LWV-CIAC Secure Voting 2018 – Part 2


MATT: –and it’s for two seats, how do you make sure that most people vote for two? Some of these are easy to do. But like I say, they’re interesting questions to ask. The big one here, I think, is number two and number three. Number two is, “what assumptions do you make about the procedures and the support?” Because very often the procedure is, well, let’s call the voting machine company and get some help. And that may be good, that may be bad, but it’s something you should know about. Then the next one is, “how do you verify that the voting system accurately recorded the votes cast, independent of the system?” There are cryptographic methods for doing this that work assuming all software works. Paper trails work as well. In fact, in California, at least in our county, they don’t count the votes cast electronically, they count them by taking out the paper tapes and reading the paper tapes. In the last election we had 20 people vote on the machines. The first time they were used, there were 200 people voting on the machines– this is out of 40,000. And what was really interesting was that many of the election officials who were in the polling stations had no idea how to use the machines. Our registrar set up a small group of high school students and undergraduates to go around and help them do this. And in one case, they found a machine with a big sign taped on it saying, “free kittens.” There was a box of kittens under the machine. So the reactions were very interesting.

Then, again, “what are the requirements and how do you know it meets them? How do you handle updated software?” As I mentioned, that was an issue before. What happens if something goes wrong? Do you lose votes? In one of the machines we tested, we asked that we kick the plug out and the machine lost two votes that had not been kept– two that hadn’t been fully stored. Is that a problem? Well, that’s something you need to know. And also, what about corruption? Who will guard the people who are guarding the systems? This is as old as Rome, which is why I put it up there in Latin. [LAUGHTER]

So also, when you do the testing, one of the problems we had was getting access to the voting machine software and documentation. And in fact, in the top-to-bottom review test, which was five weeks long, we got a lot of the documents the week before the test was to end. And that’s simply not enough time to do the type of analysis you want. In another case, we asked for a particular piece of software and we did not get it until one day before it ended. Didn’t really matter because it was the software that would load the program onto the voting machine. When we realized we were going to have trouble getting it, the source code team and the penetration team got together, spent an afternoon in Sacramento and figured out the protocol. So we got what we wanted even before they gave us the source code. And that’s a good example, by the way, of when people say, well, we can’t tell you that. We can’t show you our machine or our software because that would let the bad people see it and otherwise, it would be completely nonsecure. Saying that is good as one step of security. Saying that is bad as the only step.

So I guess a couple of takeaways. Know the requirements of an election so you can define what you want. This is absolutely critical. What I’ve said depends very highly on the requirements of current elections. Change those and a lot of what I have said will probably go out the window. The second one is, in security, you always assume something can go wrong. And it’s not necessarily because of malevolence, it may simply be because someone didn’t know what they were doing. And you have to be prepared to compensate for that. And also, internet voting poses great risks. The specific risks depend on how you do it. I’ve seen some internet voting that uses cryptography that is atrocious. I’ve seen other schemes that use cryptography that is superb. The problem there is not the crypto, it is getting the information to the crypto.

Now, again, I’ll close with an old saying and a new one. The first one has been attributed to dictators under the sun, “those who vote decide nothing. Those who count the votes decide everything.” I’d like to modify that by saying, “those who vote decide nothing, that which records, sends, gathers, and counts the votes decides everything.” I’ve updated it. And with that, I think I’ll conclude. First of all, if there are any questions, I’m happy to take them. If there are any answers you may have– [LAUGHTER] [APPLAUSE] Yes, sir?

AUDIENCE: What do you think of the various open source efforts for doing election software?

MATT: OK, to answer that, my view of transparency is that everything in the election should be observable. This is me speaking as a citizen, not as a scientist. The scientist doesn’t define those requirements, others do. Given that, in my view open source is essential. My big fear though, is people will say, well, this machine can’t be attacked. I mean, it’s open sourced so you know everything that’s going on. And that’s a big mistake. So I consider open source– again, my–

AUDIENCE: It’s a prerequisite that is not sufficient.

MATT: Right, in my view as a citizen, it’s necessary but not sufficient. Yes, sir?

AUDIENCE: So we use mail-in ballots.

MATT: Yes.

AUDIENCE: What are our weak points?

MATT: OK, it depends a lot on exactly how it’s implemented. But here are two right off. First of all, what’s called coercion.

AUDIENCE: Who’s counting?

AUDIENCE: [MURMURED “NO”]

MATT: No, who’s count– actually–

AUDIENCE: Sorry.

MATT: The way, at least our county, does things, mail-in ballots, once they hit election central, are actually handled the same way provisionals are and it’s very safe. What they do is, they take the envelope and validate the signature. If it doesn’t match, they look to see if anyone else lives at that address. And if it’s a married couple, then they validate the signature against the spouse. If not, they will call the person and say, did you send this in? Then what they do if it’s validated, they open up the outer envelope, take the inner envelope and walk it across the room and put it in a pile. Walk back, someone else comes in and opens that envelope and that breaks the association between name and person. So who’s counting them– the only threat would be if somebody intercepted it and opened both. However, coercion is a bit of a problem. The US Mail can be a bit of a problem. And also, you can argue that selling your vote is a problem. However, the issue there is you take a picture of your ballot before you mail it. The problem with selling your vote is if you’re a dishonest person, you take a picture of the ballot, you then change your vote, and then you mail it in. In California, we use what’s called the intent of voter standard. So if two things are marked and one of them scribbled over, the scanners kick it out. But the election official will take one look at it and say, no. Take this vote, pointing to the one that’s not scribbled out. Of course, we had someone do that and the person signed their name. That invalidates the entire ballot immediately because in California, anything on the ballot that points to the voter means the ballot can be used. It’s one of the problems we’re going to have if we switch to cryptographic systems involving random numbers because the ballots will be uniquely marked and that’s not allowed under the law. So there are a lot of issues here. Anyway, vote by mail, I don’t know if that increases participation. The League of Women Voters would know that much better than I do.

AUDIENCE: Just a little bit.

MATT: A little bit? OK. Yeah, I do know that the test they did in Hawaii with vote by phone with fewer people involved. But the security issues there are simply the coercion, selling the vote, and the denial of service and not delivering it.

AUDIENCE: So, in general, it sounds as good as anything.

MATT: No, because there are ways to avoid the coercion and the selling your vote and the denial of service. So I would say, no.

AUDIENCE: OK.

MATT: On the other hand, again, it’s a judgment of the body politic whether or not the disadvantages of doing it that way outweigh the advantages of doing it that way. And that’s something I’m not, again, I’m not going to talk about in this forum. Other questions? Yes, sir?

AUDIENCE: Do you think it would be good, reasonable, bad to have a single procedure nationwide?

MATT: I’m sorry. A single?

AUDIENCE: Way nationwide.

MATT: Single procedure.

AUDIENCE: For voting, to better manage the whole process.

MATT: OK, two comments. The first one is that, I don’t think you could do that even if you wanted to because of the way the states work. The second comment is that if you have one single procedure then the flaws are going to be the same everywhere. The third question is, how detailed are you going to make that procedure? Because in California, the state law controls how people run elections. But each of the 58 counties has slightly different ways of doing it. And so, if you take that away, the laws will have to go into a lot of detail, for example, about what machines they’re going to use and so forth. So I’m not sure about that much. Yes?

AUDIENCE: So what’s the safest way to vote? It sounds like everything’s flawed.

MATT: That’s right.

AUDIENCE: So one isn’t any better than the other?

AUDIENCE: What’s the question?

MATT: Oh, sorry. The question is, so what’s the safest way to vote? As of now, probably in person.

AUDIENCE: Ahh.

AUDIENCE: OK.

SPEAKER: We’re going to go and stop questions here. But, again, another round of applause. [APPLAUSE] And we’re going to have more time for questions at the end, as well. So if you’ve still got something on your mind, be sure to save it.

MATT: I’m going to sit by Josh.

SPEAKER: So our next speaker will be discussing end-to-end verifiable elections, which allow a voter to verify that their vote is both cast and counted accurately. Josh Benaloh is a senior cryptographer at Microsoft Research and an affiliate professor at the University of Washington’s School of Computer Science and Engineering. His 1987 dissertation, Verifiable Secret Ballot Elections, introduced the use of homomorphic encryption and its application to achieving election integrity without requiring trust in election officials, vendors, or equipment. Welcome, Josh. [APPLAUSE] No…

JOSH BENALOH: I probably shouldn’t put that in there. What I realized that I should have put in and I failed to mention the most salient thing, but I didn’t include it– is that I’m currently serving on the National Academies of Sciences, Engineering, and Medicine Committee on the Future of Voting. And we expect to issue a report in late summer. Hopefully it will be interesting. Point you to that, it’s going to direct you. Late summer we should have some interesting things to say. That came up, that’s good. And I want to amplify a lot of what Matt said, only things are in many cases worse. What he said about blockchain voting, it’s worse. There are so many things wrong with that. Yet, the state of West Virginia yesterday announced the blockchain voting pilot. They’re employing it.

MATT: Oy vey.

JOSH BENALOH: Yep. Yesterday. So I guess the place I’ll start is looking at how bad things are. And that, yes, I agree with everything that you included, but I will also add to that. Let me get this on.

AUDIENCE: Um…

JOSH BENALOH: A quote from Alex Halderman at the University of Michigan, who Matt mentioned was part of that DC pilot attack. Alex said that “his undergraduate security class could have changed the results of the 2016 election,” and I can completely believe it.

AUDIENCE: Why didn’t he rig it?

JOSH BENALOH: Yes. [LAUGHTER] [APPLAUSE] You are not the first one to have asked that question.

AUDIENCE: You never said that for exactly that reason.

JOSH BENALOH: Yes. Yes. But he was heavily involved in the recount in Michigan and in many other states. And some of the things he saw were horrifying. You would think that it’s hard to attack many counties at once, but there were actually three little tiny companies of about 12 to 20 employees each with no IT departments or anything that are responsible for most of the counties’ elections. Basically, they service the machines, they deploy the machines, they send out the ballots. Attack them and you’ve got the whole state, basically. And there are other forms of attack. But yeah, it’s really bad. And it’s worse in some ways because of this.

We should, of course, be using best practices, doing the things that Matt is very good at, doing the things that we can to avoid all the bad practices that are out there. We should certainly be doing that. But, it’s not enough. And it’s not enough, in part, because this threat is asymmetric. Yeah, I would like it if King County and Island County and San Juan County and every county in this state, for instance, were doing everything they could. But do I really think San Juan County is able to stand up to the Russian FSB? Or APT1 in Shanghai? Or a North Korean governmental attack? And King County also. I don’t want to pick on small counties in the state. There is no way that we can reasonably expect that we can defend against the kinds of attacks that are going to be out there. So what can we do? Now’s the time when I turn around and actually offer a glimmer of hope. [LAUGHTER] Now when things are darkest.

So Kristen mentioned a little bit about end-to-end verifiability, and this is technology that actually permits any inaccuracies, any tampering at all, to be detected. And when I say detected, I’m not just talking about detected by election officials. Things can be detected by candidates, by media, by individual voters. An individual voter can check and see if something went wrong. And when I say something went wrong, I don’t just mean an attack by the Russian FSB. This includes internal tampering, tampering and corruption by election officials, by equipment vendors, anywhere along the line. This is actually possible. Sounds wonderful, right? Sounds great. Well, this technology is called end-to-end verifiability. And an election is end-to-end verifiable if two properties are met. One is that voters can verify that their own selections have been correctly recorded. And the second requirement is that anybody can verify that all the recorded votes have been accurately counted. It seems really, really good if we could do this. Well, I’d love to tell you about how. I could probably do it thoroughly in about 90 minutes– give you some detail. I’ll give you the 90 second version. Because I don’t have 90 minutes to do that.

But before I do, I want to amplify one other thing that Matt was talking about. A little teaser here. The importance of privacy in elections and the hard thing being, that in elections, voters must not be able to disclose how they voted, even if they wanted to. And in the Washington case– I’ll give a quick anecdote about this– I was doing some data entry at local party headquarters in the 2016 election. Basically, canvassers were sent out to go and ask people, have you received your ballot? Have you returned your ballot? Will you share information about who you voted for? Who do you like? Whatever. All voluntary, of course. And the canvassers will go out and fill out these little bubble sheets. And I was back at headquarters doing data entry on these bubble sheets. And I had drop down menus– there’s nothing that I can do with anything but filling in the bubbles. And as soon as I filled this in, the canvassing information gets shredded. So there’s no reason for anybody to write anything other than filling in the bubbles. That’s the only thing that’s kept. But some of the canvassers really felt obligated, in some cases. And I was seeing some really interesting things. And one thing I saw many times just in my small little case– I’ll give the clearest example of it. The response to, “have you returned your ballot?” was written in, “I don’t know, my husband took it.”

AUDIENCE: Wow.

JOSH BENALOH: That exists in Washington State. And I saw a lot of similar things to that also. That’s just the most concise example. So this is the kind of thing that we enable with remote voting. When we’re not voting in person. Just to be aware of that. OK.

It would, however, be really nice from a security and integrity perspective if we could have open ballot elections. It’d be so much easier. And this is not something that is just, sort of, a crazy thought, we would never have done this. Most presidents in the US were elected without the benefit of secret ballot. It was actually 1892 that secret ballot first became common. This is what elections used to look like in the US. It’s sort of a completely open process. You go up and you announce your vote and people are listening and whatnot. I’m not proposing that we go back to this. Believe me. I don’t want to do it. But let’s just look and think about what it would do for election integrity if we did this. And I’ll give you the modern version of that. A website where you capture everybody’s vote. Everybody can look and say, yup, my vote is up there accurately. All the other voters, they’re on the rolls. Whether the voter rolls are accurate or not is, sort of, a side issue– that’s important as well, of course. But they’re supposedly legitimate voters. And see whether they’re on the rolls. They go with… They have an opportunity to check for themselves. And I can check the count for myself. This is really a high integrity election. And this meets all of the requirements of end-to-end verifiability that I just gave you. OK. But I’m cheating, right? I’ve gotten rid of privacy and achieved end-to-end verifiability.

So how can we do that and actually have a secret ballot also? And here is where the little bit of cryptography comes in, and I’m not going to go through this in detail. But it’s possible to encrypt all the votes, still post all the encrypted votes, and then what you have to do is provide two things. You have to provide voters a way that they can tell what their vote is and see that their vote is accurately recorded without being able to show anybody else what their vote is. And it turns out, this is possible. And the other thing we have to be able to do, and this is another cryptographic trick, is show that set of encrypted votes really corresponds to that tally. And this is all math. And I’m not going to talk about that now, if anybody wants to learn more about it, I’m happy to talk to you offline. I don’t want to bore people with that.

The interesting thing is this front end part, where voters get to check how their vote is recorded. And basically, the trick is that voters get to see something at the time that they are voting that can give them convincing evidence. And then they go away with a receipt, exactly the sort of receipt that Matt was talking about would be very nice if you were having to look up how they voted. But the receipt doesn’t say how they voted. The receipt just matches up with the encryption that they had an opportunity, while they were voting, to make sure it matched up with their vote. So they can check this receipt and they can see, yep, my vote hasn’t changed from the time that it was recorded and I knew what it was. But I have no way to prove to anybody else what my vote is because it’s like a UPS tracking code at this point. It doesn’t show how I voted. OK.

It’s not something that’s speculative out there. This is actually technology that’s existed for decades. And it’s not just one thing. There are multiple, very different ways of achieving these things. But a lot of refinements have been made recently that make this practical, just in a time when we really could use this. So what’s the experience? Is anyone actually doing this? There have been some small cases in public elections, in the Netherlands, Takoma Park, Maryland is a suburb of Washington DC that spells its name weirdly. [LAUGHTER] They used technology that does this in public elections a couple times. There’s an internet based system, which I wouldn’t recommend for public elections, but many university elections and professional society elections are using this kind of system, rather than sending out paper ballots, which is expensive and complicated and inaccurate for them. And this works pretty well there.

I was a part of a team that designed an end-to-end verifiable system for use in Austin, Texas a couple of years ago. It was paper based. It really met their needs very well. Beautiful system. We loved it. We did it in concert with the officials in Travis County, they really wanted to do it. Just a quick look. It looks very much like what you would expect. You go in. You sign in. You go to one of these ballot marking devices that Matt mentioned. You make your selections. You get out a piece of paper, which indicates your selections. And you get one of these receipts, these take-home receipts. And you then can drop the ballot in the ballot box, go home. What most people will do with this take-home receipt is probably crumple it up and throw it away, that’s OK. But they can check it on a website and say, oh, yeah. Look at that. My vote’s still there. I can’t show anybody what the contents are. But I can see my vote. I can check it. Went really well until a few months ago it got canceled. Long, sad story. I’m happy to give you something– well, sad to give you details. But I will provide details on request. Basically, they ran out of money. Even though, in the end, it would have cost them much less. But there was an upfront cost that they just didn’t have. And the existing election companies really pushed hard to try to get this killed because it would have disrupted their whole current model. But it would have been much cheaper. They could have used off-the-shelf equipment instead of this ugly, custom hardware that the current vendors sell at grossly inflated prices with huge maintenance contracts that are even worse. Because once you buy them, you’ve got to maintain them. They could have bought cheap laptops instead if they’d done this. But they couldn’t get the money for the initial development. OK.

Is more being done? Here’s the centralization question that came up. The Election Assistance Commission in the US, they’re the federal agency that’s in charge of trying to create standards, has new standards coming at mid-2018. And one thing they’ve done in their standards, and the standards that are being developed. This is a draft, they haven’t been issued yet. But the draft of these standards say, that elections, to meet the requirements in the future, should be either paper based or have this end-to-end verifiable property. And they can be both. STAR-Vote was both. That’s the best idea. But the reason for this is they really want some way of providing accommodations for voters with various disabilities, especially blind voters. Paper and blind voters don’t go very well together, even though paper is really good for elections in many ways. And this is saying, OK, here’s a way to make accommodations for those voters, use this end-to-end verifiability and that’s good enough as well. That provides a lot of this and there’s a paperless instance. End-to-end verifiability achieves the software independence that Matt was talking about. Together with hardware independence and human independence. Basically, if any of those things go wrong, we can check.

So what’s next? Well, Matt talked about internet voting a little bit. There’s a lot of push, a lot of people, blockchain internet voting, other forms of internet voting. People want to do it. There’s a big strong push towards this. Three years ago I was part of a report that US Vote Foundation commissioned, and we looked hard at this. And what we said was, end-to-end verifiability makes internet voting a lot better than it would be without it. It mitigates a lot of the problems. Is it good enough? Well, you shouldn’t do it without, certainly. But you really should get some experience with end-to-end verifiability in poll sites first. And then maybe we can start talking about internet voting later on. But not a great idea now. So it can make things better right across the board. Should be done. Would love it to be done. I’m happy to take more questions.

I’ve got another slide where I, sort of, answer the question– well, I’ll throw this in. My subjective ranking, because the question was asked earlier– what’s the best voting system? So, here’s my sense. In person, paper based, end-to-end verifiable is the very best you can do. All these things. I think anybody in the security community would pretty much agree with this. The next two, I think even paperless and end-to-end verifiability, in person is really good. Some people will switch this with in-person paper-based without end-to-end verifiability. OK. That’s debatable. Those are the reasonable alternatives. Below this, internet voting with end-to-end verifiability. I think is probably the next best. Again, Matt might argue, others might argue, with this. Paperless, in-person, gets even worse. As a proud Washington voter, I love vote by mail as a voter. But? What’s worse than that? Well, just naked internet voting is even worse. And I know one thing that’s even worse than naked internet voting, vote by email. I think there’s general agreement that that’s the worst that we could possibly do. OK, so that’s all I have to say.

SPEAKER: Thank you, Josh. [APPLAUSE] And we’ll save our questions for Josh until the end. Since we’re running a little late, we’re going to go right into our panel here. So if we can have our panel come on up. We’ve already introduced Josh and Matt and Barbara. I’d also like to introduce Representative Zack Hudgins– coming right up here. So Representative Hudgins has served Washington’s 11th Legislative District.

(Speaking to each other about seat positions)

JOSH BENALOH: Move over one.
