lever machine– DRE machine

Page 28: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

U.S. Voting Methods 2000-2004

• Punched-card (32%)• Optical scan (28%)• Lever (16%)• DRE (12%)• Paper (1%)• Indeterminate: (11%)

CardOpticalLeverDREIndetPaper

PUNCHEDCARD

OPTICAL

LEVER

DRE

?

2000

PAPER

• Optical scan (34%)• DRE (31%)• Lever (14%)• Punched-card (14%)• Paper (1%)• Indeterminate: (6%)

DRE

CARD

OPTICAL

LEVER

?

2004

Page 29: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/29

Paper (.6%)Paper (.6%) Advantages

SimpleCaptures voter

intentNot subject to

equipment malfunctions

DisadvantagesTime consuming to

countDoes not prevent

over votes or under votes

Many ballot fraud schemes involving paper ballots

• Ballot box stuffing• Ballot invalidation• Pre-marked ballots• Ballot theft

Page 30: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Paper Ballots

1/27/192510/29/1864

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 31: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

New York Times, April 4, 1855

BALLOT BOXES DESTROYED

INJURIES IN RIOTS

MORE BALLOTS CAST THANNAMES ON THE POLL LIST

Page 32: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Florida’s Solution

“The ballots shall first be counted, and, if the number of ballots exceeds the number of persons who voted … the ballots shall be placed back into the box, and one of the inspectors shall publicly draw out and destroy unopened as many ballots as are equal to such excess.” F.S. §102.061

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 33: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Why Do We Use Voting Machines?

• To prevent fraud– Lever machine (1892) “To protect mechanically the voter

from rascaldom”

• Faster, more accurate counting

Page 34: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Lever Machines (14%)

SOURCE: MICHIGAN SOS

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 35: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Lever Machines (14%)

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 36: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Lever Machines (14%)

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 37: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Lever Machines

Page 38: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.
Page 39: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.
Page 40: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Punched-Card (14%)

Page 41: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Punch Card Voting• Will be used by about 14% of the U.S. in 2004• Will be used in 69 of 88 counties in Ohio (PA only has

67 counties)• Began in the 1960s with the IBM Porta-Punch• By 2000 was used in 37% of the U.S., until Florida

Page 42: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Votomatic Punch-Card System

VOTING BOOTH

BALLOT FRAME

VOTINGSTYLUS

BALLOTSEALS

VOTING SETUP

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 43: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Punched Card (14%)

SOURCE: MICHIGAN SOS

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 44: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Chads

SOURCE: PETER SHEERIN

Page 45: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Hanging Chad

SOURCE: NEW YORK TIMES

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 46: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Palm Beach County “Butterfly” Ballot

SOURCE: SOUTH FLORIDA SUN-SENTINEL

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 47: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Votomatic Punched-Card System

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 48: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/48

Page 49: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Buchanan Vote by County (Florida, 2000)

GRAPH COURTESY OF

PROF. GREG ADAMSCARNEGIE MELLON

&PROF. CHRIS FASTNOW

CHATHAM COLLEGE

SOURCE: PROF. GREG ADAMS

Broward (Fort Lauderdale)

Miami-Dade

Hillsborough (Tampa)

Pinellas (St. Petersburg-Clearwater)

Orange (Orlando)

LINEAR FIT WITHOUT PALM BEACH, BROWARD, MIAMI-DADE

(PURPLE ANNOTATIONS ADDED)

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 50: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Datavote

• Uses a die to punch a clean hole• Employed in a small

fraction of punch cardcounties

Page 51: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Counting Punched Cards

SOURCE: NEW YORK TIMES

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 52: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Recount

• When a ballot is handled, it can be changed• The voter’s intent must be determined• Suppose only one of four corners is detached. It is a

vote?• Dimpled chad, pregnant chad: how to count?

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 53: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Punched-Card Problems

• Can’t see whom you’re voting for• Registration of card in ballot frame• Must use stylus: no positive feedback on punch• Hanging chad: chad that is partially attached to the card

– How may corners?

– Hanging chad causes count to differ every time

• Dimple: chad that is completely attached but shows evidence of an attempt to punch– Dimple can turn into a vote on multiple readings

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 54: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Mark Sense, Optical Scan (34%)

TIMINGMARKS

START OFBALLOT

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 55: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Mark-Sense, Optical Scan (34%)

• Scanning methods– Visible light

– Infrared

• Issues:– Dark/light marks

– Some scanners require carbon-based ink

– Voter intent may not be captured by machine

• Machine does not see what the human sees

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 56: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

SOURCE:SANTABARBARACOUNTY

AN OPTICALSCAN BALLOT

Page 57: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

SOURCE:

Page 58: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Precinct Count v. Central Count

• Precinct count– Voter marks ballot, inserts into machine

– Machine rejects overvoted (and maybe undervoted) ballots

• Central count– Marked ballots are transported to a central location for counting

– No opportunity for correction of overvotes/undervotes

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 59: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

ES&S Model 110 Precinct Tabulator

SOURCE: ES&S

Voter inserts ballot, receivesimmediate overvote/undervotenotification

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 60: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

ES&S Model 650 Central Tabulator

SOURCE: ES&S

Ballots counted centrally, away from voter.No overvote/undervotenotification

Page 61: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Optical Scan Vote Reading

• Is it reliable?• Is voter intent captured?• Can it be manipulated?• Infrared v. visible light

– Problem: machine “sees” marks differently from voter

• What is a valid vote?

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 62: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Effect of Humidity

SOURCE: DOUG JONES

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 63: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Direct-Recording Electronic (31%)

SOURCE: SHOUP VOTING SOLUTIONS

DEMO

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 64: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Direct-Recording Electronic (31%)

SOURCE: SHOUP VOTING SOLUTIONS

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 65: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

DRE Systems

• DRE means “direct recording electronic”• There is no document ballot• Voter votes by interacting directly with a machine, not by marking

a piece of paper• “Electronic voting system” means a system in which one or more

voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment. The system shall provide for a permanent physical record of each vote cast. Pa. Elec. Code.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 66: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

A Well-Designed e-Voting Machine

READ-ONLYMEMORY

READ-ONLYMEMORY

RANDOM ACCESSMEMORY

WRITE-ONCEMEMORY

INTERNALPAPERTRAIL

VOTER CHOICES

PROPRIETARY OPERATING SYSTEM(NOT WINDOWS)

BALLOT SETUP DATA

SOFTWARE FROM ATRUSTED SOURCE(NOT THE VENDOR)

16-HOUR BATTERY

NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET

TOTALS REPORTSIGNED BY ELECTION JUDGES

WRITE-ONCE MEMORYTO COUNTY BOARD

MACHINE SEALED WITH PAPER TRAIL

Page 67: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Advanced (formerly Shoup)WINvote DRE

SOURCE: ADVANCED VOTING SOLUTIONS

USES WIRELESS NETWORK

Page 68: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Diebold Accu-Vote

SOURCE: DIEBOLD

ACCU-VOTE OSOPTICAL SCAN

ACCU-VOTE TSXTOUCHSCREEN

ACCU-VOTE TSTOUCHSCREEN

Page 69: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

ES&S iVotronic Touchscreen DRE

SOURCE: ES&S

2. MAKE SELECTIONS1. INSERT PEB 3. REVIEW BALLOT

4. CAST BALLOT

Page 70: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Guardian 1242 (formerly Danaher)Full-face DRE

SOURCE: GUARDIAN

Page 71: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Liberty Election SystemsFull-face DRE

SOURCE: LIBERTY

LIBERTYVOTE

Page 72: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Microvote

SOURCE: MICROVOTE

INFINITY DRE

ABSENTEE CARD READER

MV-464 DRE

Page 73: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Sequoia PacificAVC Advantage Full-Face DRE

SOURCE: SEQUOIA

Page 74: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Sequoia PacificEdge DRE

SOURCE: SEQUOIA

DEMO

Page 75: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Sequoia PacificEdge DRE

SOURCE: SEQUOIA

DEMO

Page 76: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Hart eSlate

SOURCE: HART INTERCIVIC

Page 77: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Help America Vote Act of 2002

• Payments to states to replace paper and level machines: $3 billion

• Establishes Election Assistance Commission• Reforms the standards process (National Institute of

Standards and Technology)• Provisional voting• Statewide registration systems• Complaint procedure

Page 78: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

The Problem

• Voters do not trust DRE systems• Why?

– Numerous irregularities around the country

– “Black box” phenomenon

– Reports by computer security specialists

– Warnings by computer scientists

– Jurisdictions rushing to replace old systems

– Secretive vendor behavior

– Public awareness of computer vulnerabilities

– Newspaper editorials, e.g. New York Times

Page 79: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

The Problem

• Are DRE systems untrustworthy?– Some are, some aren’t

• DRE systems used for 25 years without a single verified incident of tampering– Much more difficult to alter computerized records than paper

– Proprietary operating systems

– Redundant encrypted memories

– Testing

• None of this matters. Perception governs• What to do?

Page 80: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Statutory Requirements

• HAVA Sec. 301(a)(2)(i): “The voting system shall produce a permanent paper record with a manual audit capacity for such system.”

• Maryland Election Law 9-102(c): “Standards for certification.- The State Board may not certify a voting system unless the State Board determines that:

(1) the voting system will: … (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount”

Page 81: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Paper Trail Proposal

• Allow each voter to see her choices on paper before casting a vote

• If the choices are incorrect, they can be corrected• The paper becomes the official ballot• If there is a discrepancy between the paper record and the

computer record, the paper governs• Why? Because that’s the one the voter verified

Page 82: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Paper Trail Advantages

• Demonstrates to the voter that the machine captured her choices correctly

• Creates a sense of security among voters

Page 83: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Paper Trail Disadvantages• No guarantee vote was counted, will ever be counted or paper will be in

existence if a recount is ordered• Massive paper handling and security problem• Slow counting

– Sacramento experiment 06/04: took an average of 20 minutes per ballot to tabulate and verify results

– Recounting California would take 450 years

• Accessibility issues• Voter confusion

– Must remember a lengthy ballot

• Machines questioned when nothing is wrong• Increased demand for recounts• Creates doubt among voters (CalTech-MIT Report)

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 84: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Voting Problems

• Machine won’t operate• Machine fails during the election• Intruder tampers with paper records

– Stuffing, removal, alteration

• Machine captures choices incorrectly

• Intruder alters vote totals after election• Machine maliciously or erroneously

switches votes

NOT ADDRESSEDBY PAPER TRAIL

SOLVED BYPAPER TRAIL

DEPENDS ONPHYSICALSECURITY OFPAPER TRAIL

Page 85: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

AccuPoll Paper Trail

SOURCE: ACCU-POLL

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 86: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Avante Vote-Trakker Paper Trail

NJ021111002026 482961Feb 26, 2001

President / Vice PresidentGEORGE WASHINGTON, Andrew JACKSON

US SenatorJohn HANCOCK

House of RepresentativeBen Franklin

County ClerkJohn Quincy ADAMS

Board of Chosen FreeholdersPaul REVERE

Board of Chosen FreeholdersWilliam H TAFT

Board of Chosen FreeholdersTheodore ROOSEVELT

Public Question 1Yes

Public Question 2No

Public Question 3Yes

Thank you for voting!

SOURCE: AVANTE

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 87: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Populex

1. Voter gets blank paper ballot, inserts in machine.

2. Voter removes touchscreen stylus.

3. Voter uses stylus to make selections on the touchscreen.NO INTERNAL COMPUTER RECORD OR COUNT, ONLY PAPER OUTPUT.

4. When voter is finished, machine prints a bar code and corresponding “punch” numbers which contain the voter’s selections on the paper ballot.

5. Voter verifies the ballot in privacy using a computerized read station. The voter then submits the ballot to an election judge to be counted.COUNTING IS BY BAR CODE.

SOURCE: POPULEX

Page 88: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

Voter Verifiability

• Having each voter be able to verify that1. her vote was understood by the machine

2. her vote was counted by the machine

3. her vote was counted as part of the final tally

4. no unauthorized votes were counted

• Paper trails provide (1), but not (2), (3) or (4)• Systems exist that provide all four

Page 89: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/89

Evaluating information sourcesEvaluating information sources Don’t believe everything you read!

News sources are usually a reporter's interpretation of what someone else did

Conference and journal papers are first hand reports of research studies that have been peer reviewed but journals usually have more review than conferences

Technical reports are usually first hand reports of research studies that have not been peer reviewed (yet) Look for subsequent conference or journal publications

Web sites and books are anything goes, but books at least have an editor (usually)

When possible, cite research results and technical information from peer reviewed sources

Research and Communication Skills

Page 90: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/90

Research and Communication Skills

Organizing a research paperOrganizing a research paperDecide up front what the point of your

paper is and stay focused as you write

Once you have decided on the main point, pick a title

Start with an outline

Use multiple levels of headings (usually 2 or 3)

Don’t ramble!

Page 91: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/91

Research and Communication Skills

Typical paper organizationTypical paper organization Abstract

Short summary of paper

Introduction Motivation (why this work is interesting/important, not your personal

motivation)

Background and related work Sometimes part of introduction, sometimes two sections

Methods What you did In a systems paper you may have system design and evaluation sections

instead

Results What you found out

Discussion Also called Conclusion or Conclusions May include conclusions, future work, discussion of implications,etc.

References

Appendix Stuff not essential to understanding the paper, but useful, especially to

those trying to reproduce your results - data tables, proofs, survey forms, etc.

These sections may be different in your papers

Page 92: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/92

Research and Communication Skills

Road mapRoad map Papers longer than a few pages should

have a “road map” so readers know where you are going

Road map usually comes at the end of the introduction

Tell them what you are going to say in the roadmap, say it, (then tell them what you said in the conclusions)

Examples In the next section I introduce X and discuss related work. In

Section 3 I describe my research methodology. In Section 4 I present results. In Section 5 I present conclusions and possible directions for future work.

Waldman et al, 2001: “This article presents an architecture for robust Web publishing systems. We describe nine design goals for such systems, review several existing systems, and take an in-depth look at Publius, a system that meets these design goals.”

Page 93: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/93

Research and Communication Skills

Use topic sentencesUse topic sentences (Almost) every paragraph should have a topic

sentence Usually the first sentence Sometimes the last sentence Topic sentence gives the main point of the paragraph

First paragraph of each section and subsection should give the main point of that section

Examples from Waldman et al, 2001 In this section we attempt to abstract the particular

implementation details and describe the underlying components and architecture of a censorship-resistant system.

Anonymous publications have been used to help bring about change throughout history.

Page 94: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/94

Research and Communication Skills

Avoid unsubstantiated claimsAvoid unsubstantiated claims Provide evidence for every claim you make

Related work Results of your own experiments

Conclusions should not come as a surprise Analysis of related work, experimental results, etc. should

support your conclusions Conclusions should summarize, highlight, show

relationships, raise questions for future work Don’t introduce new ideas in discussion or conclusion

section (other than ideas for related work) Don’t reach conclusions not supported by the rest of your

paper

Page 95: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Electronic Voting in 2004

• From the evoting viewpoint, the 2004 election was not very interesting

• 1444 reports to the Election Incident Reporting System• Reports fell into three categories:

– Fantasies (allegations of fraud with no evidence)– Misunderstandings (truthful but misinterpreted allegations)– Genuine problems

• Problems exist that were not reported, e.g. voter privacy problems

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 96: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Reported Problems

• Machine unreliability• Changed votes• Lost votes

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 97: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Carteret County, NC

• UniLect Patriot DRE machine• Used since 1996• Software: Intellect 2.49; Firmware: 2.54

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 98: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

17-803/17-400 ELECTRONIC VOTING FALL 2004

COPYRIGHT © 2004 MICHAEL I. SHAMOS

UniLect Patriot

SOURCE: UNILECT

VOTING MACHINE

BALLOT SETUP UNIT

PRECINCT CONTROLLER

Page 99: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Carteret County, NC

• Alleged by manufacturer to have a capacity of 10,500 ballots

• Used in Carteret County for early voting• Real capacity was only 3,005• But 7,537 people voted early• Machine produces a warning when full, but does not

prevent voting• 4,532 votes were permanently lost

Page 100: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Carteret County, NC

• What happened?• Machine had redundant ballot storage in machine and

on memory pack• But capacity was exceeded• Many fixes available

– Don’t allow voting when machine is full!– Increase capacity so it is huge– Paper trail would have solved the problem

• No FEC Standards covering capacity

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 101: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Craven County, NC

• Election Systems & Software DRE machine• Hardware: Votronic Model 1• Software: Unity 2.2• Firmware: 5.28

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 102: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Craven County, NC

• First election night tally showed 11,283 more votes for President than the 40,534 people first thought to have voted in the county

• Some precincts were counted twice• Found by a reporter on Nov. 3• One race was affected: County Board of

Commissioners District 5 seat (1067-944)• Problem would have been discovered in the canvass

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 103: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Franklin County, OH

• Columbus, OH• Danaher Controls (Danaher Guardian) DRE• Model: ELECTronic 1242

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 104: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Franklin County, OH

• A computer error with a voting machine cartridge gave President Bush 3,893 extra votes.

• Unofficial results gave Bush 4,258 votes to Kerry's 260 votes in Precinct 1B. Records show only 638 voters cast ballots in that precinct.

• Calls were received Thursday from people who saw the error when reading the list of poll results on the election board's Web site.

• After Precinct 1B closed, a cartridge from one of three voting machines at the polling place generated a faulty number at a computerized reading station.

• The reader also recorded zero votes in a county commissioner race.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 105: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Franklin County, OH

• County elections director said the error would have been discovered when the official canvass for the election is performed later this month.

• The cartridge was retested Thursday and there were no problems. He couldn't explain why the computer reader malfunctioned.

• Workers checked the cartridge against memory banks in the voting machine Thursday and each showed that 115 people voted for Bush on that machine. With the other machines, the total for Bush in the precinct added up to 365 votes.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 106: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Orlean Parish, LA

• New Orleans• Sequoia Voting Systems, Inc• Model: AVC Advantage

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 107: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Orleans Parish, LA

• Sequoia machines failed to boot up on election day and local election officials had no backup plan. EFF attorneys filed a complaint in Civil District Court attempting to force election officials in the Parish of New Orleans to keep polls open late. The NAACP also filed a complaint urging polls to remain open late to accommodate disenfranchised voters.

• The machines that failed in New Orleans were older Sequoia AVC Edge machines and 80 incidents of failure were recorded across a number of precincts.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 108: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Boulder County, CO

• Hart Intercivic Optical Scan, Precinct-Based• Model: BallotNow

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 109: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Boulder County, CO

• A printing error that distorted bar codes on paper ballots is being blamed for delays that made this one of the last counties in the nation to report election results.

• The county clerk's office and officials at a Denver printing company are examining flaws in thousands of ballots that slowed the vote count to a crawl.

• County Clerk Linda Salas said Monday the bad ballots were distributed at random, cropping up in some precincts, but not in others. The exact number of bad ballots is still unknown, Salas said.

• Scanners rejected ballots with the bad bar codes, requiring election judges to tally those votes race by race.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 110: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Boulder County, CO

• Voting equipment was tested before the election. But the printing error occurred only on actual ballots that went to voters, not the test ballots, Salas said.

• Adding to the delays were attempts to figure out why the scanners were rejecting some ballots. Technicians from Hart Intercivic, which makes the scanners, and Kodak, which makes the lenses, examined the machines before the bar code error - which was not visible to the naked eye - was caught, Salas said.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 111: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Thurston County, WA

• Election Systems & Software punched card system

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 112: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Thurston County, WA

• Elections staff recounted an estimated 81,000 ballots first tallied Election Day after learning that computer software wasn't set up properly for the first count.

• No errors were caused in tabulating the ballots the first time, Thurston County Auditor Kim Wyman said.

• The mistake did make it impossible to know exactly how many poll-site ballots were cast in each precinct of the county. A dozen staff members worked into the evening, recounting the ballots after properly setting software on the machines. They needed the data as part of their routine effort to confirm that machine-vote totals equal the totals in poll books

• An "F2 key" was not punched when elections workers set up the vote-counting machines prior to Tuesday's election, Wyman said.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 113: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Paper Trail Problems

• Clark County, NV (Las Vegas) + Reno

• 5 machines at a Reno polling place malfunctioned at the same time due to a failure to change paper. The problem backed up lines and caused the site to stay open until about 10 p.m., three hours past closing.

• In Reno, at least two voters complained that their votes were erroneously recorded. Machines, which resemble ATMs or computers, began to work again after they were shut down and restarted.

• Two machines malfunctioned at separate polling places in Las Vegas.

• Audits of random machines to be completed by all 17 Nevada counties by Tuesday.

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 114: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/114

Electronic votingElectronic votingPoll site voting, no networking

Already in use today in the form of Direct Recording Electronic (DRE) machines

Poll site voting via networked voting machines

Poll site voting via networked PCs

Kiosk voting - voting via networked PCs or voting machines at kiosks, not necessarily at traditional polling places

Vote from home (or anywhere else)

Page 115: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/115

Enthusiasm for evoting Enthusiasm for evoting growinggrowing

Despite increasing realization of problems

Technology solves all sorts of other problems, why not voting?

People like the vision of voting in their PJs

Belief that evoting will increase voter turnout

Page 116: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Internet Voting

• Where?– Polling place– Kiosks– Home– Anywhere

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 117: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Internet Voting Benefits

• Convenience– Accessibility in all weather, all ages– Vote anywhere, maybe even from cellphone– Availability of candidate information

• Maybe lower operating cost (maybe not)– if regular polling places are eliminated

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 118: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Internet Voting Risks

• Digital divide– People without Internet access– People without computer skills

• Security, trust• Casual environment• Open to the world

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 119: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Internet Voting Security Risks• Bugs• Backdoors to manipulation• Malicious code• COTS (Commercial Off-the-Shelf Software), e.g. Windows, may contain

exploits• Insider attacks

– Compromising results– Compromising privacy

• Client attacks– Operator (for Internet cafes)– Worms, viruses, ActiveX, spyware

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 120: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Internet Voting Security Risks

• Denial of Service– DDOS attacks on server– Selective disenfranchisement

• Spoof websites– Fake “official” site – captures voting credentials, issues fake

acknowledgement, then casts real vote differently• Promotion of coercion

– Automated credential-selling– Installation of watcher software

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 121: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/121

Gauging election risks and Gauging election risks and threatsthreats

Risks and threats vary depending on:Type of election (public vs. private)Consequences of a successful attackValue of election outcome to potential

adversariesExpertise, skill & resources needed to

disruptLevel of motivation of potential attackersAmount of disruption needed to sway the

election or call its outcome into doubtConsequences of a perception of unfair

outcome

Page 122: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/122

Internet voting in public Internet voting in public electionselections Social issues:

Vote coercionVote saleVote solicitation (click here to vote, banner ads)

Technical issues:Securing the platformSecuring the communications channel Assuring availability of the networkRegistration issues, one vote per person, no

dead votersAuthentication in each directionMaintaining equitable costs (no poll tax, e.g.

smartcard reader)

Page 123: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Can cryptography help?

• Yes – using “mix-nets” (Chaum) and “voter-verified secret ballots” (Chaum; Neff)

• Official ballot is electronic not paper.• Ballot is encrypted version of choices.• Ballots posted on public bulletin board.• Voter gets paper “receipt” so she can:

– Ensure that her ballot is properly posted– Detect voting machine error or fraud

SOURCE: RON RIVEST

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 124: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Voter needs evidence

• That her vote is “cast as intended”:• That her ballot is indeed encryption of her

choices, and what her ballot is.This is extremely challenging, since

She can’t compute much herselfShe can’t take away anything that would allow her to prove how she voted

• So: she takes away evidence that allows her (as she exits polling site) to detect whether cheating occurred, and receipt to prove what her ballot is.

SOURCE: RON RIVEST

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 125: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Everyone needs evidence

• That votes are “counted as cast”:• That mix-servers (“mixes”) properly permute

and re-encrypt ballots.This is challenging, since

Mixes cannot reveal the permutation they applied to ballots

• That trustees properly decrypt the permuted ballots

This is relatively straightforward, using known techniques.

• This is “universal verifiability”SOURCE: RON RIVEST

17-803/17-400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Page 126: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/126

Voter’sPrivate Key

Tallier’sPublic Key

Voter’sPublic Key BALLOT

Tallier’sPrivate Key

Vote

r

Talli

er

Valid

ato

r

Tallier and validator can collude to violate privacyBALLOT

A Simplistic Voting ProtocolA Simplistic Voting Protocol

Page 127: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/127

SensusSensus A design and prototype implementation of an

electronic voting system

Based on Fujioka, Okamoto, Ohta (FOO) protocol

Implemented in C and Perl on a Unix system

This is one example of the many electronic voting protocols

References Fujioka, A, Okamoto, T., and Ohta, K. A practical secret

voting scheme for large scale elections. In Advances in Cryptology - AUSCRYPT '92, Springer-Verlag, Berlin. 1993, pp. 244-251.

Cranor, L. and Cytron, R. Sensus: A Security-Conscious Electronic Polling System for the Internet. Proceedings of the Hawai`i International Conference on System Sciences, January 7-10, 1997, Wailea, Hawai`i, USA. http://lorrie.cranor.org/pubs/hicss/

Page 128: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/128

Blind SignaturesBlind SignaturesAllow someone to sign a document

without knowing what they are signing

Like signing the outside of an envelope with carbon paper and a document inside

Page 129: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/129

Blind SignaturesBlind Signatures All arithmetic is mod n

Blinding (performed by voter): choose a random blinding factor r compute and present for signing: m x re where m is the

message, e = encryption (public) key

Signing (performed by validator): compute ( m x re )d d = decryption (private) key this is equal to r x md

Unblinding (performed by voter): compute r x md /r = md

Page 130: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/130

The Sensus Polling ProtocolThe Sensus Polling ProtocolPollster - the user’s agent - trusted by

user

Validator - validates ballots (without seeing content of ballots)

Tallier - counts validated ballots and reports results (without knowing which voter voted which ballot)

Registrar - registers voters

Page 131: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/131

The Pollster prepares the The Pollster prepares the ballotballot

Presents ballot questions to user and records answers

Generates key pair and seals ballot

Blinds sealed ballot

Signs blinded, sealed ballot

Page 132: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/132

Validator Pollster Tallier

• blinded, sealed ballot• ID number• signature

1

The Sensus Polling ProtocolThe Sensus Polling Protocol

Page 133: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/133

Validator Pollster Tallier

1

• signed, blinded, sealed ballot

2

The Sensus Polling ProtocolThe Sensus Polling Protocol

Page 134: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/134

Validator Pollster Tallier

1

2

• sealed ballot, signed by validator

3

The Sensus Polling ProtocolThe Sensus Polling Protocol

Page 135: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/135

Validator Pollster Tallier

1

3

2

• sealed ballot, signed by tallier• receipt #

4

The Sensus Polling ProtocolThe Sensus Polling Protocol

Page 136: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/136

Validator Pollster Tallier

1

4

3

2

• receipt #• key to unseal ballot

5

The Sensus Polling ProtocolThe Sensus Polling Protocol

Page 137: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/137

Validator Pollster Tallier

1

4

3

2

5

The Sensus Polling ProtocolThe Sensus Polling Protocol

Page 138: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/138

Sensus assumptionsSensus assumptions Communication occurs over an anonymous

channel

Machines (along with secrets on them) are secure (including users’ machines!)

Messages are not likely to arrive at validator and tallier in the same order

Strong encryption

Election is not disrupted due to denial of service attacks, power outages, etc.

Can we count on these assumptions to be true?

Page 139: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/139

Even if these assumptions holdEven if these assumptions holdIf voters abstain, validator may

submit ballots for themThese invalid ballots may be detected,

but not corrected

Voters can prove how they voted (and sell their votes)

Only weak verifiability (voters can verify their votes but not third-party)

Page 140: Computers and Society Carnegie Mellon University Spring 2005 Lorrie Cranor and Dave Farber  1 Electronic Voting Week.

Computers and Society • Carnegie Mellon University • Spring 2005 • Lorrie Cranor and Dave Farber • http://lorrie.cranor.org/courses/sp05/140

Homework 7 discussionHomework 7 discussionApplyYourself.com

Hackers?Ethical?Rejected?