Archive for July, 2008

Scantegrity II at EVT08

Thursday, July 31st, 2008

We presented Scantegrity II at this year’s 2008 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT ‘08).

The paper can be read here [PDF].

Event Photos
Photo: Me giving the talk at EVT08
Photo: Taking questions
Photo: David and Jeremy going over the slides beforehand

OVC: Use chain of custody to fix chain of custody!?

Thursday, July 31st, 2008

Open Voting Consortium and Okori Group offered a new open source voting system solution at LinuxWorld 08. According to the CNET interview:

Dechert says his system is better because it doesn’t use fancy cryptography, it uses a simple chain of custody.

This statement right here is the deal breaker. Why? I would hope it’s obvious:

Chain of custody to solve a faulty chain of custody?

A solution requiring the non-existence of the very fault-condition it attempts to solve is not a solution.

Folks, accept no substitutes. End-to-end verification: often imitated, never duplicated.

Careful where you vote

Sunday, July 20th, 2008

I’ve written before about the social effects likely to be felt by the introduction of online voting. Here is a new one:

A recently published study by Jonah Berger (Wharton), Marc Meredith (MIT), and S. Christian Wheeler (Stanford) has a title that says it all: “Contextual priming: Where people vote affects how they vote.” (Paper). (Hat Tip).

The study of subconscious influence has a long history. People walk slower when primed with words suggestive of old age. They are ruder when primed with aggressive words. People who are asked the number of African countries in the UN, and then asked to spin a wheel with numbers between 1 and 100, tend to guess in a fashion correlated to the random number they spun. A mere picture of watching eyes makes people more likely to leave money for goods sold on the honour system.

It really isn’t a surprise to see evidence that where you vote can influence how you vote. The genius of the study is the palm-to-forehead moment: why didn’t anyone think of this before?

The authors first look at a ballot initiative in the 2000 Arizona general election that proposed an increase in education spending. They divided the precincts between schools and non-schools, and found that voters who voted in a school had a marginal preference (3 points) for the initiative. To test the robustness of the priming explanation, they performed regression analysis that controlled for a number of other possible explanations and found the result still held.

They then conducted a user study in a lab to explicitly test for priming effects during voting. They randomly assigned 327 participants to be shown either pictures of schools or of other buildings, under the guise of an unrelated experiment, and then asked them to vote on an education initiative. They also collected, prior to the study, demographic and political preference information to help control for other influencing factors. The results were consistent with a priming hypothesis: voters exposed to images of schools had a preference for the initiative (7 points).

The paper concludes with a discussion of how different polling places may also prime voters: for example, the majority of Arizona’s polling places were churches, which may influence votes on social issues. Given the amount of money spent for any edge in an election, I would not be surprised to see parties trying to influence the selection of polling places towards those which correspond to specific initiatives they back.

Which leads us to an interesting secondary effect of online voting: does the effect disappear if you get to vote from your home or at least, a place of your choosing? What tactics could parties use to prime online voters?

The ‘Lawonomics’ of the Secret Ballot

Friday, July 11th, 2008

The great Freakonom, Steven Levitt, argues that the market price of vote selling is effectively zero because of its essentially insignificant weighting in the outcome.

Of course I agree entirely with Ben Adida’s take: the price is effectively zero because the transaction cannot be verified as having been fulfilled.

The design of E2E receipts completely revolves around this idea, and we spend a lot of time on it. It’s also why E2E voting via the internet is such a hard nut to crack. How can you possibly enforce ballot secrecy in that environment? How can you even enforce it in a polling place?

There is another dimension to it that I wanted to talk about.

If you already have a law against vote selling, do you really need the additional enforcement mechanism (booths, envelopes, etc) at the polling place?

Many other criminal laws do not lean on an additional physical protection measure to prevent the crime; being caught and punished is enough.

There’s no particular physical measure preventing someone from robbing someone of $10 (the minimum bid in the eBay vote selling incident), presumably just the risk of a jail term.

Consider a related situation. In Canada (obviously where there is no HAVA) you can assist someone in voting as long as you sign a statutory declaration that you won’t tell anyone how that person voted. The idea being, yes, you could do it, but you have the legal incentive not to, especially since you’re on record. The Crown probably couldn’t even prove the offense in most situations. And yet this measure seems to be effective enough that no cases come to mind.

You can also (again via a statutory declaration) vote at a polling place without being on the voter list. Presumably you could just go around from poll to poll casting ballots. But it’s ultimately the ‘lawonomics’ — the cost of going to jail weighed against the benefit of stuffing 3 or 4 ballots — that seems to prevent this.

Scantegrity II in EVT 2008

Friday, July 11th, 2008

We will be presenting Scantegrity II at the 2008 USENIX/ACCURATE Electronic Voting Technology Workshop. Here’s the abstract of our paper:

Scantegrity II: End-to-End Verifiability for Optical Scan Election Systems using Invisible Ink Confirmation Codes

by David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman

We introduce Scantegrity II, a practical enhancement for optical scan voting systems that achieves increased election integrity through the novel use of confirmation codes printed on ballots in invisible ink. Voters mark ballots just as in conventional optical scan but using a special pen that develops the invisible ink. Verifiability of election integrity is end-to-end, allowing voters to check that their votes are correctly included (without revealing their votes) and allowing anyone to check that the tally is computed correctly from the included votes. Unlike in the original Scantegrity, dispute resolution neither relies on paper chits nor requires election officials to recover particular ballot forms. Scantegrity II works with either precinct-based or central scan systems. The basic system has been implemented in open-source Java with off-the-shelf printing equipment and has been tested in a small election.

An enhancement to Scantegrity II keeps ballot identification and other unique information that is revealed to the voter in the booth from being learned by persons other than the voter. This modification achieves privacy that is essentially equivalent to that of ordinary paper ballot systems, allowing manual counting and recounting of ballots.
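Two posts on this page turn on the same property: the Lawonomics post argues that a vote has no market price because a receipt cannot prove how you voted, and the abstract above says voters can check that their vote is included without revealing it. The following is an added toy model of the confirmation-code idea, written for this page and not taken from the original post or from the Scantegrity project’s code. It assumes a made-up three-candidate contest, short three-digit codes, and plain salted SHA-256 commitments; the real Scantegrity II protocol uses a more elaborate table structure and a cut-and-choose audit, which this example does not reproduce.

```python
# Added toy model of confirmation-code receipts (not Scantegrity II's actual protocol).
# Assumptions: constructed sample contest, 3-digit codes, salted SHA-256 commitments.
import hashlib
import secrets
import string

CANDIDATES = ("Alice", "Bob", "Carol")  # constructed sample contest
CODE_LEN = 3                             # short codes keep the board readable


def _fresh_code(taken):
    """Random confirmation code, unique within one ballot (a real system uses longer codes)."""
    while True:
        code = "".join(secrets.choice(string.digits) for _ in range(CODE_LEN))
        if code not in taken:
            return code


def commit(serial, candidate, code, salt):
    """Salted hash commitment to one (ballot, candidate, code) cell of the secret code table."""
    msg = f"{serial}|{candidate}|{code}".encode()
    return hashlib.sha256(salt + msg).hexdigest()


class ElectionAuthority:
    """Holds the secret code table; publishes only commitments, then the revealed codes."""

    def __init__(self, n_ballots):
        self.codes = {}        # serial -> {candidate: code}   (secret)
        self.salts = {}        # serial -> {candidate: salt}   (secret until audit)
        self.commitments = {}  # serial -> {candidate: digest} (published before voting)
        self.posted = {}       # serial -> code the voter developed (published after voting)
        self.spoiled = set()
        for serial in range(1, n_ballots + 1):
            taken, row, salts, digests = set(), {}, {}, {}
            for cand in CANDIDATES:
                code = _fresh_code(taken)
                taken.add(code)
                row[cand] = code
                salts[cand] = secrets.token_bytes(16)
                digests[cand] = commit(serial, cand, code, salts[cand])
            self.codes[serial], self.salts[serial], self.commitments[serial] = row, salts, digests

    def cast(self, serial, candidate):
        """The voter's pen develops exactly one code; serial plus that code is the receipt."""
        if serial in self.posted or serial in self.spoiled:
            raise ValueError("ballot already used")
        code = self.codes[serial][candidate]
        self.posted[serial] = code
        return (serial, code)

    def bulletin_board(self):
        """What everyone sees after the election: serial -> code, with no candidate names."""
        return dict(self.posted)

    def spoil_and_open(self, serial):
        """Print audit: an unused ballot is spoiled and all of its codes and salts are revealed."""
        if serial in self.posted:
            raise ValueError("cannot audit a cast ballot")
        self.spoiled.add(serial)
        return {c: (self.codes[serial][c], self.salts[serial][c]) for c in CANDIDATES}

    def tally(self):
        """Only the holder of the secret table can map posted codes back to candidates."""
        counts = dict.fromkeys(CANDIDATES, 0)
        for serial, code in self.posted.items():
            for cand, c in self.codes[serial].items():
                if c == code:
                    counts[cand] += 1
        return counts


def voter_check(receipt, board):
    """Voter's check: my code appears beside my serial, so my ballot was included."""
    serial, code = receipt
    return board.get(serial) == code


def audit_check(serial, opened, commitments):
    """Anyone's check on a spoiled ballot: each opened cell matches its pre-election commitment."""
    return all(commit(serial, cand, code, salt) == commitments[serial][cand]
               for cand, (code, salt) in opened.items())


if __name__ == "__main__":
    ea = ElectionAuthority(3)
    receipt = ea.cast(1, "Bob")
    print("receipt shows:", receipt)                    # serial and a bare code, no candidate
    print("included?", voter_check(receipt, ea.bulletin_board()))
    opened = ea.spoil_and_open(2)
    print("print audit passes?", audit_check(2, opened, ea.commitments))
    print("tally:", ea.tally())
```

The receipt carries only a serial and a code, and the bulletin board publishes the same pair, so a would-be buyer who is shown the receipt learns nothing about the candidate without the secret table; the salt is what stops him from trying each candidate against the published commitment. The spoiled-ballot audit is what lets anyone check that the printed codes really correspond to the committed table, and an altered board entry makes the voter's own check fail.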

How secret is your secret ballot? Part 3 of 3: Surveillance

Thursday, July 10th, 2008

Both parts 1 and 2 dealt with interface problems between the voter and the paper ballot, machine, or computer that records her vote. For this last segment, Surveillance, we discuss the ways the voter can be watched to determine her choices. Because the attacker or a device must be present to carry out these attacks, they are generally considered more expensive to carry out than what we have discussed so far.

Using the same strategy as seen in the previous segment, we will start with simple examples of this attack, move on to more elaborate examples, and end our discussion with how you could defend against these attacks. Again, as we’ve already seen, different flavors of these attacks may or may not require voter cooperation to work.

Simple Surveillance

The simplest paper ballot scenario is the following: the local union boss sits in the polling place. You flash your ballot to him as you take it from the booth to the ballot box or scanner. He checks your name off on his list.

Another, that works for DREs as well, is to take a cell phone picture or video of your ballot just before or as you are casting it. If the DRE has an audio interface, you may also be able to hook up an audio recorder and record your vote casting experience on tape.

Another class is the “over the shoulder” attack. The voter or poll workers may or may not have to cooperate for it to work. In some cases you may be able to succeed at a significant distance.

Hacking the Machine

The optical scanner or computer (or even lever machine), by definition, records voter choices. It could be modified to keep a serial record of this input. The attacker can tie each record to a voter by noting the order in which people used the machine, and retrieve the record after the election.

Because of the trail it would leave, this class of attacks is undesirable. However, our current testing practices and laws are such that this information might be public record, as seen in Ohio after the 2006 election.

Going High Tech

Mini wireless spy cameras sell for as low as $70, possibly lower. That is well within the range of affordability. In addition, the relative predictability of how polling places are set up means the cameras could be there days before the election begins. A bag or pen equipped with this technology would have no problem recording voter choices.

The camera does not have to be limited to the visible light spectrum. An infrared or other kind of camera might be much easier to hide. In some cases, your body might not be enough to block its vision.

It may not even need to be a camera. Sensors or microphones in the polling booth might be enough to correlate voter choices. You can recover typed text from audio; it’s not a huge jump to do it for voting.

TEMPEST Attacks

A TEMPEST attack is one which records electronic emanations that reveal information being processed by the computer. A Dutch group created a great video showing how this works. Take a look:

My favorite TEMPEST hack, from what I have seen, is an MP3 player for CRT monitors. Just tune your AM radio and enjoy.

Defeating Surveillance

In general, it’s an arms race. As technology progresses and becomes ever more affordable, the situation gets worse. Unless you can strip each voter and scan for optical eye and other types of implants, election officials will eventually lose.

The strategy here should be to drive up costs and take precautions. Make machines that meet the TEMPEST standards. Go to each polling place and do a scan for wireless emissions. Look for cameras and sensors when you set up the polling place. Do not allow voters to take cell phone cameras or bags into the voting booth. As long as it is prohibitively expensive, the laws are harsh, and there is the threat of being caught, it is hopefully not worth it.

Vote Selling: Harder Than You Would Think

Friday, July 4th, 2008

According to one Minnesota voter’s story:

A college student claimed it was all a joke when he put his vote in this fall’s presidential election up for sale on the Web auction site eBay. But prosecutors didn’t see the humor.

Back in 2000 there was a website specifically for selling votes, but that was taken down fairly quickly, too. Surely, a widespread black market off-shore shop might be possible, but succeeding with this sort of thing usually requires a confidential and limited approach.

The vote selling issue has always been interesting to me. Obviously, it should not be possible to make a proof of sale, because that opens the system up to other forms of coercion. However, if you can’t confirm compliance, is there anything to worry about?

My opinion is that these laws should still exist, for two reasons. First, privacy is really hard to guarantee with a voting system, and you can still get lesser forms of “proof” (e.g. a cellphone picture of a ballot, which can be faked but might still be enough). Second, I (weakly) disagree with the major argument that I have heard for vote selling, which is that candidates are buying votes with their positions and promises anyway. Otherwise, voters who would not bother to vote end up affecting the process for the more interested voters. I think that anything other than an opinion of the candidate that makes a voter change his vote is probably wrong.

I am still writing part 3 of the secret ballot series, and I should be finished soon. Have a happy 4th of July!

Semiprime Time

Friday, July 4th, 2008

Computer scientist and election technology analyst Avi Rubin touched on some familiar themes in an interview yesterday:

There are cryptographic techniques that can be used to achieve software independence so that even if there’s a bug in the software, you’ll detect if there’s a problem. But those are not ready for prime time in my opinion.

Though I’m generally more optimistic about this, it’s a fair statement, especially since there hasn’t yet been any definitive event to change many minds. The question I put to you, fair reader, is how do we recognize when the time has come? It would seem, as in Rubin’s case, that a conservative assessment of the situation would best allow one to avoid taking a premature position on the matter.

I suppose there are only two factors to take into account. One is a stable convergence of the technology with a consistent set of security ideals. However, this by itself may be too abstract to be appreciated by the general public.

Naturally for me as an engineer, the defining characteristic of a technology entering “prime time” is its first successful deployment in the field.

But perhaps we can never say for certain the time has come, only that now is as good a time as any.