Electronic Voting:Danger and Opportunity

J. Alex Halderman

Department of Computer ScienceCenter for Information Technology Policy

Princeton University

Joint work with …

Joe Calandrino Ari Feldman Ed Felten

2000 Recount Debacle

Legislative response:Help America Vote Act

Provided $3.9 billion to statesto upgrade voting machines by November 2006

DREs to the Rescue?

Direct Recording Electronic – Store votes in internal memory

DREs are Computers

BugsRootkits

VirusesAttacks

=

Diebold’s History of Secrecy

• Prevented states from allowing independent security audits – hid behind NDAs, trade secret law

• Source code leaked in 2003, researchers at Johns Hopkins found major flawsDiebold responded with vague legal threats,personal attacks, disinformation campaign

• Internal emails leaked in 2003 reveal poor security practices by developersDiebold tried to suppress sites with legal threats

We Get a Machine(2006)

Obtained legally from an anonymous private party

Software is 2002 version, but certified and used in actual elections

First complete, public, independent security audit of a DRE

Research Goals• Conduct independent security audit• Confirm findings of previous researchers

(Hursti, Kohno et al.)

• Verify threats by building demonstration attacks• Figure out how to do better

Who wants to know? Voters, candidates, election officials, policy makers, researchers

16 MB Flash

128 KB EPROM

SH3CPU

32 MBRAM

2 PCMCIA Slots

Boot Jumper Table

Software Problems

One Example:

DES-CBCK(BallotID:VoteBitmap), CRC-16(…)

Our Findings

• Malicious software running on the machine can steal votes undetectably, altering all backups and logs

[Feldman, Halderman & Felten 2007]

Correct result: George 5, Benedict 0

Our Findings

• Malicious software running on the machine can steal votes undetectably, altering all backups and logs

• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute

[Feldman, Halderman & Felten 2007]

The Key

Our Findings

• Malicious software running on the machine can steal votes undetectably, altering all backups and logs

• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute

• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus

[Feldman, Halderman & Felten 2007]

Voting Machine Virus

Viral Spread

Joe Calandrino Ari FeldmanBill Zeller Harlan YuAlex Halderman

Debra Bowen

California “Top-to-Bottom” Study

Hart Sequoia Diebold

California “Top-to-Bottom” Results

WHAT TO DO?

Voters prefer it

Faster reporting

Fewer undervotes

Improved accessibility

Potentially increased security*

E-Voting Advantages

WE CAN DO BETTER!

Electronic + Paper Records

Touch-screen (DRE) machine,plus voter-verifiable paper trail

Hand-marked paper ballot,machine-scanned immediately

Failure Modes

Paper BallotsPhysical tampering“Retail” fraudAfter the election

Redundancy + Different failure modes = Greater security

Electronic RecordsCyber-tampering“Wholesale” fraudBefore the election

But…Redundancy only helps if we use both records!

How to Use Paper Records?

Use a machine to count the paper records

Count all the paper records by hand

Check a random subset of paper records by hand…but which subset?

Too risky

Too expensive

Standard Approach

Pick some precincts randomly.Hand-count paper records.

Should match electronic records.

Statistical Auditing’s Goal

Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.

Audit Example

Alice: 55%Bob: 45% Goal: Reject hypothesis that

≥ 5% of ballots differ between electronic and paper

For 95% confidence, hand-audit 60 precincts

Cost: about $100,000

An Alternative Approach

Precinct-based auditing

Ballot-based auditing

100 marbles, 10% blue 6300 beads, 10% blue

How large a sample do we need?

Audit Example

Alice: 55%Bob: 45% Goal: Reject hypothesis that

≥ 5% of ballots differ between electronic and paper

For 95% confidence, hand-audit 60 precincts

Cost: about $100,000

ballots

$1,000

Why Not Ballot-based?

VotingMachine

AliceBobAlice

● Alice○ Bob

○ Alice● Bob

● Alice○ Bob

Need to match up electronic with paper ballots.

Compromises the secret ballot!

Secret BallotPrevents coercion and vote-buying

Requirements: Nobody can tell how you voted. You can’t prove to anyone how you voted. You can be confident in these properties.

Serial Numbers

VotingMachine

1 Alice2 Bob3 Alice

1● Alice○ Bob

2○ Alice● Bob

3● Alice○ Bob

“Random” Identifiers

VotingMachine

325631 Alice218594 Bob810581 Alice

325631● Alice○ Bob

218594○ Alice● Bob

810581● Alice○ Bob

Machine-Assisted Auditing

[Calandrino, Halderman & Felten 2007]

=

○ Alice● Bob1

1 Bob2 Alice...929 Bob

Alice: 510Bob: 419

○ Alice● Bob

Step 1. Check electronic records against paper recordsusing a recount machine.

Machine-Assisted Auditing

[Calandrino, Halderman & Felten 2007]

=

○ Alice● Bob1

1 Bob2 Alice...929 Bob

Alice: 510Bob: 419

○ Alice● Bob

=

321 Bob716 Alice

Machine-Assisted Auditing

[Calandrino, Halderman & Felten 2007]

○ Alice● Bob1

1 Bob2 Alice...929 Bob

=

○ Alice● Bob321

● Alice○ Bob716

○ Alice● Bob1

Step 2. Audit the recount machine by selecting random ballots for human inspection.

We can use a machinewithout having to trust it!

Machine-Assisted Auditing

As efficient as ballot-based auditing,while protecting the secret ballot.

Machine Recount Manual Audit

Doing Even Better

Key idea: Probability of auditing a ballot should depend on how that ballot is marked

Full algorithm accounts for:multi-candidate racesmulti-seat racesundervotes and overvoteswrite-ins

Doing Even Better

Alice: 55%Bob: 45%

Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper

Goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob.

Only need to audit ballots marked for Alice.

Evaluation

2006 Virginia U.S. Senate race0.3% margin of victoryWe want 99% confidence

Precinct-

basedMachine-assisted

Content-sensitive

# ballots 1,141,900 2,339 1,179 # precincts 1,252 1,351 853

Electronic Voting:Danger and Opportunity

J. Alex Halderman

Department of Computer ScienceCenter for Information Technology Policy

Princeton University

Proposed Legislation

H.R. 811: Voter Confidence and Increased Accessibility Act

• Voter-verifiable paper record and random manual audits

• Access to voting software and source code, to verify security

• Additional money for states

Rep. Rush Holt