vote Verification Sherman GWU

Information about vote Verification Sherman GWU

Published on January 7, 2008

Author: Columbia

Source: authorstream.com

Content

Slide1:  Coming up: Vote verification talk by Alan Sherman (UMBC) A Study of Vote Verification Technologies:  A Study of Vote Verification Technologies Alan T. Sherman Dept. of CSEE University of Maryland, Baltimore County (UMBC) May 3, 2006 Joint work with:  Joint work with Don Norris, Dept. of Public Policy, MIPAR John Pinkston, Dept. of CSEE A. Gangopadhyay, S. Holden, G. Karabatis, A.G. Koru, C. Law, A. Sears, D. Zhang Dept. of Information Systems National Center for the Study of Elections of the Maryland Institute for Policy Analysis and Research (MIPAR) Diebold AccuvoteTS Touch Screen Direct Recording Equipment (DRE):  Diebold AccuvoteTS Touch Screen Direct Recording Equipment (DRE) How well do verifiers enable voters to check their votes are :  How well do verifiers enable voters to check their votes are cast as intended recorded as cast tallied as recorded ? Overview:  Overview Evaluated 4 vote verification products Diebold paper trail (VVPAT) MIT-Selker audio system Scytl Pnyx.DRE software system VoteHere Sentinel (cryptographic receipts) For Maryland State Board of Elections Analysis in context of real elections Interdisciplinary study—first of its kind Outline:  Outline Background and motivation Voting in Maryland Related work Genesis of UMBC study Verification Systems Study systems, evaluation criteria Analysis Maryland Procedures Discussion, conclusions, open problems Background and Motivation:  Background and Motivation Background:  Background Following 2000 fiasco in FL, MD moved to DREs and centralized management Began purchasing Diebold DREs in 2001 DREs improved accuracy and efficiency No irregularities have been detected, but... DREs Improve Accessibility:  DREs Improve Accessibility Visually-impaired voters can use headsets, large fonts, or both So can anyone else too Can DREs Be Trusted?:  Can DREs Be Trusted? Malicious code Subversion of system (hardware, software, OS) Faulty design, implementation Key management Configuration Data handling Physical storage and security [Play Baxter Movie] Voting in Maryland:  Voting in Maryland ~20,000 DREs (100% by fall 2006) 23 counties + Baltimore City Dual system of state and local control 3.1 million registered voters (5.6 million residents) $96 million on Diebold system by FY 2007 (~$2.82 / resident / year over 6 years) Financially committed to Diebold through 2012 What Is Special About Voting?:  What Is Special About Voting? Critical national infrastructure Everyone must be able to vote Elderly, infirm, disabled (blind, deaf) Below average IQ Happens infrequently Voters must have confidence in outcome Conform to state and federal law Genesis of Study:  Genesis of Study MD General Assembly (GA) considered move toward paper trail (2005) GA mandated study (2005) Governor Ehrlich vetoed study State Board of Elections commissioned study (August 2005) Study Question:  Study Question How well do various vote verification products work? NOT: What voting system should MD use? Is the Diebold System secure? Options for Maryland:  Options for Maryland Keep Diebold, with parallel testing; continue monitoring technology Add verification system to Diebold Change to different system Precinct-count optical scan (e.g., Automark, Populex) Receipt-based system (e.g., VoteHere, Punchscan) [Discussing third option is outside study scope] Related Work:  Related Work Usability study (Herrnson, et al., 2006) www.capc.umd.edu Survey of MD voters (Norris, 2006) www.umbc.edu/mipar Diebold GEMS Server:  Diebold GEMS Server Dedicated workstation at each LBE; Accumulates DRE votes; Generates reports Diebold GEMS Server:  Diebold GEMS Server Dedicated workstation at each LBE; Accumulates DRE votes; Generates reports All tallies checked by hand from printouts from each DRE of DRE totals Verification Systems:  Verification Systems Benefits of Verification:  Benefits of Verification Increased assurance via independent system Adversary must corrupt two systems Separate tally and audit log Challenges to Verification:  Challenges to Verification Adds complexity (increases cost, chance of disruption, opportunity for privacy loss) Lack of standard interfaces Requires modification of Diebold software Is true system independence possible? Study Systems:  Study Systems Diebold VVPAT MIT-Selker audio system Scytl Pnyx.DRE VoteHere Sentinel Democracy Systems VoteGuard Avante IP.Com “Parallel testing” of DREs Study Systems:  Study Systems Diebold VVPAT MIT-Selker audio system Scytl Pnyx.DRE VoteHere Sentinel Democracy Systems VoteGuard Avante IP.Com “Parallel testing” of DREs Math Challenge on Parallel Testing::  Math Challenge on Parallel Testing: Given that B of the N DREs are bad, what is the chance of selecting at least one bad DRE in a random sample of k DREs? Solution later … Evaluation Criteria:  Evaluation Criteria Reliability Functional completeness Accessibility Data management Election integrity, voter privacy Implementation / integration with DRE Impact on voters and procedures Security Criteria:  Security Criteria Election integrity Ballots cast as intended Ballots recorded as cast Ballots tallied as recorded Voter privacy Resistance to disruption Study Methods:  Study Methods Met with vendor Examined product in UMBC lab Assigned numerical score for each criterion (1-low, 5-high) Wrote narrative We did not weight the scores to yield an overall score or product recommendation Diebold VVPAT: pros:  Diebold VVPAT: pros Prints votes on paper roll Relatively simple and intuitive Produces physical record Diebold VVPAT: cons:  Diebold VVPAT: cons Can LBEs store paper rolls securely? Voter cannot verify what rolls used in recount Paper roll records order of votes cast Barcodes cannot be trusted Lacks vendor independence Printer jams easily Blind cannot verify paper record, only audio output Costly ($1,500 / add-on unit) MIT-Selker Audio System: pros:  MIT-Selker Audio System: pros Records votes on audio tape Easier to catch mistakes Relatively simple Produces physical record Relatively simple integration No software required Inexpensive ($100 / unit) MIT-Selker Audio System: cons :  MIT-Selker Audio System: cons Can LBEs store tapes securely? Voters cannot verify what tapes are used in recount Tape records order of votes cast Deaf cannot use Recount is labor intensive Vendor lacks business plan Needs reliable storage of magnetic media Scytl Pnyx.DRE: pros:  Scytl Pnyx.DRE: pros Echoes ballot choices on confirmation screen Stores electronic copy of vote Well engineered Has been used outside USA Two-way handshake with DRE Scytl Pnyx.DRE: cons:  Scytl Pnyx.DRE: cons Must trust software to store displayed vote Can cause DRE to fail and vice-versa (via two-way handshake) More complicated integration with DRE Not all functionality implemented $500 / unit VoteHere Sentinel: pros:  VoteHere Sentinel: pros Outstanding election integrity: voter can verify vote is recorded in official data as cast, and that tally is computed correctly from official data Integrity based on cryptography, not computer security Open source, high quality software Disabled voters can enjoy same level of integrity VoteHere Sentinel: cons:  VoteHere Sentinel: cons Application software missing (only reference library exists) More complicated: voter experience, conceptual model, election officials must maintain web site Most voters will not understand the cryptography No attempt to maintain consistency between DRE and Sentinel $500 / unit Parallel Testing:  Parallel Testing Attempts to detect widespread corruption of DREs Tests randomly-selected DREs on election day in simulated election Limitations: Can adversary “signal” selected DREs? Number and choice of DREs for testing Probability of Selecting Bad DRE:  Probability of Selecting Bad DRE Probability of Selecting Bad DRE:  Probability of Selecting Bad DRE Summary Scores:  Summary Scores Maryland Procedures:  Maryland Procedures Installing DRE Software:  Installing DRE Software SBE technicians install OS and application software on all DREs (critical process) Diebold object code from Independent Testing Agency (ITA) Cryptographic hash check performed on trusted SBE machine DREs stored at LBEs Voter Authority Cards:  Voter Authority Cards Physical card at precinct for each voter Records DRE used by voter Poll workers may not ask for photo ID (only utility bill) Discussion, Conclusions, Open Problems:  Discussion, Conclusions, Open Problems Modifying Diebold Software:  Modifying Diebold Software Needed for verification systems Requires Diebold cooperation Diebold not commercially motivated Who pays? Must pass ITA after any change Why Are Products Not Better?:  Why Are Products Not Better? Relatively small market Lack of clear performance standards Multitude of state and local styles for ballots and reports Security (and accessibility) is afterthought Emerging technologies Funding technologies for the “social good” Vendors Should Provide:  Vendors Should Provide Product description Functional specifications Testable reference implementation Performance data from mock election Documentation Open Problems:  Open Problems Standard interfaces for verifiers Adversarial data consistency problem Develop/improve receipt-based systems (e.g. Punchscan David Chaum) Performance ratings guidelines Adversarial Data Consistency Problem :  Adversarial Data Consistency Problem (DRE and verifier honest)  tallies agree Minimize disruption by one dishonest unit Ex: Voter aborts in middle of process Adversarial Data Consistency Problem :  Adversarial Data Consistency Problem Two-way communication enables either unit to cause disruption facilitates collusion among two dishonest units Call for National Cooperation:  Call for National Cooperation National standards (beyond HAVA 2002) Standard interfaces Performance ratings guidelines Standard configurations (ballot styles, report formats) Joint funding for R&D Other Voting Issues:  Other Voting Issues Encouraging people to vote Registration Absentee / provisional ballots Accessibility Mathematics of voting (e.g., Borda Count) Internet voting MD House Bill-244:  MD House Bill-244 Mandates “voter verified” paper record (not paper roll) Paper record is official record House approved 137-0 Governor now supports Senate killed by not voting Costs $24-50 million Questions / Discussion:  Questions / Discussion Acknowledgments:  Acknowledgments VoteHere model diagram from VoteHere VoteHere voter experience diagram by Kevin Fisher Photos from Google Images Rivest-Sherman Ciphertext-Only Attacks on Enigma:  Rivest-Sherman Ciphertext-Only Attacks on Enigma Tomorrow (Friday) 10:30am same location Extra slides:  Extra slides VoteHere Model:  VoteHere Model Understanding Politics:  Understanding Politics Gov. Ehrlich stole democratic issue Wants to be able to question outcome of next election (?) Heavy lobbying by TrueVoteMD Linda Lamone (D) Governor Ehrlich (R) Summary Security & Privacy Scores:  Summary Security & Privacy Scores Diebold AccuvoteTS:  Diebold AccuvoteTS Voter Authority Precinct Official Key, Configuration tally tally VoteHere Model:  VoteHere Model

Related presentations


Other presentations created by Columbia

Electrical motors
14. 11. 2007
0 views

Electrical motors

Plant Adaptations
23. 11. 2007
0 views

Plant Adaptations

Davis powerpoint
03. 10. 2007
0 views

Davis powerpoint

8 1 intro unix
29. 11. 2007
0 views

8 1 intro unix

model
07. 12. 2007
0 views

model

Coparmex Laboral Yanis Raptis
11. 12. 2007
0 views

Coparmex Laboral Yanis Raptis

moodys 1
26. 10. 2007
0 views

moodys 1

Careers English
05. 11. 2007
0 views

Careers English

Ford Carter 1975 1980
07. 11. 2007
0 views

Ford Carter 1975 1980

Nitrogen Asphyxiation Bulletin
12. 11. 2007
0 views

Nitrogen Asphyxiation Bulletin

Class10
16. 11. 2007
0 views

Class10

Susantha Bangkok Bioethics
21. 11. 2007
0 views

Susantha Bangkok Bioethics

rciabc en
21. 11. 2007
0 views

rciabc en

SMMGEuler
30. 12. 2007
0 views

SMMGEuler

mod18 1
01. 01. 2008
0 views

mod18 1

RICGPSlideshow
03. 01. 2008
0 views

RICGPSlideshow

Space Wortzel
03. 01. 2008
0 views

Space Wortzel

CTSAs Today Part 3 Wall
04. 01. 2008
0 views

CTSAs Today Part 3 Wall

Nano Paris Oct2006 a5
07. 01. 2008
0 views

Nano Paris Oct2006 a5

pocketcheffmkt
12. 12. 2007
0 views

pocketcheffmkt

ABSLec5
27. 09. 2007
0 views

ABSLec5

Rain Drops
03. 10. 2007
0 views

Rain Drops

04 Livestock Contributions
26. 11. 2007
0 views

04 Livestock Contributions

exor sigcomm
23. 12. 2007
0 views

exor sigcomm

Ici
20. 02. 2008
0 views

Ici

Family and Social Change
24. 02. 2008
0 views

Family and Social Change

InventorsWorkshop042 006
27. 02. 2008
0 views

InventorsWorkshop042 006

Lewis ISDS 2007stp
27. 03. 2008
0 views

Lewis ISDS 2007stp

Neu259 2006 2 photon
20. 11. 2007
0 views

Neu259 2006 2 photon

ASI Presentation
28. 11. 2007
0 views

ASI Presentation

MonetaryPolicyInChina
13. 04. 2008
0 views

MonetaryPolicyInChina

Team Tracer Presentation
14. 11. 2007
0 views

Team Tracer Presentation

NISL History current2
30. 10. 2007
0 views

NISL History current2

Hewitt
02. 10. 2007
0 views

Hewitt

Schmidt
08. 11. 2007
0 views

Schmidt

marineFallOffDuty
06. 11. 2007
0 views

marineFallOffDuty

muzi
29. 10. 2007
0 views

muzi

patty abramson russian
01. 10. 2007
0 views

patty abramson russian

tufts web
19. 11. 2007
0 views

tufts web

WkshpPres
26. 11. 2007
0 views

WkshpPres

thetis
31. 10. 2007
0 views

thetis

2 06 dela croce
05. 11. 2007
0 views

2 06 dela croce

RenaissanceArt
31. 10. 2007
0 views

RenaissanceArt

Gautam Handout
28. 12. 2007
0 views

Gautam Handout

WillgerodtAllRoads
01. 11. 2007
0 views

WillgerodtAllRoads

Planning Change 5C2
01. 12. 2007
0 views

Planning Change 5C2

Moving with EUROUSA
06. 11. 2007
0 views

Moving with EUROUSA