
Evidence-Based Elections

Influencers Salon

Philip B. Stark 10 October 2020

University of California, Berkeley


Many collaborators including (most recently) Andrew Appel, Josh Benaloh, Matt Bernhard, Michelle Blom, Andrew Conway, Rich DeMillo, Steve Evans, Amanda Glazer, Alex Halderman, Mark Lindeman, Kellie Ottoboni, Ron Rivest, Peter Ryan, Jake Spertus, Peter Stuckey, Vanessa Teague, Poorvi Vora


https://www.youtube.com/embed/cruh2p_Wh_4


Arguments that US elections can’t be hacked:

  • Physical security
      • "sleepovers," unattended equipment in warehouses, school gyms, ...
      • locks use minibar keys
      • bad/no seal protocols, easily defeated seals
      • no routine scrutiny of custody logs, 2-person custody rules, ...
  • Not connected to the Internet
  • Tested before election day
  • Too decentralized


Arguments that US elections can’t be hacked:

  • Physical security
  • Not connected to the Internet
      • remote desktop software
      • wifi, bluetooth, cellular modems, ... https://tinyurl.com/r8cseun
      • removable media used to configure equipment & transport results
          • Zip drives
          • USB drives. Stuxnet, anyone?
      • parts from foreign manufacturers, including China; Chinese pop songs in flash
  • Tested before election day
  • Too decentralized


https://www.stat.berkeley.edu/~stark/Seminars/AuditPics/MODEMS4.mp4


Arguments that US elections can’t be hacked:

  • Physical security
  • Not connected to the Internet
  • Tested before election day
      • Dieselgate, anyone?
      • Northampton, PA
      • Los Angeles, CA VSAP
  • Too decentralized


Arguments that US elections can’t be hacked:

  • Physical security
  • Not connected to the Internet
  • Tested before election day
  • Too decentralized
      • market concentrated: few vendors/models in use
      • vendors & EAC have been hacked
      • demonstration viruses that propagate across voting equipment
      • “mom & pop” contractors program thousands of machines, no IT security
      • changing presidential race requires changing votes in only a few counties
      • small number of contractors for election reporting
      • many weak links


Security properties of paper

  • tangible/accountable
  • tamper evident
  • human readable
  • large alteration/substitution attacks require physical access & many accomplices

Not all paper is trustworthy: How paper is marked, curated, tabulated, & audited are crucial.


Did the reported winner really win?

  • Procedure-based vs. evidence-based elections
      • sterile scalpel v. patient’s condition
  • Any way of counting votes can make mistakes
  • Every electronic system is vulnerable to bugs, configuration errors, & hacking
  • Did error/bugs/hacking cause losing candidate(s) to appear to win?


Risk-Limiting Audits (RLAs, Stark, 2008)

  • If there’s a trustworthy paper record of votes, can check whether reported winner really won.
  • If you accept a controlled “risk” of not correcting the reported outcome if it is wrong, typically don’t need to look at many ballots if outcome is right.


A risk-limiting audit has a known minimum chance of correcting the reported outcome if the reported outcome is wrong (& doesn’t alter correct outcomes).

Risk limit: largest possible chance of not correcting reported outcome, if reported outcome is wrong.

Wrong means accurate handcount of trustworthy paper would find different winner(s). Establishing whether paper trail is trustworthy involves other processes, generically, compliance audits.


Risk-Limiting Audits

  • Endorsed by NASEM, PCEA, ASA, LWV, CC, VV, . . .


Evidence-Based Elections: 3 C’s

  • Voters CREATE complete, durable, verified audit trail.
  • LEO CARES FOR the audit trail adequately to ensure it remains complete and accurate.
  • Verifiable audit CHECKS reported results against the paper.

  • 255 state-level presidential races, 1992–2012, 10% risk limit
      • ballot-polling audit (BPA) expected to examine fewer than 308 ballots for half.
  • 2016 presidential election, 5% risk limit
      • BPA expected to examine ~700k ballots nationally (<0.5%)
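
An added example (not from the slides): a ballot-polling audit run as a sequential likelihood-ratio test in the style of the BRAVO method, showing how the risk limit bounds the chance of confirming a wrong outcome. The function names, the two-candidate simplification, sampling with replacement and the simulated ballots are assumptions made for illustration.

```python
import math
import random

def bravo_audit(draws, reported_share, risk_limit):
    """Sequential ballot-polling test for a two-candidate contest.

    draws: hand-read ballots in the order sampled, 'W' = vote for the
    reported winner, 'L' = vote for the reported loser; any other value is
    counted as examined but does not move the test statistic.
    Returns (confirmed, ballots_examined). confirmed=False means the sample
    never gave strong enough evidence, so the audit goes to a full hand count.
    """
    if not 0.5 < reported_share < 1 or not 0 < risk_limit < 1:
        raise ValueError("need 0.5 < reported_share < 1 and 0 < risk_limit < 1")
    # Log likelihood ratio: reported share vs. a tie (the best case for a
    # wrong outcome). Stop once the ratio reaches 1 / risk_limit.
    step = {"W": math.log(reported_share / 0.5),
            "L": math.log((1 - reported_share) / 0.5)}
    stop_at = math.log(1 / risk_limit)
    log_ratio, examined = 0.0, 0
    for examined, ballot in enumerate(draws, start=1):
        log_ratio += step.get(ballot, 0.0)
        if log_ratio >= stop_at:
            return True, examined
    return False, examined

def confirm_rate(true_share, reported_share, risk_limit,
                 max_draws=400, trials=2000, seed=2020):
    """Fraction of simulated audits that confirm the reported winner when the
    paper actually shows true_share for that candidate (constructed data:
    ballots drawn independently with replacement)."""
    rng = random.Random(seed)
    confirmed = 0
    for _ in range(trials):
        draws = ("W" if rng.random() < true_share else "L"
                 for _ in range(max_draws))
        confirmed += bravo_audit(draws, reported_share, risk_limit)[0]
    return confirmed / trials

if __name__ == "__main__":
    # Reported 60/40 result, 10% risk limit.
    print("paper agrees (60%):", confirm_rate(0.60, 0.60, 0.10))
    print("paper shows a tie :", confirm_rate(0.50, 0.60, 0.10))
```

When the paper trail matches the reported 60/40 result, nearly every simulated audit stops after a small sample; when the paper shows a tie, the fraction that wrongly confirms stays at or below the risk limit and the rest escalate to a full hand count.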


Risk-Limiting Audits

  • ~60 pilot audits in AK, CA, CO, GA, IN, KS, MI, MT, NJ, OH, OR, PA, RI, WA, WY, VA, DK.
  • CA counties: Alameda, El Dorado, Humboldt, Inyo, Madera, Marin, Merced, Monterey, Napa, Orange, San Francisco, San Luis Obispo, Santa Clara, Santa Cruz, Stanislaus, Ventura, Yolo.
  • Routine statewide in CO since 2017. Statewide audits in AK, KS, WY in 2020.
  • Laws in CA, CO, RI, VA, WA


Voting and COVID-19

  • In-person voting involves congregating & touching common objects (esp. BMDs & DREs, but also pens, doorknobs), but S. Korea did great job recently

  • Online voting does not require contact, but
      • No way to secure online voting
      • Demonstration hacks by Halderman et al.

  • VBM does not require congregating . . .
  • Klobuchar & Wyden introduced bill requiring everyone to get VBM ballot . . .
  • Serious logistical and security problems:
      • printing & mailing: 3rd parties need more equipment
      • ballots lost in the mail in either direction
      • USPS might be dead
      • potential for DOS attacks
      • ballot harvesting, coercion, vote-selling
      • authentication, signature verification (if any)
      • weaponized to disenfranchise minority voters, e.g., GA
      • need to inform voters of (non) receipt, notify them of problems & allow time to “cure”


Recommendations for November 2020

  • expand vote by mail and early voting
  • minimize use of DREs & BMDs (not secure; vector for coronavirus)
  • secure/monitored kiosks to pick up blank ballots (BOD?) & cast voted ballots
  • ballot tracking; provide adequate notice & opportunity to “cure” problems
  • increase transparency: public video monitoring, etc.
  • rigorous ballot accounting & compliance audits including eligibility
  • risk-limiting audits, at least for statewide contests
  • beware sham RLAs of insecure systems
