Electronic Voting: Danger and Opportunity

J. Alex Halderman
Department of Computer Science
Center for Information Technology Policy
Princeton University
Joint work with … Joe Calandrino, Ari Feldman, Ed Felten
2000 Recount Debacle
Legislative response: Help America Vote Act
Provided $3.9 billion to states to upgrade voting machines by November 2006
DREs to the Rescue?
Direct Recording Electronic – Store votes in internal memory
DREs are Computers
Diebold’s History of Secrecy
• Used NDAs to prevent states from allowing independent security audits
• Source code leaked in 2003; researchers at Johns Hopkins found major flaws
  Diebold responded with vague legal threats, personal attacks, disinformation campaign
• Internal emails leaked in 2003 reveal poor security practices by developers
  Diebold tried to suppress sites with legal threats
We Get a Machine (2006)
Obtained legally from an anonymous private party
Software is 2002 version, but certified and used in actual elections
First complete, public, independent security audit of a DRE
Research Goals
• Conduct independent security audit
• Confirm findings of previous researchers (Hursti, Kohno et al.)
• Verify threats by building demonstration attacks
• Figure out how to do better
Who wants to know?
Voters, candidates, election officials, policy makers, researchers
SH3 CPU, 32 MB SDRAM, 128 KB EPROM, 16 MB Flash, removable flash memory card
Our Findings
• Malicious software running on the machine can steal votes undetectably, altering all backups and logs
  Correct result: George 5, Benedict 0
• Anyone with physical access to the machine or memory card can install malicious code in as little as one minute
• Malicious code can spread automatically and silently from machine to machine in the form of a voting machine virus
[Feldman, Halderman & Felten 2007]
The Key
Voting Machine Virus
Viral Spread
California “Top-to-Bottom” Study
Bill Zeller
Alex Halderman
Harlan Yu
Joe Calandrino
Ari Feldman
Debra Bowen
California “Top-to-Bottom” Results
Hart
Sequoia
Diebold
E-Voting Advantages
Voters prefer it
Faster reporting
Fewer undervotes
Improved accessibility
Potentially increased security*
Electronic + Paper Records
Touch-screen (DRE) machine, plus voter-verifiable paper trail
Hand-marked paper ballot, machine-scanned immediately
Failure Modes
Paper Ballots: physical tampering; “retail” fraud; after the election
Electronic Records: cyber-tampering; “wholesale” fraud; before the election
Redundancy + Different failure modes = Greater security
Proposed Legislation
H.R. 811: Voter Confidence and Increased Accessibility Act
• Voter-verifiable paper record and random manual audits
• Access to voting software and source code, to verify security
• Additional money for states
Rep. Rush Holt
How to Audit
Redundancy only helps if we use both records!
Electronic records fast and cheap to tally.
Paper records very expensive and slow to tally.
But: verified by voter
How to Use Paper Records?
Use a machine to count the paper records: too risky
Count the paper records by hand: too expensive
Check a random subset of paper records by hand …but which subset?
Standard Approach
Pick some precincts randomly.
Hand-count paper records.
Should match electronic records.
Statistical Auditing’s Goal
Establish, with high statistical confidence, that hand-counting all of the paper records would yield the same winner as the electronic tally.
Audit Example
Alice: 55%
Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence, hand-audit 60 precincts
Cost: about $100,000
An Alternative Approach
Precinct-based auditing: 100 marbles, 10% blue
Ballot-based auditing: 6300 beads, 10% blue
How large a sample do we need?
Audit Example
Alice: 55%
Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
For 95% confidence:
Precinct-based: hand-audit 60 precincts, cost about $100,000
Ballot-based: hand-audit 60 ballots, cost about $1,000
Why Not Ballot-based?
[Diagram: three paper ballots (marked Alice, Bob, Alice) pass through the voting machine; its electronic record lists Alice, Bob, Alice]
Need to match up electronic with paper ballots.
Compromises the secret ballot!
Secret Ballot
Prevents coercion and vote-buying
Requirements:
Nobody can tell how you voted.
You can’t prove to anyone how you voted.
You can be confident in these properties.
Serial Numbers
[Diagram: paper ballots carry serial numbers 1, 2, 3 (marked Alice, Bob, Alice); the voting machine records 1 Alice, 2 Bob, 3 Alice]
“Random” Identifiers
[Diagram: paper ballots carry identifiers 325631, 218594, 810581 (marked Alice, Bob, Alice); the voting machine records 325631 Alice, 218594 Bob, 810581 Alice]
Machine-Assisted Auditing
Step 1. Check electronic records against paper records using a recount machine.
[Diagram: the voting machine's electronic tally (Alice: 510, Bob: 419) is compared for equality with the recount machine's numbered per-ballot records (1, 2, …, 929 Bob) produced from the paper ballots]
Step 2. Audit the recount machine by selecting random ballots for human inspection.
[Diagram: randomly selected paper ballots 321 and 716 are pulled for human inspection and compared with the recount machine's records 321 Bob, 716 Alice]
[Calandrino, Halderman & Felten 2007]
Machine-Assisted Auditing
Machine Recount
Manual Audit
We can use a machine while protecting the secret ballot.
As efficient as ballot-based auditing, without having to trust it!
Evaluation
2006 Virginia U.S. Senate race
0.3% margin of victory
We want 99% confidence
                     # ballots   # precincts
Precinct-based       1,141,900         1,252
Machine-assisted         2,339         1,351
Doing Even Better
Alice: 55%
Bob: 45%
Goal: Reject hypothesis that ≥ 5% of ballots differ between electronic and paper
Refined goal: Reject hypothesis that ≥ 5% of ballots are marked electronically for Alice but on paper for Bob.
Only need to audit ballots marked for Alice.
In General …
Key idea: Probability of auditing a ballot
should depend on how that ballot is marked
Full algorithm accounts for:
multi-candidate races
multi-seat races
undervotes and overvotes
write-ins
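The sample-size arithmetic behind the audit examples above (how large a random sample finds a discrepancy with 95% confidence, why 100 marbles and 6300 beads need about the same sample, and why auditing only Alice's pile is cheaper), as an added example that is not from the talk or the authors' code. The 55%/45% race, the 5% discrepancy threshold and the 95% confidence level come from the slides; the sampling-with-replacement bound, the exact without-replacement count and all function names are my own simplified model, not the full algorithm the talk refers to.

```python
import math

# Figures from the slides' Audit Example: a 55%/45% race, so flipping the
# outcome needs at least 5% of ballots to differ between the electronic
# tally and the paper record; we want 95% confidence.
WINNER_SHARE = 0.55
DISCREPANCY_RATE = 0.05
CONFIDENCE = 0.95


def min_sample_size(discrepancy_rate, confidence):
    """Smallest n such that, if at least `discrepancy_rate` of the ballots are
    discrepant, n uniform draws (with replacement, a conservative model) find
    at least one with probability >= confidence. Independent of population size."""
    if not 0 < discrepancy_rate < 1 or not 0 < confidence < 1:
        raise ValueError("rates must lie strictly between 0 and 1")
    # P(every draw misses) = (1 - d)^n must fall to 1 - confidence or below.
    return math.ceil(math.log(1 - confidence) / math.log(1 - discrepancy_rate))


def min_sample_size_exact(population, discrepant, confidence):
    """Same question without replacement (hypergeometric): multiply the miss
    probability draw by draw until it drops to 1 - confidence or below."""
    if discrepant <= 0 or discrepant > population:
        raise ValueError("need 0 < discrepant <= population")
    miss, n = 1.0, 0
    while miss > 1 - confidence:
        miss *= (population - discrepant - n) / (population - n)
        n += 1
    return n


def content_sensitive_sample_size(winner_share, discrepancy_rate, confidence):
    """Refined hypothesis from the slides: reject that >= discrepancy_rate of all
    ballots read electronically for the winner but were marked on paper for the
    loser. Every such ballot sits in the winner's electronic pile, which holds
    winner_share of the ballots, so within that pile the discrepant fraction is
    at least discrepancy_rate / winner_share. Sample only from that pile."""
    return min_sample_size(discrepancy_rate / winner_share, confidence)


if __name__ == "__main__":
    print("uniform ballot sample:", min_sample_size(DISCREPANCY_RATE, CONFIDENCE))
    # The slides' marbles-versus-beads question: 100 items vs 6300 items, 10% blue.
    print("100 marbles, 10 blue:", min_sample_size_exact(100, 10, CONFIDENCE))
    print("6300 beads, 630 blue:", min_sample_size_exact(6300, 630, CONFIDENCE))
    print("audit only Alice's pile:",
          content_sensitive_sample_size(WINNER_SHARE, DISCREPANCY_RATE, CONFIDENCE))
```

The uniform sample comes out at 59 ballots, close to the slide's figure of 60, while restricting the sample to Alice's electronic pile brings it down to 32.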
Evaluation
2006 Virginia U.S. Senate race
0.3% margin of victory
We want 99% confidence
                     # ballots   # precincts
Precinct-based       1,141,900         1,252
Machine-assisted         2,339         1,351
Content-sensitive        1,179           853
E-Voting: Opportunity
Used correctly, new technology can make voting cheaper, faster, and more reliable.
Where possible, should design technology so that we don’t need to trust it.
Research points the way…
Making rapid progress—on some problems.
In practice, we have a long journey ahead.