On the security of ballot marking devices

08/05/2019 ∙ by Dan S. Wallach, et al. ∙ Rice University

A recent debate among election experts has considered whether electronic ballot marking devices (BMDs) have adequate security against the risks of malware. A malicious BMD might produce a printed ballot that disagrees with a voter's actual intent, with the hope that voters would be unlikely to detect this subterfuge. This essay considers how an election administrator can create reasonable auditing procedures to gain confidence that their fleet of BMDs is operating correctly, allowing voters to benefit from the usability and accessibility features of BMDs while the overall election still benefits from the same security and reliability properties we expect from hand-marked paper ballots.




1 Introduction

Every voting system must protect against a variety of security threats. It’s the essential purpose of any voting system to provide evidence that its stated outcomes are correct, even in the face of adversaries who may wish to tamper with it. Every voting system must also provide usability and accessibility features, because errors in human voters’ operation of the voting system can lead to changes in the outcome, particularly if the margin of victory is smaller than the margin of human error.

In the early 2000’s, paperless electronic voting systems gained prominence for their ability to offer important accessibility features (e.g., optionally large text, button boxes, multiple languages, headphones), but these systems also created unacceptable security vulnerabilities. Tampered or even buggy software could corrupt or destroy all evidence of voters’ original intent.

Electronic ballot marking devices (BMDs) would seem to bridge the gap between the fundamental security properties of paper, which cannot be overwritten or tampered with by any computer and thus create the potential for elections to be software independent, and the variety of usability features available with computers, which cannot be provided in an equivalent manner by paper-and-pen. BMDs thus have the potential to provide the best of both worlds.

A recent whitepaper by Appel, DeMillo, and Stark, “Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters” (https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3375755), has staked out some important security claims and has been used to argue against BMDs. Appel et al. use strong language in their public statements, e.g., “The paper describes the ESSENTIAL SECURITY FLAW of electronic voting machines”, in a July 13 tweet from DeMillo (emphasis original). Appel et al.’s abstract states the essence of their argument:

It is not easy to check whether BMD output accurately reflects how one voted in every contest. Research shows that most voters do not review paper ballots printed by BMDs, even when clearly instructed to check for errors. Furthermore, most voters who do review their ballots do not check carefully enough to notice errors that would change how their votes were counted. Finally, voters who detect BMD errors before casting their ballots can correct only their own ballots, not systematic errors, bugs, or hacking. There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

To unpack this, we need to consider exactly how often a voter might notice an error, what common electoral processes will do next, and how they might be enhanced. We’ll also need to discuss the properties of hand-marked paper ballots, considered by Appel et al. and many others to be the “gold standard” for election security.

2 What, exactly, is a BMD?

Fundamentally, a BMD is a device that knows about all the different ballot styles that a voter might see. By inserting an unfilled ballot, or perhaps a blank sheet of paper with only a barcode indicating the specific ballot style, the BMD can then present a touch-screen interface to the voter to select their choices. BMDs typically include a variety of accessibility features (button boxes, headphones with audio output, font size settings, and other features as a supplement to the touch-screen), allowing a larger number of voters to operate these devices without assistance. When the voter is finished, a BMD does what its name says: it prints a marked ballot.

After that, BMDs come in two varieties: stateful and stateless. The former retains an electronic copy of every ballot, while the latter promptly forgets what it saw and starts over again. Stateful BMDs might allow for faster tallies, and provide redundancy against catastrophic failures (e.g., lost ballot boxes). Stateless BMDs might be simpler to construct, and provide stronger guarantees against the impact of malware within the machine.

For the rest of this essay, we will focus primarily on the stateless variety, wherein the paper ballot is the only way to know the voter’s intent. This simplifies our discussion, and makes it clear exactly what we mean when we say “the ballot”. In particular, this makes it clear what happens during a recount, where “recounting the ballots” means looking at paper ballots, not electronic records.

What happens with the paper ballots after they’re printed varies from vendor to vendor. Typically, the voter will carry the ballot by hand to a ballot box, which then has a scanner on top. For hand-marked ballots, these scanners can flag common error modes, including when a voter has indicated more than one vote in a contest which allows at most one vote (i.e., “overvoting”, which can never happen with a BMD, but is possible with hand-marked paper). Some vendors offer “privacy sleeves” to allow poll workers to do this operation on behalf of voters who do not have the necessary manual dexterity, while still preserving the voter’s privacy. One system, Los Angeles County’s VSAP (https://vsap.lavote.net/), has the printer and ballot box integrated together, so that the entire process can be completed independently and privately.

3 What can evil software in a voting machine accomplish?

Every BMD is just a computer. Like any computer, it might have bugs in its software that don’t turn up in testing and might then impact the voter’s experience. Also, like any computer, its software could include malware, not intended by the manufacturer or election official to be present, but perhaps surreptitiously inserted when nobody was looking. Plenty of opportunities for this exist in modern elections, where voting machines may be delivered days or weeks in advance of an election. (This is colloquially referred to as the “sleepover voting machine problem”. A variety of physical security protocols have been deployed to mitigate these threats, but this is beyond the scope of this essay.)

In the mid-2000’s, we were really concerned with how this sort of attack might play out with paperless electronic voting systems (which typically went by the unwieldy acronym “direct recording electronic”, or DRE), since a voting machine might appear to be operating correctly, displaying exactly what the voter intended, but secretly record the ballot internally in a very different fashion. A related issue is that a paperless electronic system can also retain the ballots in the order cast, or randomize them in a reversible fashion, allowing ballot secrecy to be compromised by anybody who observes the order in which voters arrive at the polls.

The mitigations that were used against these attacks, at the time, were not particularly impressive. Logic and accuracy testing (commonly shortened to “L&A”), conducted prior to the start of the election, would run a small and pre-determined set of test votes through the machine, verifying that the proper tally appeared at the end. Of course, if the machines watched their internal clocks, they could behave correctly while under test and then be malicious only on Election Day. Similarly, the number of votes used in L&A is typically much smaller than will appear in a real election, providing additional opportunities for a voting machine to distinguish between test conditions and a real election, and thus behave properly during L&A.

A more aggressive mitigation, only used in a handful of jurisdictions, was to conduct a parallel test. With this, some fraction of the voting machine population is randomly selected and then, rather than being deployed to the field, is instead set up in the elections warehouse where an operator enters a full day’s worth of votes according to a script. As with L&A, the post-election tally from these machines under test has a known correct outcome and any deviation from this would indicate a serious problem. Because no real votes are being cast, video can also be captured to ensure that operator data-entry errors can be differentiated from malicious vote flips.

A thought experiment on how to defeat this, which we believe can be attributed to Avi Rubin, is to have a secret knock. This is an input that no rational testing process would ever contain, but which malware would look for. The canonical example is a write-in vote for Mickey Mouse, although that might well happen in practice, so an attacker would need to select something more obscure. The general idea, then, is that the malware will act identically to the legitimate software until it sees the secret knock, and only then start misbehaving. This would be effectively undetectable without potentially destructive forensic testing, although it requires co-conspirators to perform the secret knock during the real election, creating significant risks for the conspiracy.

4 Would all these attacks and defenses still work in a BMD?

This is the crux of Appel et al.’s argument. Malicious software in a BMD can certainly show one thing on the screen and print something else on the paper. This is particularly troublesome with some vendors who print two different encodings of the ballot: barcodes for machine-readable data and printed text for humans. While voters can verify the printed text, no voter will be able to detect errors in the barcodes. Let’s call this an inconsistent barcode attack. Alternately, the machine might produce a completely consistent paper ballot (i.e., the barcode and the human-readable text are in total agreement), but the paper ballot differs from what the voter entered on the touchscreen. Let’s call that a switched intent attack.

There’s a very simple solution to the inconsistent barcode attack: get rid of the barcodes and have the only record of the voter’s intent be human-readable text. Any computer-printed text that’s readable by a voter will also be readable by a computer scanner with exceptionally high accuracy. (Footnote: To achieve the necessary accuracy, the OCR software likely needs to use state-of-the-art “deep learning” techniques. Until such an OCR technology can be proven out in practice, barcodes will be necessary as a bridging technology.) While many current BMDs do not operate this way, this can be addressed through regulatory mandates and software updates from the vendors.

4.1 Audit processes

So long as paper ballots have both human-readable text and a barcode, we need to consider how existing audit processes can be adapted to detect these attacks. A number of audit processes, including recounts and risk limiting audits (RLAs), provide these opportunities.

If even a single ballot is inconsistent, that’s evidence of a serious problem—either a major software bug or an inconsistent-barcode security attack—that would require emergency procedures (discussed below in Section 8). Because of this, we expect that inconsistent barcode attacks are unlikely to be mounted by attackers in the real world, because even a single inconsistent ballot represents incontrovertible evidence that something has gone wrong. Attackers who wish to quietly manipulate an election outcome would not want to leave this kind of evidence so easily available for discovery.

What about a switched intent attack then? This seems preferable to an attacker, since it’s not immediately obvious when it occurs. How can we discover one? Appel et al. base their argument against such discoveries on three factors: that voters are unlikely to notice these attacks, that even if a voter does discover such an attack there is no good process to respond to such discoveries, and that there’s no alternative process in place that might reliably detect the attacks.

4.2 Will voters notice a switched intent attack?

We conducted several studies at Rice, a decade ago, where we created a paperless voting machine that deliberately lied on its summary screen. Our goal was to detect how many of our research participants, drawn from the general Houston population, would notice that we’d changed their inputs and would then, hopefully, go back and fix their mistake. Depending on exactly how we set up the experiment, between 1/3 and 1/2 of the voters noticed our introduced errors. In most of our experiments, the participants were given made-up names on a printed sheet and asked to vote for them. It’s entirely possible that with real candidate names, in a real election, particularly at the top of the ticket where name recognition will be higher, voters might be more likely to notice discrepancies. This suggests that, if there were systemic vote-flipping malware, something that tried to move thousands or tens of thousands of votes, we would have large numbers of regular voters who recognize the error when it happens.

What happens if a voter notices an error? Most voters will likely head back to the poll workers’ table, perhaps sheepishly admit to having made a mistake, and request a chance to repeat the process with a fresh ballot. This process, commonly called ballot spoiling, is a completely standard part of any election process involving paper ballots. In Texas, for example, a voter is entitled to three attempts.

We can expect there to be a certain background rate of spoiled ballots, no matter the correctness of the ballot marking devices, so it’s only when the spoilage rate gets reliably above the background rate that we’ll have a useful signal. Clearly, poll workers need to track every time a voter spoils a ballot and election administrators need this data available as the election is ongoing, giving them real-time situational awareness of problems as they manifest.

Given all this information, what should an election official do when the spoiled ballot rate is higher than expected? Preferably, they would have a variety of different responses available, from deploying additional auditors to more serious emergency procedures.

5 Live auditing of BMDs

Election officials need procedures for conducting audits on BMDs, in the field, while the election is ongoing. Because BMDs retain no internal memory of cast votes, the only hard requirement for conducting any sort of live audit is that any ballots printed during the audit must be kept out of the ballot box. Such a process will be naturally transparent to voters or election observers, who would be free to witness the process.

Who should conduct the audits? Audits might be conducted by poll workers, as part of their regular duties, or they might be conducted by dedicated auditors, working for the election administration, driving from one polling location to another during the election period. The essential attributes of a good auditing process are that “enough” tests are conducted to observe rare events, and that these tests are sufficiently random that a malicious BMD has no way to reliably determine whether it is operating with a real voter or with an auditor.

If a BMD is going to misbehave, the auditor will have a chance to catch it. And if any auditor, anywhere in the county, catches even one malicious machine in the act, the game is over. Call the police; we’ve got evidence of a serious crime. (See Section 8 for a discussion of emergency procedures.)

5.1 Baseline audits

An election director must conduct some amount of auditing, no matter what, and in the event suspiciously high spoiled ballot rates are reported, the election director might adaptively deploy more auditors.

What is the probability of catching at least one malicious machine in the act? The math is straightforward. Let’s say that a malicious BMD does a switched intent attack with probability

. A randomly audited machine would then be caught cheating, again with probability . Equivalently, the BMD gets away with its malice with probability . The probability of the BMD getting away with it after audits is then . Equivalently, the probability of detecting the malware is . Here are some real numbers for and :

Prob. Cheating    Audits    Prob. Detection
5%                10        40.13%
5%                20        64.15%
5%                30        78.54%
5%                40        87.15%
5%                50        92.31%
10%               10        65.13%
10%               20        87.84%
10%               30        95.76%
10%               40        98.52%
10%               50        99.48%
15%               10        80.31%
15%               20        96.12%
15%               30        99.24%
15%               40        99.85%
15%               50        99.97%

Of particular note, the probability of detecting a switched-intent attack has no dependency on the number of votes cast in the election. This means that the proportional cost of reaching a given detection probability shrinks as the voting population grows.
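The calculation behind the table above, as an added Python example that is not part of the original essay. It writes the per-ballot cheating probability as p and the number of audit ballots as n (names chosen here), and goes beyond the table by inverting the formula to get the audits needed for a target detection probability and by checking the formula against a simulation.

```python
import math
import random


def detection_probability(p: float, n: int) -> float:
    """Chance that at least one of n independent audit ballots is altered,
    when the BMD alters each ballot with probability p."""
    if not 0.0 <= p <= 1.0 or n < 0:
        raise ValueError("need 0 <= p <= 1 and n >= 0")
    return 1.0 - (1.0 - p) ** n


def audits_needed(p: float, target: float) -> int:
    """Smallest n for which detection_probability(p, n) >= target."""
    if not 0.0 < p <= 1.0 or not 0.0 < target < 1.0:
        raise ValueError("need 0 < p <= 1 and 0 < target < 1")
    if p == 1.0:
        return 1
    n = math.ceil(math.log(1.0 - target) / math.log(1.0 - p))
    # Correct for floating-point rounding right at the boundary.
    while detection_probability(p, n) < target:
        n += 1
    while n > 1 and detection_probability(p, n - 1) >= target:
        n -= 1
    return n


def simulate(p: float, n: int, trials: int, seed: int) -> float:
    """Monte Carlo estimate: fraction of simulated elections in which the
    n audit ballots include at least one altered ballot."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        if any(rng.random() < p for _ in range(n)):
            caught += 1
    return caught / trials


def table(rates=(0.05, 0.10, 0.15), audit_counts=(10, 20, 30, 40, 50)):
    """Rows (p, n, detection probability) matching the table's layout."""
    return [(p, n, detection_probability(p, n))
            for p in rates for n in audit_counts]


if __name__ == "__main__":
    for p, n, prob in table():
        print(f"p={p:.0%}  n={n:>2}  detection={prob:.2%}")
    # The number of votes cast never appears in these functions: only the
    # cheating rate and the number of audits matter.
    for p in (0.15, 0.10, 0.05, 0.01):
        print(f"p={p:.0%}: {audits_needed(p, 0.95)} audits for 95% detection")
    print("simulated p=5%, n=10:", simulate(0.05, 10, 20000, seed=1))
```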

(Gilbert has also suggested an auditing process like this; see http://www.juangilbert.com/BallotMarkingVerificationProtocol.pdf. We’ll discuss additional strategies below.)

6 Stark’s response

After a Twitter discussion of this idea, Stark wrote a rejoinder, titled “Is Parallel Testing of Ballot-Marking Devices Practical?” (https://www.stat.berkeley.edu/~stark/Preprints/bmd-p19.pdf), with a one-word abstract: “No”. This section responds to his arguments.

If , then you need to get a probability of catching the attack.

An attacker, going to the effort and assuming the risk of attempting a switched-intent attack would be hesitant to use such a small value. An attack like this needs to be engineered and deployed well in advance of the actual election. If an attacker wants to reliably flip even a very close contest, they cannot trust the margin of victory to be within 1%, regardless of any pre-election poll results.

Furthermore, isn’t out of the question, particularly if the election director has reason to believe an attack may be imminent. In response to this threat intelligence, the director may proactively increase the audit rate while the election is ongoing. (See Section 7 for other ways that an election director may gain a tactical advantage.)

Machines might be more clever about when they flip votes. For example, an attacker could enable the flipping only during a busy part of the day, under the assumption that audits are more likely when machines are idle.

Without a doubt, random audits need to be randomly distributed through the space of all cast votes. That means that auditing events need to be more likely to occur during the busiest parts of the day, exactly when the lines are longest.

Voter queue lengths are impacted by many factors, including the number of machines provisioned to a given polling place, the size and complexity of the ballot, and rushes that may occur at popular times of the day. While audit procedures represent yet another factor with the potential to impact voter waiting times, they seem unlikely to be as decisive or consequential as these other factors that influence voter wait times. If an election administration has an adequately sized fleet of BMDs, auditing, even during peak periods, should not have a significant impact on voter wait times.

Machines can pay attention to the behavior of the voter and adaptively cheat. For example, only if a voter is clearly leaning in a specific partisan direction does the machine flip a vote.

The audit process needs to be representative of what real voters might do. We would expect that many real voters will be highly partisan, so we must create ballot inputs that resemble the votes cast by real voters. Similarly, the audit process must simulate real voters’ actions, including pausing between candidates, or going backward and changing their minds on previous contests.

7 Can election officials gain a tactical advantage?

As discussed in Section 4.2, election officials gain power from having situational awareness of the rate of ballots being spoiled. As such, election officials can attempt to intuit strategies being taken by malware and adaptively create auditing strategies that might catch the malware in the act. If, for example, signals are coming exclusively from specific neighborhoods, or from precincts with specific demographics, then the election official can deploy additional auditors to those areas, on top of the random baseline of audits. As such, the “game” becomes less like flipping coins and more like playing poker. Statistics still play a role, but the players must spend a significant amount of energy trying to intuit each other’s strategies, including bluffing and other forms of subterfuge.

In the wake of the 2016 election, the Department of Homeland Security declared elections to be “critical infrastructure”. One of the consequences of this is the existence of the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC, https://www.cisecurity.org/ei-isac/), creating a structured program for the federal government to share threat intelligence information with election officials, as well as for election officials to aggregate and share such intelligence amongst themselves. Certainly, the compressed timetable of elections means that this sort of sharing needs to happen quickly, but if, for example, the various Federal intelligence agencies reach a conclusion that attacks are likely in specific states or localities, then EI-ISAC potentially provides the necessary infrastructure to disseminate this information, allowing election officials to perhaps get ahead of the malware before the election even begins.
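One way to turn the spoiled-ballot signal from Sections 4.2 and 7 into a decision about where to send extra auditors, as an added Python example that is not part of the original essay. The background spoil rate, the false-alarm budget and the precinct tallies are all constructed assumptions; the test is an exact one-sided binomial tail with a Bonferroni correction across precincts.

```python
import math

BACKGROUND_RATE = 0.02  # assumed historical spoil rate (constructed value)
ALPHA = 0.01            # assumed false-alarm budget over all precincts

# Constructed running tallies from poll workers:
# (precinct, ballots issued so far, ballots spoiled so far)
REPORTS = [
    ("P-101", 400, 9),
    ("P-102", 500, 31),
    ("P-103", 350, 6),
    ("P-104", 600, 28),
]


def binom_tail(n: int, k: int, r: float) -> float:
    """P(X >= k) for X ~ Binomial(n, r): the chance of seeing at least k
    spoiled ballots out of n if only the background rate r is at work."""
    if not 0.0 < r < 1.0:
        raise ValueError("rate must be strictly between 0 and 1")
    if k <= 0:
        return 1.0
    if k > n:
        return 0.0
    total = 0.0
    for i in range(k, n + 1):
        # Work in log space so large n does not overflow or underflow.
        log_pmf = (math.lgamma(n + 1) - math.lgamma(i + 1)
                   - math.lgamma(n - i + 1)
                   + i * math.log(r) + (n - i) * math.log1p(-r))
        total += math.exp(log_pmf)
    return min(total, 1.0)


def precincts_to_audit(reports, rate=BACKGROUND_RATE, alpha=ALPHA):
    """Precincts whose spoil count is too high to blame on the background
    rate, most anomalous first. Bonferroni: each precinct is tested at
    alpha / (number of precincts)."""
    if not reports:
        return []
    threshold = alpha / len(reports)
    flagged = []
    for name, issued, spoiled in reports:
        p_value = binom_tail(issued, spoiled, rate)
        if p_value < threshold:
            flagged.append((p_value, name))
    return [name for _, name in sorted(flagged)]


if __name__ == "__main__":
    for name, issued, spoiled in REPORTS:
        p_value = binom_tail(issued, spoiled, BACKGROUND_RATE)
        print(f"{name}: {spoiled}/{issued} spoiled, tail prob {p_value:.2e}")
    print("send additional auditors to:", precincts_to_audit(REPORTS))
```

A flag here is a reason to deploy auditors, not evidence of an attack; the detection itself still comes from the live audits of Section 5.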

8 Responding to an emergency

Stark raises this point in his rejoinder, and it’s an important issue to discuss. While the legal process for managing elections varies from state to state, consider what happens when a natural disaster strikes right before or during an election. Exactly this happened with Hurricane Sandy, which struck the northeastern seaboard on October 29, 2012, causing notably large damage in New Jersey and New York, right before a presidential election. In the wake of this storm, the National Association of Secretaries of State began a push to get states to adopt laws and procedures to take disasters into account (see, e.g., “State Laws and Practices for the Emergency Management of Elections”, released in 2014 and updated in 2017). Ultimately, a cyber-attack on an election can and should be treated much the same as a hurricane or other natural disaster. If the scope and reach of a cyber attack is large enough that the outcome of the election is in doubt, then suitable disaster procedures would allow a governor to declare an emergency and re-run an election, perhaps with a different voting technology.

Note that modern elections are not actually finalized on the night of the election, even though losing candidates will customarily concede to the victors at the time. Instead, all elections have a canvass period after the election. During this period, a wide variety of activities occur, which includes processes like tabulating vote-by-mail ballots and resolving provisionally cast ballots. (See, e.g., California’s canvass information page, https://www.sos.ca.gov/elections/official-canvass/.) The canvass period is typically when a risk-limiting audit will be conducted, and is also a suitable time for cyber-forensics to be conducted on BMDs that were discovered during audits or simply flagged by voters spoiling their ballots.

Still, once a vote has been tampered with, you cannot determine the intent of the voter. So what do you do? Procedurally, this should be no different than a ballot box being lost in a flood. It’s an emergency, and you need emergency procedures to resolve the problem. While it would be politically sensitive to declare that a cyberattack damaged an election and as such it had to be re-run, the likelihood of an emergency response mitigates the risks of cyberattacks. In other words, if the attacker doesn’t think they’ll get away with it, they’re less likely to bother with the attack.

9 Why not just mark ballots by hand?

I’m going to wrap up this piece by addressing a seemingly central question: why bother at all with BMDs? Even if you believe that we can deploy auditing strategies to mitigate the worst of their flaws, it’s still important to recognize the benefits:

  • Not every voter has the ability to do all the tasks necessary to read, mark, and cast a paper ballot. Some voters have low vision or zero vision. Some voters have limited motor control. Some voters are illiterate or dyslexic. Some voters have multiple such issues. BMDs have the potential to make voting far more accessible to these populations. BMDs can also offer a variety of different languages, both in text and voice, offering greater assistance to non-native English speakers. Furthermore, Federal and state laws generally make these features mandatory.

  • Ballot marking devices also have the advantage of eliminating complete classes of voting errors that can occur with hand marked paper ballots. For example, with a BMD it is impossible to “overvote”; the BMD can enforce common rules like “only one vote per contest”. Enforcing such rules is even more important with voting methods that allow multiple selections in a contest, such as rank-choice or instant-runoff voting. BMDs additionally do not allow voters to make stray or ambiguous marks. If a voter needs to change their mind after the ballot is printed, they can “spoil” it and start over again. For contrast, consider the 2008 recount of the very close Minnesota Senate race between Coleman and Franken. Ambiguous hand-marked ballots were individually considered in litigation after the election.

  • A well-designed BMD can also help every voter to accurately convey their intent. For example, a BMD will commonly have a confirmation screen at the end of the process that can highlight contests that a voter might have accidentally skipped. Features like this become even more important as ballots grow longer and more complicated. Likewise, a BMD does not face the space constraints of a paper ballot, allowing each question to appear on a separate screen, and thus help prevent voters from accidentally skipping over a contest. For contrast, consider the paper ballot in Broward County, Florida in 2018, where the contests for U.S. Senate and Congressional Representative were placed under the long ballot instructions in the left column, leading a potentially significant number of voters to miss them entirely. (Footnote: Appel has written a summary of this issue in Florida 2018, alongside other famous ballot layout failures. Bad ballot layout can induce high undervote rates in any voting technology, but at least BMDs can operate without the constraint of compressing a ballot to fit onto a sheet of paper. https://freedom-to-tinker.com/2018/11/14/florida-is-the-florida-of-ballot-design-mistakes/)

  • An important nationwide trend is the consolidation of polling places, both for early voting and on election days. Such “vote centers” allow any voter to cast any one of potentially thousands of distinct ballot styles. To run a vote center with hand-marked paper ballots, this requires having laser printers for “ballot on demand” printing. Unfortunately, laser printers have their own issues. Most notably, they have a significant power draw to warm up the toner drum, which can cause problems in buildings with older wiring. Because of this, laser printers cannot operate on consumer-grade UPS batteries. If the power goes out, the election is dead in the water. Conversely, BMDs generally use thermal printers, which are low power and have no consumables like ink or toner cartridges. Commercial BMDs have (or should have) enough battery to run for hours without power. BMD-based elections will be more robust in the face of power failures.

  • And most notably, unlike the paperless electronic voting systems that BMDs are being purchased to replace, the paper ballots that come out of BMDs give us the ability to consider the security procedures contemplated here. BMDs give us the security benefits of paper with the accessibility benefits of computers.

And lastly, BMDs give us the opportunity to build more sophisticated voting systems with “end to end” security guarantees. While none of today’s BMDs have features like this, the research literature has a variety of designs that give voters a “receipt” that allows them to prove that their vote was correctly included in the final tally (i.e., “counted as cast”). There are also some clever techniques that can be used to audit voting devices to catch them if they’re cheating (i.e., verifying that voters are “cast as intended”). If we ever want to have e2e elections, then we have to have BMD-like devices which produce regular paper ballots as well as computing the necessary cryptography. If we eliminate BMDs, we also eliminate the potential for the significant improvements in election integrity that e2e cryptographic techniques can provide.

How realistic is it that e2e will make the jump from the research literature to commercial production? To pick one example, Microsoft is investing in an open-source toolkit called ElectionGuard (https://blogs.microsoft.com/on-the-issues/2019/05/06/protecting-democratic-elections-through-secure-verifiable-voting/), and they’ve announced partnerships with many of the big players in the election equipment space. It’s quite likely that the next generation of BMDs, and perhaps even current-generation BMD hardware with new software, will adopt these techniques.

So, let’s please have an eye toward the larger picture. The risks of malware in current-generation BMDs are non-trivial, but they can be mitigated through human-centered ballot design, careful auditing procedures, and suitable election emergency laws. They also keep the door open to new cryptographic techniques, such as used in ElectionGuard, that have the potential to protect against a variety of other election threats.


I would like to thank my colleagues for reviewing drafts of this essay and offering a variety of constructive suggestions: Claudia Acemyan, Ben Adida, Mike Byrne, Joseph Hall, Philip Kortum, and Whitney Quesenbery.