vote Verification Sherman GWU


Published on January 7, 2008

Author: Columbia

Source: authorstream.com

Coming up: Vote verification talk by Alan Sherman (UMBC)

A Study of Vote Verification Technologies
  Alan T. Sherman
  Dept. of CSEE
  University of Maryland, Baltimore County (UMBC)
  May 3, 2006

Joint work with:
  Don Norris, Dept. of Public Policy, MIPAR
  John Pinkston, Dept. of CSEE
  A. Gangopadhyay, S. Holden, G. Karabatis, A.G. Koru, C. Law, A. Sears, D. Zhang, Dept. of Information Systems
  National Center for the Study of Elections of the Maryland Institute for Policy Analysis and Research (MIPAR)

Diebold AccuvoteTS Touch Screen Direct Recording Equipment (DRE)

How well do verifiers enable voters to check their votes are
  cast as intended
  recorded as cast
  tallied as recorded?

Overview:
  Evaluated 4 vote verification products
    Diebold paper trail (VVPAT)
    MIT-Selker audio system
    Scytl Pnyx.DRE software system
    VoteHere Sentinel (cryptographic receipts)
  For Maryland State Board of Elections
  Analysis in context of real elections
  Interdisciplinary study—first of its kind

Outline:
  Background and motivation
  Voting in Maryland
  Related work
  Genesis of UMBC study
  Verification Systems
  Study systems, evaluation criteria
  Analysis
  Maryland Procedures
  Discussion, conclusions, open problems

Background and Motivation

Background:
  Following 2000 fiasco in FL, MD moved to DREs and centralized management
  Began purchasing Diebold DREs in 2001
  DREs improved accuracy and efficiency
  No irregularities have been detected, but...

DREs Improve Accessibility:
  Visually-impaired voters can use headsets, large fonts, or both
  So can anyone else too

Can DREs Be Trusted?
  Malicious code
  Subversion of system (hardware, software, OS)
  Faulty design, implementation
  Key management
  Configuration
  Data handling
  Physical storage and security
  [Play Baxter Movie]

Voting in Maryland:
  ~20,000 DREs (100% by fall 2006)
  23 counties + Baltimore City
  Dual system of state and local control
  3.1 million registered voters (5.6 million residents)
  $96 million on Diebold system by FY 2007 (~$2.82 / resident / year over 6 years)
  Financially committed to Diebold through 2012

What Is Special About Voting?
  Critical national infrastructure
  Everyone must be able to vote
    Elderly, infirm, disabled (blind, deaf)
    Below average IQ
  Happens infrequently
  Voters must have confidence in outcome
  Conform to state and federal law

Genesis of Study:
  MD General Assembly (GA) considered move toward paper trail (2005)
  GA mandated study (2005)
  Governor Ehrlich vetoed study
  State Board of Elections commissioned study (August 2005)

Study Question:
  How well do various vote verification products work?
  NOT:
    What voting system should MD use?
    Is the Diebold System secure?

Options for Maryland:
  Keep Diebold, with parallel testing; continue monitoring technology
  Add verification system to Diebold
  Change to different system
    Precinct-count optical scan (e.g., Automark, Populex)
    Receipt-based system (e.g., VoteHere, Punchscan)
  [Discussing third option is outside study scope]

Related Work:
  Usability study (Herrnson, et al., 2006) www.capc.umd.edu
  Survey of MD voters (Norris, 2006) www.umbc.edu/mipar

Diebold GEMS Server:
  Dedicated workstation at each LBE; Accumulates DRE votes; Generates reports
  All tallies checked by hand from printouts from each DRE of DRE totals

Verification Systems

Benefits of Verification:
  Increased assurance via independent system
  Adversary must corrupt two systems
  Separate tally and audit log

Challenges to Verification:
  Adds complexity (increases cost, chance of disruption, opportunity for privacy loss)
  Lack of standard interfaces
  Requires modification of Diebold software
  Is true system independence possible?

Study Systems:
  Diebold VVPAT
  MIT-Selker audio system
  Scytl Pnyx.DRE
  VoteHere Sentinel
  Democracy Systems VoteGuard
  Avante IP.Com
  “Parallel testing” of DREs

Math Challenge on Parallel Testing:
  Given that B of the N DREs are bad, what is the chance of selecting at least one bad DRE in a random sample of k DREs?
  Solution later …

Evaluation Criteria:
  Reliability
  Functional completeness
  Accessibility
  Data management
  Election integrity, voter privacy
  Implementation / integration with DRE
  Impact on voters and procedures

Security Criteria:
  Election integrity
    Ballots cast as intended
    Ballots recorded as cast
    Ballots tallied as recorded
  Voter privacy
  Resistance to disruption

Study Methods:
  Met with vendor
  Examined product in UMBC lab
  Assigned numerical score for each criterion (1-low, 5-high)
  Wrote narrative
  We did not weight the scores to yield an overall score or product recommendation

Diebold VVPAT: pros
  Prints votes on paper roll
  Relatively simple and intuitive
  Produces physical record

Diebold VVPAT: cons
  Can LBEs store paper rolls securely?
  Voter cannot verify what rolls used in recount
  Paper roll records order of votes cast
  Barcodes cannot be trusted
  Lacks vendor independence
  Printer jams easily
  Blind cannot verify paper record, only audio output
  Costly ($1,500 / add-on unit)

MIT-Selker Audio System: pros
  Records votes on audio tape
  Easier to catch mistakes
  Relatively simple
  Produces physical record
  Relatively simple integration
  No software required
  Inexpensive ($100 / unit)

MIT-Selker Audio System: cons
  Can LBEs store tapes securely?
  Voters cannot verify what tapes are used in recount
  Tape records order of votes cast
  Deaf cannot use
  Recount is labor intensive
  Vendor lacks business plan
  Needs reliable storage of magnetic media

Scytl Pnyx.DRE: pros
  Echoes ballot choices on confirmation screen
  Stores electronic copy of vote
  Well engineered
  Has been used outside USA
  Two-way handshake with DRE

Scytl Pnyx.DRE: cons
  Must trust software to store displayed vote
  Can cause DRE to fail and vice-versa (via two-way handshake)
  More complicated integration with DRE
  Not all functionality implemented
  $500 / unit

VoteHere Sentinel: pros
  Outstanding election integrity: voter can verify vote is recorded in official data as cast, and that tally is computed correctly from official data
  Integrity based on cryptography, not computer security
  Open source, high quality software
  Disabled voters can enjoy same level of integrity

VoteHere Sentinel: cons
  Application software missing (only reference library exists)
  More complicated: voter experience, conceptual model, election officials must maintain web site
  Most voters will not understand the cryptography
  No attempt to maintain consistency between DRE and Sentinel
  $500 / unit

Parallel Testing:
  Attempts to detect widespread corruption of DREs
  Tests randomly-selected DREs on election day in simulated election
  Limitations:
    Can adversary “signal” selected DREs?
    Number and choice of DREs for testing

Probability of Selecting Bad DRE

Summary Scores

Maryland Procedures

Installing DRE Software:
  SBE technicians install OS and application software on all DREs (critical process)
  Diebold object code from Independent Testing Agency (ITA)
  Cryptographic hash check performed on trusted SBE machine
  DREs stored at LBEs

Voter Authority Cards:
  Physical card at precinct for each voter
  Records DRE used by voter
  Poll workers may not ask for photo ID (only utility bill)

Discussion, Conclusions, Open Problems

Modifying Diebold Software:
  Needed for verification systems
  Requires Diebold cooperation
  Diebold not commercially motivated
  Who pays?
  Must pass ITA after any change

Why Are Products Not Better?
  Relatively small market
  Lack of clear performance standards
  Multitude of state and local styles for ballots and reports
  Security (and accessibility) is afterthought
  Emerging technologies
  Funding technologies for the “social good”

Vendors Should Provide:
  Product description
  Functional specifications
  Testable reference implementation
  Performance data from mock election
  Documentation

Open Problems:
  Standard interfaces for verifiers
  Adversarial data consistency problem
  Develop/improve receipt-based systems (e.g. Punchscan, David Chaum)
  Performance ratings guidelines

Adversarial Data Consistency Problem:
  (DRE and verifier honest) ⇒ tallies agree
  Minimize disruption by one dishonest unit
  Ex: Voter aborts in middle of process

Adversarial Data Consistency Problem:
  Two-way communication
    enables either unit to cause disruption
    facilitates collusion among two dishonest units

Call for National Cooperation:
  National standards (beyond HAVA 2002)
  Standard interfaces
  Performance ratings guidelines
  Standard configurations (ballot styles, report formats)
  Joint funding for R&D

Other Voting Issues:
  Encouraging people to vote
  Registration
  Absentee / provisional ballots
  Accessibility
  Mathematics of voting (e.g., Borda Count)
  Internet voting

MD House Bill-244:
  Mandates “voter verified” paper record (not paper roll)
  Paper record is official record
  House approved 137-0
  Governor now supports
  Senate killed by not voting
  Costs $24-50 million

Questions / Discussion

Acknowledgments:
  VoteHere model diagram from VoteHere
  VoteHere voter experience diagram by Kevin Fisher
  Photos from Google Images

Rivest-Sherman Ciphertext-Only Attacks on Enigma:
  Tomorrow (Friday) 10:30am same location

Extra slides

VoteHere Model

Understanding Politics:
  Gov. Ehrlich stole democratic issue
  Wants to be able to question outcome of next election (?)
  Heavy lobbying by TrueVoteMD
  Linda Lamone (D)
  Governor Ehrlich (R)

Summary Security & Privacy Scores

Diebold AccuvoteTS:
  [Diagram labels: Voter Authority Precinct Official Key, Configuration tally tally]
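
The "Math Challenge on Parallel Testing" slide asks for the chance that a random sample of k DREs contains at least one of the B bad machines among N. The following is an added example, not part of the talk or its solution slide: it computes the standard hypergeometric answer, 1 - C(N-B, k) / C(N, k), and the smallest k that reaches a given confidence. It assumes the sample is drawn uniformly without replacement and that a bad DRE always misbehaves when tested (the "signal" limitation on the Parallel Testing slide is ignored); N = 20,000 is the page's Maryland figure and the B values are constructed.

```python
"""Parallel-testing sample size (added example; B values are constructed)."""


def p_detect(N, B, k):
    """P(sample of k DREs hits >= 1 bad one) = 1 - C(N-B, k) / C(N, k).

    The ratio of binomials is evaluated as the running product
    prod_{i<k} (N-B-i)/(N-i), which avoids huge integers.
    """
    if not (0 <= B <= N and 0 <= k <= N):
        raise ValueError("need 0 <= B <= N and 0 <= k <= N")
    miss = 1.0
    for i in range(k):
        good_left = N - B - i
        if good_left <= 0:          # more draws than good machines
            return 1.0
        miss *= good_left / (N - i)
    return 1.0 - miss


def min_sample_size(N, B, confidence):
    """Smallest k with p_detect(N, B, k) >= confidence, or None if B == 0."""
    if B == 0:
        return None                 # nothing to find, no sample size suffices
    miss = 1.0                      # P(miss) for the current k
    for k in range(N + 1):
        if 1.0 - miss >= confidence:
            return k
        good_left = N - B - k
        if good_left <= 0:          # the next draw must hit a bad machine
            return k + 1
        miss *= good_left / (N - k)
    return N


def sample_table(N, bad_counts, confidence):
    """Rows of (B, fraction bad, k needed) for each constructed B."""
    return [(B, B / N, min_sample_size(N, B, confidence)) for B in bad_counts]


if __name__ == "__main__":
    N = 20_000                      # DREs in Maryland, from the slides
    for B, frac, k in sample_table(N, [20, 200, 2000], 0.95):
        print(f"B={B:5d} ({frac:6.2%} bad): test k={k} DREs for 95% detection")
    print(f"k=50, B=200: detection chance {p_detect(N, 200, 50):.3f}")
```

The required k depends almost entirely on the fraction B/N, which is why parallel testing targets widespread corruption: a handful of bad machines needs a sample in the thousands to be caught with the same confidence.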
