voting system technology - pennsylvania policy summit... · voting system technology ron bandes...

Voting System Technology

Ron Bandes

April 19th, 2017

PA Department of State, Harrisburg


Involvement in Elections

• CyberSecurity member of PA Legislature’s SR394 Committee on Voting System Technology

• VVSG CyberSecurity Public Working Group

• Election Verification Network

• Election laws review committee, League of Women Voters PA

• Task force to design Remote Ballot Marking System for the National Federation of the Blind

• Judge of Election in Mr. Rogers’ Neighborhood (WQED polling place)

• President, VoteAllegheny (a non-partisan, election integrity organization)

• Presenter on Election Security to FBI Infragard, B-PEP, and others


Topics for Today

• Collaboration between PA DoS and Carnegie Mellon University

• Risk-Limiting Audits


Collaboration between PA DoS and CERT Division @ CMU

Security Standards for Voting System Examinations


Voting System Components

• Voting Systems include more than just voting machines

• Voting Machines (DRE, precinct-level ballot scanners)

• e-Pollbooks

• Central-site ballot scanners (for absentee, emergency backup, provisional, and possibly regular ballots)

• Election Management System


Voting System Certification

• PA Counties choose which voting systems to purchase from a short list

• The short list comprises voting systems certified by the PA Secretary of State (SoS), following examinations of various vendors

• Only systems certified by the federal Election Assistance Commission are eligible to be examined in PA

• Ten citizens of PA may cause a re-examination to be performed

• The SoS may decertify voting systems, as he did with the AVS WINVote in 2007


Voting System Examination

• In the past, Voting Systems have been examined for compliance with the PA Election Code and for Pennsylvania-specific functions.

• They have not been subjected to robust security testing. VVSG 2005.

• The PA DoS wishes to perform security testing that reflects the changes since 2005.

• Will establish the areas of potential vulnerabilities so the examiners can design test cases for specific equipment. Integration tests.

• PA DoS is in talks with the CERT Division of Carnegie Mellon University to create security testing standards


CERT – Cyber Security Leader

https://books.google.com/books/about/CERT_Resilience_Management_Model_CERT_RM.html?id=2xvR3g9XZW8C&source=kp_cover&hl=en

https://www.amazon.com/CERT-Guide-Insider-Threats-Information/dp/0321812573

https://www.amazon.com/Cyber-Security-Engineering-Practical-Assurance/dp/0134189809/ref=sr_1_4?s=books&ie=UTF8&qid=1491506167&sr=1-4&keywords=cert+software+engineering

The Nature of the Statement of Work

• CERT will enumerate the types of tests that must be performed on voting systems

• CERT will provide an examination compliance checklist, with emphasis on cyber-security best practices

• The examiner, contracting with the Dept of State, will develop test cases peculiar to a specific voting system that comply with the enumerated types of tests

Components of Security

• Confidentiality

• Vote Anonymity

• Information Integrity

• System Availability

• Auditability

• Recountability

Confidentiality

From the time the voter begins to mark a ballot until the ballot choices are cast and recorded, the system must maintain the confidentiality of the ballot.

Vote Anonymity

From the time a ballot is cast, the identity of the voter must be disassociated from the ballot.

It must not be possible for the voter’s identity to be re-associated with the voter’s ballot.

Information Integrity

The voting system must give assurance to the voter that his/her ballot choices are being recorded, counted, and reported as marked and cast.

The voting system should not permit an undetected change or error in software to cause an undetectable change/error in an election outcome (software independence).

System Availability

The voting system must be available in normal operating mode to the voter during the entire period of voting hours.

The voting system must not have a single point of failure that could result in the loss of information from cast ballots.

Auditability

The voting system must keep logs of events, such as:

• Voter events

  • admission to the machine, selection of ballot style, casting of ballot

• Data must be kept in a form close to that generated by voter: only voter-generated data can be considered evidence of voter desires and actions

• System events – hardware and software failures, resource exhaustion

• Pollworker events – actions performed on a voting system requiring special privilege, such as cancelling a ballot, opening & closing the system for voting

• System Administrator events – performing tests, changing configuration

Recountability

The system must retain data in a form close to that generated by the voter.

It must be possible to re-examine voter actions or marks in order to re-evaluate the voter’s intention.

Risk-Limiting Audits

Many Types of Audits

• Pollbook Audit – ensures number of voters checked-in matches the number of ballots

• Procedures Audit – ensures that pollworkers are following procedures correctly

• Chain-of-Custody Audit – ensures that ballots, memory devices, and voting machines have proper custody at all stages of the election and are not tampered with

• Post-Election Vote-Tabulation Audit – ensures that the voting systems are working correctly: properly interpreting ballots and counting votes

Recounts

• Not a type of audit, but related

• Ensures that the correct outcome of an election is determined


What is a Vote-Tabulation Audit?

• An audit examines evidence of some voters’ intent, and compares outcomes with the vote-counting system

  • Examination could be done with a different computerized system or manually

• Evidence consists of records of voters’ choices

• Types of Vote-Tabulation Audits:

  • Fixed percentage sample

  • Fixed number sample

  • Statistical sample (many ballots for close race, few ballots for wide margin)

Quality of Evidence

• Best evidence is closest to voters’ actions & verified by voter

• Best – hand-marked paper ballots

• Good – voter-marked (perhaps with assistive technology) paper ballots

• Acceptable – voter-verifiable paper audit trail

• Unacceptable – electronic records (without paper)


Risk-Limiting Audits (RLA)

• A type of post-election, vote-tabulation audit

• Determines how well voting systems interpret cast ballots

• Determines how well tabulating systems tally the votes

• Puts a predetermined limit on the risk that the audit won’t detect an incorrect outcome

• May also serve as a recount

  • If wrong outcome is detected

  • and Law allows


Types of Risk-Limiting Audits

• Ballot-level comparison audits (most efficient; can be used in more contests)

• Voting-system interpretation of individual ballots (usually Cast Vote Records) is compared with the audit interpretation of the same ballots

• Comparison audits at the batch level (least efficient)

• E.g., auditing the voting system’s subtotals for certain precincts

• Ballot-polling audit

• Based on random sample of ballots without reference to the voting system interpretation of those ballots

• Useful when paper ballots cannot be associated with voting system ballot images
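An added example, not part of the original slides: a ballot-polling audit run as a sequential test with a predetermined risk limit, using the published BRAVO method, which the slides do not name. The contest, candidate labels, seed and function names are constructed for illustration; `expected_ballots` shows why a close race needs many ballots and a wide margin few.

```python
import math
import random

def draw_sample(paper_ballots, n, seed):
    """Draw n ballots with replacement. Assumption: the seed is generated
    publicly (e.g. dice rolls) after the reported results are committed."""
    return random.Random(seed).choices(paper_ballots, k=n)

def bravo(sample, winner, loser, reported_share, risk_limit):
    """Sequential ballot-polling test over hand-read paper ballots.

    reported_share is the winner's reported share of the winner+loser votes.
    Returns (confirmed, ballots_examined). confirmed=False means the sample
    ran out without enough evidence, so the audit escalates (more ballots
    or a full hand count)."""
    if not 0.5 < reported_share < 1 or not 0 < risk_limit < 1:
        raise ValueError("need 0.5 < reported_share < 1 and 0 < risk_limit < 1")
    t = 1.0  # likelihood ratio: reported result versus a tie
    for n, mark in enumerate(sample, start=1):
        if mark == winner:
            t *= reported_share / 0.5
        elif mark == loser:
            t *= (1 - reported_share) / 0.5
        # any other mark (undervote, other candidate) leaves t unchanged
        if t >= 1 / risk_limit:
            return True, n
    return False, len(sample)

def expected_ballots(reported_share, risk_limit):
    """Wald approximation of the average sample size when the reported
    share is accurate and every sampled ballot is for winner or loser."""
    s = reported_share
    drift = s * math.log(2 * s) + (1 - s) * math.log(2 * (1 - s))
    return math.log(1 / risk_limit) / drift

if __name__ == "__main__":
    # Constructed contest: 10,000 paper ballots, A reported at 55% of A+B.
    ballots = ["A"] * 5500 + ["B"] * 4500
    sample = draw_sample(ballots, 3000, seed=20170419)
    print(bravo(sample, "A", "B", 0.55, risk_limit=0.05))
    for share in (0.51, 0.55, 0.70):
        print(share, round(expected_ballots(share, 0.05)))
```

The test never consults the voting system's interpretation of individual ballots, only the reported totals, which is what makes it usable when paper ballots cannot be matched to cast-vote records.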

Requirements for Ballot-Level Comparison Audits

• Voter-verified paper records

• Hand-marked paper ballots are inherently voter-verified

• Chain-of-Custody of ballots & electronic records must be preserved

• The means to correlate paper records with electronic cast-vote records

• Having a ballot scanner apply a ballot ID number after the ballot is separated from the voter’s identity

• Laws in the election code allowing for the above requirements

Advantages of Risk-Limiting Audits

• Won’t audit too few ballots – known, acceptable risk of failing to detect an incorrect outcome – provides strong evidence

• Won’t audit too many ballots – saves money, time, and manpower. Makes resources available for more audits.


Questions?