Dan provides a particularly stark illustration of the most severe technical vulnerabilities found in the 2007 California Top-To-Bottom Review (in which many ACCURATE researchers participated):

Wallach is an expert on Travis County’s eSlate machines because he participated in one of the nation’s only comprehensive DRE machine security audits in California back in 2007. Wallach says the most serious flaws with the machines arise from their networking capabilities. To tally the votes at the end of the election, the Hart InterCivic’s voting machines are taken to a distribution center where they are connected to an ordinary PC running special vote-counting software.

Wallach said that the PC software had a buffer overflow vulnerability, which meant that a single malicious voting machine could take control of the vote-counting PC. And the PC, in turn, had the power to directly modify the memory of the other voting machines which would later be connected to it. Hence, a malicious party with access to a single voting machine could trigger a viral attack on the voting machines used in dozens of precincts.

The Texas Supreme Court essentially ruled that this issue–whether or not to require voting machines be fundamentally auditable–is a policy issue and that the proper resolution is with the Texas legislature or, ultimately, Texan voters.

The central idea in this result is that these researchers have examined how people fill in bubble forms, like optical scan ballots in voting, to see if there is enough structure in these bubble patterns to uniquely identify the individual filling out the form. They apply some serious machine-learning mojo and can correctly identify the individual about 50% of the time, a much greater identification rate than the 3% rate for making completely random guesses. And the correct answer is one of the top three results 75% of the time.

This has both good and bad consequences for elections. Bad in that anyone with form-filling data such as an employer or an exit pollster, likely has enough identifying information to identify a person’s ballot based solely on a scanned image of that ballot, the likes of which advocates (such as the Humboldt Election Transparency Project) have been releasing for a few years now. Good in that this might help to identify when a different person filled out a ballot (vote buying) or, more importantly, if many ballots were filled out by the same person (ballot box stuffing).

The Princeton team has had this paper accepted to USENIX Security in August and they’ve been playing around with mitigations for voting, such as the inked markers used in Los Angeles for the InkaVote system (where a cheap inked dauber can apply a uniform size and amount of ink to a target).

Full disclosure: the author of this post, Joseph Lorenzo Hall, was a visiting postdoc at CITP for the past three years and consulted closely with the CITP team on this work.

The Program Chairs, Hovav Shacham and Vanessa Teague, have worked hard to put together a dynamite schedule… some highlights:

• 13 Research Papers!
• Keynote by Dana Debeauvoir, County Clerk, Travis County, Texas
• Invited Talk by Philip Stark, UC Berkeley Statistics
• Two panels:
• A post-mortem on the Sarasota CD13 race in 2006 moderated by Dan Wallach; and,
• A panel on internet voting moderated by Josh Benaloh
• A seriously relevant and highly entertaining and humorous rump session!

Register before July 18 or the registration fee goes up by $50.

As a researcher here at ACCURATE, I figured we should have good advice for DOL.

(If you need a quick primer on security issues in e-voting, GMU’s Jerry Brito has just posted an episode of his Surprisingly Free podcast where he and I work through a number of basic issues in e-voting and security. I’d suggest you check out Jerry’s podcast regularly as he gets great guests and really digs deep into the issues while keeping it at an understandable level.)

The DOL issued a Request for Information (PDF) that asked a series of questions, beginning with the very basic, “Should we issue e-voting guidelines at all?” The questions go on to ask about the necessity of voter-verified paper audit trails (VVPATs), observability, meaningful recounts, ballot secrecy, preventing flawed and/or malicious software, logging, insider threats, voter intimidation, phishing, spoofing, denial-of-service and recovering from malfunctions.

Whew. The DOL clearly wanted a “brain dump” from computer security and the voting technology communities!

It turns out that labor elections and government elections aren’t as different as I originally thought. The controlling statute for union elections (the LMRDA) and caselaw* that has developed over the years require strict ballot secrecy–such that any technology that could link a voter and their ballot is not allowed–both during voting and in any post-election process. The one major difference is that there isn’t a body of election law and regulation on top of which unions and the DOL can run their elections; for example, election laws frequently disallow campaigning or photography within a certain distance of an official polling place while that would be hard to prohibit in union elections.

After a considerable amount of wrangling and writing, ACCURATE submitted a comment, find it here in PDF. The essential points we make are pretty straightforward: 1) don’t allow internet voting from unsupervised, uncontrolled computing devices for any election that requires high integrity; and, 2) only elections that use voter-verified paper records (VVPRs) subject to an audit process that uses those records to audit the reported election outcome can avoid the various types of threats that DOL is concerned with. The idea is simple: VVPRs are independent of the software and hardware of the voting system, so it doesn’t matter how bad those aspects are as long as there is a robust parallel process that can check the result. Of course, VVPRs are no panacea: they must be carefully stored, secured and transported and ACCURATE’s HCI researchers have shown that it’s very hard to get voters to consistently check them for accuracy. However, those problems are much more tractable than, say, removing all the malware and spyware from hundreds of thousands of voter PCs and mobile devices.

I must say I was a bit surprised to see the other sets of comments submitted, mostly by voting system vendors and union organizations, but also the Electronic Privacy Information Center (EPIC). ACCURATE and EPIC seem to be lone voices in this process “porting” what we’ve learned about the difficulties of running secure civic elections to the labor sphere. Many of the unions talked about how they must have forms of electronic, phone and internet voting as their constituencies are spread far and wide, can’t make it to polling places and are concerned with environmental impacts of paper and more traditional voting methods. Of course, we would counter that accommodations can be made for most of these concerns and still not fundamentally undermine the integrity of union elections.

Both unions and vendors used an unfortunate rhetorical tactic when talking about security properties of these systems: “We’ve run x hundreds of elections using this kind of technology and have never had a problem/no one has ever complained about fraud.” Unfortunately, that’s not how security works. Akin to adversarial processes like financial audits, security isn’t something that you can base predictions of future performance on past results. That is, the SEC doesn’t say to companies that their past 10 years of financials have been in order, so take a few years off. No, security requires careful design, affirmative effort and active auditing to assure that a system doe not violate the properties it claims.

There’s a lot more in our comment, and I’d be more than happy to respond to comments if you have questions.

* Check out the “Court Cases” section of the Federal Register notice linked to above.

We offered a few suggestions for further improving v2.0 of the VSTCP Manual:

• The term “malfunction” should be explicitly defined in the VSTCP Manual and the conditions for triggering manufacturer reporting of malfunctions to EAC better specified along with a more detailed set of reporting requirements. We endorsed the recommendations of the Brennan Center for Justice at New York University School of Law in their report “Voting System Failures: A Database Solution”.
• The requirement for source code review of 1% of Lines of Code (LOC) during the new Test Readiness Review, where a voting system must pass a few basic tests before being allowed to undergo more extensive testing, needs to be better specified to be effective; we proposed a few ways this could be improved.
• There should be explicit recognition that an important goal of the test plan and test report is to facilitate reproducibility of certification testing. We cited the difficulty of reproducing certain tests ACCURATE PIs and researchers faced during the California Top-To-Bottom Review and the Ohio EVEREST voting system review.
• The procedure for dealing with modifications to software in relation to the trusted build process needs to be better specified to handle each possibility of availability/unavailability of the original build environment and/or file signatures. The bottom line is if an unmodified file can pass signature verification or can be manually compared to a bona-fide unmodified file, then it doesn’t have to undergo testing again; otherwise, there’s no basis to know if the file has been unmodified.

We look forward to working further with EAC, vendors, advocates and experts to ensure the Testing and Certification Program remains healthy, efficient and robust.

Some highlights:

• The paper, “Efficient User-Guided Ballot Image Verification” (PDF) by Arel Cordero, Theron Ji, Alan Tsai, Keaton Mowery, and David Wagner won the best paper award. This research explored novel methods of processing images of ballots to allow simultaneous inspection (to detect stray marks) and verification of ballots. They are able to show an improvement in efficiency of an order of magnitude. Watch the video of their presentation here.
• Andrea Mascher, Paul Cotton, and Douglas Jones presented their work entitled, “Towards Publishable Event Logs That Reveal Touchscreen Faults” (PDF). While many academics complain that “we can’t look over voter’s shoulders in the voting booth”, Mascher et al. developed methods of performing usability/interaction studies on touchscreen interfaces while maintaining the secrecy of the voter’s ballot. Watch the video of their presentation here.
• Gillian Piner and Michael Byrne offered their work on usability assessment of low-fi (non-electronic) accessibility devices to help voters with disabilities vote privately and independently, in a paper “Baseline Usability Data for a Non-Electronic Approach to Accessible Voting” (PDF). You can watch the video from their presentation here.
• Finally, Joseph Lorenzo Hall moderated a panel on vulnerabilities with the Indian EVM voting machine that included P.V. Indiresan (Former Director, IIT-Madras), G.V.L Narasimha Rao (Citizens for Verifiability, Transparency, and Accountability in Elections, VeTA), Alok Shukla (Election Commission of India) and J. Alex Halderman (University of Michigan). The panel was quite lively and attracted a great deal of press attention from India and the U.S. Watch the video of the panel here.

EVT/WOTE is the premier venue for voting technology research and, frankly, a really fun time. ACCURATE is privileged to have founded EVT in 2006 and I think I speak for all of us when we say we’re impressed with the quality of scholarship presented each year at this venue.

Today, ACCURATE submitted comments on the first such pilot program under the new system, geared towards UOCAVA voters. This pilot program is a joint collaboration between FVAP, NIST and EAC, under the MOVE Act, that seeks to provide “kiosk” voting systems for a federal election for UOCAVA voters.

It’s an ambitious undertaking, and the draft standard reflects a great deal of work towards setting requirements to which voting systems can be tested and certified to provide UOCAVA voting capacity. ACCURATE’s comments break down like so:

• The focus on controlled, supervised voting system architectures is appropriate. Many of the fundamental problems with forms of Internet voting are associated with uncontrolled platforms–users PCs, mobile devices, etc.–in unsupervised environments–i.e., at home instead of a dedicated polling place-like environment. The requirements restrict voting systems to dedicated platforms in supervised environments, short-circuiting this concern with broader efforts at Internet voting.
• The requirement for a Voter-Verified Paper Record (VVPR) is warranted. ACCURATE strongly believes that auditability achieved through an independent, indelible audit trail that the voter has an opportunity to correct is an essential part of computerized voting system integrity. The Draft calls for such a record, in the form of a paper record. However, we feel the need to point out that VVPRs are not terribly useful unless audits are conducted using these records to provide regular checks on the correct functioning of the voting system.
• The usability and accessibility requirements need work. ACCURATE noted that there are no accessibility requirements in the Draft and the usability requirements seem hastily assembled from a previous standards effort. In our comments, we discuss how attention to usability and accessibility is key during the development stages of new technology and go on to recommend that some additional usability testing and requirements be added to the draft.
• There have been significant improvements in security specification and testing. The Draft does a good job at improving upon some of the security specifications and testing that we have seen in the past. We are encouraged to see threat modeling and penetration testing adopted in the draft requirements and we recommend a few changes that would make them even stronger.

The EAC made this manual available for a 15-day public comment period that ended today and we submitted comments (In 2006, ACCURATE submitted public comments on the original manual for the larger testing and certification program).

From our comment submitted today:

The Draft Manual does an admirable job of incorporating some of the features of a feedback-rich pilot testing process, but we believe that it can and should go further. Our recommendations fall into four categories. First, the EAC should amend the Draft Manual to provide more details about what separates pilot certification from certification under the current, VVSG-based certification program. Specifically, the EAC should clarify what qualifies as a voting system pilot program, how it will decide whether to allow a manufacturer to pursue pilot certification for a given system, and what conditions are attached to pilot certification. Second, the pilot certification program should accept feedback from, and establish a systematic process for responding to, voters. Third, the EAC should strengthen the Draft Manual’s provisions for engaging with manufacturers at the system design stage and feeding data from pilot elections back to the design stage. Finally, the EAC should address the question of balance between piloting relatively mature systems and permitting pilots to force potentially major changes in pilot system design. This involves questions of the time and expense involved in pilot certification.

Our comment goes into detail about what we think could be improved in the VSPPTC Manual and how the unique nature of pilot voting systems provide opportunities and pose risks different from more mature voting technology.

The due date is April 16, 2010, 11:59 p.m. PDT… send in your best work!

Cryptographer Ben Adida, who is unaffiliated with the Scantegrity project or any other party in the election, has agreed to act as an independent auditor of the election. Working from nothing but the public specifications of how the system works, he’s independently verifying that the results are correct.

It’s important to note that, for this particular election technology, the votes are being cast on traditional paper ballots that could always be counted, recounted, or otherwise inspected manually. That’s not strictly necessary for election security — our own VoteBox system works more like a paperless electronic voting system and has the same security guarantees as Scantegrity — but it’s essential when rolling out a new technology where a real election with real politicians’ careers is at stake. We need to know that real elections can be really verified, and we need a fallback position if the crypto somehow goes wrong.

Of course, for these technologies to truly get out of the lab and into the field, we can’t expect Ben Adida to personally verify every election, worldwide, nor should we trust him to. What we can expect is that tools that Adida and others like him build will be picked up and used by local election watchers, party officials, news outlets, and the like. We’re not there yet, but we’re on our way.

(Note: Truly, the first ever binding e2e election was a web-based election for the president of a Belgian university, based on Adida’s Helios system (full paper). This used similar cryptographic mechanisms, but no web-based election system can ever have the coercion resistance or privacy guarantees of voting in a classical voting booth.

Edit: The University of Ottawa Graduate Students Association had a binding e2e election in 2007 using PunchScan, a predecessor to Scantegrity.)