Скачать презентацию e-Governance and Electronic Voting Week 11 — April Скачать презентацию e-Governance and Electronic Voting Week 11 — April

39c3c810968c2ee216aa7fb2a7541819.ppt

  • Количество слайдов: 151

e-Governance and Electronic Voting Week 11 - April 3, 5 Computers and Society • e-Governance and Electronic Voting Week 11 - April 3, 5 Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 1

Demonstration: Property in Allegheny County – Online n What is the government doing? n Demonstration: Property in Allegheny County – Online n What is the government doing? n Why are they doing it? n Should(n’t) they do it? n What are some benefits? n What are some downsides? Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 2

What is e-Governance? Citizens Computers (ICT) Government n There are two dimensions within the What is e-Governance? Citizens Computers (ICT) Government n There are two dimensions within the term e. Governance • Computers • Government Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 3

What are the Modes of e-Government? n Typically thought of as connection between citizen What are the Modes of e-Government? n Typically thought of as connection between citizen and state • There is often more than one layer of government Geography Departmental • Parallel to B 2 C in the e-commerce world What about B 2 B equivalent? What about C 2 C equivalent? – Protests helped bring down the government in Philippines via texting (SMS) There is also Government to Business Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 4

E-government involves more than IT European Commission defines e-government as “The use of ICT E-government involves more than IT European Commission defines e-government as “The use of ICT in public administrations combined with organizational change and new skills in order to improve public services and democratic processes and strengthen support to public policies” Source http: //www. egov-goodpractice. org/download. php? &fileid=58 Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 5

Web-based applications transform the government and democratic processes Gartner Group defines e-government as “The Web-based applications transform the government and democratic processes Gartner Group defines e-government as “The continuous optimization in the public service delivery, access to public information and citizens’ participation by the internal and external transformation of relations based in the use of the information and communication technologies” Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 6

e-Government Encompasses 4 or 5 Stages of Development C o s t / c e-Government Encompasses 4 or 5 Stages of Development C o s t / c o m p l e x i t y Transformation Transaction Interaction Presence Beginning Time Gartner’s e-government model Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 7

Underlying Governmental Structures are Fundamental n The process is important • • Democracy? Freedom Underlying Governmental Structures are Fundamental n The process is important • • Democracy? Freedom of Information? Accountability? Constitutional framework? Judiciary is especially important – Enforcement – Arbitration n e-Governance also can involve third parties (not government or citizens) • Interested parties such as businesses, interest groups (NRA, environmentalists, etc. ) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 8

Hopes of e-Governance n Increased access to government • What does a government need Hopes of e-Governance n Increased access to government • What does a government need to do for this? n Greater transparency in operations • What are the implications of this? n Greater participation in policy • Will everyone participate equally or even similarly? n Greater efficiency and service delivery • Asymmetric information remains a challenge Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 9

"Good governance is perhaps the single most important factor in eradicating poverty and promoting development. " — Kofi Annan UN Secretary General Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 10

Access n Consumer side • Need to be “online” n Supply side • Governments Access n Consumer side • Need to be “online” n Supply side • Governments need to made information available and accessible • The back-office really matters • Inter-departmental issues are important Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 11

Transparency n “Govt. in the Sunshine Act” n Just because you have a right Transparency n “Govt. in the Sunshine Act” n Just because you have a right to certain information • • Do you have to ask? Is it sanitized? Is it delayed? Is it real? n At an international level, corruption is a major issue Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 12

Efficiency n One hope is for a “single window” for interactions • Especially true Efficiency n One hope is for a “single window” for interactions • Especially true for clearances and licensing • Inter-departmental issues are key to efficiency n Greater participation should lead to greater efficiency (markets) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 13

Participation n Voting is only one aspect of governance (subsequent slides) n How else Participation n Voting is only one aspect of governance (subsequent slides) n How else do citizens participate? • • Taxes Direct interaction Intermediated interaction Polls n There is evidence ICT reinforces some divides, but also opens up new access Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 14

US e-Government Websites n Federal • www. firstgov. gov/ n State • http: //www. US e-Government Websites n Federal • www. firstgov. gov/ n State • http: //www. state. pa. us/ n County • http: //www. county. allegheny. pa. us/ n City • http: //www. city. pittsburgh. pa. us/ n… Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 15

International e-Governance n Globally, most efforts are top-down instead of bottom up n Much International e-Governance n Globally, most efforts are top-down instead of bottom up n Much greater challenge of access n (often) Poorer governance n Much more intersection into commercial activities • Many countries still have State Owned Enterprises (SOEs) PTTs, Power Company, Airlines, Banks, Cement company, etc. Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 16

Global e. Governance Source: UN Global E-Government Readiness Report 2004: Towards Access for Opportunity Global e. Governance Source: UN Global E-Government Readiness Report 2004: Towards Access for Opportunity Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 17

Difficulties with e-Governance n Metrics • Poor metrics lead to misallocation of resources or Difficulties with e-Governance n Metrics • Poor metrics lead to misallocation of resources or even bad outcomes n Land-records are a major interface in developing countries (and elsewhere) • Digitization projects Hoped to reduce corruption and speed up the process Did it work? – Depends who you ask – Those in the system benefited, those outside were worse off (e. g. , Bhoomi project in India) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 18

Other Issues n Privacy • Governmental • Inter-citizen n Censorship, wiretapping, etc. n China Other Issues n Privacy • Governmental • Inter-citizen n Censorship, wiretapping, etc. n China • Unique has 99% of connectivity is within country n Use of ICT for Security • Wireless mesh across New Orleans Reported to reduce crime Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 19

How to Improve e-Governance n Supply vs. Demand • Partly a chicken and egg How to Improve e-Governance n Supply vs. Demand • Partly a chicken and egg problem n Latin American Countries • Improve content regardless of user base • e-Governance becomes a “killer app” Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 20

“Killer Apps” for ICT and Governance n Taxes • Brazil had ~95% of income “Killer Apps” for ICT and Governance n Taxes • Brazil had ~95% of income taxes filed online (2003) n Contracting • Sharing information • Actual transactions n Voting • Not yet online, but computerized, nonetheless Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 21

Electronic Voting n Somewhat controversial, esp. in the US • Why? n Electronic voting Electronic Voting n Somewhat controversial, esp. in the US • Why? n Electronic voting needs to be in the context of voting overall • • Access and participation Informed decisions Influence of money Reduction of errors and fraud How do these compare to paper voting? (“Ballot Stuffing”) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 22

Design of Electoral Systems The problem and a Comparison: US and India Builds on Design of Electoral Systems The problem and a Comparison: US and India Builds on work by Eswaran Subrahmanian (CMU) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 23

Goals of an Electoral System: Voters and voting process n Ensure that every body Goals of an Electoral System: Voters and voting process n Ensure that every body that is eligible to vote has an opportunity to vote n Ensure that any eligible voter is allowed to vote only once n Voters get the information on candidates in a fair and consistent manner n Ensure the ability to register n Ensure orderly process of voting n Minimize fraud in the process Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 24

Goals of the Electoral Systems: Candidacy and canvassing n Allow for a citizen to Goals of the Electoral Systems: Candidacy and canvassing n Allow for a citizen to be able to participate as a candidate in the election n Allow for the candidate to express their political position to the Voters n Minimize the number of candidates competing in the election: Low but sufficient barrier to entry n Minimize the influence any one interest group on the candidate Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 25

Goal of the Electoral System: Voting Mechanism n Ensure that the mechanism registers votes Goal of the Electoral System: Voting Mechanism n Ensure that the mechanism registers votes n Ensure that the mechanism cannot be tampered with n Ensure that the mechanism allows for accurate counting n The vote cast is correctly registered and attributed to the right candidate n The votes cast are correctly tabulated to decide the winner Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 26

Decision Variables: Voters and Voting Process n Criteria for eligibility to Vote: Age, Criminal Decision Variables: Voters and Voting Process n Criteria for eligibility to Vote: Age, Criminal record, Citizenship n Criteria for determining the identity of the voter: Voter id card format and content n Criteria for determining that the voter votes only once: Check list, ink marker n Locale of voting: on location, absentee n Security of the Process: Army, local police, national guard, Party officials, State employees n Fairness and standards for dispute resolution Verification of Process: Internal observers, international observers Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 27

Decision variables: Candidacy n Criteria for being a candidate: • • • Measure of Decision variables: Candidacy n Criteria for being a candidate: • • • Measure of support (100, 000 signatures) Deposit money (~$5000) Party affiliation: none, only registered parties etc. Citizenship: Born, naturalized Age by position sought President: 45 and over Congress • Registering: number of days before election Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 28

Decision variables: Candidacy n Types of positions: Legislator, Senate, Mayor etc n Definition of Decision variables: Candidacy n Types of positions: Legislator, Senate, Mayor etc n Definition of electoral region for candidacy: (population per district etc) n Responsibility of demarcation of region: State government, Election commission n Method of demarcation: arbitrary, grid based, Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 29

Decision variables: Canvassing n Start of canvassing for Election: Days before election n End Decision variables: Canvassing n Start of canvassing for Election: Days before election n End of canvassing: days before election n Modes of Information Dissemination: Street rallies, Flyers, TV and Radio Ads n Scope of content of electoral material: Offensive, personal attacks etc n Money spent on Canvassing - Limits or no limits n Financing of Canvassing: Public, private n Limits on citizen financial contribution: upper bound Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 30

Decision Variables: Voting Mechanism n Type of Mechanism: paper, mechanical, electronic n Security of Decision Variables: Voting Mechanism n Type of Mechanism: paper, mechanical, electronic n Security of the mechanism: Special paper, type of locking n Counting model: Hand count, Machine count, cumulative count Verification Models: Human, automated verification, committee Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 31

Design of the Electoral Systems: Responsibility n Centralized: India • Independent election commission like Design of the Electoral Systems: Responsibility n Centralized: India • Independent election commission like the supreme court • Central and state election commissions(EC) • Electoral laws executed by Central EC and reforms proposed by CEC • CEC is central coordinator and enforcer n Decentralized and Mixed Mode: US • • • Canvassing - Central Candidacy - Federal and State Voter eligibility: State and Federal Voting Mechanism: Local (County) Security - Local Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 32

Last Indian National Election (2004) n 337 million voters n 600 million eligible/registered voters Last Indian National Election (2004) n 337 million voters n 600 million eligible/registered voters • Registration is CEC responsibility: not individuals • Computerized nation electoral roles • Registration verification in Community halls in villages n 1. 2 security officials n 1 Million electronic voting machines • Training and demonstration across the country n 4 million Poll officers n Election over 3 weeks n Official results in 3 Days Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 33

US election: First Tuesday of November n One day n Numerous electoral rolls n US election: First Tuesday of November n One day n Numerous electoral rolls n Numerous types of machines n Official result expected in 3 - 4 weeks n Non-uniform electoral laws n Minimal security Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 34

India: Electronic Voting Machine (EVM) n Introduced in 1998 n Indigenous -produced by 2 India: Electronic Voting Machine (EVM) n Introduced in 1998 n Indigenous -produced by 2 Public Sector Companies - BEL and ECIL n Run on batteries - Tamper proof n Votes recorded by pressing a button n Votes stored in memory n Result retrieved by press of button n General Elections 2004 conducted fully on EVMs n Around 1, 075, 000 EVMs were used n Can be modified as per the requirement Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 35

How to Improve Electronic Voting n Simplicity, Simplicity • Less loopholes Accidental Malicious n How to Improve Electronic Voting n Simplicity, Simplicity • Less loopholes Accidental Malicious n Standardization • India benefits due to Federal Standards n Open Source? n Voter Verifiable Audits/Paper Trails[? ? ? ] • Many experts doubt the value of this • Cryptography can be more secure than paper Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 36

Computing’s Impact on Elections n Polls n Blogs • FEC ruled to exempt them Computing’s Impact on Elections n Polls n Blogs • FEC ruled to exempt them from some restrictions • Hoped these are grass-roots and a great equalizer Are they? n News and media Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 37

Thinking Points on Voting n Should you be voting online? • • Is it Thinking Points on Voting n Should you be voting online? • • Is it safe? Issues of timing? Is it deliberative? Is it asymmetric (e. g. , discriminates by class) n Internet voting is a narrow subset of electronic voting (more later) n Should I be able to know how you voted? NO! • But, what about transparency? www. fundrace. org – By looking at whom you paid money to, can guess whom you voted for Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 38

History of Voting n “Ballots” from Italian ballotta, meaning “little ball” n Ancient: clash History of Voting n “Ballots” from Italian ballotta, meaning “little ball” n Ancient: clash of spears, balls in urns, division by groups, wooden tickets (tabellæ) n American colonies: voting aloud to public official n 1857: Australia introduces secret paper ballot n 1888: Australian ballot introduced in U. S. (KY, MA) n 1892: Mechanical lever machine to “protect mechanically the voter from rascaldom” n 1960 s: Punched cards n 1970 s: Optical scan n 1978: Direct-recording electronic systems n 2000: Internet voting in primaries 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 39

Voting Jurisdictions n Voting in the U. S. is conducted by the states • Voting Jurisdictions n Voting in the U. S. is conducted by the states • 50 states + DC + territories • Supervised generally by Secretaries of State • Delegated to 3170 counties n ~10, 000 voting jurisdictions (cities, school boards, …) n ~200, 000 precincts (avg. 60 -70 per county) n > 1, 400, 000 poll workers (avg. 7/precinct, 440/cty) n 150 million registered voters, 105 million actually vote n Federal government has very little power over elections 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 40

PENNSYLVANIA 41 PENNSYLVANIA 41

Pennsylvania Voting Methods 2004 ALLEGHENY COUNTY Optical Punch Card Lever DRE Paper Mixed N/A Pennsylvania Voting Methods 2004 ALLEGHENY COUNTY Optical Punch Card Lever DRE Paper Mixed N/A SOURCE: ELECTIONLINE. ORG Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Allegheny County CITY OF PITTSBURGH 43 Allegheny County CITY OF PITTSBURGH 43

5 th Ave. (Precincts) 44 5 th Ave. (Precincts) 44

Pittsburgh East End Wards and Precincts 5 th Ave. 14 th City Ward 45 Pittsburgh East End Wards and Precincts 5 th Ave. 14 th City Ward 45

Pittsburgh East End Political Districts 8 th City Council District 46 Pittsburgh East End Political Districts 8 th City Council District 46

Pittsburgh East End Political Districts 11 th County Council District 47 Pittsburgh East End Political Districts 11 th County Council District 47

Pittsburgh East End Political Districts 23 rd Pennsylvania House District 48 Pittsburgh East End Political Districts 23 rd Pennsylvania House District 48

Pittsburgh East End Political Districts 43 rd Pennsylvania Senate District 49 Pittsburgh East End Political Districts 43 rd Pennsylvania Senate District 49

Pittsburgh East End Political Districts 11 th County Council 8 th City Council 23 Pittsburgh East End Political Districts 11 th County Council 8 th City Council 23 rd House 43 rd Senate 50

Functions of a Voting System 1. Authenticate voter 2. Present candidates and issues to Functions of a Voting System 1. Authenticate voter 2. Present candidates and issues to voter 3. Capture voter’s preferences 4. Transport preferences to counting location 5. Add up vote totals (tabulation) 6. Publish vote totals (reporting) 7. Provide audit mechanism But: vote must be secret • • CS ISSUES SECURITY PRIVACY HCI SOFTWARE ENGINEERING 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 51

Authentication n In each precinct, only registered voters are allowed to vote n Need Authentication n In each precinct, only registered voters are allowed to vote n Need a registration system before the election n Need authentication mechanism on Election Day • Only registered voters vote • No one can impersonate a voter • Each voter can only vote once n In this course, we will not discuss voter registration Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Voting System Requirements n Secrecy n Security n Accuracy n Auditability n Accessibility to Voting System Requirements n Secrecy n Security n Accuracy n Auditability n Accessibility to disabled n Protective counter (votes cast since manufacture) n Public counter (votes cast today) n Conform to state voting provisions (e. g. write-ins) n Meet Federal standards Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Election tasks n Registering voters n Validating/authenticating voters n Distributing/collecting ballots n Tallying votes Election tasks n Registering voters n Validating/authenticating voters n Distributing/collecting ballots n Tallying votes How are these tasks accomplished in the elections in which you have participated? • • Government elections Stock holder elections Student government elections Professional society elections Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 54

Desirable properties of secret ballot elections n Accuracy n Convenience n Privacy n Flexibility Desirable properties of secret ballot elections n Accuracy n Convenience n Privacy n Flexibility n Verifiability n Mobility n Invulnerability (Democracy) n Trustworthy Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 55

Accuracy n Votes cannot be altered n Validated votes cannot be eliminated from the Accuracy n Votes cannot be altered n Validated votes cannot be eliminated from the final tally n Invalid votes will not be counted in the final tally Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 56

Privacy n Neither election authorities nor anyone else can link any ballot to the Privacy n Neither election authorities nor anyone else can link any ballot to the voter who cast it n No voter can prove that he or she voted in a particular way Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 57

Invulnerability (to ballot box stuffing) n Only eligible voters can vote n Each eligible Invulnerability (to ballot box stuffing) n Only eligible voters can vote n Each eligible voter can vote only once The accuracy property ensures that ballots are not lost or altered after being submitted to the ballot box The invulnerability property ensures that only valid ballots are accepted into the ballot box Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 58

Verifiability n Anyone can independently verify that all votes have been counted correctly • Verifiability n Anyone can independently verify that all votes have been counted correctly • Weaker version: voters can verify that their own votes were counted correctly • Achieved through audit trails and/or cryptographic verification Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 59

Convenience n Voters can cast their votes quickly, in one session, and with minimal Convenience n Voters can cast their votes quickly, in one session, and with minimal equipment or special skills Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 60

Flexibility n A variety of ballot question formats are permitted including open ended questions Flexibility n A variety of ballot question formats are permitted including open ended questions Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 61

Mobility n There are no restrictions on the location from which a voter can Mobility n There are no restrictions on the location from which a voter can cast a vote Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 62

Trustworthy n Voter feels that • Vote was counted • Vote was private • Trustworthy n Voter feels that • Vote was counted • Vote was private • Nobody else can vote more than once • Nobody can alter others’ votes n People believe that the machine works correctly and that its behavior cannot be modified n These have to do with perception n It is also important that these perceptions are true Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 63

Computers used for Predicting Elections n Irony: 1952 US Presidential Election • UNIVAC computer Computers used for Predicting Elections n Irony: 1952 US Presidential Election • UNIVAC computer • Based on just 1% of the vote, predicted sweeping Eisenhower victory • No one believed the computer TV networks ignored its prediction • It was right! Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 64

Ballot Types n Document ballot • Paper ballot • punched-card • optical scan n Ballot Types n Document ballot • Paper ballot • punched-card • optical scan n Non-document ballot • Lever machine • DRE (Direct Recording Electronic) machine Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

US Voting Equipment Trends Source: Election Data Services Computers and Society • Carnegie Mellon US Voting Equipment Trends Source: Election Data Services Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 66

Paper (. 6%) n Advantages • Simple • Captures voter intent • Not subject Paper (. 6%) n Advantages • Simple • Captures voter intent • Not subject to equipment malfunctions n Disadvantages • Time consuming to count • Does not prevent over votes or under votes • Many ballot fraud schemes involving paper ballots Ballot box stuffing Ballot invalidation Pre-marked ballots Ballot theft Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 67

Paper Ballots 10/29/1864 1/27/1925 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 Paper Ballots 10/29/1864 1/27/1925 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 68

New York Times, April 4, 1855 BALLOT BOXES DESTROYED INJURIES IN RIOTS MORE BALLOTS New York Times, April 4, 1855 BALLOT BOXES DESTROYED INJURIES IN RIOTS MORE BALLOTS CAST THAN NAMES ON THE POLL LIST 69

Florida’s Solution “The ballots shall first be counted, and, if the number of ballots Florida’s Solution “The ballots shall first be counted, and, if the number of ballots exceeds the number of persons who voted … the ballots shall be placed back into the box, and one of the inspectors shall publicly draw out and destroy unopened as many ballots as are equal to such excess. ” F. S. § 102. 061 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 70

Why Do We Use Voting Machines? n To prevent fraud • Lever machine (1892) Why Do We Use Voting Machines? n To prevent fraud • Lever machine (1892) “To protect mechanically the voter from rascaldom” n Faster, more accurate counting Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Lever Machines (14%) SOURCE: MICHIGAN SOS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT Lever Machines (14%) SOURCE: MICHIGAN SOS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 72

Lever Machines (14%) 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL Lever Machines (14%) 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 73

Lever Machines (14%) 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL Lever Machines (14%) 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 74

Lever Machines 75 Lever Machines 75

Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 76

Punched-Card (14%) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia Punched-Card (14%) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Punch Card Voting n Used by about 14% of the U. S. in 2004 Punch Card Voting n Used by about 14% of the U. S. in 2004 n Used in 69 of 88 counties in Ohio (PA only has 67 counties) n Began in the 1960 s with the IBM Porta-Punch n By 2000 was used in 37% of the U. S. , until Florida

Votomatic Punch-Card System BALLOT FRAME VOTING SETUP VOTING BOOTH VOTING STYLUS BALLOT SEALS 17 Votomatic Punch-Card System BALLOT FRAME VOTING SETUP VOTING BOOTH VOTING STYLUS BALLOT SEALS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 79

Punched Card (14%) SOURCE: MICHIGAN SOS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT Punched Card (14%) SOURCE: MICHIGAN SOS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 80

Chads SOURCE: PETER SHEERIN Computers and Society • Carnegie Mellon University • Spring 2007 Chads SOURCE: PETER SHEERIN Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Hanging Chad SOURCE: NEW YORK TIMES 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT Hanging Chad SOURCE: NEW YORK TIMES 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 82

Palm Beach County “Butterfly” Ballot SOURCE: SOUTH FLORIDA SUN-SENTINEL 17 -803/17 -400 ELECTRONIC VOTING Palm Beach County “Butterfly” Ballot SOURCE: SOUTH FLORIDA SUN-SENTINEL 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 83

Votomatic Punched-Card System The infamous Butterfly Ballot 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 Votomatic Punched-Card System The infamous Butterfly Ballot 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 84

Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 85

Buchanan Vote by County (Florida, 2000) GRAPH COURTESY OF PROF. GREG ADAMS CARNEGIE MELLON Buchanan Vote by County (Florida, 2000) GRAPH COURTESY OF PROF. GREG ADAMS CARNEGIE MELLON & PROF. CHRIS FASTNOW CHATHAM COLLEGE (PURPLE ANNOTATIONS ADDED) LINEAR FIT WITHOUT PALM BEACH, BROWARD, MIAMI-DADE Pinellas (St. Petersburg-Clearwater) Hillsborough (Tampa) Broward (Fort Lauderdale) Miami-Dade Orange (Orlando) SOURCE: PROF. GREG ADAMS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 86

Datavote n Uses a die to punch a clean hole n Employed in a Datavote n Uses a die to punch a clean hole n Employed in a small fraction of punch card counties Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Counting Punched Cards SOURCE: NEW YORK TIMES 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 Counting Punched Cards SOURCE: NEW YORK TIMES 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 88

Recount n When a ballot is handled, it can be changed n The voter’s Recount n When a ballot is handled, it can be changed n The voter’s intent must be determined n Suppose only one of four corners is detached. It is a vote? n Dimpled chad, pregnant chad: how to count? 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 89

Punched-Card Problems n n Can’t see whom you’re voting for Registration of card in Punched-Card Problems n n Can’t see whom you’re voting for Registration of card in ballot frame Must use stylus: no positive feedback on punch Hanging chad: chad that is partially attached to the card • How may corners? • Hanging chad causes count to differ every time n Dimple: chad that is completely attached but shows evidence of an attempt to punch • Dimple can turn into a vote on multiple readings 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 90

Mark Sense, Optical Scan (34%) TIMING MARKS START OF BALLOT 17 -803/17 -400 ELECTRONIC Mark Sense, Optical Scan (34%) TIMING MARKS START OF BALLOT 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 91

Mark-Sense, Optical Scan (34%) n Scanning methods • Visible light • Infrared n Issues: Mark-Sense, Optical Scan (34%) n Scanning methods • Visible light • Infrared n Issues: • Dark/light marks • Some scanners require carbon-based ink • Voter intent may not be captured by machine n Machine does not see what the human sees 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 92

AN OPTICAL SCAN BALLOT SOURCE: SANTA BARBARA COUNTY 93 AN OPTICAL SCAN BALLOT SOURCE: SANTA BARBARA COUNTY 93

SOURCE: Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • SOURCE: Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 94

Precinct Count v. Central Count n Precinct count • Voter marks ballot, inserts into Precinct Count v. Central Count n Precinct count • Voter marks ballot, inserts into machine • Machine rejects overvoted (and maybe undervoted) ballots n Central count • Marked ballots are transported to a central location for counting • No opportunity for correction of overvotes/undervotes 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 95

ES&S Model 110 Precinct Tabulator Voter inserts ballot, receives immediate overvote/undervote notification SOURCE: ES&S ES&S Model 110 Precinct Tabulator Voter inserts ballot, receives immediate overvote/undervote notification SOURCE: ES&S 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 96

ES&S Model 650 Central Tabulator Ballots counted centrally, away from voter. No overvote/undervote notification ES&S Model 650 Central Tabulator Ballots counted centrally, away from voter. No overvote/undervote notification SOURCE: ES&S 97

Optical Scan Vote Reading n Is it reliable? n Is voter intent captured? n Optical Scan Vote Reading n Is it reliable? n Is voter intent captured? n Can it be manipulated? n Infrared v. visible light • Problem: machine “sees” marks differently from voter n What is a valid vote? 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 98

Effect of Humidity SOURCE: DOUG JONES 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT Effect of Humidity SOURCE: DOUG JONES 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 99

Direct-Recording Electronic (31%) DEMO SOURCE: SHOUP VOTING SOLUTIONS 17 -803/17 -400 ELECTRONIC VOTING FALL Direct-Recording Electronic (31%) DEMO SOURCE: SHOUP VOTING SOLUTIONS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 100

Direct-Recording Electronic (31%) SOURCE: SHOUP VOTING SOLUTIONS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 Direct-Recording Electronic (31%) SOURCE: SHOUP VOTING SOLUTIONS 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 101

DRE Systems n DRE means “direct recording electronic” n There is no document ballot DRE Systems n DRE means “direct recording electronic” n There is no document ballot n Voter votes by interacting directly with a machine, not by marking a piece of paper n “Electronic voting system” means a system in which one or more voting devices are used to permit the registering or recording of votes and in which such votes are computed and tabulated by automatic tabulating equipment. The system shall provide for a permanent physical record of each vote cast. Pa. Elec. Code. 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 102

A Well-Designed e-Voting Machine NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET A Well-Designed e-Voting Machine NO PORTS, NO CONNECTORS, NO MODEM, NO WIRELESS, NO INTERNET PROPRIETARY OPERATING SYSTEM (NOT WINDOWS) SOFTWARE FROM A TRUSTED SOURCE (NOT THE VENDOR) BALLOT SETUP DATA VOTER CHOICES READ-ONLY MEMORY RANDOM ACCESS MEMORY INTERNAL PAPER TRAIL WRITE-ONCE MEMORY TOTALS REPORT SIGNED BY ELECTION JUDGES WRITE-ONCE MEMORY TO COUNTY BOARD 16 -HOUR BATTERY MACHINE SEALED WITH PAPER TRAIL Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Advanced (formerly Shoup) WINvote DRE USES WIRELESS NETWORK SOURCE: ADVANCED VOTING SOLUTIONS Computers and Advanced (formerly Shoup) WINvote DRE USES WIRELESS NETWORK SOURCE: ADVANCED VOTING SOLUTIONS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Diebold Accu-Vote ACCU-VOTE TS TOUCHSCREEN ACCU-VOTE TSX TOUCHSCREEN ACCU-VOTE OS OPTICAL SCAN SOURCE: DIEBOLD Diebold Accu-Vote ACCU-VOTE TS TOUCHSCREEN ACCU-VOTE TSX TOUCHSCREEN ACCU-VOTE OS OPTICAL SCAN SOURCE: DIEBOLD Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

ES&S i. Votronic Touchscreen DRE 1. INSERT PEB 2. MAKE SELECTIONS 3. REVIEW BALLOT ES&S i. Votronic Touchscreen DRE 1. INSERT PEB 2. MAKE SELECTIONS 3. REVIEW BALLOT 4. CAST BALLOT Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ SOURCE: ES&S

Guardian 1242 (formerly Danaher) Full-face DRE SOURCE: GUARDIAN Computers and Society • Carnegie Mellon Guardian 1242 (formerly Danaher) Full-face DRE SOURCE: GUARDIAN Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Liberty Election Systems Full-face DRE LIBERTYVOTE SOURCE: LIBERTY Computers and Society • Carnegie Mellon Liberty Election Systems Full-face DRE LIBERTYVOTE SOURCE: LIBERTY Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Microvote INFINITY DRE MV-464 DRE ABSENTEE CARD READER SOURCE: MICROVOTE Computers and Society • Microvote INFINITY DRE MV-464 DRE ABSENTEE CARD READER SOURCE: MICROVOTE Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Sequoia Pacific AVC Advantage Full-Face DRE SOURCE: SEQUOIA Computers and Society • Carnegie Mellon Sequoia Pacific AVC Advantage Full-Face DRE SOURCE: SEQUOIA Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Sequoia Pacific Edge DRE DEMO SOURCE: SEQUOIA Computers and Society • Carnegie Mellon University Sequoia Pacific Edge DRE DEMO SOURCE: SEQUOIA Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Sequoia Pacific Edge DRE DEMO SOURCE: SEQUOIA Computers and Society • Carnegie Mellon University Sequoia Pacific Edge DRE DEMO SOURCE: SEQUOIA Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Hart e. Slate SOURCE: HART INTERCIVIC Computers and Society • Carnegie Mellon University • Hart e. Slate SOURCE: HART INTERCIVIC Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Known Issues: The Hursti Exploit n Discovered by Finnish security expert Harri Hursti n Known Issues: The Hursti Exploit n Discovered by Finnish security expert Harri Hursti n Works against Diebold optical scan voting machines n Diebold Accu. Vote OS has a PCMCIA memory card with ballot setup information, vote counters and predefined report formats PRINTER INSIDE OPTICAL BALLOT LCD DISPLAY FRONT OF MACHINE BACK OF MACHINE Source: M. Shamos Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 114

The Hursti Exploit n Memory card created at county, inserted in machine: ELECTION DATA The Hursti Exploit n Memory card created at county, inserted in machine: ELECTION DATA TO PRODUCE TABULATION: • CANDIDATE NAMES • PARTIES • BALLOT POSITIONS VOTE COUNTERS ACCUBASIC. ABO FILES FOR REPORTS, NOT TABULATION n Counters are short integers; overflow is not trapped n Large positive numbers act as negative numbers, e. g. 65, 520 is equivalent to -16 since 65, 520+16 = 65, 536 = 0 Source: M. Shamos n Hursti Exploit, Part 1: Preload the card with some negative and some positive counts in a race. Make sure the net sum is zero. n Hursti Exploit, Part 2: Replace the zero report. abo file with one that always prints zeros regardless of counter values. n Result: Votes added to some candidates, subtracted from others, but the total count does not exceed the number of voters. n Result: When memory card counters are overwritten at the close of polls, no electronic record of the exploit exists. NOT CERTIFIED Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 115

Help America Vote Act of 2002 n Payments to states to replace paper and Help America Vote Act of 2002 n Payments to states to replace paper and level machines: $3 billion n Establishes Election Assistance Commission n Reforms the standards process (National Institute of Standards and Technology) n Provisional voting n Statewide registration systems n Complaint procedure Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

The Problem n Voters do not trust DRE systems n Why? • • Numerous The Problem n Voters do not trust DRE systems n Why? • • Numerous irregularities around the country “Black box” phenomenon Reports by computer security specialists Warnings by computer scientists Jurisdictions rushing to replace old systems Secretive vendor behavior Public awareness of computer vulnerabilities Newspaper editorials, e. g. New York Times Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

The Problem n Are DRE systems untrustworthy? • Some are, some aren’t n DRE The Problem n Are DRE systems untrustworthy? • Some are, some aren’t n DRE systems used for 25 years without a single verified incident of tampering • • Much more difficult to alter computerized records than paper Proprietary operating systems Redundant encrypted memories Testing n None of this matters. Perception governs n What to do? Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Statutory Requirements n HAVA Sec. 301(a)(2)(i): “The voting system shall produce a permanent paper Statutory Requirements n HAVA Sec. 301(a)(2)(i): “The voting system shall produce a permanent paper record with a manual audit capacity for such system. ” n Maryland Election Law 9 -102(c): “Standards for certification. - The State Board may not certify a voting system unless the State Board determines that: (1) the voting system will: … (vi) be capable of creating a paper record of all votes cast in order that an audit trail is available in the event of a recount” Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Paper Trail Proposal n Allow each voter to see her choices on paper before Paper Trail Proposal n Allow each voter to see her choices on paper before casting a vote n If the choices are incorrect, they can be corrected n The paper becomes the official ballot n If there is a discrepancy between the paper record and the computer record, the paper governs n Why? Because that’s the one the voter verified Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

VVPAT n Voter-verified paper audit trail n Produce a paper document that the voter VVPAT n Voter-verified paper audit trail n Produce a paper document that the voter can view before casting the ballot to verify that the vote was captured correctly n Retain the paper document to be used for a recount, if necessary. DEMO n Concept: if someone has tampered with the machine, the correct count can be obtained from the paper records n [Assume for the purposes of this talk that the statement is accurate. It isn’t, but assume it is. ] Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Paper Trail Advantages n Demonstrates to the voter that the machine captured her choices Paper Trail Advantages n Demonstrates to the voter that the machine captured her choices correctly n Creates a sense of security among voters Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Paper Trail Disadvantages n No guarantee vote was counted, will ever be counted or Paper Trail Disadvantages n No guarantee vote was counted, will ever be counted or paper will be in existence if a recount is ordered n Massive paper handling and security problem n Slow counting • • Sacramento experiment 06/04: took an average of 20 minutes per ballot to tabulate and verify results Recounting California would take 450 years n Accessibility issues n Voter confusion • Must remember a lengthy ballot n Machines questioned when nothing is wrong n Increased demand for recounts n Creates doubt among voters (Cal. Tech-MIT Report) 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS

Voting Problems n Machine won’t operate n Machine fails during the election n Intruder Voting Problems n Machine won’t operate n Machine fails during the election n Intruder tampers with paper records NOT ADDRESSED BY PAPER TRAIL • Stuffing, removal, alteration n Machine captures choices incorrectly n Intruder alters vote totals after election n Machine maliciously or erroneously switches votes SOLVED BY PAPER TRAIL DEPENDS ON PHYSICAL SECURITY OF PAPER TRAIL Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Legal Requirements n Election law defines the process of democracy n PA Election Code Legal Requirements n Election law defines the process of democracy n PA Election Code is extremely long and complex n Every voting system used in PA must comply with the PA Constitution and the Election Code n A system that violates the law cannot be used, no matter how good or desirable it may be n Determination whether to certify a voting system is made by the Secretary of the Commonwealth based on report from an appointed examiner Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Mandatory Requirements n Voter secrecy “All elections by the citizens shall be by ballot Mandatory Requirements n Voter secrecy “All elections by the citizens shall be by ballot or by such other method as may be prescribed by law; Provided, That secrecy in voting be preserved. ” Pa. Const. Art. VII, Sec. 4. 1. Secrecy Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Mandatory Requirements n Ballot non-identifiability “No ballot which is so marked as to be Mandatory Requirements n Ballot non-identifiability “No ballot which is so marked as to be capable of identification shall be counted. ” Pa. Election Code, 25 P. S. 3063(a) n Purpose: to prevent vote-selling 2. Non-identifiability Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Mandatory Requirements n Can’t allow voter a take-home receipt showing how she voted n Mandatory Requirements n Can’t allow voter a take-home receipt showing how she voted n Could be used as proof of vote n Would promote vote-selling 3. No take-home receipts Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Mandatory Requirements n Voter-verified ballots must be voter-verifiable n If the ballot contains anything Mandatory Requirements n Voter-verified ballots must be voter-verifiable n If the ballot contains anything that is not readable by the voter that could be used to change or invalidate the vote, it’s not voterverifiable n The voting system must be “suitably designed for the purpose used. ” 25 P. S. 3031. 7(11) 4. Nothing unverifiable Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Sequoia Veri. Vote Paper Trail CONTINUOUS ROLL OF PAPER Voter Choices Problems: 1. No Sequoia Veri. Vote Paper Trail CONTINUOUS ROLL OF PAPER Voter Choices Problems: 1. No secrecy. Ballots are printed in sequential order 2. Each ballot is identifiable by serial number Ballot Serial Number Two-dimensional Barcode with Voter Choices Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Vote. Trakker Cut-Sheet From an Avante whitepaper: Wrong! The “check-code” makes the ballot identifiable Vote. Trakker Cut-Sheet From an Avante whitepaper: Wrong! The “check-code” makes the ballot identifiable AND not voter-verifiable NJ 021111002026 482961 Feb 26, 2001 President / Vice President GEORGE WASHINGTON, Andrew JACKSON US Senator John HANCOCK House of Representative Ben Franklin County Clerk John Quincy ADAMS Board of Chosen Freeholders Paul REVERE Board of Chosen Freeholders William H TAFT Board of Chosen Freeholders Theodore ROOSEVELT Public Question 1 Yes Public Question 2 No Public Question 3 Yes Thank you for voting! Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Populex Ballot Marking System n Machine only MARKS a ballot; does not tabulate n Populex Ballot Marking System n Machine only MARKS a ballot; does not tabulate n Ballot is tabulated by a separate scanner that reads the barcode Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

A Populex Ballot Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. A Populex Ballot Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. No ballot integrity HUMAN-READABLE SELECTIONS MYSTERIOUS BARCODE Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Accu. Poll Cut-Sheet System Accu. Poll Cut-Sheet System

Accu. Poll Paper Trail BALLOT KEY, 2 D BARCODE OCR SCANNABLE CHOICES HUMAN-READABLE CHOICES Accu. Poll Paper Trail BALLOT KEY, 2 D BARCODE OCR SCANNABLE CHOICES HUMAN-READABLE CHOICES Problems: 3. Voter can take ballot home 4. Not voter-verifiable 5. No ballot integrity Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Voter Verifiability n Having each voter be able to verify that 1. her vote Voter Verifiability n Having each voter be able to verify that 1. her vote was understood by the machine 2. her vote was counted by the machine 3. her vote was counted as part of the final tally 4. no unauthorized votes were counted n Paper trails provide (1), but not (2), (3) or (4) n Systems exist that provide all four Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/

Voter’s Private Key Voter’s Public Key Tallier OT Validator Tallier’s Public Key LL BA Voter’s Private Key Voter’s Public Key Tallier OT Validator Tallier’s Public Key LL BA Voter A Simplistic Voting Protocol Tallier’s Private Key OT BALL Tallier and validator can collude to violate privacy Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 137

Can Cryptography Help? n Yes – using “mix-nets” (Chaum) and “voterverified secret ballots” (Chaum; Can Cryptography Help? n Yes – using “mix-nets” (Chaum) and “voterverified secret ballots” (Chaum; Neff) n Official ballot is electronic not paper. n Ballot is encrypted version of choices. n Ballots posted on public bulletin board. n Voter gets paper “receipt” so she can: • Ensure that her ballot is properly posted • Detect voting machine error or fraud SOURCE: RON RIVEST 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 138

Voter needs evidence n That her vote is “cast as intended”: n That her Voter needs evidence n That her vote is “cast as intended”: n That her ballot is indeed encryption of her choices, and what her ballot is This is extremely challenging, since She can’t compute much herself She can’t take away anything that would allow her to prove how she voted n So: she takes away evidence that allows her (as she exits polling site) to detect whether cheating occurred, and receipt to prove what her ballot is SOURCE: RON RIVEST 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 139

Everyone needs evidence n That votes are “counted as cast”: n That mix-servers (“mixes”) Everyone needs evidence n That votes are “counted as cast”: n That mix-servers (“mixes”) properly permute and re-encrypt ballots. This is challenging, since Mixes cannot reveal the permutation they applied to ballots n That trustees properly decrypt the permuted ballots This is relatively straightforward, using known techniques. n This is “universal verifiability” SOURCE: RON RIVEST 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 140

Electronic Voting in 2004 n From the e-voting viewpoint, the 2004 election was not Electronic Voting in 2004 n From the e-voting viewpoint, the 2004 election was not very interesting n 1444 reports to the Election Incident Reporting System n Reports fell into three categories: • Fantasies (allegations of fraud with no evidence) • Misunderstandings (truthful but misinterpreted allegations) • Genuine problems n Problems exist that were not reported, e. g. voter privacy problems 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 141

Reported Problems n Machine unreliability n Changed votes n Lost votes 17 -803/17 -400 Reported Problems n Machine unreliability n Changed votes n Lost votes 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 142

Enthusiasm for e-Voting Growing n Despite increasing realization of problems n Technology solves all Enthusiasm for e-Voting Growing n Despite increasing realization of problems n Technology solves all sorts of other problems, why not voting? n People like the vision of voting in their PJs n Belief that e-voting will increase voter turnout Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 143

Internet Voting n Where? • • Polling place Kiosks Home Anywhere 17 -803/17 -400 Internet Voting n Where? • • Polling place Kiosks Home Anywhere 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 144

Internet Voting Benefits n Convenience • Accessibility in all weather, all ages • Vote Internet Voting Benefits n Convenience • Accessibility in all weather, all ages • Vote anywhere, maybe even from cellphone • Availability of candidate information n Maybe lower operating cost (maybe not) • if regular polling places are eliminated 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 145

Internet Voting Risks n Digital divide • People without Internet access • People without Internet Voting Risks n Digital divide • People without Internet access • People without computer skills n Security, trust n Casual environment n Open to the world 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 146

Internet Voting Security Risks n n Bugs Backdoors to manipulation Malicious code COTS (Commercial Internet Voting Security Risks n n Bugs Backdoors to manipulation Malicious code COTS (Commercial Off-the-Shelf Software), e. g. Windows, may contain exploits n Insider attacks • Compromising results • Compromising privacy n Client attacks • Operator (for Internet cafes) • Worms, viruses, Active. X, spyware 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 147

Internet Voting Security Risks n Denial of Service • DDOS attacks on server • Internet Voting Security Risks n Denial of Service • DDOS attacks on server • Selective disenfranchisement n Spoof websites • Fake “official” site – captures voting credentials, issues fake acknowledgement, then casts real vote differently n Promotion of coercion • Automated credential-selling • Installation of watcher software 17 -803/17 -400 ELECTRONIC VOTING FALL 2004 COPYRIGHT © 2004 MICHAEL I. SHAMOS Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 148

Gauging election risks and threats n Risks and threats vary depending on: • Type Gauging election risks and threats n Risks and threats vary depending on: • Type of election (public vs. private) • Consequences of a successful attack • Value of election outcome to potential adversaries • Expertise, skill & resources needed to disrupt • Level of motivation of potential attackers • Amount of disruption needed to sway the election or call its outcome into doubt • Consequences of a perception of unfair outcome Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 149

Internet voting in public elections n Social issues: • Vote coercion • Vote sale Internet voting in public elections n Social issues: • Vote coercion • Vote sale • Vote solicitation (click here to vote, banner ads) n Technical issues: • • Securing the platform Securing the communications channel Assuring availability of the network Registration issues, one vote person, no dead voters • Authentication in each direction • Maintaining equitable costs (no poll tax, e. g. smartcard reader) Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 150

What Will Electronic Voting NOT Fix? n Getting people to vote (turnout) • Brazil What Will Electronic Voting NOT Fix? n Getting people to vote (turnout) • Brazil has mandatory federal elections n Value of a vote • Electoral College (where winner takes all, mostly) n Access to voting • Registration • Logistical constraints (Tuesdays are working days) n Limited choices - Two Party System n Power of incumbency • Congress – over 98% success rate • Redistricting makes it much worse n Influencing Elections • Money • Special Interest Groups Computers and Society • Carnegie Mellon University • Spring 2007 • Cranor/Tongia • http: //cups. cmu. edu/courses/compsoc-sp 07/ 151