
4 Technology Issues
Pages 45-95

The Chapter Skim interface presents what we've algorithmically identified as the most significant single chunk of text within every page in the chapter.


From page 45...
... Voter registration is a complex process, as one might expect of a decentralized endeavor that involves millions of voters. Historically, voter registration has been a local function, and the primary function of election officials.
From page 46...
... 2 Florida Department of State, Florida Voter Registration System: Proposed System Design and Requirements, January 29, 2004. Available at http://election.dos.state.fl.us/hava/pdf/FVRSSysDesignReq.pdf.
From page 47...
... check across state boundaries to see if voters are registered in more than one state or if they have voted in two states on Election Day. Though this task sounds like a relatively simple one -- just compare the lists3 -- it is enormously complicated by two facts: (1)
From page 48...
... One class of algorithms developed to handle such problems is Soundex algorithms.5 These algorithms are widely used today for applications involving name matching, and their applications include name matching in comparisons of voter registration databases with other databases. It is useful to distinguish between a "strong match" and a "weak match." A strong match is one in which there is a very high probability that two data segments represent the same person.
From page 49...
... One such use is to purge in local election jurisdictions chosen so that a purge would have differential effects on various voting blocs. Statewide management of voter registration lists reduces the possibility that decisions to purge are made locally, but there may be nothing in state law that in principle or in practice prevents state officials from ordering such purges for political reasons.
From page 50...
... Are the relative priorities of election officials in the purging of voter registration databases acceptable? As noted above, purging databases can be conducted in an overaggressive manner or in an underaggressive manner.
From page 51...
... Box 4.1 False Positives and False Negatives. Let Pfp = the probability that an eligible voter on the voter registration (VR) rolls is wrongly purged.
From page 52...
... departments of correction, and departments of vital statistics are not under the control of the state election officials. (Vital statistics are usually under the control of a county or municipality.)
From page 53...
... Voters who lack confidence in the operation of voter registration systems will be uncertain about their ability to vote on election day. Large numbers of such voters will almost surely result in reduced turnouts.
From page 54...
... However, information technology might be used to provide such similar information to poll workers without the need for such a procedure.7 4-9. How should voter registration systems connect to electronic voting systems, if at all?
From page 55...
... asserts that the system in question meets or exceeds the Federal Elections Commission's 2002 Voting Systems Standards (Box 4.2).8 ITAs are designated by the National Association of State Election Directors, and a vendor pays an ITA for its work in qualifying a system.
From page 56...
... A second round of review for all of the VVSG is expected to follow, resulting in an integrated and forward-looking version of the VVSG that should be available in FY 2006. ... procedures are followed by poll workers, for example, and any given set of standards may -- or may not -- presume that these procedures are followed.
From page 57...
... And, a small change to a qualified piece of software can in principle render it noncompliant with the relevant standards. For such reasons, election officials may wish to go beyond the qualification process in their assessments of vendor offerings.
From page 58...
... With new technologies being frequently deployed, election officials may face the task of assuring the public that the new systems are in fact secure and reliable, even if no problems arise immediately. At the same time, the consequences of inaccuracy and/or system failure place election officials on the front line of responsibility that could ultimately affect the outcome of any election.
From page 59...
... may be of lesser concern than smaller security holes in another part of the system if the latter can be exploited on a large scale more easily and more anonymously. Cybersecurity experience suggests that there is only one meaningful technique by which the operational security of a system can be assessed: an independent red team attack.12 The term refers to tests conducted by 11 National Research Council, Cybersecurity Today and Tomorrow, Pay Now or Pay Later, Washington, D.C.: National Academy Press, 2002.
From page 60...
... A procedural flaw might be a poll worker who can be bribed to take an improper action.) Red team attacks are also unpredictable, in contrast to scripted tests in which the system's developer tests what it believes to be likely attacks.
From page 61...
... In case of doubt, a voting system should be considered unsafe until proven safe, and election officials should refrain from certifying, purchasing, or deploying voting equipment until independent security reviewers are confident that the technology will function as desired.15 The perspective of the election official is quite different. From a public policy perspective, it is desirable for election officials to have open attitudes about election concerns raised by members of the public, to welcome skepticism as a way of reassuring the public about how elections are conducted, to treat every election as precious, and to strive to eliminate 15 David Wagner, University of California, Berkeley.
From page 62...
... The short period available to election officials for declaring a winner means that the time available for public inspection and access is short. And, the political pressures from all sides in an election to know its outcome rapidly mean that election officials have strong incentives to avoid recounts that might delay the declaration of a winner.1 If election processes -- and in particular, source code -- were available for inspection, critics of electronic voting systems could reasonably be expected to assume the burden of demonstrating that security problems exist.
From page 63...
... From the point of voter registration to the moment of winner certification, there are many opportunities for something to go wrong -- both deliberately and accidentally -- that can potentially affect an election outcome. As with all public officials, election officials do not have the resources to deal with all problems, and they necessarily leave some unaddressed.
From page 64...
... Election officials and legislators tend to respond to fraud cases that have come to light during their tenure. By this standard, some election officials are skeptical of the claim that electronic voting systems without paper trails are less secure than nonelectronic systems, partly because most proven instances of election fraud to date have involved nonelectronic voting systems.19 And, in response to the possibility of fraud, many election officials have worked to improve procedures and organization that enhance the overall security posture of elections.
From page 65...
... Computer scientists will presume a vulnerability is significant until shown otherwise, but election officials will presume that the integrity of an election has not been breached until compelling evidence is produced to the contrary. This difference in perspective largely accounts for the tendency of some election officials to blame electronic voting skeptics for scaring the public about security issues and for the tendency of some electronic voting skeptics to say that election officials have their heads in the sand.
From page 66...
... Whereas an explicit evaluation seeks to uncover security flaws that might exist in any given implementation, a redundant implementation -- that is, a competing implementation sponsored and created by any political party with a stake in elections -- would require that at least two independent systems be compromised in order to commit fraud successfully. However, the redundant approach has not been adopted for electronic voting, though it has been used in a variety of situations where high reliability and security are required.
From page 67...
... Procedures · Procedures for upgrading or patching software · Procedures for qualifying and certifying patches (or, in fact, the system configuration after a patch has been installed) · Procedures for decertifying or dequalifying software or hardware · Procedures for setting up and breaking down the system in operational use · Procedures for handling vote totals at the close of the polling place SOURCE: Drawn in part from Leadership Conference on Civil Rights and the Brennan Center for Justice, New York University, Recommendations for Improving Reliability of Direct Recording Electronic Voting Systems, June 2004.
From page 68...
... Though election officials -- in their role as purchasers or lessors -- are not responsible for system development or design, they too must undertake a risk analysis to determine if their own concerns about security are reflected in the vendor's analysis. For example, if the threats of concern to election officials are not reflected in the threat model used to analyze risk, the risk analysis is not likely to provide useful guidance to those officials.
From page 69...
... The best example of an adversarial assessment is the use of independent red teams, or "tiger teams," as described earlier.23 Short of a red team attack, an independent adversarial examination of the "internals" of a system (physical construction in the case of hardware, actual code in the case of software) will provide some insight into its ability to resist attack, since it is likely to uncover flaws that an adversary might use.
From page 70...
... The following examples are intended to suggest a range of possible threats against which a system must be designed: · The first person to vote on Election Day in her precinct may well be known to poll workers or others present at the precinct. A voting system that does not randomize the order in which ballots are reported will report this person's vote, and ballot counters will be able to recognize which ballot was cast first and thereby be able to easily deduce how she voted.
From page 71...
... According to the Federal Election Commission's 2002 Voting Systems Standards, one purpose of acceptance tests is to ensure that the units delivered to local election officials conform to the system characteristics specified in the procurement documentation as well as those demonstrated in the qualification and certification tests. To help ensure that qualified voting systems are used consistently throughout a state, ITA labs can file digital signatures of qualified software with the software library of the National Institute of Standards and Technology (NIST)
From page 72...
... · Third parties may masquerade as election officials or vendors and demand access to the voting stations in storage. Or moles (individuals with ostensibly authorized access but who in fact have been compromised to work in a partisan manner)
From page 73...
... Thus, some election officials may still try to think of ways to avoid this certification step, particularly if they know that a smooth election process depends on a last-minute fix. A related issue is that despite precautions that have been taken, software may have been compromised through the introduction of an unauthorized patch.
From page 74...
... For example, Party A might try to deny service in an area with large numbers of people from Party B, thus reducing the turnout and vote count for Party B. Lack of availability of even a few voting stations for even a short amount of time during peak hours can result in very long lines for voting, leading to voter discouragement and an effectively lower turnout.30 29 Source code refers to the software in the form in which it was originally written -- usually in a high-level programming language that is understandable to humans.
From page 75...
... An example of data that might support an audit is exit poll data, which might be collected by the state rather than a media organization, for later comparison to actual totals. This point is the primary motivator of various demands for paper trails in electronic voting systems -- the concern expressed by many advocates of paper trails is that a DRE system without such a capability is unaccountable, and that such systems give election officials who are challenged the stark choice between accepting the numbers proffered by the system and redoing the election.
From page 76...
... · Type of certification for software update. · Comparisons of digital signatures of software running on individual voting stations with digital signatures in NIST's National Software Reference Library.
From page 77...
... When electronic voting systems are involved: · Frequency of restarts and reboots required for voting stations. · Descriptions of anomalous behavior during use.
From page 78...
... Parallel testing, which is intended to uncover malicious attack on a system, involves testing a number of randomly selected voting stations under conditions that simulate actual Election Day usage as closely as possible, except that the actual ballots seen by "test voters" and the voting behavior of the "test voters" are known to the testers and can be compared to the results that these voting stations tabulate and report; this exception is not available (because of voter secrecy considerations) if the parallel testing is done on Election Day.
From page 79...
... Poll workers are generally responsible for initializing voting stations so that the internal counts in each station are set to zero and for delivering station totals to the central tabulation authority. Unless special precautions are taken against the possibility of a compromised or partisan poll worker, these are the points on Election Day at which tampering is most likely to occur.
From page 80...
... Manual handling of the numbers and the use of computer-readable media for recording the vote totals both raise issues of physical custody of the ledger or media in transport to the tabulation authority. For example, if precautions are not taken, an adversary could substitute a CD-ROM prewritten with the appropriate vote totals for the CD-ROM taken from a specific voting station.
From page 81...
... In general, computers will be responsible for tabulating the results from individual voting stations. But all of the concerns about software security expressed earlier in the context of individual voting stations apply as well to software at the central authority, with the possible exception that physical security is likely to be easier to maintain in a single place than in many precincts.
From page 82...
... Consequently, different vendors and different election officials can legitimately and ethically make different decisions about how best to present information to the voter and how best to capture the voter's vote. One quantitative measure of a system's usability is the error rate of 31 A particularly worrisome scenario is that corrupt partisans might modify vote totals so that the margin of their candidate exceeds that required by law for recounts, precluding a recount or any other subsequent closer examination.
From page 83...
... 2005. Recount data also provide indicators of error rates, and these are in the 0.5 to 1 percent range; see, for example, Stephen Ansolabehere and Andrew Reeves, "Recounts and the Accuracy of Vote Tabulations: Evidence from New Hampshire Elections 1946-2002," CalTech/MIT Voting Technology Project Working Paper, January 2004.
From page 84...
... Task analysis. A first order of business is to understand what the basic voting task is, not what specific objects or events the voter must see or hear or what particular responses must be made but rather what information must be communicated to the voter (from the machine, the physical environment, and the poll workers)
From page 85...
... It can be augmented by poll workers explaining features of the machine or process that may be confusing. A more sophisticated approach used in some computer-based systems is to embed the training -- that is, have the voter go through a few steps of observation and response to displayed dummy candidates to
From page 86...
... As one example, election officials are likely to interact with a voter registration database system frequently, whereas voters are likely to interact with a voting system only rarely.
From page 87...
... · Does the system provide adequate feedback that the vote intended was indeed captured? SOURCE: Harry Hochheiser, Ben Bederson, Jeff Johnson, Clare-Marie Karat, and Jonathan Lazar, The Need for Usability of Electronic Voting Systems: Questions for Voters and Policy Makers, Association for Computing Machinery (ACM)
From page 88...
... " While punch card, optical scan, and lever voting systems involve physical artifacts that provide immediate feedback to the voter about the choice or choices that have been made, the workings of electronic voting systems are more opaque from the voter's standpoint. Indeed, in some electronic voting systems, feedback mechanisms must be explicitly designed in.
From page 89...
... In some instances, assistance from poll workers may be necessary.
From page 90...
... Of course, election officials have the option of insisting that a provisional ballot be processed entirely offline. But a vendor may offer such capabilities online.
From page 91...
... This voter was timed as taking almost 24 minutes to vote, from start to finish; other voters at this same location were observed typically taking from about 5 to 7 minutes to vote using the same electronic voting machines. It is thus reasonable to ask about the nature of usability testing and the range of users involved in such testing.
From page 92...
... a realistic estimate of error rate is obtainable only by undertaking the measurement under circumstances that are very close to those that would prevail on Election Day.
From page 93...
... Thus, election officials must either conduct usability testing themselves, or engage some other party (parties)
From page 94...
... 4-42. To what extent are practice systems available for use before and on Election Day?
From page 95...
... These contrasts illustrate a more general point -- in the design of any computer system, there are inevitably trade-offs among various system characteristics: better or less costly administration, trustworthiness or security, ease of use, and so on. Nevertheless, in the design of electronic voting systems, the trade-off between security and usability is not necessarily as stark as many election officials believe.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.