Player is loading...
Adventures in electronic voting research
Dan Wallach, Professor at Rice University, Houston, USA
Thursday, June 6, 2019 · 10:14 a.m. · 53m 50s
Embed
Transcriptions
Note: this content has been automatically generated.
00:00:00
if you believe that either bridge just okay
00:00:11
area okay thank you very much it's a real pleasure to be here to our to be invited my name's dan
00:00:17
well like i'm gonna be talking to you about some
00:00:19
of my adventures some of my country's adventures in electronic voting
00:00:25
so needless to say when you start talking about voting it's hard to know where to start rumours stop
00:00:32
we have to worry about broadcasting in telling but we also have to
00:00:36
worry about gerrymandering how we draw the districts and boundaries that selector politicians
00:00:42
more recently it seems we have to worry about other countries trying to mess with our our actions
00:00:47
and that might happen through direct cyber attack
00:00:50
on the election infrastructure or indirectly through fake news
00:00:55
so today i'm gonna try to give you a sense of where we are and where we're going
00:01:00
um so i'm gonna start the story in august twenty sixteen
00:01:05
and the the big presidential election as you see is just a couple months away
00:01:11
right everybody think where was i in august twenty sixth well this was
00:01:16
the big news that russian hackers initially we only her that they targeted arizona
00:01:22
and later on we learned from our president back when we
00:01:26
had a president who told us useful things that we believed that
00:01:31
but you know we're directly at fusing russia by name which that was a very rare thing
00:01:38
was on commented directly name a country without serious evidence
00:01:44
and we learned that thirty three states in eleven counties are
00:01:47
local election officials have requested help from the department of homeland security
00:01:52
um later on we learned that thirty nine states have been compromised
00:01:56
and we're still trying to learn what compromise actually in its um
00:02:03
so here's a lovely article only that quote
00:02:07
i would love to know the rest of this story
00:02:11
you'll bali ministrations so concerned that they complain directly to mask
00:02:16
out exactly what was said on this phone call we don't know
00:02:20
we wouldn't you love to know what was said 'cause it might it must've been really you really interesting thread
00:02:27
'cause in the end whatever the russians unlikely been planning sigh from the
00:02:31
whole fake news thing didn't happen at least we don't think it happened
00:02:36
what do they do what the russians due to my country
00:02:41
well back around you've perhaps heard of email fishing you've all probably received an email like dear sir
00:02:49
i've been requested by the national i'd you're in national petroleum company you've all seen emails like this
00:02:55
this is fishy it's a spam email usually broadcast to as many people as possible
00:03:00
and the goal is to either get some kind of bank account data
00:03:03
or money out of you or just to get your passwords in credentials
00:03:07
through which they could log in and do other things the response
00:03:10
rate is very very small but somehow they still make money so that's
00:03:15
fishing but i wanna talk about spear fishing so this is john pedestal he was
00:03:20
who will we've brought them clinton's campaign manager in twenty sixteen and he received backs
00:03:27
which if you look at it looks very much like the sort of
00:03:31
colours and fonts and style that google might actually send any of you
00:03:37
and the best uh said roy supposed to click this or not and he asked is
00:03:41
i. t. guy what was supposed to do that you guys like yeah yeah click it
00:03:46
big mistake
00:03:49
and the thing is all the normal detections that we have
00:03:52
to protect against regular fishing attacks particularly just behind volume of them
00:03:57
doesn't work these kinds of attacks are of crafted and sent to a very small number of people
00:04:04
and so do if if you work on which email teen this kind of thing is very very difficult for you to defeat
00:04:11
which leads us to this character really into such a self styled hacked industry ran boutiques
00:04:18
and yeah actually in the early two thousand seems like well known in
00:04:22
the functional programming hacking literature is a serious computer scientist or well us
00:04:27
and then he had this idea that they were gonna collect
00:04:31
information disseminated widely i got started believe it or not by
00:04:34
setting up a tour exit node and just capturing all the traffic leaving their tour exit node and looking for anything tasty
00:04:42
and later on they they really became better known as a direct result of
00:04:47
the uh so chelsea manning was then a us army intelligence officer of some sort
00:04:53
who leaked a bunch of things including video of a of a us
00:04:57
military strike on civilians and that that's what put wiki weeks on the map
00:05:03
but uh so much to know is this but us intelligence as some i don't
00:05:08
claim to believe them when they say that machine intelligence collected on hillary clinton's campaign
00:05:14
the democratic national committee and other aspects of that campaign
00:05:20
exactly how they did we don't know what's for certain but we do know that they used fishing against the best
00:05:26
and that they used wiki weeks as a cutout organisation that's intel speak for you that
00:05:32
which which probably didn't even know they were dealing with the russians they probably
00:05:36
thought they were dealing with some other source but it was really the russians
00:05:39
similarly there were these other persona as of the time easy leaks inclusive for two point oh
00:05:46
you know in later on in a july twenty eighteen about the us special counsel
00:05:51
robert muller indicted twelve russian g. r. u. agents by name saying these people were behind
00:05:59
so let's back up and talk about propaganda it's always always been a part
00:06:03
of military strategy that you wanna win the hearts and minds of the people
00:06:07
it it's not enough to defeat the other army you wanna get people on your side
00:06:12
and this is a lovely photo i found of the u. s. b. football
00:06:16
so it's yeah everybody has done this this isn't just a specifically russian thing
00:06:21
but in modern russian military theory a room they have this term recall hybrid warfare
00:06:26
which includes cyber attacks propaganda everything it's all
00:06:30
part and parcel of of modern military action
00:06:33
a job here had a similar or diagrams like this when you have
00:06:38
propaganda and you want to get people riled up at sometimes called object prop
00:06:43
so we saw a lot of this in in both european
00:06:47
and american history whether it's anti jewish anti capitalist anti american
00:06:53
a lot of sophistication in energy has gone into building these things so then we can yes
00:07:01
you think come on release
00:07:04
right but this is a face book add purchased by
00:07:08
their actions that ran throughout us targeted us visitors soft yes
00:07:14
and we're movie you some fraction of the were moved hope not too many but perhaps enough here's another one
00:07:22
so the yeah march for trump that's russians
00:07:26
but here's the actual tennessee republican party retreating
00:07:30
good propaganda has the ability to entice legitimate people to pass it on
00:07:38
um and it's important to point out that the russians weren't just targeting the american right
00:07:43
they were also targeting the american left so this black activist a persona is also the russians
00:07:51
so they were just rounding up one side of they're trying to get all of
00:07:55
america angry at each other and having lived through it it what people were quite angry
00:08:01
which brings us to this group so texas anti for
00:08:05
uh so supposedly anti fascists of texas actually the russians
00:08:10
and there's the statutes a five minute walk from my office of rice statue of sam houston
00:08:16
among other things he was the president of these can be the they're
00:08:19
the republic of texas what during the brief time it was a standalone country
00:08:23
and they're saying oh we supported slavery we're gonna remove the statue and
00:08:27
this cost actual real what right wing groups to create that counter protest
00:08:34
so here are some photos this is literally a five minute walk
00:08:37
from my office and you know nobody ever plan to touch the statue
00:08:43
i i i could tell you all about the history of sam houston he's a colourful and
00:08:47
interesting character actually own slaves but he was against the us the the confederacy split he was
00:08:54
complicated in conflicted character perhaps but nonetheless in defence of him
00:08:58
we have actual people like those uh those flags are real
00:09:03
booklets clan things these are actual real honest to god white
00:09:08
nationalist people standing outside and not being ashamed of their horrible beliefs
00:09:16
but it's not just that they were the russians were doing things that you would be like come on really
00:09:22
they were to be but so here's a study by this fall with the u. s. c. and birds school
00:09:27
and he collected all the treats you could find looking at
00:09:32
the negative paws around star wars the last july because you
00:09:36
know it had like a strong female be the horrors right and
00:09:42
um the his conclusion was that bush controls were well i think star wars criticism as an
00:09:48
instrument of information warfare like it kind of makes your head explode really really it's that work
00:09:57
well the social networks have started responding to this
00:10:02
perhaps not enough but they are doing things at enough to piss off the russians so r. t. that's russia today
00:10:09
yeah and of course the russian buttercup if ever if if the
00:10:12
russian parts are complaining about crack downs and something is probably working
00:10:17
um here's an article from the washington post whatever is sweeping
00:10:21
out fake accounts like never before that sounds like a good thing
00:10:25
um face but this is mark soccer bird under the very hot glare of
00:10:30
of being a as subpoenaed to speak in front of the us congress and
00:10:35
you can see that he doesn't look terribly happy about this so that's probably a good thing
00:10:42
um there's been so much written about this it's hard to know where to start but here's a upholstered who worked
00:10:50
in the clinton campaign he said the campaign data shows
00:10:53
that in battleground states and then usually higher proportion of residence
00:10:58
of of democratic likely voters were what your posters invent uh nicknames
00:11:04
for groups of like people in this case their nicknames hillary defectors
00:11:09
and that means people who were considering leaving room the the democratic
00:11:13
party to wrote vote just this one time 'cause they didn't like hillary
00:11:17
and took their conclusion was all i had to do was to these people put and then hillary could of one
00:11:23
but they weren't aware that the russians were pushing the same
00:11:27
buttons and that might have been the thing that through the election
00:11:31
so
00:11:33
alright let's move on to another election in twenty eighty what happened there
00:11:39
i us military response this is amazing because you never
00:11:45
ever read about us military cyber action in the press
00:11:49
it's always like super duper secret it if you're a whole bunch of articles all appeared right around the same time
00:11:56
and they say and it it's not the old way of doing business
00:12:02
anymore i mean but the school at the bottom is from a us senator
00:12:06
saying you know the fact that the twenty uh like twenty eighteen election
00:12:09
process move forward with out successful russian intervention was not a coincidence wow
00:12:17
so it was unfair was talking about maybe we should have a geneva convention on cyber
00:12:22
well yeah with this action have been legal under that should have been the go under that i don't know
00:12:28
in the the kinds of cyber policy diplomacy
00:12:34
your your brain just kind of explodes trying to think what can and should or shouldn't be done
00:12:41
but i i'm a technologist other computer scientist i've spent
00:12:45
several minutes now talking to you about elections how that
00:12:49
election machines and equipment how good are those voting machines themselves
00:12:54
well in houston texas just the force you to be third largest city in the us
00:13:00
we vote on these particular electronic paperless machines from a company called parking or civic
00:13:05
and that was part of a team that the state of california hard to do a
00:13:09
a software analysis were locked in a room for months reading analysts in their source code
00:13:14
and so this is just one of several vulnerabilities that we discovered
00:13:19
so at the end of the day all of the voting machines are connected to
00:13:22
a computer called server oh that a selection management downloads all the data within that sector
00:13:28
and so each voting machine one by one is plugged
00:13:31
in in the data is downloaded uploaded in all good but
00:13:36
what if there's one voting machine that'd been tampered with somewhere in the field
00:13:42
turns out that these voting machines have a port on the back they had it it's their own proprietary
00:13:47
weird network protocol but it has messages that let you
00:13:50
read and write arbitrary memory addresses including the code segment
00:13:56
you can hear the computer scientists going uh_huh no oh yeah s.
00:14:01
and so if you can connect to that port on the back of the machine you can make arbitrary changes
00:14:06
and it turned out that the server machine big surprise
00:14:09
has a buffer overflow vulnerability because of course it does
00:14:14
and then it can then use that very same reading right arbitrary memory address
00:14:19
attack any can tamper with every subsequent voting machine so now one machine attacked once
00:14:26
then regular poll workers election officials doing their regular
00:14:30
job the whole three can be now running mel
00:14:34
you should hopefully be thinking oh my god that's terrible
00:14:38
guess what we still use them
00:14:41
and there has been no software patches or changes of any kind since our study
00:14:47
which was a lot of them well years ago crazy
00:14:54
um this news just came out yesterday so i had to add it to my slides that
00:15:01
so never mind the voting machines what about all the rest of the uh technology managing bowed insist
00:15:07
in particular voter registration vote tabulation there's all kinds
00:15:11
of computers that make election officials jobs go more efficiently
00:15:17
had turns out that use computers like any computer software
00:15:21
is obscured hard to run in you need technical assistance
00:15:25
and there was a company called v. are are all actions i. b. or something
00:15:29
and the way that they did tech support for their customers um including
00:15:34
florida and several other states was they installed remote access software on the um
00:15:39
machines inside the election officials uh i'm not normally you have like a
00:15:45
stuff far walled off area or you just disconnected from the internet altogether well
00:15:50
here we have this company which oh by the way the russians had attacked and
00:15:55
that company set itself up with remote access you know like windows remote desktop access
00:16:01
to all of the election officials machine so that we could do better technical support
00:16:08
uh and
00:16:10
you know a senator ron widen from or again in this article is saying how come
00:16:15
we're just learning about this now it's been going on for two years are you kidding me
00:16:20
so this this is the this kind of
00:16:25
the correct response that you should have is oh my god and the fact that we're only
00:16:30
learning about some of the stuff now even though it's been going on for a while it's crazy
00:16:36
i don't have any good news anything actually got better well in the posts twenty sixteen environment
00:16:43
one of the things that was controversial at the time before the election of donald trump was that up
00:16:50
they declared voting equipment to be what critical infrastructure
00:16:54
and everybody's questions what does that term mean what is the legal definition of critical infrastructure
00:17:01
the answer is it allows the government to us government to put funding
00:17:06
and resources into improving a thing so like power grids that's critical infrastructure
00:17:12
um you know that sort of thing and so increasingly we see the use of two factor authentication
00:17:19
which is good we have this new a thing called the
00:17:22
election infrastructure information sharing and analysis centre which is an awful
00:17:28
um i sacks are actually fantastic thing the probably one of the
00:17:33
better known ice axes the financial services i stack f. s. i. psych
00:17:38
which is where all of the big banks get together and share a threat intelligence
00:17:43
oh i got this weird email all i got weird packets from that be something that
00:17:48
and they have an explicit car about from antitrust law as long as what you're talking about is defending yourself
00:17:55
some cyber attack then it's not anti trust you can
00:17:58
get together and share and collectively defend yourselves as an industry
00:18:02
and so this is a hard this is a mechanism
00:18:05
that's been around us law for twenty years years and
00:18:10
it allows the federal government to give assistance uh
00:18:15
things are getting better there's some money that's allocated but not
00:18:18
nearly enough to replace the existing machines my summary at the nothing
00:18:24
but inadequate
00:18:27
then this happened so deaf con is a big hacker convention that happens every
00:18:31
august in las vegas 'cause where would you rather be in august and the desert
00:18:37
um and that for the past two years that have what they call voting village
00:18:41
so they just bought a bunch of all voting equipment on e. bay in wherever else they could find it
00:18:46
how awesome is that and then they just set it up and said
00:18:49
here have added and people went and found a whole pile of vulnerabilities
00:18:55
at this generated a lot of press which is a good thing
00:18:59
and that among other things has helped lead to news like that's the
00:19:03
state of california is trying to push all fifty eight of its counties
00:19:08
to replace old paperless electronic voting machines with newer systems but
00:19:14
you know brandon solar for justices uh n. y. u. in new york they they they do a lot of studies in this area
00:19:21
thirty eight states including by state of texas are using discontinued equipment vendor doesn't sell it hasn't
00:19:28
supported it in over a decade and all that stuff is still gonna be used in twenty twenty
00:19:36
so i know oh let's vote on the internet that's what could
00:19:41
be that'll work great how you know a bit will be convenient
00:19:45
you can do banking on the internet while avoiding in him no use plot chain that'll solve everything right now
00:19:56
so let me just briefly try to argue against internet
00:19:59
voting issue number zero not everybody actually has a computer
00:20:04
so this this data is a little bit older but what
00:20:07
you'll see is you'll be these are pretty these bars or percentages
00:20:11
and you can see that you know even switzerland is less than
00:20:16
a hundred percent that those are the uh uh the red bars there
00:20:20
um so when you are start when you're looking at adding internet voting you're
00:20:26
adding it for the people who have computers which means that that's not necessarily everybody
00:20:33
a much bigger issue is cool version
00:20:37
bribery vote for my guy under fire horrible for my guy and i'll
00:20:42
give you a bottle of whiskey how you know it's the same problem
00:20:46
when you have vote by mail which is the only way that
00:20:50
people in oregon and washington state about half of california votes this way
00:20:55
vote by mail ballots are widely known to be subjected to bribery uncut version
00:21:00
i'm in texas along the uh the the texas mexico border area have this lovely nash of of english
00:21:07
and spanish for the people who buy and sell these ballots the cut the call them vote to carrots
00:21:12
so vote like is an english word in carroll's you know like spanish for like do it's so they're the vote dudes
00:21:19
anyway this is a very real problem and the same problem could happen with
00:21:24
internet because somebody can be watching over your shoulder while you do it um
00:21:29
also even if you do have a computer your computer is insecure i found this lovely diagram
00:21:35
showing what fraction of computers in different countries lotus with ruins looking pretty good on the starter
00:21:42
um no no less when you have an older computers are more likely to have vulnerabilities
00:21:49
um here's some related android data this is the uh the latest entry distribution uh
00:21:55
information that they publish roughly once a month they haven't put june data out yet
00:22:00
so anything older than a hundred forgot for means that a a
00:22:04
google can't patch the browser and a bunch of other core infrastructure
00:22:08
so three point eight percent of enjoy devices are wildly insecure and
00:22:12
should never be used by anybody ever if they're still out there
00:22:16
um and only just slightly about half of a hundred devices have the kinds
00:22:22
of features you really wanna hang in internet voting system like harbour at a station
00:22:27
the ability for the hardware to say i'm running the correct
00:22:30
software stack the correct up always the correct apps and nothing else
00:22:35
those features are only there on maybe half the devices
00:22:41
and the internet itself could be subject to attack um the russians allegedly
00:22:46
did this to stone yeah in their own actions in two thousand seven
00:22:50
there's a lot more we could talk about the stone elections i don't really have
00:22:54
time to get into it but you know the internet is not always there for
00:23:00
and if you have the internet there's a server somewhere and that's server also can be insecure
00:23:07
so the uh city of toronto canada was looking at adopting internet voting and they did a study
00:23:13
and they i mean just the most basic things like getting your asses cell stack configured correctly
00:23:19
and their conclusion was that no proposal provided adequate
00:23:23
protection against the risks inherent in internet brody um
00:23:28
related lee the say the same start the same conclusion from this estonian study
00:23:32
still onions in stone is internet voting systems
00:23:35
blindly trust the election servers and the voters computers
00:23:40
so if there's now we're on either side it it's not gonna work
00:23:46
one commonly proposed way of getting around this problem as a technical code coding
00:23:53
the idea is that you may all the voter through just on paper
00:23:57
a set of uh codes here i just use random four letter i codes
00:24:04
so if you wanna vote for alice you would type in tae g.
00:24:07
h. w. and then the server would send you back t. s. yeah
00:24:11
and you would know that no amount of people now we're on your personal computer could fake that
00:24:17
if you get the correct verification code back then you know that the remote server sawyer but
00:24:23
so could loading mitigates against client side now
00:24:27
where but does nothing for server side now where
00:24:30
nothing for um the the the the rest the
00:24:34
internet going down and the usability for this terrible um
00:24:40
on a typical ballot that i might vote in houston i might have eighty questions that i'm supposed to answer
00:24:46
in texas we vote for all these charges and sometimes constitutional amendments
00:24:51
eighty if i have to do that like type in a four digit code eighty times
00:24:56
the error rate will be unacceptably high that that he will be high it's just no no
00:25:04
and and there's the crypt of fairy dust i to figure out how
00:25:08
to type and oh gee on my computer just to get this right um
00:25:12
there are a number of companies that make irresponsible claims i just picked up this one at random
00:25:18
i'm not picking on them especially there was the first one that happened
00:25:22
so here's directly from their website they say that you know we surpass government standards there
00:25:28
are no government standards so you're surpassing the empty set that that's not that's not interesting
00:25:36
and they say it's end and verifiable build awesome and if they collect cast
00:25:42
iron you know it must be so how it or at least heavy um
00:25:48
these kinds of claims are meaningless without proves to back them up and
00:25:52
we saw the same thing here in switzerland when the swiss posts collaboration recital
00:25:59
well in the and and number of grip talker first looked at this unions that were
00:26:04
published in town significant box and that resulted in the swiss post pulling the trial and
00:26:11
i last i heard it's not coming back i don't know it's just this news is changing quickly
00:26:16
so to summarise internet voting these just no no
00:26:23
alright
00:26:25
the topic so what if if i don't like internet voting and if i don't like
00:26:29
paperless electronic voting machines and i don't i told a lot of things i don't like
00:26:34
well what what's what what should we do that what's next so the current big debate in the
00:26:40
us boils down to two different technologies hand marked paper ballots which can then be scammed by computer
00:26:47
or machine marked paper ballots so i'll show you some examples of that
00:26:53
so first hand marked paper is something that everybody tentatively understands your piece of paper
00:26:58
you find the name you want about forget fill in the bubble everybody gets it
00:27:02
it has some very nice security properties there's no computer
00:27:06
in between the voter and the record of the voters intent
00:27:10
there's nothing that the evil russians can do between the
00:27:14
voters brain in their hand and the pencil and paper
00:27:18
they can try to confuse you with propaganda but they can't manipulate the pencil it's not a computer
00:27:24
um there are usability limitations if you have low motor control as if your if
00:27:30
your blind if you have if you're a literate than there are real problems with this
00:27:35
and those large texas pellets i described are like four sheets of paper
00:27:40
that you have to flip through and it's still it's a lot of work
00:27:44
but the real killer is turns out to be ambiguous marks
00:27:48
so every one of the fifty us states as a different
00:27:52
legal standard most states have a standard called intent of the voter
00:27:56
which is to say if there's weird lines narrows in scratch out some things
00:28:01
then it's up to human beings to try to guess what that boulder mat
00:28:05
and that's all fun and games until you get something like this this is
00:28:08
a famous example from a closely contested senate race in minnesota in two thousand eight
00:28:14
election nerds call this the lizard people ballot everybody knows this one bite me
00:28:19
'cause these were litigate everyone of these went to court 'cause the election was
00:28:23
so tiny that both sides were arguing about the interpretation of ambiguous ballots like this
00:28:29
so is that a vote for al frank in because the bob was filled in or is it in over vote because it has
00:28:35
a lizard people down in the riding area but without the bottle
00:28:38
filled an but ah this kind of thing drives election officials crazy
00:28:44
the nice part about an electronic voting machine is they get rid of all this ambiguity
00:28:50
um well okay but i haven't i haven't gone to electronics yeah when you have
00:28:54
paper ballots that are standby machine now we have to worry about the scanner being evil
00:29:01
yeah i saw professor at u. c. berkeley named philip stark who is
00:29:05
the chair of their statistics department came up with this really clever idea
00:29:09
called risk limiting arts what you do is you were statistically
00:29:13
sampling the paper ballots by rolling dice you literally roll dice
00:29:19
actually that's see the random number generator that gives you doubt identifiers but really you're just rolling
00:29:24
dice you you pull up the ballot and the paper ballot and electronic image of it should match
00:29:31
and if they match you continue and if they don't match that's bad
00:29:35
and the the the name of the statistical games to prove that the error rate
00:29:41
is smaller than the margin of victory your goals to try this from the same thing perspective figure
00:29:47
out whether the correct when irwin which means the larger the margin of victory the smaller the number samples
00:29:54
and it's completely independent of the number of cast but it's just a beautiful the math is awesome
00:29:59
we're talking you know typical action you might have to touch thirty balance very very reasonable amount of work
00:30:08
and if you do find discrepancies this the generates two of full manual rico
00:30:13
so that provides very strong protections against now where in the scanning computer
00:30:19
alright so that was planned one we're gonna vote on paper first plan to
00:30:24
we have some kind of a touch screen computer this is and yes unless express vote
00:30:29
and the way it works is you put up you put a blank sheet of paper in it's it's normal paper
00:30:36
and then use make all your selections and then it prints out the ballot um they
00:30:41
had a bunch of really terrible engineering decisions so if you look at this up close
00:30:47
you see that the actual text is very small and hard to read and why do we have all these bar codes
00:30:55
'cause now you have to worry that what if the machine is evil and then the
00:30:58
bar codes may or may not represent the same thing as the the the human readable part
00:31:05
to me this is engineering ways yes o. c. r.
00:31:08
software is very very accurate for especially for some of those
00:31:12
printed by machine and then to be scanned by another machine there's just this they were really easy as an engineering there
00:31:19
also oh by the way when you decode the bar codes they give you x.
00:31:23
y. coordinates of where the filling bubble would've been had it been a normal bubbled out
00:31:29
that's what the bar codes or encoding just x. y. coordinates
00:31:33
anyway
00:31:35
but why do election officials love these things the answer is
00:31:39
that have lots of features that make ministering large elections efficient
00:31:43
i'm in uh in this city the size of houston there
00:31:47
will be literally three to four thousand this thing to ballot styles
00:31:53
based on all the crazy little precinct lines and how they overlap so depending
00:31:58
on exactly where you live you know you your your neighbour down the street
00:32:02
and you might have a very different ballots style and what that means is
00:32:06
you have to make sure that each folder is presented with the correct style ballot
00:32:11
it's it's nice when you when you don't have to worry about reprinting three thousand styles ballots
00:32:17
and of course you could have button boxes headphones and all sorts of
00:32:20
accessibility devices and interesting open question those how do you do risk limiting or
00:32:25
so this is a picture i took that's the button box you can see that it has braille markings so this makes it
00:32:32
it's engineer to be widely used in usable by the broadest
00:32:37
voting population what actually tried voting with it i put on the headphones like tried to your was on the screen
00:32:44
so see that button that says back and forward and you write in vote it gives you a picture of a
00:32:49
keyboard and you'd think that back and forth an up and down or like to the navigation on the keyboard look
00:32:56
up and down or like a. b. c. d. and then back and forward change which race you're looking
00:33:03
it's astonishingly counter intuitive it's a it's it's a usability disaster
00:33:10
ah so can anybody to this right so los angeles tries try
00:33:16
this is a picture of one of their prototypes so los angeles is
00:33:21
the award los angeles county as opposed to the city of los angeles
00:33:26
essential is county has the most voters of any continuous it's huge it's using it so what they did
00:33:33
is they had they saved up their money and they spend spend years and years designing this thing
00:33:40
as you have a a touch screen device you can see human
00:33:44
little picture that box hanging over the back at the ballot box
00:33:47
and you can see on the right side of the screen but they of a paper ballot
00:33:52
that's full size it's human readable and you you put the ballot you on when it's blank
00:33:59
actually it just has the right precinct identifier on top reads that gives you the correct route style
00:34:05
put in what you want and then it shows it back out again so you can look at
00:34:09
at that point if you have a if if you're the kind of order who has lower controller blind or whatever
00:34:16
then you can just hit the i'm done button and it sucks it right back in and drops it in the box on the other hand
00:34:21
if you if you wanted so see it optional to touch it but it's available to touch
00:34:28
so that they tried very hard to be both usable and secure
00:34:32
the the security story here isn't about fancy grip though
00:34:35
it's mostly about locking the loader and trusted hardware that's what's
00:34:41
um i worked with travis county which is austin texas we designed the thing called
00:34:46
star remote that i could spend a whole hour telling you how great it is
00:34:50
the general idea was that we had a touch screen user interface and we had
00:34:54
fancy and and gripped harbour fee which i'll talk a little bit about the middle
00:34:58
in in in a minute um this is a prototype we built it rice you can see that for like
00:35:04
the machine that that pulled the paper into the ballot box we re purpose to cheat h. p. in jet
00:35:10
once you get rid of the injured part of the printer what you're left with a reliable device for grabbing a piece of paper impolite
00:35:18
so the printer part was terrible but but the paper grabbing part is very overlap
00:35:23
anyway this whole thing with howard by raspberry pie and we use this for usability studies rights
00:35:32
bowling in crypt harbour fee actually get along really well i'm josh fellow got
00:35:38
his p. h. d. from mit in eighty eighty nine working on voting in retarded
00:35:43
and the big announcement of the year ago was that microsoft actually the notes became more recently
00:35:51
a year ago they made the deal microsoft is building what they call election guard a software
00:35:57
development kit that includes all the state of the art ripped a graphic tricks for voting and
00:36:02
they're making it open source a microsoft hired gal while which is a research lab in portland
00:36:08
yeah well is best known for software verification technologies
00:36:12
they are big users of software verification tools and techniques it's
00:36:17
so together they're building something that could potentially be really exciting
00:36:21
so i'm gonna briefly tell you what exactly is it the crypt harbour fee can do in the space about it so
00:36:29
you made or for this phrase into and this is the only equation today
00:36:33
so i'm trying not to be too scary so we can define our encryption system
00:36:39
ryan crypt a in the user discounters zero one and
00:36:43
i can define an operation here i'm calling it circled plus
00:36:47
and i can take to encrypted counters i can do an
00:36:50
operation and it says if id crypt did added and re encrypted
00:36:56
and this is easy to implement under the what it looks like
00:37:00
public equipped arbour fee that most of you should have some familiarity with
00:37:04
what this means is that we still have all the usual properties we like from for target
00:37:10
voter cannot decrypt their vote but the voter can go home with their encrypted well that's right
00:37:17
and everybody can we compute encrypted total everybody can verify that there's your
00:37:23
boat is in battle some really really nifty properties come out of us
00:37:29
we also have something called a non interactive zero knowledge
00:37:33
proof this was one of the things that silo got wrong
00:37:37
but what i'm not what an easy proof does as i can say i've encrypted uh number
00:37:42
i'm not gonna tell you what it is but i'm gonna prove to you that
00:37:45
it's either zero or one but you can't tell which but definitely not anything else
00:37:51
we don't want somebody in crippling you know a million and then being able to push the the totals crazy
00:37:57
so music's can be used to prove the each individual counter is well formed
00:38:03
they can be used to prove that all of the counters for one race add up correctly that you know
00:38:09
if they're five candidates for president that the some of the counters is also zero or one
00:38:14
likewise at the end of the day when election officials to decrypt an operation they can prove to you that they did it correctly
00:38:22
um there's a broad family of technical threshold crypt arbour
00:38:26
feet so rather than talking about the election officials decrypt
00:38:31
no i can choose let's just call them trustees so that might be the chair of
00:38:36
the republican party that you're the democratic party the newspaper editor the the chair of that
00:38:42
you pick any end people and any pay out of those
00:38:47
and can get together and do an operation which is the description
00:38:51
and if less than play out of enter together then they cannot do any description about
00:38:56
and again collectively they produce a proof that the output is correct awesome stuff and
00:39:03
not not block chain hash chaining is very appropriate in the space
00:39:08
so every ballot we see we're gonna printer receipt for every voter and that we see is
00:39:13
really just the hash the cipher text every vote but also the hash of the prior one
00:39:18
which means that it's the hash of the one before that before that before that so if you vote at
00:39:24
the end of the day you walk away with a hash that protects all the votes earlier in the day
00:39:30
and that gives you incredible power to detect last missing or tempered votes
00:39:36
and this to me did the start of design we said all these are all just computers connected together in a local network but
00:39:43
just make copies everywhere so every machine has a copy of the full history of all of the machines storage is cheap why not
00:39:50
um
00:39:52
this sounds suspiciously similar to be quite but there's one really important
00:39:57
difference which is all of the crypt occurrences are designed to produce consensus
00:40:03
that even if somebody's trying to fork the block chain that's somehow unless
00:40:08
they control fifty one percent of all of the of the computational power
00:40:13
that both were still gonna have some kind of convergence well here i don't want consensus i don't want the
00:40:20
majority to over rule than already when the minority might have the only evidence of some l. seasons that happens
00:40:26
instead the model is we're just gonna collect evidence and if at the end of the
00:40:31
election the evidence is inconsistent then we call the police we go to court something bad happened
00:40:37
and it becomes if not for consensus algorithm but for a
00:40:41
job sort of action official to decide which version of history's correct
00:40:47
so i mention josh panel earlier years his clever idea for how that what if the machine sheets right but
00:40:53
if i vote ellis for president in the machine records a cipher text for bob how white figure that out
00:40:59
well the voters gonna make a selection and we wanted have whatever tower first call commitment one
00:41:05
of course the machine to generate the encryption of remote before knows what's gonna happen with it
00:41:10
so that means that it might printout that we see now
00:41:13
the voting machine can't change the cipher text without breaking the receipt
00:41:18
and now the voter gets of shorts did you wanna actually cast that valid or not
00:41:24
and so if you say well i guess i didn't wanna cast the ballot and we're done no problem
00:41:29
but if you say actually i didn't i i made a mistake i i boarded the wrong candidate for president
00:41:35
so now we're gonna spoil without which is a completely normal
00:41:39
thing believe it or not texas law you get three tries
00:41:43
the impact of baseball on voting policy um you get three tries so means you
00:41:49
can spoil to balance it's built right into texas selection lot most states have something similar
00:41:54
and any ballot that you don't vote is a ballot that the election system has to decrypt for
00:42:00
and if you voted hours for president and it recorded a cipher text
00:42:05
for bob you have assigned confession but the machine she'd that's a big deal
00:42:10
so how not to do and to encourage are pretty well
00:42:16
the the side all people i think demonstrated that thoroughly so i'm not gonna spend
00:42:21
too much more effort on it more interesting question is a selection guard gonna be better
00:42:26
right now it's it's it's it's not really you can't buy it they're working actually
00:42:30
i just signed a contract i'm gonna go work for them and align help them um
00:42:36
how are microsoft research and go wow gonna do better than side
00:42:41
legit question well all i can tell use these organisations have people who
00:42:45
are really really good grip talker fee and that's offered verification uh and
00:42:52
they're planning to build a prototype similar to start road actually like copied all of our stuff like over solid
00:42:57
works for the ballot box you know i i have i have high hopes for them but we're gonna see
00:43:04
but i wanna say that even with the world's greatest prepare people and software
00:43:08
verification people we still wanted to run in precinct because internet voting still about like
00:43:16
so wrapping things up are we ready for the twenty twenty us selection
00:43:22
my biggest concern is is not actually the voting machines you
00:43:25
will they have vulnerabilities my biggest concern is the voter registration data
00:43:29
which are databases that says the ten wallet lives at this address has not voted yet
00:43:34
um i can go to any one of forty locations in houston
00:43:39
to vote early into in the two weeks before the election and then there's an online database the checks off that i bought it
00:43:45
that database has to be online because i can go to any place i was given by ballot
00:43:52
which means if it's online it's potentially ball it's putting it so i it might have a vulnerability that gets played
00:43:59
um and and voting sadly i love it but it's it's still
00:44:05
years away from production years and i still think in that idea
00:44:09
so i'll wrap up and say that this is no i'm just i'm building
00:44:14
on on i'm talking about a lot of work i've done some of it
00:44:18
this is you know i was part of an n. s. f. research
00:44:20
centre that looked at a centre for correct usable reliable audible in transparent elections
00:44:27
you can't do research in computer science that having a clever acronym
00:44:31
and we also had some support for microsoft alright thank you very much
00:44:42
hi i think if we have time for questions absolutely alright to have microphones moving round
00:44:47
has work guy see one microphone over there you do it's alright so please find a microphone
00:45:00
oh
00:45:03
well there
00:45:05
strolls um thanks for the wonderful talk yeah and i really enjoyed
00:45:10
the fact that you were talking about some of the more fundamental issues
00:45:14
that are not necessarily technological but shouldn't factors
00:45:20
when you do e. voting in this mechanism even if it isn't necessarily on the where
00:45:26
how do you still a work around those human factors such as writing the phone or work or something
00:45:34
well this is a fundamental challenge and building a the
00:45:38
us has so long and glorious history of election fraud
00:45:42
um in my grin migrate state of texas in nineteen forty eight there was a
00:45:48
a senate primary race with lyndon begins johnson who later on became president
00:45:53
uh versus i forget the name of the guy and the way that elections worked back then
00:46:00
was that there was like a two week period where each of the counties could report corrections
00:46:05
so they're totals so it was like teamwork each each local county boss would try that up their vote tallies
00:46:13
to try the big they're gonna when this in c. a. and that
00:46:18
was normal in the nineteen forties election fraud is just along in glorious history
00:46:24
and it's not it's human nature people will i mean this is why i'm a big fan of loading in
00:46:30
the polling place because it's really it's mandatory privacy it's
00:46:35
mandatory that nobody can watch over your shoulder while you
00:46:39
and that's the only way that we know i'll tell honestly capture voter intent
00:46:45
um the estonian system has this concept that you can cast your vote multiple times in the last one wins
00:46:52
and so you can take your bride from ten different people and then go your own way the eleventh time
00:46:57
that's the estonian idea the problem is here's how i force you i say okay you're gonna vote a certain way
00:47:03
and now give me your national id card i'll give it back to you
00:47:06
after the elections over 'cause they have a smart card id card without that okay
00:47:12
so you know bribery incursion is always gonna be a part of elections and it's something we have to worry about
00:47:20
thank you very much
00:47:28
continuing conversion topic harm a yes or are
00:47:33
you know eroding and mail i'm a are totally
00:47:38
overboard to kind of course you can you talk about how itself fees oh gosh yeah ah but
00:47:48
if you allow of order have their smart phone in the holes
00:47:53
then they can you know people wanted a it's it's patriotic look here i am i voted
00:47:59
and you know you can take that picture outside of the polling place with bottles i voted sticker
00:48:05
but no people wanna do it inside the paul's and for all the obvious reasons
00:48:11
that if if you if if a poll worker no if it doesn't notice a
00:48:15
no phones earphone away if if if you're allowed to have a phone and then
00:48:19
you just said to video mode do the whole voting thing and that video is
00:48:23
very hard to fake and that means that it can also prove how you voted
00:48:30
um believe it or not texas allows you to bring each each on paper
00:48:36
so uh that's the only way i can remember how i won't vote for all these traditional racism constitutional amendments
00:48:42
so i make it shine spreadsheet i i printed out multiple pages i take that with me that's legal
00:48:49
but i yeah the only way i don't know for for them for gonna
00:48:53
keep winning the battle like one augmented reality video classes and all that takeover
00:48:59
i don't know how ever gonna stop would be a problem
00:49:07
you would like to well actually on one question that are ah which is the point to
00:49:12
you has addressed the um it's it to utility function of the whole c. right because um
00:49:19
d. i. d. your free please see that's it's a traditional system by something easily strongly
00:49:26
um we is that we believe that some improvement is e.
00:49:31
of course you see that bit of people but it's relevant speech reconstruction group
00:49:36
so you bring convenience for c. d. t. d. t. on votes by people who are
00:49:43
she didn't move oh well prudence it's hard but i mean how big is
00:49:49
it me why because you we've been talking about this you rooting for the kids
00:49:55
your conclusion is fairly pessimistic i'm not surprised
00:50:02
so sue but still we're used to push
00:50:06
to do it just just see how everything is going to
00:50:09
be featured license one we still don't have an identity notice right
00:50:14
a fifty fifty years of to ditch the right so
00:50:19
so things we are moving pretty sure decision but things
00:50:24
some of these much much boutique a lot of time to how
00:50:27
come and clearly mankind can not digits iced every c. c. ha
00:50:33
so how crucial it is it's too cool boots
00:50:40
well there are several large macro trends are pushing us towards a
00:50:47
one large trend in america's the americans
00:50:50
with disabilities act a a which requires accessibility
00:50:55
and that that covers not just boring that covers everything you know like
00:50:58
how somebody going to attend this talk to are most of your rent and
00:51:06
eighty eight regulates boating technologies as well
00:51:09
it's it's a boarding technologies must be accessible
00:51:14
and accessible for which disability answers all of
00:51:19
and that gets you to a lot of complicated engineering
00:51:23
that's one big macro trend is increasing
00:51:27
the ability for people to vote without assistance
00:51:31
uh another big trend in the us anyway is workable centres or early voting
00:51:38
which is rather that traditionally you must vote on election day how
00:51:43
your local precinct there's one place where you can vote and no roles
00:51:47
and many people find that inconvenient many people find that undesirable
00:51:52
i wanna be able why can't live on your right were quite have trouble you're
00:51:56
right but i can't i've orderly why why do i have to vote on election day
00:52:00
and so the trendy you the other thing is
00:52:03
that many traditional polling places are in churches and schools
00:52:08
and and the especially the schools don't wanna have strangers
00:52:11
walking around anymore because in america were crazy with the gardens
00:52:15
and among other reasons so what that's leading
00:52:18
to is a smaller number of larger polling places
00:52:23
like one place i can go vote is a huge supermarket near right with it
00:52:27
and kind of crazy when i'm standing in the indian food while and there's like
00:52:32
you know chinese section over there and the music is mexican and you know i'm
00:52:38
a it's a it's an international it's united nations supermarket effectively ramp loading local it's awesome
00:52:45
but that's um that's a big trend as well and the ability to have these boats centres
00:52:51
means that you cannot have pretty printed paper ballots 'cause there are thousands of distinct ballot styles
00:52:57
and that the desire to support that convenience drives us towards electronics
00:53:06
so those are the two things that have nothing to do with
00:53:08
security at all that are big driving factors in the elections universe
00:53:13
but much of that is addressed by just what which the school system
00:53:17
here yeah and the state of oregon one hundred percent i bought by they'll
00:53:23
washington state hundred percent vote by mail california fifty percent is evil the
00:53:28
western us states low vote by mail the rest of us not so much
00:53:35
right so we think we we um
Conference Program
Welcome address
Martin Vetterli, President of EPFL
June 6, 2019 · 9:48 a.m.
1565 views
Introduction
James Larus, Dean of IC School, EPFL
June 6, 2019 · 9:58 a.m.
127 views
Introduction
Jean-Pierre Hubaux, IC Research Day co-chair
June 6, 2019 · 10:07 a.m.
227 views
Adventures in electronic voting research
Dan Wallach, Professor at Rice University, Houston, USA
June 6, 2019 · 10:14 a.m.
When foes are friends: adversarial examples as protective technologies
Carmela Troncoso, Assistant Professor at EPFL
June 6, 2019 · 11:09 a.m.
169 views
Low-Latency Metadata Protection for Organizational Networks
Ludovic Barman, LCA1|DeDiS, EPFL
June 6, 2019 · noon
148 views
Interactive comparison-based search, and who-is-th.at
Daniyar Chumbalov, INDY 1, EPFL
June 6, 2019 · 12:06 p.m.
137 views
Decentralized, Secure and Verifiable Data Sharing
David Froelicher, LCA1|DeDiS, EPFL
June 6, 2019 · 12:09 p.m.
102 views
Communication Efficient Decentralised Machine Learning
Anastasia Koloskova, MLO, EPFL
June 6, 2019 · 12:11 p.m.
732 views
Detecting the Unexpected via Image Resynthesis
Krzysztof Lis, CVLab, EPFL
June 6, 2019 · 12:14 p.m.
188 views
Sublinear Algorithms for Graph Processing
Aida Mousavifar, THL4, EPFL
June 6, 2019 · 12:16 p.m.
878 views
Protecting the Metadata of Your Secret Messages
Kirill Nikitin, DEDIS, EPFL
June 6, 2019 · 12:18 p.m.
342 views
Teaching a machine learning algorithm faster
Farnood Salehi, INDY 2, EPFL
June 6, 2019 · 12:21 p.m.
570 views
Secure Microarchitectural Design
Atri Bhattacharyya, PARSA/HexHive, EPFL
June 6, 2019 · 12:23 p.m.
3463 views
Security testing hard to reach code
Mathias Payer, Assistant Professor at EPFL
June 6, 2019 · 1:50 p.m.
297 views
[via Skype] Flash Boys 2.0: Frontrunning, transaction reordering, and consensus instability in decentralized exchanges
Ari Juels, Professor at Cornell Tech
June 6, 2019 · 2:49 p.m.
497 views
Best Research Presentation Award Ceremony
Bryan Ford, Jean-Pierre Hubaux, Deirdre Rochat, EPFL
June 6, 2019 · 3:54 p.m.
211 views
Recommended talks
The upbringing of the Swedish digital citizen
Kristin Heinonen, Digital Trend Analyst, identifying communication trends & emerging user behavior
Feb. 11, 2016 · 2:38 p.m.
109 views