class: blueBack

## Practical Countermeasures for Election Hacking

### Philip B. Stark

#### Department of Statistics, University of California, Berkeley

#### http://www.stat.berkeley.edu/~stark @philipbstark

### .white[Influencers _Miror_]

### San Francisco, 18 October 2019

---

.center[
]

---
---

### Arguments that US elections can't be hacked:

.medium[
- Physical security
- Not connected to the Internet
- Tested before election day
- Too decentralized
]

---

### Arguments that US elections can't be hacked:

.medium[
.red[
- Physical security
  + "sleepovers," unattended equipment in warehouses, school gyms, ...
  + locks use minibar keys
  + bad/no seal protocols, easily defeated seals
  + no routine scrutiny of custody logs, 2-person custody rules, ...
]
- Not connected to the Internet
- Tested before election day
- Too decentralized
]

---

### Arguments that US elections can't be hacked:

- .red.strikethrough[Physical security]
.red[
- Not connected to the Internet
  + remote desktop software
  + wifi, bluetooth, cellular modems, ...
  + removable media used to configure equipment & transport results
    - Zip drives (only used ones for sale)
    - USB drives. Stuxnet, anyone?
  + parts from foreign manufacturers, including China; Chinese pop songs in flash
]
- Tested before election day
- Too decentralized

---

### Arguments that US elections can't be hacked:

- .red.strikethrough[Physical security]
- .red.strikethrough[Not connected to the Internet]
.red[
- Tested before election day
  - Dieselgate, anyone?
]
- Too decentralized

---

### Arguments that US elections can't be hacked:

- .red.strikethrough[Physical security]
- .red.strikethrough[Not connected to the Internet]
- .red.strikethrough[Tested before election day]
.red[
- Too decentralized
  - market concentrated: few vendors/models in use
  - vendors & EAC have been hacked
  - demonstration viruses that propagate across voting equipment
  - "mom & pop" contractors program thousands of machines, no IT security
  - changing presidential race requires changing votes in only a few counties
  - small number of contractors for election reporting
  - many weak links
]

---

**Can't have a trustworthy voting system without paper.**

--

How the paper is marked, curated, tabulated, and audited are crucial.
--

+ No feasible amount of testing can tell whether BMD misbehavior altered election outcomes.

---

.medium.blue[Did the reported winner really win?]

+ Procedure-based vs. evidence-based elections
  - sterile scalpel v. patient's condition

--

+ _Any_ way of counting votes can make mistakes
+ _Every_ electronic system is vulnerable to bugs, configuration errors, & hacking
+ **Did error/bugs/hacking cause losing candidate(s) to appear to win?**

---

.medium.blue[Security properties of paper]

+ tangible/accountable
+ tamper evident
+ human readable
+ large alteration/substitution attacks generally require many accomplices

---

## Evidence-Based Elections: 3 C's

.medium[
+ Voters .blue[_CREATE_] complete, durable, verified audit trail.
]

--

.medium[
+ LEO .blue[_CARES FOR_] the audit trail adequately to ensure it remains complete and accurate.
]

--

.medium[
+ Verifiable audit .blue[_CHECKS_] reported results against the paper
]

---
---

## Risk-Limiting Audits

.medium[
+ Endorsed by NASEM, PCEA, ASA, LWV, CC, VV, ...
]

--

.medium[
+ Large chance of requiring a full hand count of the votes, if that would show the outcome is wrong. (Full hand count corrects wrong outcomes.)
]

--

.medium[
+ Most efficient options: **ballot-polling** and **ballot-level comparison**
]

---

.medium[
+ 255 state-level pres. races, 1992–2012, 10% risk limit
  - BPA expected to examine **fewer than 308 ballots** for half.
]

--

.medium[
+ 2016 presidential election, 5% risk limit
  - BPA expected to examine **~700k ballots nationally** (\\(<0.5\\)%)
]

---

## Risk-Limiting Audits

.medium[
+ ~50 pilot audits in CA, CO, GA, IN, MI, NJ, OH, OR, PA, RI, WA, VA, DK.
+ CA counties: Alameda, El Dorado, Humboldt, Inyo, Madera, Marin, Merced, Monterey, Napa, San Luis Obispo, Santa Cruz, Stanislaus, Ventura, Yolo
+ AL, MO pilots planned.
+ Laws in CO, RI, WA; CA has pilot laws
]

--

---

## RLA pseudo-algorithm

--

.large[
```
while (!(full handcount) && !(strong evidence outcome is correct)) {
    audit more
}
```
]

--

.large[
```
if (full handcount) {
    handcount result is final
}
```
]

--

.medium[Chance RLA won't correct wrong outcome is less than pre-selected **risk limit**. "Wrong" means full handcount would find different winner(s)]

---

## Sampling ballots: requirements

.medium[
+ ballots (25% of US voters don't have)
+ ballot manifest
+ good, transparent, verifiable source of randomness
  - 20 public rolls of translucent 10-sided dice
]

---
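Added example, not from the talk: the RLA pseudo-algorithm loop worked through for a **ballot-polling** audit of a two-candidate contest, using the BRAVO sequential test (Lindeman, Stark & Yates) with the draw order seeded from the 20 public dice rolls. The electorate, the dice values and the function names are constructed assumptions; "strong evidence" means the test statistic reaches 1 / risk limit, and running out of ballots is the full hand count.

```python
import random
from collections import Counter

def bravo_ballot_polling(sample_order, reported_winner_share, risk_limit):
    """Sequential BRAVO-style test for a two-candidate contest.

    sample_order: actual votes in the order ballots are drawn ("W" = reported
    winner, "L" = reported loser, anything else = neither candidate).
    Returns (full_handcount, ballots_examined).
    """
    if not 0.5 < reported_winner_share <= 1.0:
        raise ValueError("reported winner share must exceed 1/2")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must lie strictly between 0 and 1")
    t, examined = 1.0, 0
    for vote in sample_order:                       # "audit more"
        examined += 1
        if vote == "W":
            t *= 2 * reported_winner_share          # evidence for the reported outcome
        elif vote == "L":
            t *= 2 * (1 - reported_winner_share)    # evidence against it
        # a ballot for neither candidate leaves t unchanged
        if t >= 1.0 / risk_limit:
            return False, examined                  # strong evidence: stop auditing
    return True, examined                           # ballots exhausted: full hand count

def run_audit(ballots, reported_winner_share, risk_limit, dice_rolls):
    """Draw ballots in a publicly reproducible order seeded by the dice rolls
    and audit until the pseudo-algorithm's loop exits."""
    order = list(ballots)
    random.Random(int(dice_rolls)).shuffle(order)   # seed from the public dice rolls
    full, examined = bravo_ballot_polling(order, reported_winner_share, risk_limit)
    result = {"full_handcount": full, "ballots_examined": examined}
    if full:                                        # hand-count result is final
        tally = Counter(v for v in ballots if v in ("W", "L"))
        result["handcount_winner"] = tally.most_common(1)[0][0] if tally else None
    return result

if __name__ == "__main__":
    DICE = "37190482615093847261"                   # constructed: 20 rolls of a 10-sided die
    electorate = ["W"] * 6000 + ["L"] * 4000        # constructed 60/40 contest
    print(run_audit(electorate, 0.6, 0.1, DICE))
```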