5 Jul 2011: TX Supreme Court Rules on Voting Machine Suit

Last week, the Texas Supreme Court ruled that the NAACP of Austin’s case against the Secretary of State of Texas could be dismissed. Tim Lee, writing for Ars Technica, does a great job of summarizing the case, quoting ACCURATE Acting Director Dan Wallach and Postdoc Joseph Lorenzo Hall.

Dan provides a particularly stark illustration of the most severe technical vulnerabilities found in the 2007 California Top-To-Bottom Review (in which many ACCURATE researchers participated):

Wallach is an expert on Travis County’s eSlate machines because he participated in one of the nation’s only comprehensive DRE machine security audits in California back in 2007. Wallach says the most serious flaws with the machines arise from their networking capabilities. To tally the votes at the end of the election, the Hart InterCivic’s voting machines are taken to a distribution center where they are connected to an ordinary PC running special vote-counting software.

Wallach said that the PC software had a buffer overflow vulnerability, which meant that a single malicious voting machine could take control of the vote-counting PC. And the PC, in turn, had the power to directly modify the memory of the other voting machines which would later be connected to it. Hence, a malicious party with access to a single voting machine could trigger a viral attack on the voting machines used in dozens of precincts.

The Texas Supreme Court essentially ruled that this issue–whether or not to require voting machines be fundamentally auditable–is a policy issue and that the proper resolution is with the Texas legislature or, ultimately, Texan voters.

23 Jun 2011: Fascinating Result from Princeton: Bubble-Fingerprinting

Researchers and close ACCURATE confidants at Princeton’s Center for Information Technology Policy, Will Clarkson, Joe Calandrino and Ed Felten, have just released a neat new result (“New Research Result: Bubble Forms Not So Anonymous”).

The central idea in this result is that these researchers have examined how people fill in bubble forms, like optical scan ballots in voting, to see if there is enough structure in these bubble patterns to uniquely identify the individual filling out the form. They apply some serious machine-learning mojo and can correctly identify the individual about 50% of the time, a much greater identification rate than the 3% rate for making completely random guesses. And the correct answer is one of the top three results 75% of the time.

This has both good and bad consequences for elections. Bad in that anyone with form-filling data, such as an employer or an exit pollster, likely has enough identifying information to identify a person’s ballot based solely on a scanned image of that ballot, the likes of which advocates (such as the Humboldt Election Transparency Project) have been releasing for a few years now. Good in that this might help to identify when a different person filled out a ballot (vote buying) or, more importantly, if many ballots were filled out by the same person (ballot box stuffing).

The Princeton team has had this paper accepted to USENIX Security in August and they’ve been playing around with mitigations for voting, such as the inked markers used in Los Angeles for the InkaVote system (where a cheap inked dauber can apply a uniform size and amount of ink to a target).

Full disclosure: the author of this post, Joseph Lorenzo Hall, was a visiting postdoc at CITP for the past three years and consulted closely with the CITP team on this work.

20 Jun 2011: EVT/WOTE 2011 Program now up!

The program for the 2011 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections (EVT/WOTE’11) is now up here: http://www.usenix.org/events/evtwote11/tech/.

The Program Chairs, Hovav Shacham and Vanessa Teague, have worked hard to put together a dynamite schedule… some highlights:

  • 13 Research Papers!
  • Keynote by Dana Debeauvoir, County Clerk, Travis County, Texas
  • Invited Talk by Philip Stark, UC Berkeley Statistics
  • Two panels:
    • A post-mortem on the Sarasota CD13 race in 2006 moderated by Dan Wallach; and,
    • A panel on internet voting moderated by Josh Benaloh
  • A seriously relevant and highly entertaining and humorous rump session!

Register before July 18 or the registration fee goes up by $50.

16 Mar 2011: ACCURATE Comments on E-voting in Union Elections

The U.S. Department of Labor (DOL) recently asked for public comment on a fascinating issue: what kind of guidelines should they give unions that want to use “electronic voting” to elect their officers? (Curiously, they defined electronic voting broadly to include computerized (DRE) voting systems, vote-by-phone systems and internet voting systems.)

As a researcher here at ACCURATE, I figured we should have good advice for DOL.

(If you need a quick primer on security issues in e-voting, GMU’s Jerry Brito has just posted an episode of his Surprisingly Free podcast where he and I work through a number of basic issues in e-voting and security. I’d suggest you check out Jerry’s podcast regularly as he gets great guests and really digs deep into the issues while keeping it at an understandable level.)

The DOL issued a Request for Information (PDF) that asked a series of questions, beginning with the very basic, “Should we issue e-voting guidelines at all?” The questions go on to ask about the necessity of voter-verified paper audit trails (VVPATs), observability, meaningful recounts, ballot secrecy, preventing flawed and/or malicious software, logging, insider threats, voter intimidation, phishing, spoofing, denial-of-service and recovering from malfunctions.

Whew. The DOL clearly wanted a “brain dump” from computer security and the voting technology communities!


31 Jan 2011: ACCURATE Comments on the VSTCP Manual, v2.0

The Election Assistance Commission put the 2nd version of their Voting System Testing and Certification Program (VSTCP) Manual out for comment in late November of last year. Today was the due date for comments and ACCURATE submitted a public comment lauding the EAC for how the Testing and Certification Program and the associated Manual have evolved in positive directions. You can read ACCURATE’s commentary here (PDF).

We offered a few suggestions for further improving v2.0 of the VSTCP Manual:

  • The term “malfunction” should be explicitly defined in the VSTCP Manual and the conditions for triggering manufacturer reporting of malfunctions to EAC better specified along with a more detailed set of reporting requirements. We endorsed the recommendations of the Brennan Center for Justice at New York University School of Law in their report “Voting System Failures: A Database Solution”.
  • The requirement for source code review of 1% of Lines of Code (LOC) during the new Test Readiness Review, where a voting system must pass a few basic tests before being allowed to undergo more extensive testing, needs to be better specified to be effective; we proposed a few ways this could be improved.
  • There should be explicit recognition that an important goal of the test plan and test report is to facilitate reproducibility of certification testing. We cited the difficulty of reproducing certain tests ACCURATE PIs and researchers faced during the California Top-To-Bottom Review and the Ohio EVEREST voting system review.
  • The procedure for dealing with modifications to software in relation to the trusted build process needs to be better specified to handle each possibility of availability/unavailability of the original build environment and/or file signatures. The bottom line is that if an unmodified file can pass signature verification or can be manually compared to a bona-fide unmodified file, then it doesn’t have to undergo testing again; otherwise, there’s no basis for knowing whether the file is unmodified.

We look forward to working further with EAC, vendors, advocates and experts to ensure the Testing and Certification Program remains healthy, efficient and robust.

10 Aug 2010: ACCURATE Research at EVT/WOTE 2010

Results from ACCURATE research were presented recently at the EVT/WOTE 2010 Workshop, co-located with the 2010 USENIX Security Symposium.

Some highlights:

EVT/WOTE is the premier venue for voting technology research and, frankly, a really fun time. ACCURATE is privileged to have founded EVT in 2006 and I think I speak for all of us when I say we’re impressed with the quality of scholarship presented each year at this venue.

30 Apr 2010: ACCURATE’s UOCAVA Pilot Program Comments

As we described earlier this week, the Election Assistance Commission is developing a new voting systems testing and certification regime geared towards pilot voting systems–that is, experimental voting systems intended for limited use in designated pilot program elections, with specific standards, testing and certification. (On Monday, ACCURATE submitted comments on the administrative infrastructure for this new regime.)

Today, ACCURATE submitted comments on the first such pilot program under the new system, geared towards UOCAVA voters. This pilot program is a joint collaboration between FVAP, NIST and EAC, under the MOVE Act, that seeks to provide “kiosk” voting systems for a federal election for UOCAVA voters.

It’s an ambitious undertaking, and the draft standard reflects a great deal of work towards setting requirements to which voting systems can be tested and certified to provide UOCAVA voting capacity. ACCURATE’s comments break down like so:

  • The focus on controlled, supervised voting system architectures is appropriate. Many of the fundamental problems with forms of Internet voting are associated with uncontrolled platforms–users’ PCs, mobile devices, etc.–in unsupervised environments–i.e., at home instead of a dedicated polling place-like environment. The requirements restrict voting systems to dedicated platforms in supervised environments, short-circuiting this concern with broader efforts at Internet voting.
  • The requirement for a Voter-Verified Paper Record (VVPR) is warranted. ACCURATE strongly believes that auditability achieved through an independent, indelible audit trail that the voter has an opportunity to correct is an essential part of computerized voting system integrity. The Draft calls for such a record, in the form of a paper record. However, we feel the need to point out that VVPRs are not terribly useful unless audits are conducted using these records to provide regular checks on the correct functioning of the voting system.
  • The usability and accessibility requirements need work. ACCURATE noted that there are no accessibility requirements in the Draft and the usability requirements seem hastily assembled from a previous standards effort. In our comments, we discuss how attention to usability and accessibility is key during the development stages of new technology and go on to recommend that some additional usability testing and requirements be added to the draft.
  • There have been significant improvements in security specification and testing. The Draft does a good job at improving upon some of the security specifications and testing that we have seen in the past. We are encouraged to see threat modeling and penetration testing adopted in the draft requirements and we recommend a few changes that would make them even stronger.

26 Apr 2010: A New Voting System Certification Regime

Voting systems are certified at the national level to a set of standards–the VVSG–by the U.S. Election Assistance Commission (EAC). The EAC recently adopted a second avenue for certifying voting systems for use in pilot programs, called the Voting System Pilot Program Testing and Certification (VSPPTC) program. A critical piece of the VSPPTC program is the adoption of the VSPPTC manual, a manual and set of policies that will govern how, when and what voting system manufacturers can submit for pilot voting system testing and certification.

The EAC made this manual available for a 15-day public comment period that ended today and we submitted comments. (In 2006, ACCURATE submitted public comments on the original manual for the larger testing and certification program.)

From our comment submitted today:

The Draft Manual does an admirable job of incorporating some of the features of a feedback-rich pilot testing process, but we believe that it can and should go further. Our recommendations fall into four categories. First, the EAC should amend the Draft Manual to provide more details about what separates pilot certification from certification under the current, VVSG-based certification program. Specifically, the EAC should clarify what qualifies as a voting system pilot program, how it will decide whether to allow a manufacturer to pursue pilot certification for a given system, and what conditions are attached to pilot certification. Second, the pilot certification program should accept feedback from, and establish a systematic process for responding to, voters. Third, the EAC should strengthen the Draft Manual’s provisions for engaging with manufacturers at the system design stage and feeding data from pilot elections back to the design stage. Finally, the EAC should address the question of balance between piloting relatively mature systems and permitting pilots to force potentially major changes in pilot system design. This involves questions of the time and expense involved in pilot certification.

Our comment goes into detail about what we think could be improved in the VSPPTC Manual and how the unique nature of pilot voting systems provides opportunities and poses risks different from those of more mature voting technology.

24 Feb 2010: EVT/WOTE 2010 Call for Papers

The Program Chairs of the 2010 Electronic Voting Technology Workshop / Workshop on Trustworthy Elections (EVT/WOTE’10), Doug Jones (University of Iowa), Jean-Jacques Quisquater (Université Catholique de Louvain) and Eric Rescorla (RTFM, Inc.) have released the Call For Papers for this year’s conference.

The due date is April 16, 2010, 11:59 p.m. PDT… send in your best work!

2 Nov 2009: Takoma Park: first ever e2e binding election

Takoma Park, Maryland, for its local election today, is embarking on something of a radical experiment. They’re using Scantegrity’s verifiable voting technology. The “normal” voter’s experience is that they get what looks like a standard optical-scan bubble ballot, but the bubbles have invisible ink in them that reveals a code when the voter selects the bubble with the proper pen. Voters can optionally write down these codes and use them later to verify their ballot appears on a public web site, yet without being able to prove how they’ve voted to anybody else. MIT Tech Review has a nice summary of how it works.

Cryptographer Ben Adida, who is unaffiliated with the Scantegrity project or any other party in the election, has agreed to act as an independent auditor of the election. Working from nothing but the public specifications of how the system works, he’s independently verifying that the results are correct.

It’s important to note that, for this particular election technology, the votes are being cast on traditional paper ballots that could always be counted, recounted, or otherwise inspected manually. That’s not strictly necessary for election security — our own VoteBox system works more like a paperless electronic voting system and has the same security guarantees as Scantegrity — but it’s essential when rolling out a new technology where a real election with real politicians’ careers is at stake. We need to know that real elections can be really verified, and we need a fallback position if the crypto somehow goes wrong.

Of course, for these technologies to truly get out of the lab and into the field, we can’t expect Ben Adida to personally verify every election, worldwide, nor should we trust him to. What we can expect is that tools that Adida and others like him build will be picked up and used by local election watchers, party officials, news outlets, and the like. We’re not there yet, but we’re on our way.

(Note: Truly, the first ever binding e2e election was a web-based election for the president of a Belgian university, based on Adida’s Helios system (full paper). This used similar cryptographic mechanisms, but no web-based election system can ever have the coercion resistance or privacy guarantees of voting in a classical voting booth.

Edit: The University of Ottawa Graduate Students Association had a binding e2e election in 2007 using PunchScan, a predecessor to Scantegrity.)