Pasted by a guest, Jul 21st, 2017
**from Securing Digital Democracy by J. Alex Halderman** (Coursera course notes)

**01 Voting as a security problem**

In the digital age, voting can be a very big computer security problem.

Is technology being used appropriately and safely in our voting process? Can it be?

**The Security Mindset**

Trying to make a system fail; trying to see what could go wrong with a system as a result of human forces (deliberate attack, not just accident).

**The Adversary** - computer security studies how systems behave in the presence of an _adversary_ - someone trying to make the system fail. a.k.a. "the attacker", etc.

_Thinking like an attacker:_

- find the weakest links
- identify the assumptions that security depends on - are they false?
- think outside the box - the attacker won't be constrained by the system designer's worldview

_Thinking like a defender:_

Security policy:
     - what are we trying to protect?
     - what properties are we trying to enforce?

Threat model:
     - who are the potential attackers? What are their capabilities? Motivations?
     - what kinds of attack are we trying to prevent?

Risk assessment:
     - where are the weaknesses of the system?
     - what will successful attacks cost us?
     - how likely are they?

Countermeasures:
     - costs vs. benefits?
     - technical vs. nontechnical? Nontechnical defenses could be things like the police, the legal system, etc.

**Security Requirements for Voting**

_Integrity_: the _outcome_ matches _voter intent_.
- Votes are cast as intended.
- Votes are counted as cast.
(There's room for fraud/error in both parts.)

_Ballot Secrecy_:
- Weak form: ensure that nobody can figure out _how you voted_...
- Strong form: ...even if you _try to prove it to them_.
The strong form helps protect against coercion, vote buying, and other pressure against voting the way you want: if you can't prove how you voted, nobody can pay or threaten you for a particular vote.

_Voter Authentication_:
- Only _authorized voters_ can cast votes.
- Each voter can vote only up to the permitted number of times.

_Enfranchisement_:
- The right to vote.
- All authorized voters have the _opportunity_ to vote.

_Availability_:
- The election system is able to accept all votes on schedule and produce results in a timely manner.

These requirements can be in tension with each other. For instance, maximizing integrity (e.g. by making every vote traceable and checkable) can come at the cost of ballot secrecy.

_Other important properties:_
- Cost effectiveness
- Accessibility
- Convenience (can't be too difficult, esp. where voting isn't compulsory)
- Intelligibility (can't be too complicated)

**02 How We Got Here**

**_Voice voting_**, or "viva voce".

     - Voters just announce out loud who they want to vote for.
     - Voters are sworn in, announce who they are, and then cast their vote.
     - Multiple clerks keep redundant records.
     - Done in the presence of their community, so there is some basic identity security (people will notice if someone doesn't belong).

     _Problems:_

     - No ballot secrecy whatsoever.
     - Coercion/voter intimidation:
          - The political candidates might be present at the polls.
          - Physical coercion.
     - Vote buying (and since the vote is public, the buyer can check that they got what they paid for).

**_Early paper ballots_**

     - Voting by ballots & tokens has been around for a long time.
     - c. 1870, US - wooden ballot box:
          - had a lock on it
          - at the beginning of voting, the box would be opened to show that it was empty
          - the vote is just slipped into the slot at the top
          - voters had to provide their own paper ballots
          - at the end of voting, the slot would be sealed, e.g. with wax
          - each vote is taken out of the box by clerks, examined, and then recorded
               - done under the watch of representatives from the community

     _Problems:_

          - those observers from the community could easily be excluded from the process
          - ballot boxes could be replaced by "cheater's" ballot boxes with false sides or bottoms with precast ballots behind them. When the box is opened, it _looks_ empty; later the false sides/bottoms are removed and the precast ballots mix in with the real ones.
          - the ballot box locks weren't very secure and could be pried open even without the key

     - 1884, US - glass ballot box: made it harder to hide false sides, especially when the box was a glass sphere, but raised ballot secrecy problems since the ballots are visible.
     - c. 1880, US - Acme voting machine: a ballot box with a crank & gears inside.
          - the ballot is fed in using the crank, a bell rings to notify everyone that a vote has been cast, and a counter on the front of the box increments
     - 1964, D.C. - cardboard ballot box, cheaper & disposable
     - c. 1936, CA - metal ballot box with stronger locks
     - early printed ballots were printed in the newspaper, sponsored by an individual candidate
     - later printed ballots were sponsored by parties (~1880)
     - you could write in your own candidate, so later ballot designs left little room for write-ins (~1888)
     - voters could get whole sheets of ballots and cast their votes multiple times
          - this inspired voter registration systems, so voters' names could be crossed off once they had voted
     - parties printed their ballots on particular colors, which compromised ballot secrecy (others could tell how you were voting from the color of your ballot)

**_The Australian Ballot_**

     - the pre-printed ballot
     - rather than have the voter bring their own ballot or let parties provide them, the government prints and distributes the ballots
          - so who is on the ballot has to be determined in advance
     - all ballots look the same except for where the voter made their marks, which increases ballot secrecy
     - around this time, voter registration was coming into use, as were voting booths
          - increased complexity and cost, though more secure

     _Problems:_

          - counting of the ballots
               - Boss Tweed & New York's Tammany Hall controlled NYC's political system, including dishonest counting (among other things)
               - with the simplified marking on the ballot, it was easier for counters to add marks to ballots
                    - someone could add more marks so that the ballot was "overvoted", nullifying that vote
          - the law discounts any ballot with unique identifying marks other than the marks used to vote
               - so someone else could just add such an extra mark to get that ballot discounted
          - **chain voting** - an alternative way to buy votes (since with Australian ballots the buyer can't check that someone voted as they promised)
               - an adversary waits outside the polling place with a pre-filled ballot. The voter takes it in, casts it, and brings the blank ballot they were issued back out to the adversary, who fills it in for the next voter, and so on. The returned blank is the proof that the pre-filled ballot was cast.
               - one defense is a serial number on every ballot, so poll workers can check that a voter returns the same ballot they were issued, but now the vote can be traced to an individual
                    - an even better approach is to put the serial number on a detachable stub that is torn off after the ballot has been checked, before it goes into the box, so the check happens but the cast ballot stays unlinkable

**_Mechanical Voting Machines_**

![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.03.30%20PM.png)![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.03.25%20PM.png)

     - end of the 1800's
     - make a direct record of the vote (there is no ballot; the machine itself is the record)
     - used well into the 1900's
     - purported to have "absolute secrecy"
     - Lever Voting Machines

     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.04.38%20PM.png)

     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.05.24%20PM.png)

     - physical embodiment of the voting rules, such as only being able to vote for one candidate per office
     - a counter mechanism inside the machine, under lock-and-key (this is the only record of the votes!)
     - a big lever to close the curtains, little levers to make your votes, then the big lever again to open the curtains, tabulate the votes, & reset the machine
     - eliminated the threat of chain voting (no ballot to carry in or out)

     _Problems:_

     - the counter mechanism is the only record of the vote
     - complex machines, so failures were common. For instance, if a tab on one of the counters broke off, it would stop incrementing, and those uncounted votes were unrecoverable.
          - very hard to impossible to distinguish natural mechanical failure from intentional sabotage
     - very expensive

**_Punched Card Voting_**

     - computer punch cards:
          - IBM Port-A-Punch (1959):
               ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.16.44%20PM.png)
     - The Votomatic (punch-card technology applied to voting, developed in partnership with IBM):
     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.17.38%20PM.png)
          - the punch cards are sent to a facility where they are counted by an IBM computer
          - the voter takes a blank punch card, slides it in at the top, then punches out the holes next to the names in the booklet. Each page of the booklet exposes a different column of holes in the punch card.
     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.19.34%20PM.png)
     - these "butterfly ballots" caused the problems in the 2000 presidential election

     _Problems:_

     - poor ballot design can make voting difficult, especially figuring out which holes align with which candidates
          - in Florida, this led to people marking the wrong candidates, as evidenced by abnormal vote distributions across candidates compared to neighboring counties
     - chad, the bits punched out of the holes, accumulate inside the machine, and if the machines aren't cleaned properly they make voting more difficult
          - also "hanging chad": it's ambiguous whether a vote has been made or not:
               ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.31.19%20PM.png)
          - the chad are fragile and can easily be modified during the counting process
          - hanging chad can also easily be modified: a dimpled one could be smoothed out, or a hanging one torn off. It is almost impossible to tell whether a card has been tampered with, except under a microscope.

In response to the 2000 election, money was distributed (the Help America Vote Act of 2002) to upgrade voting systems to:

![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-09%20at%208.34.03%20PM.png)

**03 Computers at the Polls**

_**Kinds of Fraud**:_

     - _Retail attack_ - attack on an individual voter/vote, one at a time
     - _Wholesale attack_ - attack on the counting process, changing many votes at once

     Also:

     - _Insider attack_ - from some person inside the system (e.g. a voting official with some privileges)
     - _Outsider attack_ - from some person outside the system

     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%207.38.15%20AM.png)

     e.g. chain voting above is an outsider retail attack; Boss Tweed is an insider wholesale attack.

**DREs & optical scan voting** are both **_computer_** voting machines, which sets them apart from previous voting mechanisms.

**_Optical scan voting_**

     - "optical mark sense technology"
     - originally used for scoring standardized tests (with the little bubbles)
     - replaces the humans at the ballot-counting table with an impartial, automated machine
     - the voter fills out the ballot and slides it into the machine; the ballot drops into a box directly attached to the scanner. At the end of voting the machine prints out a tape with the vote counts for all the candidates.
          - most of these machines also have a memory card holding a digital record
     - a couple of different styles of ballot:
          ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%207.44.07%20AM.png)
     - inside the machine are light sources (LEDs) coupled with light detectors (phototransistors):
     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%207.45.17%20AM.png)![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%207.46.27%20AM.png)
          - the rectangles on the left and right are alignment marks
          - the detectors only detect brightness or darkness, defined by a preset threshold
          - because of the arrangement of the detectors, the ballot design must conform to a grid defined by the spacing of the detectors
          - a more modern form of optical scanning works more like a fax machine or document scanner, producing an image like one from a digital camera:
          ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%207.48.35%20AM.png)
          - software then runs algorithms over the image to decide whether each target was marked
     - there are two main styles of optical scan voting:
          - **precinct count** - the voter inserts their ballot into the scanner right there in the precinct (less risk that the ballots get tampered with in transit, and the machine can immediately tell the voter if they made a mistake on their ballot, e.g. an overvote)
          - **central count** - ballots are collected in a traditional ballot box, then transferred to a central scanner in bulk. This requires less equipment (just the scanner(s) at the central counting location) but gives up the voter feedback and adds a chain-of-custody step.
     - _Problems:_
          - people don't follow the instructions (#2 pencil, completely fill in the oval, etc.): some use blue or red ink, some just mark Xs or checks. Inappropriate marks might not line up with the light sensors in the older scanners and so go undetected.
          - a voter's way of marking bubbles can be distinctive enough to identify them, which is a ballot secrecy concern
          - the computer software can be hacked, or the memory card compromised
               - Hursti's attack (demonstrated by Harri Hursti in 2005): preload the memory card with some votes for your preferred candidate (say 10) and preload 990 votes for the opposing candidate. The counters in those scanners roll over from 999 to 0, so the opponent's 990 is effectively -10 once real votes push it past 999. The two preloads cancel out, so at the end of the day the number of votes on the memory card still matches the number of paper ballots in the machine, and only the split between candidates is wrong. But if fraud is suspected, the individual paper ballots can be hand counted to check!

**_DRE Voting Machines_**

     - eliminate the paper ballot entirely
     - DRE = "direct recording electronic"
     - functions similarly to a lever machine
     - the only record of the vote is a digital record (no paper trail)
     - from the '70s on, DREs had a paper list of candidates overlaid on mechanical switches, in a booth much like the lever-machine booths
     - in the '90s touchscreen DREs were introduced
          - candidates displayed screen by screen, giving flexibility in how they're displayed (different languages, larger type for people with poor sight, etc.). Made administering the election easier.
     - Diebold DREs:
          - the voter is handed an authenticating smart card, which they insert into the machine to be allowed to cast their votes
               - at the end of voting, they're presented with a summary screen of their choices
          - the voting officials have a "supervisor card" which gives them access to certain functions at the end of voting, such as viewing the counts & printing them, which are then sent to a central location
          - there's also a memory card holding the vote counts, which is sent to the central location
     - _Problems_
          - the "black box": the counting software is developed by a private company and kept secret
               - the counting process should be transparent
               - assuming that keeping it secret will keep it secure is a dangerous assumption (security through obscurity)
               - **Diebold** wouldn't allow independent security audits of their systems
                    - Bev Harris unexpectedly found the entire source code through a Google search (2003), and a team of academic researchers (Kohno, Stubblefield, Rubin and Wallach) then did a security analysis and found:
                         - the voter access cards could easily be counterfeited
                         - the encryption was applied incorrectly: all of the voting machines used the same hardcoded encryption key, so extracting it from one machine breaks every machine:
                                   ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%208.17.13%20AM.png)
                         - on the memory card the votes are recorded sequentially, so it's relatively easy to figure out who voted for whom from the order people entered the booth (in a normal ballot box the ballots end up shuffled, so this is harder)
                         - a lot of evidence of poor engineering practice, e.g. the comments in the code:
                         ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%208.19.20%20AM.png)
                         - in general, the result of poor, insecure development practice. Merely "fixing" the individual bugs is not enough!
          - _errors_ - it's very easy to make a mistake in software: design flaws, bugs, glitches, reliability problems
          - _vulnerabilities_ - it's even harder to write secure software: security bugs, hardware sabotage, data manipulation, privacy leaks
          - maintaining the balance between integrity and ballot secrecy makes it even harder!
          - _system integrity_ - secret software, unapproved software, COTS software (commercial off-the-shelf), dishonest lookalikes

**_Paper as a defense_**

     - paper provides very important security advantages when coupled with a computer system
     - old technologies can provide a reliable backup for modern systems
          - e.g. a simple magnetic compass is required by law in modern airliners
     - redundant electronic & paper records; it's much harder to manipulate _both_ consistently:
          ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-12%20at%208.23.32%20AM.png)
          - optical scan voting does this! And as such, **optical scan voting with audits is considered the gold standard for voting technology today**.
          - the problem is that audits comparing the two records are very rare; a paper record nobody checks defends nothing
          - DRE + VVPAT (voter-verifiable paper audit trail, or voter-verified paper audit trail)
               - a DRE that also prints a paper record of the votes, which the voter can see and check at the time of voting
               - _Problems:_
                    - if the software has been compromised, fake/misleading paper records could be printed, betting that the voter won't check
                    - the printers used are economical but not particularly reliable, their records aren't permanent, and the print quality is low enough that many voters don't bother to check
                    - if the records aren't removed (the roll isn't separated per voter), there's a continuous trail showing everyone's votes in order, compromising ballot secrecy

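Hursti's memory-card attack from the optical scan section above, and the point that a paper record only helps if someone compares it against the electronic one, as an added simulation. This is not code from the course, from Diebold, or from Hursti's demonstration; the 1000-count wraparound, the preload values and the 20 sample ballots are constructed assumptions that follow the lecture's description.

```python
"""Simulate a preloaded memory card on a precinct-count optical scanner,
and show that a paper recount catches what the card's own totals hide.

Added example, not code from the course or from any vendor. The counter
modulus, the preload values and the ballots are constructed assumptions.
"""
from collections import Counter

COUNTER_MODULUS = 1000  # assumption: each candidate counter wraps from 999 to 0

CANDIDATES = ("Alice", "Bob")

# Constructed sample: 20 paper ballots exactly as the voters marked them.
PAPER_BALLOTS = ["Alice"] * 5 + ["Bob"] * 15


def scan_ballots(ballots, card):
    """Feed ballots through the scanner, incrementing the card's counters.

    `card` maps candidate -> starting counter value. Counters wrap at
    COUNTER_MODULUS, which is the property the attack relies on.
    """
    counts = dict(card)
    for choice in ballots:
        counts[choice] = (counts[choice] + 1) % COUNTER_MODULUS
    return counts


def totals_consistent(card_counts, ballots_cast):
    """The plausibility check officials might run on the results tape:
    do the candidate counters add up to the number of ballots in the box?"""
    return sum(card_counts.values()) == ballots_cast


def hand_count(ballots):
    """Counting the paper ballots by hand."""
    return dict(Counter(ballots))


def audit(card_counts, ballots):
    """Compare the electronic record against the paper record.

    Returns the candidates whose counts disagree (empty list = records agree).
    """
    paper = hand_count(ballots)
    return sorted(c for c in CANDIDATES if card_counts.get(c, 0) != paper.get(c, 0))


def honest_card():
    return {c: 0 for c in CANDIDATES}


def preloaded_card(favored, shift):
    """Hursti-style preload: +shift for the favored candidate and
    MODULUS - shift for the other, which acts like -shift once the counter
    wraps. The preloads cancel, so the totals still match the ballot count."""
    return {c: shift if c == favored else COUNTER_MODULUS - shift for c in CANDIDATES}


def run_election(card):
    counts = scan_ballots(PAPER_BALLOTS, card)
    return {
        "reported": counts,
        "consistent": totals_consistent(counts, len(PAPER_BALLOTS)),
        "audit_discrepancies": audit(counts, PAPER_BALLOTS),
    }


if __name__ == "__main__":
    for label, card in (("honest", honest_card()),
                        ("preloaded", preloaded_card("Alice", 10))):
        print(label, run_election(card))
```

With the preloaded card the tape reports Alice 15, Bob 5, the totals still sum to the 20 ballots in the box, and only the hand count of the retained paper exposes the swap. A real post-election audit samples ballots rather than recounting everything; the full recount here just keeps the comparison explicit.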
**04 Problems with DREs**

**Diebold AccuVote-TS**

![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-19%20at%2012.07.39%20AM.png)

Basically a computer with a touchscreen, running Windows CE. The machine was provided by an anonymous source, and the study (Feldman, Halderman & Felten, Princeton, 2006) was done in complete secrecy to prevent legal interference from Diebold.

_Three main layers:_

BallotStation (internal flash)
               ^
WinCE kernel (internal flash) - starts the BallotStation program
               ^
Bootloader (internal flash or EPROM) - low-level, simple software responsible for powering on the machine & starting the operating system (WinCE)

_Three main security flaws:_

1. Design flaws in the bootloader allow anyone to replace parts of its code. The bootloader installs updates from a memory card if certain files are present on it, overwriting itself, the WinCE kernel, or the BallotStation software. All you had to know were the necessary file names; nothing checked where the files came from or whether they were genuine.

2. Including explorer.glb on the memory card launches the Windows file explorer instead of BallotStation, giving access to the system's files.

3. The hardware could be physically modified to load software from a different memory chip.

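The bootloader flaws above, contrasted with a verified-boot policy, as an added example. This is not Diebold's bootloader or any vendor's code: the file names, the flash layout and the digest allowlist are hypothetical. A production design would pin a public key in ROM and verify a signature over each image; the allowlist of approved image digests stands in for that here so the example needs only the standard library.

```python
"""Two boot-time update policies for a voting machine, side by side.

Added illustration, not Diebold's bootloader or any vendor's code. The
file names, flash layout, images and digest allowlist are assumptions;
the allowlist stands in for signature verification against a key in ROM.
"""
import hashlib

# Hypothetical file names the insecure loader looks for on the memory card.
UPDATE_FILES = {
    "BOOT.IMG": "bootloader",
    "KERNEL.IMG": "kernel",
    "BALLOT.IMG": "application",
}
AUTORUN_FILE = "AUTORUN.BIN"  # hypothetical stand-in for the explorer.glb behaviour

# Constructed images: what ships in flash, and what an attacker brings on a card.
GENUINE_APP = b"ballotstation-genuine"
MALICIOUS_APP = b"ballotstation-evil"


def fresh_flash():
    """Constructed flash contents of an untouched machine."""
    return {"bootloader": b"boot-v1", "kernel": b"wince-v1", "application": GENUINE_APP}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# The hardened loader carries digests of every image it is willing to install or run.
APPROVED_DIGESTS = {sha256(GENUINE_APP), sha256(b"boot-v1"), sha256(b"wince-v1")}


def insecure_boot(flash, card):
    """Trust by filename: anything on the card with the right name is written
    to flash, and a file with the autorun name runs instead of the voting app.
    Returns (new flash contents, image that gets executed)."""
    flash = dict(flash)
    for name, slot in UPDATE_FILES.items():
        if name in card:
            flash[slot] = card[name]
    if AUTORUN_FILE in card:
        return flash, card[AUTORUN_FILE]
    return flash, flash["application"]


def verified_boot(flash, card):
    """Trust by content: an image is installed only if its digest is approved,
    nothing on the card is ever executed directly, and the kernel and
    application already in flash are measured before they are launched, so
    an image written by some other route (flaw 3) is refused too.
    Returns (new flash contents, image to execute or None for halt, rejections)."""
    flash = dict(flash)
    rejected = []
    for name, slot in UPDATE_FILES.items():
        if name in card:
            if sha256(card[name]) in APPROVED_DIGESTS:
                flash[slot] = card[name]
            else:
                rejected.append(name)
    if AUTORUN_FILE in card:
        rejected.append(AUTORUN_FILE)  # logged, never executed
    for slot in ("kernel", "application"):
        if sha256(flash[slot]) not in APPROVED_DIGESTS:
            return flash, None, rejected + [f"installed {slot}"]
    return flash, flash["application"], rejected


if __name__ == "__main__":
    card = {"BALLOT.IMG": MALICIOUS_APP, AUTORUN_FILE: b"explorer"}
    print("insecure:", insecure_boot(fresh_flash(), card)[1])
    print("verified:", verified_boot(fresh_flash(), card)[1:])
```

The two loaders differ only in what they trust: the first trusts a name on removable media, the second trusts nothing it cannot verify against data it already holds. The measured-launch step at the end is what turns the loader into a root of trust for the layers above it, which is the property the AccuVote-TS design lacked.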
Note that election officials often use the same memory card on multiple machines (e.g. to collect the votes from them), which gives an attacker an easy propagation vector: a memory-card virus that copies itself onto every machine the card touches.

There was a lock-and-key over the memory card slot to provide a form of physical security. BUT the same key was used for ALL machines. Also, the lock was fairly easy to pick, even with just two paperclips. Furthermore, the same key is commonly used for other consumer locked devices, such as jukeboxes or hotel minibars; googling the number stamped on the side of the key was enough to find it for purchase online.

Diebold also sold the keys on their site. You had to have purchased voting machines to be able to order the key, BUT the photo of the key on the site was high-resolution enough that you could copy it by buying a similar blank and filing it down to match the photo.

**2007 - study of all electronic voting machines in CA (the "Top-to-Bottom Review")**

Sponsored by the Secretary of State, so the machines were provided.

Hart, Sequoia, & Diebold machines: all susceptible to memory card attacks, and all could compromise ballot secrecy. As a result of the study they were decertified (and only conditionally recertified with extra procedures).

One thing to consider: _if we develop a computer voting machine/DRE that is secure now, will it remain secure over a long period of time?_

A machine's security is designed with existing attacks in mind, but new kinds of attacks crop up in the future, and voting equipment stays in service for a decade or more.

Governments often sell or auction off old/decommissioned voting machines, but the data on them is often not securely erased. The files are encrypted, BUT the encryption key is also on the machine. That key file is encrypted too, BUT the key for _that_ file is not: it is derived from the serial number of the voting machine (which is displayed to every voter in the interface!). So the whole chain of encryption unwinds from a public value.

The votes in these files are stored in the order they were cast, compromising ballot secrecy!

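The sequential vote storage noted here and in the Diebold source analysis under section 03, as an added example (not the machines' code or the course's). The poll book and the votes are constructed; placing each record at a random position in the store is the standard fix and is an assumption about how a DRE should store records, not a description of what any particular machine does.

```python
"""Why the order of stored vote records matters for ballot secrecy.

Added example, not code from the Diebold machines or the course. The poll
book and votes are constructed; random slot placement is the assumed fix.
"""
import secrets

# Constructed poll book: the order voters signed in, observable by anyone in the room.
SIGN_IN_ORDER = ["ana", "ben", "cho", "dev", "eli"]
# Constructed votes, in the order they were cast (same order as sign-in here).
CAST_VOTES = ["Alice", "Bob", "Alice", "Bob", "Bob"]


def sequential_store(votes):
    """Append each record in cast order (what the analysed machines did)."""
    return list(votes)


def randomized_store(votes, rng=None):
    """Insert each record at a uniformly random position, so the final file
    order carries no information about cast order. `rng` needs randint(a, b);
    the default is the OS CSPRNG, never a seeded PRNG the attacker could replay."""
    rng = rng or secrets.SystemRandom()
    store = []
    for vote in votes:
        store.insert(rng.randint(0, len(store)), vote)
    return store


def link_votes_to_voters(sign_in_order, stored_votes):
    """The attack: pair the k-th sign-in with the k-th stored record."""
    return dict(zip(sign_in_order, stored_votes))


def linkage_accuracy(sign_in_order, cast_votes, stored_votes):
    """Fraction of voters whose true vote the attacker recovers."""
    truth = dict(zip(sign_in_order, cast_votes))
    guess = link_votes_to_voters(sign_in_order, stored_votes)
    hits = sum(1 for voter in sign_in_order if guess[voter] == truth[voter])
    return hits / len(sign_in_order)


if __name__ == "__main__":
    print("sequential:", linkage_accuracy(SIGN_IN_ORDER, CAST_VOTES, sequential_store(CAST_VOTES)))
    print("randomized:", linkage_accuracy(SIGN_IN_ORDER, CAST_VOTES, randomized_store(CAST_VOTES)))
```

Against the sequential file the poll book recovers every vote; against the randomized one the attacker does no better than guessing from the totals. Shuffling the whole file once at poll close achieves the same thing, as long as the shuffle uses an unpredictable source and the unshuffled order is never written to persistent storage.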
  489. **05 Security Procedures**
  490.  
  491. Voting security is more than about the voting machines, but also the whole procedure/process of voting.
  492.  
  493. **_Voter Registration_**
  494.  
  495. in the US, voters are required to register in advance (most other countries _don't_ have a system like this)
  496.  
  497. Helps filter out in advance who are eligible voters, and also helps prevent duplicate voting
  498.  
  499. Measures have been introduced to make registering easier. Registration law varies from state to state (North Dakota doesn't even have it).
  500.  
  501. Some places have online registration which introduce other potential security problems.
  502.  
  503. Almost 1/3 of eligible US citizens aren't registered to vote!
  504.  
  505. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-19%20at%207.53.46%20AM.png)
  506.  
  507. Requires an ID number (varies from state to state, but usually a driver's license number) and a signature.
  508.  
  509. Also has many accessibility features:
  510.  
  511. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-19%20at%207.54.33%20AM.png)
  512.  
  513. For instance, if you don't have a street address, you can draw a map to where you live (example above).
  514.  
  515. This info goes into a state-maintained Voter Registration Database (VRD), which has it's own set of security issues.
  516.  
  517. They often try to match this data against data in other databases, such as driver's licenses databases, to authenticate information.
  518.  
  519. But how strictly do you match? For instance, convicted felons aren't allowed to vote in some states, but sometimes matching is approximate enough that anyone with the same name as a felon will be barred from voting. However, matching that's too strict makes it harder to match information.
  520.  
  521. Who can access this data? It's typically publicly accessible and also used by the government for other purposes such as jury selection. It's often used for marketing or campaigning purposes by others.
  522.  
  523. _Example of unsecure VRD practices:_ Washington State's online voter registration. Provides an online means for voters to see and update their records.
  524.  
  525. In Washington, most voting occurs by mail.
  526.  
  527. Say you know the name of someone in Washington and want to redirect their mail-in ballot so they don't receive it.
  528.  
  529. WA's registration login only requires a first and last name, and a date of birth. If you don't know your target's date of birth, you can look it up in the publicly-accessible voter registration database!!
  530.  
  531. Now you can login and change their address. But if you try to change it, the site will also ask for a middle name and a driver license/ID number as authentication. But in WA, the driver's license number is calculated from other info about the person. This algorithm is publicly known, so you can find a site that will calculate this license number based on publicly-available information about this person.
  532.  
  533. **_Voter Authentication_**
  534.  
  535. How to authenticate voters when they arrive at their polling place?
  536.  
  537. Most countries have national IDs and use this for voting. The US doesn't have national IDs, but various forms of IDs varying from state to state, making things complicated.
  538.  
  539. For awhile, voting authentication was accomplished on paper, and signatures would be compared. But often the signature being compared is right next to you as you're signing in.
  540.  
  541. The voter's name is also called out loud enough for others to hear, so like voice voting, in a small polling place people may recognize that person and see if it's really them or not.
  542.  
  543. There are authentication machines in some places, which offer the advantage of allowing voters to go to any polling place that's convenient, since the machines are networked and can cross you off the lists of other polling places once you vote. But network access introduces security problems.
  544.  
  545. ~32 states require a form of non-expired gov't issued photo ID. But not everyone has ID - about 8% of the US population don't have a gov't issued ID. Also voting fraud in this way is very small (~50 convicted in a year) and wouldn't have been prevented by this rule, so it may do more harm than good. Also, getting a fake ID is pretty easy and volunteers at polling places aren't very well trained (if trained at all) to spot fakes.
  546.  
  547. Some places use "indelible" ink which is (supposed to be) impossible to wash off for a few days to mark that you have already voted. But any chemist can tell you how to remove it, so it's not _really_ indelible, and it could be considered a breach of voter privacy since it indicates to others that you have voted (though some countries use an invisible ink to protect against this).
  548.  
  549. **_Guarding against tampering_**
  550.  
  551. With a DRE machine, tampering could happen at any time (as opposed to traditional ballot boxes where tampering could only happen between polling and counting).
  552.  
  553. Need to be stored and transported securely.
  554.  
  555. "Two-person rule" - have to have at least two people watching/guarding at any time.
  556.  
  557. In practice, these procedures are far too lax. Sometimes the machines are delivered early and then left unguarded at polling places (called "sleepovers").
  558.  
  559. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-19%20at%208.19.51%20AM.png)
  560.  
  561. Also use "tamper-evident seals" which changes in some way if the machine is tampered with. However there are some procedural checks that need to be followed (e.g. checking the seal serial numbers to see if they've changed) to make them effective. The seals are pretty easy to replace without leaving a mark; even the "high-security" & expensive ones.
  562.  
  563. Some machines use a lot of different kinds of seals, but they've been shown to also be easily defeated. For instance, some of the sticker tamper-evidence seals can be removed with a heat gun and then replaced. Some tamper-evident screws and padlocks can also be easily removed and replaced without a trace.
  564.  
  565. One suggested alternative is "anti-evidence" seals, which hold some secret information that isn't displayed but whose knowledge can be proven if needed. If the seal is tampered with, this secret information is completely and untraceably destroyed, indicating that it had been tampered with.
  566.  
  567. **_Field testing_**
  568.  
  569. _"Zero" tape_ - at the beginning of polling, a DRE will print a receipt indicating there are 0 votes to begin with
  570.  
  571. _Logic & accuracy testing_ - election officials hold a mock vote just to make sure everything's working, but unlike with mechanical voting machines (from which these tests are inherited), with DREs these have little effect in revealing whether the software's been compromised (the software could just detect that it's in logic & accuracy testing mode and behave accordingly).
  572.  
  573. _Parallel testing_ - randomly select some machines on voting day and run mock votes on them according to a script, then print out the results and see if they match the script. But this can also be fooled by sophisticated attack software that notices differences between scripted voting and real voting. Also: if you _do_ detect fraud on voting day, what do you do in response? The votes have already been cast and there's no paper trail.
  574.  
  575. **06 E-Voting Around the World**
  576.  
  577. E-voting has been used in many countries - Australia, Belgium, Canada, Brazil, Estonia, Finland, France, etc…
  578.  
  579. _The Netherlands:_
  580.  
  581. Used push-button-style DREs. Many security problems were revealed by independent hackers. Afterwards went back to old-fashioned paper ballots, hand counted by citizens.
  582.  
  583. _Germany:_
  584.  
  585. A group fought against DRE use in court, which led to a constitutional ruling that voting machines/techniques had to be understandable by the average German citizen without requiring any specialized knowledge; so in effect, because DREs require specialized computer knowledge, DREs became illegal under German law (they mostly went back to paper ballots).
  586.  
  587. _Brazil:_
  588.  
  589. Uses paperless DREs nationwide. A public test found some extremely disturbing security problems. For instance, researchers were able to reverse the vote-randomizing process (meant to protect ballot secrecy) to see the votes cast in order (compromising ballot secrecy). In a country with a history of military rule like Brazil, people are especially worried about coercion and thus ballot secrecy is of great importance there.
  590.  
  591. Adding a paper trail is considered unconstitutional in Brazil because they believe it violates voter privacy. In reality, it would probably help improve the integrity of the system, if it's done properly.
  592.  
  593. _India:_
  594.  
  595. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%2011.16.37%20AM.png)
  596.  
  597. Uses EVMs (electronic voting machines) produced by two gov't-owned companies. Over 400 million voters, with unique constraints/conditions. Over 1.4 million of these machines deployed in India.
  598.  
  599. India's EVMs, compared to US/European equivalents, are simple embedded systems (as opposed to US/Europe's PC-like designs), and vulnerable in different ways.
  600.  
  601. Because of the scale at which India requires these machines, they must be cheap & cost-effective (unlike US/European DREs which can cost thousands of dollars). India's EVMs are ~$200 each.
  602.  
  603. India also has a lot of problems with its power grid, so these EVMs must run off internal battery power.
  604.  
  605. They must function correctly across all of India's extreme climate conditions, and be sturdy enough to be transported over rocky roads or to places without roads.
  606.  
  607. India's literacy rate is 66%, so 1/3 of the population wouldn't be able to read the ballot. So EVMs include party symbols next to the candidate names.
  608.  
  609. Since many parts of India don't have any exposure to electronics, the user interface had to be very simple: it just requires one button press, an indicator points to whom you voted for, and that's it.
  610.  
  611. "Booth capture" - a problem in India where goons of a particular party would come to a polling place and tell everyone to just go home, with implicit threats of harm, then go in and stuff the ballot box. To guard against this, EVMs only accept a vote every 10 seconds or so, so ballot stuffing proceeds at a lower rate, softening the damage from such an attack.
  612.  
  613. A control unit is attached via cable to the EVM (the box on the right in the image above). This is where the votes are stored.
  614.  
  615. There's no memory card & no printer. Instead there's a series of switches guarded by the gray plastic doors in the image:
  616.  
  617. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%2011.17.57%20AM.png)
  618.  
  619. The switches are grouped by "phase" (when they need to be used).
  620.  
  621. The counting process is a public event. The machine counts the votes and the election official holds up the machine for all to see the number of votes for candidates.
  622.  
  623. Inside the machine is a microcontroller with the election firmware, which is programmed at the factory and can't be changed later. There are two memory chips that store redundant copies of the votes (the data isn't encrypted). Then there's a display board that displays the numbers.
  624.  
  625. Indian election officials made very grand claims about the machines being "tamperproof", "infallible", and "perfect".
  626.  
  627. The machines are often stored together in large volumes in not-so-secure places, such as a school. Tamper-evident seals are used, but they aren't very high-tech (candle wax + paper + string). Thus an attacker could conceivably get access to these machines, enabling attacks like the following:
  628.  
  629. A team mimicked the display board but hid extra components underneath the LED displays. These intercept the messages from the machine's own microcontroller and rewrite numbers on the fly before sending them to the displays. There's also a small Bluetooth chip embedded under one of the displays, which connects to an application that lets you pick which candidate you want to win.
  630.  
  631. A team also built a simple, small electronic device that attaches to the memory chips and rewrites the votes on them.
  632.  
  633. The firmware on the microcontroller has some problems too. The Election Committee doesn't own or ever see the source code, only "3-4 guys" at the companies "know what's in the code", and the Election Committee can't even verify that the chips contain the original code.
  634.  
  635.      
  636.  
  637. **07 Human Factors**
  638.  
  639. Voting systems have to be designed to be easy to use, so usability is a big factor: how accurately/correctly are people able to use the system, such that the outcome matches voter intent?
  640.  
  641. For instance, the effects of banner blindness can cause voters to completely skip sections in poorly designed ballots. There are also problems with slow-responding machines & poorly calibrated touch screens.
  642.  
  643. Most DREs present a review screen at the end of voting so voters can look over their choices. However, in a usability study where changes were made to their votes on the review screen, 95% of voters reported checking the review screen, but 63% failed to detect the changes made to their votes!
  644.  
  645. Banner blindness example:
  646.  
  647. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%2011.50.29%20AM.png)
  648. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%2011.50.47%20AM.png)(banner blindness for the top section)
  649.  
  650. _Usable paper ballots:_
  651.  
  652. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%2011.52.39%20AM.png)
  653.  
  654. The highlighted section on the right is actually the first question on the ballot, but 10% of voters skipped it because it looks like it's part of the voting instructions (which most voters don't read - everyone assumes they know how to fill out a piece of paper).
  655.  
  656. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%2011.53.59%20AM.png)
  657.  
  658. Here the vote for governor is split across two columns. 12% didn't cast a valid vote for governor, probably because they made a choice in each section and had their vote invalidated due to overvoting.
  659.  
  660. _Accessibility:_
  661.  
  662. In the US:
  663.  
  664. 1.8 million unable to see
  665.  
  666. 2.7 million use a wheel chair
  667.  
  668. 9.1 million need a cane, crutches, etc.
  669.  
  670. 1 million unable to hear
  671.  
  672. (people 15 & older, based on US census bureau data)
  673.  
  674. DREs were thought to be the answer to accessibility because of their potential for modularity. But this isn't necessarily true. For instance, DRE audio ballots can be drawn out, with every word read in low-quality audio & excessively long pauses, making for a bad experience for disabled voters.
  675.  
  676. Suggested solutions: adding a braille template overlay for paper ballots, or developing special modular machines for the disabled.
  677.  
  678. _Absentee Voting:_
  679.  
  680. Voting for when the voter can't make it to the polls - maybe traveling or in the military or otherwise immobile.
  681.  
  682. There are a few forms of absentee voting:
  683.  
  684. _Early voting_ - allows the voter to show up at the polls a few days before the election. Means that the DREs or ballot boxes must be supervised from that point until the general population's voting day.
  685.  
  688. _Proxy voting_ - having someone else vote for you. Of course this has vote integrity concerns and compromises your own secrecy.
  689.  
  690. _Remote voting_ - most commonly postal voting (vote-by-mail). In some states postal voting is the most common method of voting in general. The voter fills out the ballot at home and encloses it in a provided privacy envelope, which is enclosed in another envelope, signed by the voter, and sent to an election official. The inner privacy envelope isn't opened until the votes are ready to be counted.
  691.  
  692. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-20%20at%206.42.57%20PM.png)
  693.  
  694. _Problems with postal voting:_
  695.  
  696. - Ballot misdirection is a potential problem, where a hacker has mail-in ballots sent to the wrong addresses so that voters can't vote.
  697.  
  698. - Blank ballots could be taken out of the mailbox and sold.
  699.  
  700. - The filled-out ballot could be taken out of the mailbox.
  701.  
  702. - You could sell the ballot to someone to fill for themselves.
  703.  
  704. - Coercion is a greater problem since election officials have less/no control over voting conditions.
  705.  
  706. - The mail system might be too slow for voters out of the country. Ballot contents often aren't finalized until only a few weeks before the election. Some jurisdictions allow voting by fax or by e-mail, which have the same problems as postal voting and more. A better solution would be to download the ballot online and then send it in by mail (but this isn't a perfect solution either).
  707.  
  708.      
  709.  
  710. **08 Internet Voting**
  711.  
  712. Seems like the logical next step, but…
  713.  
  714. A "bad idea".
  715.  
  716. Some countries have internet voting (in limited forms). Estonia has the most pervasive internet voting.
  717.  
  718. Pilot projects in the US: West Virginia, Arizona, and DC. DC stopped using it.
  719.  
  720. A greater number of potential attackers: the traditional fraudsters discussed before, online fraudsters, "hacktivists", foreign states.
  721.  
  722. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-21%20at%201.43.20%20PM.png)
  723.  
  724. _Client-side threats_
  725.  
  726. - coercion, such as coercion in the workplace, if you're voting at work, or spousal coercion, or peer pressure
  727.  
  728.      - weak protection of ballot secrecy
  729.  
  730. - credential theft - someone getting your password/identity card; phishing attacks
  731.  
  732. - impostor sites - someone directing voters to the wrong site so they _think_ they've voted, but they really haven't
  733.  
  734. - malware
  735.  
  736.      - could steal personal information for logging in & voting
  737.  
  738.      - might actively change your vote as you're trying to cast it, changing it while making it look like you voted how you intended
  739.  
  740. - botnet:
  741.  
  742.           ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-21%20at%201.51.22%20PM.png)
  743.  
  744.           Infects other computers with a bot client in order to control them; access to this botnet is then rented out to criminals. Can be very difficult to detect.
  745.  
  746. _Server-side threats_
  747.  
  748. - denial of service (DDoS - distributed denial of service attack, can be accomplished with a botnet)
  749.  
  750.      - flooding the server
  751.  
  752.      - used by hacktivists such as Anonymous
  753.  
  754. - insider attacks
  755.  
  756.      - includes people who develop the software, run the voting, install the software, etc
  757.  
  758. - remote intrusion
  759.  
  760.      - if there are certain flaws in the software, then hackers can gain access to the server and modify its content (i.e. change the votes)
  761.  
  762.      - Advanced persistent threat (APT) - an attacker who has devoted all his/her resources to attacking a single target, which makes it very hard to defend against (typical hacking is more about acquiring more bots for a botnet, as opposed to a targeted attack). Even Google & the Pentagon have a hard time defending against APTs.
  763.  
  764. - state-sponsored attacks
  765.  
  766.      - for example: Stuxnet
  767.  
  768. These attacks are much easier to carry out on the internet than, say, with postal voting.
  769.  
  770. A lot of the security measures with online banking can't be replicated with voting because of voting's specific requirements, such as ballot secrecy and integrity. It's also easier to identify fraud in online banking - I can tell when my money's missing. With voting, it's very hard to know if fraud has been committed. Online banking already suffers losses of millions of dollars due to online fraud, but it's just a cost of doing business. The same can't be said for voting.
  771.  
  772. A lot of the problems with internet voting are problems with internet security in general, and they are very hard to solve (everyone's trying to solve them).
  773.  
  774. **09 Using Technology Wisely**
  775.  
  776. _Criteria_
  777.  
  778. - **transparency** - voters can observe and understand the process
  779.  
  780.      - a fully transparent election system supports accountability as well as public oversight, comprehension, and access to the entire process.
  781.  
  782. - **verifiability** - voters have some means to convince themselves that the outcome is correct _without_ _having to blindly trust_ the technology or the election authorities
  783.  
  784.      - DREs with black-box software are not verifiable
  785.  
  786. - **auditability** - the system can be manually checked after the election to ensure that the votes have been counted properly
  787.  
  788. - **software independence** - a voting system is software-independent if an undetected change/error cannot possibly cause an undetectable change in an election outcome (so any potential fraud must be "catchable")
  789.  
  790. _Post-Election Auditing_
  791.  
  792. Manual recounts = important security feature
  793.  
  794. DREs have limited opportunities for manual recounts (other than just clicking the print button again; there's often no paper trail)
  795.  
  796. Recounts of paper ballots can be slow and costly, so they only happen in specific circumstances. Anyone can request a manual recount so long as they pay the cost (which can be as much as $1+ per ballot).
  797.  
  798. _An alternative to manual recounts are post-election audits:_
  799.  
  800. Some systems have redundant records: for instance, with optical scan you have the original scantron sheets (slow and difficult to count but verifiable) and then the memory card (fast & easy to count but unverifiable).
  801.  
  802. Using these redundant records, pick some precincts randomly for a paper recount; if the electronic tallies disagree, recount everywhere.
  805.  
  806. These places must be picked randomly and can't be announced beforehand (or else the attacker could change their plan accordingly)
  807.  
  808. Standard practice is to use a fixed fraction of precincts (e.g. 10%), but a better practice is to use the number of precincts required to have a 99% (or so) confidence level that hand-counting _all_ of the paper records would match the digital records.
  809.  
  810. It may be cheaper/more efficient to do _ballot-based_ auditing rather than precinct-based auditing
  811.  
  812. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.27.17%20AM.png)
  813.  
  814. But it's difficult to do this without compromising the secret ballot (because how would you match individual ballots to their digital records? by serial number?)
  815.  
  816. _A solution: machine-assisted auditing_
  817.  
  818. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.33.06%20AM.png)
  819.  
  820. Say we have a set of paper ballots and computer tallies (i.e. the digital vote record).
  821.  
  822. _Step 1_: Check electronic records against paper records using a recount machine, after the original voting. This recount machine scans in the ballots and produces a digital record of the votes with ballot numbers, then prints that same ballot number on each ballot. Since this is after the original voting, the ballots will have been shuffled. Now the records are compared with the original records.
  823.  
  824. But how do we know we can trust the recount machine?
  825.  
  826. _Step 2_: Audit the recount machine by selecting random ballots for human inspection
  827.  
  828. Machine-assisted auditing is far more efficient. In the 2006 Virginia US Senate race, for 99% confidence, machine-assisted auditing only required 2,339 ballots, rather than 1,141,900 ballots in the alternative precinct-based method.
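As an added example (not the course's own code), here is the sample-size arithmetic behind the fixed-10% rule, the 99%-confidence precinct audit and the ballot-based comparison above, generalized to any margin. The race size, margin and precinct count are constructed, and the 20% cap on how much of one precinct an attacker can shift unnoticed is an assumption.

```python
"""Post-election audit sample sizes: ballot-based vs precinct-based.

Added example, not from the course. Race numbers below are constructed:
2,000,000 ballots, a 10,000-vote lead, 2,000 equal precincts of 1,000 ballots.
"""
from math import ceil

TOTAL_BALLOTS = 2_000_000       # constructed
MARGIN_VOTES = 10_000           # constructed lead of the winner over the runner-up
PRECINCTS = 2_000               # constructed
MAX_SHIFT_PER_PRECINCT = 0.20   # assumption: shifting more than this in one precinct would look implausible


def min_corrupted_ballots(margin_votes: int) -> int:
    """Fewest ballots an attacker must alter to erase a lead in a two-candidate race:
    moving one ballot from the winner to the runner-up changes the margin by 2."""
    return ceil(margin_votes / 2)


def prob_sample_misses(population: int, bad: int, sample: int) -> float:
    """P(a uniform random sample without replacement of `sample` units contains
    none of the `bad` units), i.e. the chance an audit of that size sees nothing
    wrong even though enough records were altered to change the outcome."""
    if sample > population - bad:
        return 0.0
    p = 1.0
    for i in range(sample):
        p *= (population - bad - i) / (population - i)
    return p


def units_to_audit(population: int, bad: int, confidence: float) -> int:
    """Smallest sample size whose miss probability is at most 1 - confidence."""
    if not 0 < confidence < 1 or bad <= 0:
        raise ValueError("confidence must be in (0, 1) and bad must be positive")
    bad = min(bad, population)
    target = 1.0 - confidence
    p, n = 1.0, 0
    while p > target:
        if n >= population - bad:        # the next draw is guaranteed to hit a bad unit
            return n + 1
        p *= (population - bad - n) / (population - n)
        n += 1
    return n


def ballot_based_audit(total_ballots: int, margin_votes: int, confidence: float = 0.99) -> int:
    """Ballots to hand-inspect when individual ballots can be sampled, which is
    what the machine-assisted recount (ballot numbers printed on each sheet) enables."""
    return units_to_audit(total_ballots, min_corrupted_ballots(margin_votes), confidence)


def precinct_based_audit(total_ballots: int, precincts: int, margin_votes: int,
                         confidence: float = 0.99, max_shift: float = MAX_SHIFT_PER_PRECINCT) -> int:
    """Ballots hand-counted by a precinct-based audit. The attacker concentrates the
    needed corruption in as few precincts as `max_shift` allows, so the audit must
    sample enough whole precincts to be confident of hitting one of them."""
    size = total_ballots // precincts
    bad_precincts = ceil(min_corrupted_ballots(margin_votes) / (max_shift * size))
    return units_to_audit(precincts, bad_precincts, confidence) * size


def fixed_fraction_confidence(total_ballots: int, precincts: int, margin_votes: int,
                              fraction: float = 0.10, max_shift: float = MAX_SHIFT_PER_PRECINCT) -> float:
    """Confidence actually delivered by the 'audit a fixed fraction of precincts' rule."""
    size = total_ballots // precincts
    bad_precincts = ceil(min_corrupted_ballots(margin_votes) / (max_shift * size))
    return 1.0 - prob_sample_misses(precincts, bad_precincts, int(precincts * fraction))


if __name__ == "__main__":
    print("ballot-based, 99%:  ", ballot_based_audit(TOTAL_BALLOTS, MARGIN_VOTES), "ballots")
    print("precinct-based, 99%:", precinct_based_audit(TOTAL_BALLOTS, PRECINCTS, MARGIN_VOTES), "ballots")
    c = fixed_fraction_confidence(TOTAL_BALLOTS, PRECINCTS, MARGIN_VOTES)
    print(f"fixed 10% of precincts gives only {100 * c:.1f}% confidence for this margin")
```

For the constructed race the ballot-based audit needs on the order of 1,800 ballots while the precinct-based one needs several hundred thousand, and the fixed 10% rule falls short of 99% confidence.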
  829.  
  830. **The Gold-Medal Standard in Voting Today:**
  831.  
  832. Precinct-count optical scan at the polling place + mandatory risk-limiting post-election audits, before election results are declared
  833.  
  834. _End-to-end verifiable voting_
  835.  
  836. E2E voter-verifiability allows voters to be sure that:
  837.  
  838.      - their vote is cast as intended
  839.  
  840.      - their vote is counted as cast
  841.  
  842.      - all votes are counted as cast
  843.  
  844.      - no voter can demonstrate how he or she voted to a third party
  845.  
  846. Voting happens normally, but at the end of the process voters get a verifiable receipt with an encrypted record of their vote
  847.  
  848. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.38.32%20AM.png)
  849.  
  850. These votes are listed in their encrypted form with identifying information of all voters
  851.  
  852. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.39.54%20AM.png)
  853.  
  854. But:
  855.  
  856. How do voters know that their receipt matches their choices?
  857.  
  858. How are voters convinced that the published encrypted votes correspond to the announced tally?
  859.  
  860. Solution: Voter-initiated auditing:
  861.  
  862. Once you cast your vote and receive your receipt, you can either _accept_ the receipt/cast your ballot or _challenge_ it, which then makes the election officials decrypt your vote and show you that it matches your choices.
  863.  
  864. Helios - E2E internet voting, but not yet ready for public elections. Still too many problems with internet voting in general; not sure if E2E can resolve them.
  865.  
  866. Scantegrity - E2E + optical scan; the E2E system with the most use/real-world experience.
  867.  
  868. 1\. The voter is first given a ballot with bubbles that are pre-printed with verification codes written in invisible ink. They are given a special pen to mark the bubbles, which reveals the verification codes corresponding to each choice made. The voter can write these numbers down with the serial number of their ballot, and that forms their cryptographic receipt.
  869.  
  870. 2\. Then voters can go and check online to verify that they match.
  871.  
  872. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.47.53%20AM.png)
  873.  
  874. The verification codes are cryptographically generated
  875.  
  876. Verifying the Scantegrity results (happens in software):
  877.  
  878. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.49.16%20AM.png)
  879.  
  880. ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.52.03%20AM.png)![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.53.13%20AM.png)![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2010.57.30%20AM.png)
  881.  
  882. 1) Three tables:
  883.  
  884. Table on the left: shows the verification code for each candidate (here candidates A and B) on each ballot. The column order doesn't match the order of the candidates on the ballot, to protect voter secrecy.
  885.  
  886. The table in the middle: the correspondence between entries in the left table and in the right table (also in shuffled order).
  887.  
  888. The table on the right: where the voter choices are recorded.
  895.  
  896. 2) The voted choice table is calculated through the other two tables, and then
  897.  
  898. 3) Only encrypted versions ("cryptographic commitments") of the first two tables' cells are published. The choices that voters have actually made on their ballots are left unencrypted in the confirmation code table. The entries that have votes are revealed in the correspondence table, but it isn't revealed what those votes correspond to (i.e. all that's shown is that a vote has been made in that row).
  899.  
  900. The voted choice table is made public.
  901.  
  902. 4) Election officials pick a random number, then for each row in the correspondence table they decrypt either the encrypted value on the left or the one on the right. This way you won't be able to see a direct path from the confirmation code to the voted choice.
  903.  
  904. However, since the values were published after they were encrypted (i.e. the "cryptographic commitment"), officials can't go back and change what's in one of those encrypted "envelopes" after the results have been revealed.
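As an added example (not Scantegrity's own code), here is a toy model of steps 1-4 above: the three tables, hash commitments to the code and correspondence tables, the "voted" flags, and a per-row coin that opens only the left or the right link. It assumes two candidates, SHA-256 commitments and a single correspondence table; the election and the coins are constructed for the demo.

```python
"""Toy model of the Scantegrity tables (P codes, Q correspondence, R results)
and the commit-then-open audit. Added example, not Scantegrity's code.
Simplification: one Q table, so a cheating row is caught only with probability
1/2 per coin; a real deployment repeats Q with independent shuffles."""
import hashlib
import random

CANDIDATES = ["A", "B"]  # constructed two-candidate race


def commit(value, salt: bytes) -> str:
    """Commitment to one table cell; opened later by revealing (value, salt)."""
    return hashlib.sha256(salt + repr(value).encode()).hexdigest()


class Authority:
    """Election authority: builds P, Q and R, commits to P and Q before voting."""

    def __init__(self, num_ballots: int, seed: int):
        rng = random.Random(seed)  # constructed: deterministic for the demo only
        self._salt = lambda: bytes(rng.getrandbits(8) for _ in range(16))
        nc = len(CANDIDATES)
        # P: one confirmation code per (ballot, column); columns are shuffled per
        # ballot, so a revealed code by itself does not show the candidate.
        self.P, self.P_cand = [], []             # P_cand[b][col] = candidate (secret)
        for _ in range(num_ballots):
            perm = list(range(nc))
            rng.shuffle(perm)
            self.P.append([f"{rng.randrange(100000):05d}" for _ in range(nc)])
            self.P_cand.append(perm)
        # Q: one row per P cell in shuffled order; "left" points into P,
        # "right" points to a slot of R. R slots are shuffled as well.
        cells = [(b, c) for b in range(num_ballots) for c in range(nc)]
        rng.shuffle(cells)
        slots = list(range(len(cells)))
        rng.shuffle(slots)
        self.Q = [{"left": cell, "right": slots[i]} for i, cell in enumerate(cells)]
        self.R = [None] * len(cells)             # slot -> {candidate, voted}
        for row in self.Q:
            b, c = row["left"]
            self.R[row["right"]] = {"candidate": self.P_cand[b][c], "voted": False}
        # Commitments to every P code and to both pointers of every Q row.
        self.openings, self.commitments = {}, {}
        for b, codes in enumerate(self.P):
            for c, code in enumerate(codes):
                self._commit(("P", b, c), code)
        for i, row in enumerate(self.Q):
            self._commit(("Q", i, "left"), row["left"])
            self._commit(("Q", i, "right"), row["right"])
        self.marked = set()                      # marked (ballot, column) cells; public after voting

    def _commit(self, key, value):
        salt = self._salt()
        self.openings[key] = (value, salt)
        self.commitments[key] = commit(value, salt)

    def cast(self, ballot: int, candidate: int):
        """Voter marks the bubble for `candidate`; the receipt is (ballot, code)."""
        col = self.P_cand[ballot].index(candidate)
        self.marked.add((ballot, col))
        return ballot, self.P[ballot][col]

    def publish_results(self) -> dict:
        """Reveal marked codes, flag the voted Q rows and R slots, announce the tally."""
        self.marked_codes = {b: self.P[b][c] for (b, c) in self.marked}
        self.Q_voted = [row["left"] in self.marked for row in self.Q]
        for i, row in enumerate(self.Q):
            if self.Q_voted[i]:
                self.R[row["right"]]["voted"] = True
        return tally(self.R)

    def open(self, key):
        """Reveal (value, salt) for one committed cell chosen by the auditor."""
        return self.openings[key]


def tally(R) -> dict:
    counts = {name: 0 for name in CANDIDATES}
    for slot in R:
        if slot["voted"]:
            counts[CANDIDATES[slot["candidate"]]] += 1
    return counts


def verify(auth: Authority, coins, receipts, announced: dict) -> bool:
    """Public audit: receipts match published codes; each Q row opens correctly on
    the side its coin selects and the 'voted' flag agrees across that link; the
    announced tally equals the one recomputed from the public R table."""
    for ballot, code in receipts:
        if auth.marked_codes.get(ballot) != code:
            return False
    for i, coin in enumerate(coins):
        side = "left" if coin == 0 else "right"
        value, salt = auth.open(("Q", i, side))
        if commit(value, salt) != auth.commitments[("Q", i, side)]:
            return False                         # opening contradicts the commitment
        linked_voted = value in auth.marked if side == "left" else auth.R[value]["voted"]
        if linked_voted != auth.Q_voted[i]:
            return False                         # flag altered somewhere along the link
    return tally(auth.R) == announced
```

A flipped flag in R changes the recomputed tally or breaks the link on an opened row, and a forged receipt fails the first check, so `verify` returns False in both cases.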
  905.  
  906. E2E still has some problems:
  907.  
  908. - it's very complex - would this work on a large scale?
  909.  
  910. - usability - can regular voters understand how to follow and use this system?
  911.  
  912. - comprehensibility - can regular voters understand why/how this works?
  913.  
  914. - security - still some potential problems; researchers trying to find them all
  915.  
  916. **10 E-Voting and Public Policy**
  917.  
  918. _Election policy in the US_
  919.  
  920. Begins at the federal level:
  921.  
  922.      - ensuring citizens' civil rights are upheld (its strongest role)
  923.  
  924.      - sets minimum standards for elections
  925.  
  926.      - provides advisory guidelines for states
  927.  
  928. Most of the policy is set at the state level:
  929.  
  930.      - set requirements for elections within their borders
  931.  
  932.      - perform certification of election equipment
  933.  
  934.      - central focus of election administration
  935.  
  936.      - usually the state's secretary of state is responsible for administering elections & resolving issues
  937.  
  938. Most of the work happens at the local level:
  939.  
  940.      - equipment purchases
  941.  
  942.      - implementation
  943.  
  944.      - run elections
  945.  
  946.      - mostly done by volunteers
  947.  
  948. State Laws:
  949.  
  950.      - lack of uniformity or consistency across states
  951.  
  952.           - country-wide voting systems have to conform to each state's laws, which can make them very complex
  953.  
  954.      - vendors try to influence state law to ensure their products have a market (and make it harder for competitors to sell their products)
  955.  
  956.           - leads to "regulatory capture": where the laws end up favoring certain vendors and then the vendors try to reinforce those laws in a loop
  957.  
  958.                     ![](assets/Securing%20Digital%20Democracy/Screen%20Shot%202012-11-24%20at%2011.06.57%20AM.png)
  959.  
  960.      - antiquated rules (can emerge from regulatory capture)
  961.  
  962. 1990 FEC standards (FEC = Federal Election Commission)
  963.  
  964.      - voluntary minimum standards, eventually adopted by majority of states
  965.  
  966.      - but weren't very good at addressing security needs of voting
  967.  
  968. After the 2000 Florida recount, Congress passed the Help America Vote Act (HAVA) in 2002.
  969.  
  970. - mandated that states replace punch cards and lever machines; $2 billion provided to states to do so, with a deadline in 2006 (a pretty short timeframe, driving states to go out and buy DRE machines to meet the deadline, and driving vendors to push products out to take advantage of the federal subsidy in this timeframe)
  971.  
  972. - created a new agency, the Election Assistance Commission (EAC), responsible for setting guidelines for standards of voting (Voluntary Voting System Guidelines, VVSG)
  973.  
  974.      - first VVSG standards took effect 2007 (but this was after the 2006 deadline, so states had already purchased all their equipment)
  975.  
  976. VVSG - developed using an improved process by the Technical Guidelines Development Committee, managed by NIST (one of the most scientifically-focused government agencies)
  977.  
  978.      - 2005 guidelines became effective in 2007
  979.  
  980.           - much more detailed than the 1990 FEC standards
  981.  
  982.           - but still had large loopholes (e.g. COTS/commercial off-the-shelf software; doesn't require a paper trail)
  983.  
  984.      - 2007 draft guidelines, never adopted by the EAC
  985.  
  986.           - complete rewrite
  987.  
  988.           - software independence required
  989.  
  990.           - open-ended vulnerability testing, much better
  991.  
  992. The Holt Legislation
  993.  
  994.      - require a voter-verified paper record (later: a voter-marked paper ballot)
  995.  
  996.      - prohibit undisclosed software
  997.  
  998.      - prohibit internet connection as part of the software
  999.  
  1000.      - mandatory random audits
  1001.  
  1002. But it never managed to pass the House, despite broad bipartisan support.
  1003.  
  1004. At present, 31 states require a paper ballot
  1005.  
  1006. _Testing and certification_
  1007.  
  1008. Independent Testing Authorities (ITAs) test the equipment; these are small private companies that specialize in testing.
  1009.  
  1010.      - majority of states incorporate federal guidelines
  1011.  
  1012.      - require machines to be tested for compliance by ITAs
  1013.  
  1014.      - ITAs want to please vendors (because that's their source of business), so they may be more likely to publish glowing reports rather than critical ones
  1015.  
  1016.      - the testing process doesn't necessarily have a lot of transparency 
  1017.  
  1018.      - evidence that their testing standards aren't adequate, since they rely on conformance testing
  1019.  
  1020.           - Conformance testing
  1021.  
  1022.                - checklist approach
  1023.  
  1024.                - mechanical inspection and application of tools
  1025.  
  1026.                - presence of required mechanism
  1027.  
  1028.                - basically, just seeing if some pre-defined stuff/checklist items are there
  1029.  
  1030.           - Better approach: _open-ended testing_
  1031.  
  1032.                - adversarial approach (i.e. thinking like an attacker)
  1033.  
  1034.                - creative application of security mindset
  1035.  
  1036.                - demonstrates presence of exploitable vulnerabilities
  1037.  
  1038.                - but can be expensive and also not 100% guaranteed to find all flaws
  1039.  
  1040. For example, Diebold DRE machines passed ITA certification, but many, many groups of researchers, using open-ended testing, found many, many security flaws.
  1041.  
  1042. _Recommendations_
  1043.  
  1044. - strengthened, uniform standards
  1045.  
  1046.      - standards that cover the _entire_ election system, not just equipment
  1047.  
  1048.      - address accuracy, security, accessibility, usability, transparency
  1049.  
  1050.      - require public reporting and disclosure of problems
  1051.  
  1052. - election administration
  1053.  
  1054.      - ensure transparency and public participation in the process, thus increasing voter confidence
  1055.  
  1056.      - provide adequate resources to election officials
  1057.  
  1058.      - reduce number of races, simplify ballot design
  1059.  
  1060. - routine testing and auditing
  1061.  
  1062.      - auditability must be a technical requirement
  1063.  
  1064.      - mandate realistic pre-election testing of usability and function
  1065.  
  1066.      - mandate routine risk-limiting post-election audits to high confidence
  1067.  
  1068.      - allow time to conduct audits and recounts before certification
  1069.  
  1070. - conservative approach to new technology
  1071.  
  1072.      - internet voting should be prohibited for the foreseeable future
  1073.  
  1074.      - ensure new technology _really_ solves an _actual_ problem
  1075.  
  1076.      - open technology to realistic, public, independent review and simulated adversarial testing
  1077.  
  1078.      - systems used for counting votes must be software independent