Voting: October 2008 Archives


October 28, 2008

Another year, another set of complaints about recording errors from DREs (ES&S, Hart). The general situation here is that voters report they tried to vote for candidate X and the machine reported a vote for candidate Y. Wallach's analysis of the Hart machines suggests that the machines are functioning as designed but that users are finding the UI confusing. The ES&S is a touchscreen machine and the alleged source of the problem is calibration errors. There's no inherent connection between the displays on the DREs and the sensors used to register your vote (see this article by Doug Jones), and they can get out of sync, registering the wrong votes.

Note that these aren't security issues: they're pure systems design issues, but that doesn't mean they don't present a problem. The calibration issues with ES&S machines present a particular difficulty, because the touchscreen can drift after it leaves election central, and then it relies on pollworkers or voters to notice the problem. Given how confusing these interfaces can be (cf. Wallach's post about Hart), it's an open question how many voters just assume it's their own fault and back up and correct their votes. This is especially likely if the machine is just slightly miscalibrated, since a slightly off-center press may register incorrectly, but a more careful on-center press will register correctly, leading the voter to attribute any problems to user error.

Assuming there's no easy software fix for the calibration drift (which I suspect there isn't), it's not exactly clear what to do. Potentially you could recalibrate for every user, but that adds time to the voting experience and is potentially another thing to confuse them. I've heard suggestions for bigger buttons, but that video looks to be off by inches (which actually makes me worry it's not a calibration issue but some other kind of bug), so that wouldn't fix it.


October 18, 2008

In the comments, "Student" writes:
I have never understood the deal with voter registration. It seems very odd to me.

The state is supposed to know who is allowed to vote. If the state can't even keep track of this you are bound to have cheating. So, why not just register everybody who is allowed to vote and tell them where they are supposed to vote. Works perfectly in Sweden. Unless you vote by mail you get the place where you are supposed to vote assigned to you (usually within a reasonable distance of where you live). Everybody votes on paper. The votes are counted by hand in each district several times and the results from 99% of the districts are in the same evening.

How does America manage to make voting such a hard problem?

I'm not going to defend the registration thing, but I get the impression a lot of non-Americans don't understand how different the American political system is and how it changes the dynamics of voting. In a typical foreign election, there may be one or two contests (my Swedish sources tell me it's often one). Americans vote on everything. My absentee ballot for the November general election (I'm working the polls so they recommended I vote absentee) has 24 separate contests (President, Senator, US Representative, State Senator, State Assembly, Superior Court Judge, County School Board, 12 state-wide propositions, 1 county proposition, 3 district propositions, and 1 local proposition). This isn't that unusual in California, and Joe Hall's thesis says that some counties can have up to 200 contests. So, the required level of effort in the US is between one and two orders of magnitude greater than in many other countries.

Experience with hand counting ballots in New Hampshire, which still does a fair amount of hand counting, gives an estimate of about 6 seconds per contest/ballot pair in teams of 3 with the sort-and-stack method (reference from Joe Hall). If we assume 5 seconds for convenience, that gives 15 man-seconds per contest/ballot pair. If Palo Alto were to do a hand count of this election, then you would need about 6 man-minutes/voter and your team of 3 does about 30 ballots/hour. Looked at another way, if you want to get results in 3 hours on election night, you need 7 teams of 3 each for a precinct of about 1000 registered voters (this assumes about 2/3 turnout). For reference, in the 2004 General Election, Santa Clara had about 600,000 votes cast. In order to get results that night (which the current electronic systems do) you would have needed approximately 3,000 counters at a cost of about $1.39/ballot (estimate from Anthony Stevens of New Hampshire). As a reference point, California polling places can be staffed by around 5 people (and Stevens's numbers assume that the counters haven't spent the past 15 hours watching people vote), so you're probably looking at increasing the total number of people the County needs by a factor of 3-5.[1]

This isn't to say that voting in the US is somehow perfect, but for politico-structural reasons that have nothing to do with the technology employed, the scale of the election is quite different than in many other countries, so you can't really draw comparisons without adjusting for that.

Thanks to Joe Hall for helpful discussions about this post.

[1] Hall reports that the Los Angeles County 1% manual recount can take weeks.


October 17, 2008

The Supreme Court has ruled for Ohio Secretary of State Jennifer Brunner. The background here is that there were a lot of new voter registrations in Ohio and the Republican party was trying to challenge many of those registrations on the basis of mismatches between the registrations and other databases (e.g., driver's license records). The Supremes ruled for Ohio on technical grounds, namely that HAVA doesn't provide a private right of action that the Republicans can sue under.

I don't have an opinion on who should have won this lawsuit—that's a question for lawyers—but it certainly seems likely that many of these discrepancies are innocuous, as suggested by the Times:

Voting experts and state election officials have raised concerns about treating flagged voters differently because the databases used to check registrations are prone to errors. Most non-matches are the result of typographical errors by government officials, computer errors and use of nicknames or middle initials, not voter ineligibility, they said.

In one audit of match failures in 2004 by New York City election officials, more than 80 percent of the failures were found to have resulted from errors by government officials; most of the remaining failures were because of immaterial discrepancies between the two records.

For example, I generally don't use my middle name on official forms. My driver's license doesn't have my middle name on it, but my passport does, so what do I put on my voter registration? And when I move, do I have to remember what I had last time? That said, it's not clear how to resolve these issues in a system like the one we have now, where a lot of people don't register and we don't have any universal system of identification.


October 13, 2008

Senate Bill 381, signed by Governor Schwarzenegger on October 1st, provides for online voter registration. Here's the statement from SoS Debra Bowen.
"Californians can pay bills and file their taxes online. Being able to register to vote online is the next logical step in making it easier for Californians to participate fully in their democracy," said Secretary of State Debra Bowen, California's chief elections officer. "This measure prevents fraud by limiting online voter registration to people who confirm their identity in a secure manner."

The online registration system will require registrants to provide their birth dates, the last four digits of their Social Security numbers, and the numbers from either a valid California driver's license or identification card. The Secretary of State may require additional information if it's necessary to establish a registrant's identity.

Registrants will be able to complete voter registration online using their digitized signatures that are already on file with the California Department of Motor Vehicles.

Unsurprisingly, there are some security concerns about a system of this type. I would break the major issues down as follows:

  • Authentication of voter registrations.
  • Corruption of the voter registration database via intrusions.
  • Privacy of voter data.

Let's take these in turn.

Authentication of Voter Registration
The first question to ask is whether the authentication here will be acceptably strong. I.e., will I be able to pretend to be you and reregister you to vote in King City, with the effect that when you go to your usual polling place you can't vote? I'm not talking about compromising the registration site, just lying on the form. Currently in order to register to vote in California you need to know your address, SSN or DL # and your birthday, plus you need to sign the form. The online site requires both the last four digits of your SSN and your DL #, plus the other information, but there's no need for you to sign your form. They just take your digitized signature off your driver's license.

Arguably, then, the online scheme is less secure: in the paper-based scheme, the SoS can compare the signature on your form to whatever signature they have on file for you (assuming they have one) and this presumably presents some barrier to forging registrations. That said, though, I suspect they don't do a very good job of verifying signatures on registration forms (actually, I don't know that they do any; credit card companies don't), and anyone who knows your SSN and DL #, probably has a good enough idea of what your signature looks like and they only need to get close enough for casual inspection.

On the other hand, because the online attacker needs both the DL # and the last four digits of the SSN, it's perhaps more difficult to impersonate a valid registration—though not very much so—than the paper-based system where only one of these is required. So, overall, this doesn't seem like a huge security hit from going to an online system.

Corruption of the Voter Registration Database
No matter what mechanism is used for authenticating users, any online system brings the risk that attackers could remotely compromise the registration site and corrupt the database directly. Compromise of single voter registrations is already possible by simpler mechanisms (see above), but an attacker who had direct access to the database could do significantly more damage, for instance massively corrupting the database. Obviously, this creates a new opportunity for a major DoS on the election, especially if it went undetected before election day.

There are a number of mechanisms that could in principle be used to mitigate this kind of attack. The simplest is to have an airgap between the website and the database. For instance, you could have the server print out registration forms which are entered into the database in the usual way. Obviously, this removes a bunch of the efficiencies of having an online system, so it's not really attractive from that perspective. Alternatively, you could have some sort of frequent backups coupled with rate limiting of the number of changes allowed per day, but these checks themselves depend on the software doing the checks being uncompromised, which is hard to guarantee (though defense in depth is possible).

Compromise of Voter Privacy
If the voter database is directly connected to the registration site, then an attacker who compromised the site could potentially get a complete copy of the database. If the database contains sensitive information (the last four digits of your SSN qualifies here), then this is a potential vector for information disclosure. Again, this could be mitigated by having an airgap between the site and the database. Other potential mechanisms include encrypting the sensitive information in the database (this seems to be specified in the CalVote specification). [Technical note: you probably have to use public key cryptography here so that the site can encrypt the sensitive information before storing it in the database, but even an attacker who has completely compromised the system can't decrypt the data.]
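The split the technical note describes, where the site holds only a public key and the private key never touches the site, looks like this in Go; this is an added example written for this post, not code from the post or from any California registration system, and the function names, the record ID and the sample value are constructed. It also covers two details the note leaves implicit: the encryption must be randomized, because the last four SSN digits have only 10,000 possible values and an attacker holding the public key could otherwise build a dictionary, and each ciphertext should be bound to its own record.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// EncryptSensitiveField runs on the public-facing site, which holds only
// the election office's public key, so nothing on the site can reverse
// what it stores. RSA-OAEP is randomized: two registrations with the same
// last-four digits yield different ciphertexts, so a copy of the database
// plus the public key cannot be matched against a precomputed table of
// all 10,000 values. The registration ID is used as the OAEP label, which
// binds each ciphertext to its record so it cannot be transplanted onto
// another registration. (Hypothetical names, not from any real system.)
func EncryptSensitiveField(pub *rsa.PublicKey, regID, value string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(value), []byte(regID))
}

// DecryptSensitiveField runs only on the offline system holding the
// private key, e.g. when staff review a registration; it fails if the
// ciphertext is presented under a different registration ID.
func DecryptSensitiveField(priv *rsa.PrivateKey, regID string, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, []byte(regID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	// In deployment the key pair is generated offline and only the public
	// half is installed on the site; generated here so the demo runs alone.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	ct, _ := EncryptSensitiveField(&priv.PublicKey, "reg-0001", "1234") // constructed sample
	fmt.Printf("site stores a %d-byte ciphertext, not the digits\n", len(ct))
	val, err := DecryptSensitiveField(priv, "reg-0001", ct)
	fmt.Println("offline review recovers:", val, err)
}
```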

Bottom Line
The mass compromise issue seems to be the difficult issue here, both because it's so serious and because it's so different from the current situation. Superficially, it's a fairly standard computer security problem and it may be possible to mitigate it via the usual mechanisms, but the scale of elections and the time pressure under which they are conducted make it especially challenging.


October 6, 2008

I was down at the Santa Clara Registrar of Voters today, and they seem to be pretty interested in having you vote by mail, what with all the signs offering you to sign up for permanent vote by mail status. There was a chart on the wall, which I forgot to take a picture of, that indicated their target of 400,000 v-b-m voters by the general election (there were ~600,000 votes in Santa Clara in the 2004 election). The clerk who I talked to tells me that it used to be really hard to sign up for v-b-m (you had to demonstrate serious hardship for in-person voting) but that now it was really easy. In any case, if we get to the point where a really large fraction of voters vote by mail rather than in person, then we may need to seriously adjust the threat model to match.

In particular, one of the issues that often gets a lot of airtime in discussions of new voting systems is how to prevent vote-buying (or coercion) attacks, including those where the voter cooperates with the attacker. But in vote-by-mail scenarios, it's pretty easy for the attacker to have you give them a copy of the ballot and then fill it in and mail it themselves (especially if voters aren't allowed to change their vote after the ballot is submitted, but even if you can revise your ballot, I doubt most people will bother to in order to cheat).

Oh, I should mention: if you plan to work the polls, they recommend you vote early or by mail because you probably will be assigned somewhere other than your own precinct and so won't have time to vote yourself on election day.