Computer Science 654 Lecture 7: Electronic Voting Security Issues Wayne Patterson Professor of Computer Science Howard University Spring 2009


Automated and e-Voting

Automated voting systems have been in existence for over a century
Only came into public use in the 1980s

An electronic voting (or e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information.


In the United States, interest in electronic voting rose after the fiasco of the 2000 presidential election in Florida with confusing ballots and “hanging chads”

Hanging Chads and Funny Ballots

Other Country Examples of Electronic Voting

Australia: In October of 2001 electronic voting was used for the first time in an Australian parliamentary election (8.3%).
Belgium: Started in 1991. It has been widely used since 1999.
Brazil: Since 2000, all Brazilian elections have been fully electronic.
Canada: Used since at least the 1990s at the municipal level in many cities.
Estonia: First country to have legally binding general elections using the Internet – 2005.
France: Remote Internet voting for the first time in 2003, when French citizens living in the United States elected their representatives to the Assembly of the French Citizens Abroad.
Germany: About 2000 Nedap machines were used in the 2005 Bundestag elections, covering approximately 2 million voters.
India: Electronic voting in India was first introduced in 1989 and used on an experimental basis.

Other Country Examples of Electronic Voting

Ireland: Nedap machines were used on a 'pilot' basis in some constituencies in two elections in 2002. Due to campaigning, the machines have not been used since.
Italy: Experimented in the 2006 elections with electronic voting machines from Nedap.
Netherlands: Since the late nineties, voting machines have been used extensively during elections.
Norway: Carried out pilots in three municipalities at local elections in 2003 on voting machines in the polling stations using touch screens.
Romania: First implemented electronic voting systems in 2003, on a limited basis, to extend voting capabilities to soldiers.
Switzerland: Several cantons (Geneva, Neuchâtel and Zürich) have developed Internet voting test projects to allow citizens to vote via the Internet or by SMS.
United Kingdom: Voting pilots have taken place since 2000 in England, and in Scotland, scanners will be used to electronically count paper ballots in the Scottish Parliament general election in 2007.

Machine Manufacturers

AccuPoll/Unisys
Advanced Voting Solutions
Avante
Diebold (US)
Danaher Corporation (Guardian Voting Systems)
Election Systems and Software (ES&S) (US)
Hart Intercivic (US)
Inkavote (EDS)
Liberty/NEDAP Powervote
Microvote
Populex
Sequoia/Smartmatic
Unilect
VoteHere (Dategrity)
Vote-PAD

ES&S iVotronic

Sequoia

The Rubin/Johns Hopkins Attack on Diebold

May 2004 IEEE Symposium on Privacy and Security
Analysis of the source code
“Far below even the most minimal security standards applicable in other contexts.”
Unauthorized privilege escalation
Incorrect use of cryptography
Vulnerabilities to network threats
Poor software development processes
No “voter-verified audit trail”
KEY MANAGEMENT. All of the data on a storage device is encrypted using a single, hardcoded DES key:

    #define DESKEY ((des_key*)"F2654hD4")
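
The key-management finding above, shown from the defender's side as an added Python example (not code from the Diebold system or from the Hopkins analysis): each machine gets a key derived from a master secret that stays at the election office, so a key read off one machine does not validate data for another. It uses HMAC-SHA256 integrity tags in place of DES encryption because Python's standard library has no cipher; `MASTER_SECRET`, the election and machine IDs, and the record format are constructed for the example.

```python
import hashlib
import hmac

# Constructed master secret (assumption: held only by the election office,
# for example in an HSM, and never installed on a voting machine).
MASTER_SECRET = bytes(range(32))
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def derive_device_key(master: bytes, election_id: str, device_id: str) -> bytes:
    """Derive a key bound to one election and one machine (HMAC-SHA256 as a PRF)."""
    label = f"ballot-store|{election_id}|{device_id}".encode()
    return hmac.new(master, label, hashlib.sha256).digest()


def seal_record(key: bytes, record: bytes) -> bytes:
    """Return record + tag; any later change to the record invalidates the tag."""
    return record + hmac.new(key, record, hashlib.sha256).digest()


def open_record(key: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time and return the record, or raise ValueError."""
    if len(sealed) < TAG_LEN:
        raise ValueError("sealed record too short")
    record, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    expected = hmac.new(key, record, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return record


def accepts(key: bytes, sealed: bytes) -> bool:
    """True if the sealed record verifies under this key."""
    try:
        open_record(key, sealed)
        return True
    except ValueError:
        return False


def demo() -> dict:
    """Compare the reach of one shared key with that of per-machine keys."""
    shared = b"one-key-for-all"  # stands in for a single key compiled into every unit
    key_a = derive_device_key(MASTER_SECRET, "election-demo", "machine-A")
    key_b = derive_device_key(MASTER_SECRET, "election-demo", "machine-B")
    record = b"machine-B|candidate=1|count=120"  # constructed record
    altered = bytearray(seal_record(key_b, record))
    altered[0] ^= 0x01  # one flipped bit in the stored record
    return {
        # With a shared key, whoever holds it can seal data for any machine.
        "shared_key_accepted_everywhere": accepts(shared, seal_record(shared, record)),
        # A record sealed with machine A's key is rejected as machine B's.
        "other_machine_key_accepted": accepts(key_b, seal_record(key_a, record)),
        "alteration_detected": not accepts(key_b, bytes(altered)),
    }
```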

The Princeton Hack of Diebold

September 2006
Fully independent security study of a Diebold AccuVote-TS Voting Machine
“Vulnerable to extremely serious attacks”
Physical access to a machine or its removable memory card for one minute could allow installation of malicious code
Which could steal votes undetectably, modifying all records, logs, and counters
Malicious code could also spread silently from machine to machine
See http://www.youtube.com/watch?v=5WMG34cv0zM

Sequoia Gets Hacked

Sequoia Makes Like Diebold And Gets Hacked By Princeton
By John Gideon, VotersUnite.org, February 11, 2007

A New Jersey Attorney Will Ask A Judge To Decertify Sequoia AVC Advantage Machines
A Princeton Professor Paid $86 For What A NJ County Paid $40,000 For

In a report in Sunday's The Star-Ledger [NJ] it was revealed that Sequoia AVC Advantage Direct Recording Electronic (DRE) voting machines used in 18 of New Jersey's 21 counties were improperly certified for use by the state.

[Attorney Penny]Venetis filed legal papers Friday claiming the state never certified some 10,000 Sequoia AVC Advantage machines as secure or reliable as required by law.  "There is zero documentation --- no proof whatsoever --- that any state official has ever reviewed Sequoia machines," Venetis, co-director of the Rutgers Constitutional Litigation Clinic, said in an interview. "This means you cannot use them. ... These machines are being used to count most of the votes in the state without being tested in any way, shape or form."

Sequoia Still Being Hacked

At the same time Princeton Computer Science Professor Andrew Appel revealed that he bought 5 of the Advantage voting machines from an on-line government equipment clearinghouse for a total of $86. Virtually identical machines were bought in 2005 by Essex County New Jersey for $8,000 apiece. Professor Appel and his team put the 5 machines to good use according to the article. A Princeton student picked one machine's lock "in seven seconds" to access the removable chips containing Sequoia's vote-recording software, Appel said. "We can take a version of Sequoia's software program and modify it to do something different --- like appear to count votes, but really move them from one candidate to another."

And what does Sequoia have to say for itself? Citing more than a century in the election business, Sequoia Voting Systems asserts on its Web site that "our tamperproof products, including ... the AVC Advantage, are sought after from coast to coast for their accuracy and reliability." While promising to look into Appel's claims, Sequoia's Michelle Shafer asserted that hacking scenarios are unlikely.

Appel counters: But Appel said voting machines often are left unattended at polling places prior to elections. He is confident his students and other recent buyers of 136 Sequoia machines sold on GovDeals.com --- where bidders also can find surplus coffins, locomotives and World War I cannons --- will crack Sequoia's code. Then, he said, it will be fairly simple for anyone with bad intentions and a screwdriver to swap Sequoia's memory chips for reprogrammed ones.

State-by-State

California
  10 out of 58 counties
  Diebold AccuVote-TS, Sequoia AVC Edge, ES&S iVotronic, Hart Intercivic eSlate
  No voter-verifiable paper with DRE in this election but voters must be given paper ballot alternative to using DRE.

Florida
  15 out of 67 counties
  ES&S iVotronic, Sequoia AVC Edge
  No voter-verifiable paper with DRE, recounts on touchscreens will not be possible, in violation of state law mandating them in close elections.

Maryland
  Statewide
  Diebold AccuVote-TS
  No voter-verifiable paper with DRE

Nevada
  Statewide
  Sequoia AVC Edge
  Has voter-verifiable paper trail; state chose Sequoia partly because paper trail was offered.

Ohio
  7 of 88 counties use DRE
  ES&S iVotronic, Sequoia AVC Advantage, Danaher, MicroVote MV 464
  Ohio has mandated a paper audit trail for DRE machines by 2006. No system currently in use has voter-verifiable paper trail, though some older systems, like the MV-464 have internal printers that record ballot information for each machine.

South Carolina
  36 of 46 counties use DRE -- 85 percent of registered voters.
  ES&S iVotronic, Danaher ELECTronic 1242, Microvote 464, Microvote Infinity, Unilect
  No voter-verifiable paper with DRE. iVotronic has three different memory locations where vote data is stored.

Brennan Center Report

In December 2006, the Brennan Center for Social Justice at New York University released a comprehensive report, “The Machinery of Democracy: Voting System Security, Accessibility, Usability, and Cost”

Recommendations regarding security:
Conduct automatic routine audits comparing voter-verified paper records to the electronic record following every election.
Perform “parallel testing” (selection of voting machines at random and testing them as realistically as possible) on Election Day.
Ban use of voting machines with wireless components.
Use a transparent and random selection process for all auditing procedures.
Ensure decentralized programming and voting system administration.
Institute clear and effective procedures for addressing evidence of fraud or error.

Unfortunately, very few jurisdictions have implemented any of the security measures that the Task Force’s analysis shows are necessary to make voting systems substantially more secure.
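
Two of the recommendations above (routine audits of paper against electronic records, and a transparent random selection process) combined in an added Python example, which is not taken from the Brennan Center report. The public seed (assumed to be generated in public after the electronic totals are published), the machine IDs and the tallies are all constructed.

```python
import hashlib


def select_for_audit(machine_ids, public_seed: str, count: int) -> list:
    """Pick `count` machines by ranking SHA-256(seed|id).

    The draw depends only on the published seed and the machine list, so any
    observer can recompute it and confirm that no machine was hand-picked.
    """
    def rank(machine_id: str) -> str:
        return hashlib.sha256(f"{public_seed}|{machine_id}".encode()).hexdigest()
    return sorted(set(machine_ids), key=lambda m: (rank(m), m))[:count]


def compare_records(electronic: dict, paper: dict) -> dict:
    """Per-candidate difference (electronic minus paper); empty dict means a match.

    Comparing per candidate matters: moving votes between candidates leaves
    the machine's total ballot count unchanged.
    """
    diffs = {}
    for candidate in sorted(set(electronic) | set(paper)):
        delta = electronic.get(candidate, 0) - paper.get(candidate, 0)
        if delta:
            diffs[candidate] = delta
    return diffs


def audit(electronic: dict, paper: dict, public_seed: str, count: int):
    """Audit the selected machines; return (selected, findings)."""
    selected = select_for_audit(electronic, public_seed, count)
    findings = {}
    for machine in selected:
        if machine not in paper:
            findings[machine] = "paper records missing"
            continue
        diffs = compare_records(electronic[machine], paper[machine])
        if diffs:
            findings[machine] = diffs
    return selected, findings


# Constructed sample data: reported electronic totals and hand counts of the
# voter-verified paper records for four machines.
ELECTRONIC = {
    "M1": {"Adams": 120, "Baker": 95},
    "M2": {"Adams": 88, "Baker": 101},
    "M3": {"Adams": 110, "Baker": 70},  # total 180, same as the paper total
    "M4": {"Adams": 64, "Baker": 59},
}
PAPER = {
    "M1": {"Adams": 120, "Baker": 95},
    "M2": {"Adams": 88, "Baker": 101},
    "M3": {"Adams": 105, "Baker": 75},
    "M4": {"Adams": 64, "Baker": 59},
}
```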

The Role of HAVA, Election Assistance Commission, NIST

HAVA (Help America Vote Act of 2002)
  Requires voting system standards, permanent paper record, disabled accessibility, alternative language accessibility, provisional voting, registration by mail

Election Assistance Commission
  to assist in the administration of Federal elections and to otherwise provide assistance with the administration of certain Federal election laws and programs, to establish minimum election administration standards for States and units of local government with responsibility for the administration of Federal elections

National Institute of Standards and Technology
  Agency mandated to carry out work of EAC
  “software-independent voting systems”
  Independent audit

NIST: Security Aspects Of Electronic Voting

The Help America Vote Act (HAVA) of 2002 was passed by Congress to encourage the upgrade of voting equipment across the United States. HAVA established the Election Assistance Commission (EAC) and the Technical Guidelines Development Committee (TGDC), chaired by the Director of NIST, as well as a Board of Advisors and Standard Board. HAVA calls on NIST to provide technical support to the EAC and TGDC in efforts related to human factors, security, and laboratory accreditation. To explore and research issues related to the security and transparency of voting systems, the TGDC established the Security and Transparency Subcommittee (STS). The Security Technology Group of the Information Technology Laboratory’s Computer Security Division supports the activities of the EAC, TGDC, and STS related to voting equipment security. The Security Technology Group supports the TGDC’s development effort for the next generation of the Voluntary Voting System Guidelines (VVSG), focusing on developing a security architecture that addresses significant threats to voting systems and enhancing voting system auditability. For more information on NIST’s efforts related to HAVA see http://vote.nist.gov/

NIST and the Help America Vote Act (HAVA)

The 2002 Help America Vote Act has given NIST a key role in helping to realize nationwide improvements in voting systems. To assist the Election Assistance Commission with the development of voluntary voting system guidelines, HAVA established the Technical Guidelines Development Committee (TGDC) and directs NIST to chair the TGDC. NIST research activities include:

security of computers, computer networks, and computer data storage used in voting systems;

methods to detect and prevent fraud;

protection of voter privacy; and

the role of human factors in the design and application of voting systems, including assistive technologies for individuals with disabilities (including blindness) and varying levels of literacy

the recommendation of testing laboratories to the U.S. Election Assistance Commission (EAC). The EAC, not NIST, certifies voting systems for use in elections.

More details of NIST's role in HAVA are available here.

NIST HAVA Efforts

Technical Guidelines Development Committee (TGDC)
The TGDC is charged by the U.S. Election Assistance Commission (EAC) to provide technical guidance on implementing election-related technologies and to foster the development of voluntary, consensus guidelines. The NIST Director chairs the TGDC and NIST staff conduct the committee's technical work in accordance with HAVA. The TGDC page provides access to full details.

National Voluntary Laboratory Accreditation Program (NVLAP)
NIST's NVLAP has established an accreditation program for laboratories that perform testing of voting systems, including hardware and software components. This program will provide for the accreditation of laboratories that test voting systems using standards determined by the Election Assistance Commission (EAC). The EAC, not NIST, certifies voting systems for use in elections.

National Software Reference Library (NSRL)
NIST's National Software Reference Library collects software from various sources and incorporates file profiles computed from this software into a Reference Data Set of information. This concept can assist in addressing voting systems needs in several areas. Officials could determine that the software used during elections is the expected software. Verification that the software remains the same during distribution, installation, setup, or use is possible, supporting a “chain of custody.” Full details are available on the NSRL voting page.
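
The reference-data-set check described under NSRL, as an added Python example (not NSRL tooling and not part of the original slides): file profiles are computed once from the certified build and later compared with what is actually installed. SHA-256 as the profile, the file names and the file contents are assumptions constructed for the example.

```python
import hashlib
import os
import tempfile


def file_profile(path: str) -> str:
    """SHA-256 of a file, read in chunks so large firmware images are fine."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def profile_tree(root: str) -> dict:
    """Map each file's path (relative to root) to its profile."""
    profiles = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            profiles[os.path.relpath(full, root)] = file_profile(full)
    return profiles


def verify_against_reference(root: str, reference: dict) -> dict:
    """Compare an installed tree with the reference data set."""
    found = profile_tree(root)
    return {
        "modified": sorted(p for p in found
                           if p in reference and found[p] != reference[p]),
        "unexpected": sorted(p for p in found if p not in reference),
        "missing": sorted(p for p in reference if p not in found),
    }


def write_files(root: str, files: dict) -> None:
    """Helper for the demo: create the constructed sample files."""
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as handle:
            handle.write(data)


def demo() -> dict:
    """Constructed sample: a certified build and a fielded copy that has drifted."""
    certified = {"ballot.bin": b"ballot logic v1",
                 "tally.bin": b"tally logic v1",
                 "fonts.dat": b"font data"}
    fielded = {"ballot.bin": b"ballot logic v1",
               "tally.bin": b"tally logic v1 (changed)",
               "update.bin": b"not in the certified build"}
    with tempfile.TemporaryDirectory() as ref_dir, \
            tempfile.TemporaryDirectory() as inst_dir:
        write_files(ref_dir, certified)
        write_files(inst_dir, fielded)
        reference = profile_tree(ref_dir)  # computed once, at certification
        return verify_against_reference(inst_dir, reference)
```

The comparison only supports a chain of custody when it is run from independent, trusted equipment against the removed media; a check executed by the machine's own software cannot vouch for that software.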

High-Interest Events and Items

A Threat Analysis on UOCAVA Voting Systems

NVLAP Suspends Accreditation of SysTest Labs, Incorporated

NIST VVSG Test Development

Next Version Voluntary Voting System Guidelines (VVSG)

How NIST Works With the TGDC (video)

VVSG Recommendations Companion Document and Video Tutorials

June 12, 2008, Letter from NIST to EAC Regarding Ciber, Inc. (html)

Federal Register Notice: Voting Equipment Evaluations Phase II (Extension) (html)

Federal Register Notice: Voting Equipment Evaluations Phase II (html)

Princeton Warning on E-Voting Machine Hack Shows Human Touch Can Be a Good Thing
By Brian Prince, 2008-10-27, eweek.com

A report released by Princeton University claims an electronic voting machine used in New Jersey can be hacked in 7 minutes. Sequoia, the company that makes the machines, denies the report's conclusions. Still, the Princeton report is a reminder that, sometimes, it's nice to have a set of human eyes go over data.

Sometimes it’s better to do things the old-fashioned way—at least partly.

Perhaps that’s the lesson to be learned from a report released by Princeton University that outlines security concerns surrounding an electronic voting machine used in New Jersey.

With the U.S. presidential election looming, the report states it is possible to hack the Sequoia AVC Advantage 9.00H DRE (direct-recording electronic) voting machine in 7 minutes by loading fraudulent firmware.

By replacing the Z80 processor chip in the machine or removing one ROM chip from its socket and putting in a new one, a hacker can potentially siphon votes from one candidate and give them to another.

“The fraudulent firmware can steal votes during an election, just as its criminal designer programs it to do,” the report states. “The fraud cannot practically be detected. There is no paper audit trail on this machine; all electronic records of the votes are under control of the firmware, which can manipulate them all simultaneously.”

The subject of the voting machines entered the legal arena in 2004, when the Coalition for Peace Action, a Princeton-based civic group, sued the state over its use of the machines. The case was dismissed by the trial court in January 2005 and then reinstated in 2006 by the Appellate Court. While the appeal was pending in the summer of 2005, a bill was passed requiring that any voting system in New Jersey produce a voter-verified paper ballot as of Jan. 1, 2008. The state was given a six-month extension to comply on two occasions.

Some Valuable Readings

http://itpolicy.princeton.edu/voting/videos.html
  Demonstrations at Princeton on video

http://www.cs.ucsb.edu/%7Eseclab/projects/voting/#video
  Demonstration at UC Santa Barbara on YouTube

http://www.wired.com/news/technology/0,72742-0.html
  Article about Appel’s purchase of Sequoia machines for $16

http://www.acm.org/crossroads/xrds2-4/voting.html
  Article from 1997 by Lorrie Cranor outlining some e-voting issues

http://avirubin.com/vote/
  Rubin’s website at Johns Hopkins about e-voting

http://www.internetnews.com/bus-news/article.php/3646231
  Article about NIST’s recommendations

Valuable Readings (More)

http://www.diebold.com/dieboldes/demos_tsx.asp
  Diebold’s home page

http://www.sequoiavote.com/demo.php?lang=en#overflash
  Sequoia’s demo

http://www.essvote.com/HTML/products/electronic_voting.html
  ES&S website

http://www.hartic.com/innerpage.php?pageid=98#
  Hart Intercivic eSlate demo

http://electionline.org/Default.aspx?tabid=1099
  State-by-State data 9/06

http://www.scpronet.com/helpscvote.html
  South Carolina Progressive Network information

http://www.votetrustusa.org/index.php?option=com_frontpage&Itemid=1
  VoteTrust, a national organization advocating fair elections

http://www.epic.org/privacy/surveillance/spotlight/0906/
  Electronic Privacy Information Center

http://www.brennancenter.org/
  Brennan Center at NYU