Election Audits Ensure Intent of Voter Prevails in Elections
"Audits are one of the most important means for ensuring the accuracy of election outcomes, and for allowing observers to verify that accuracy. There is a strong consensus among those who study election security about what is needed to make audits effective. . . .Voter-verified paper ballots are essential to ensure that elections can be audited. . . .
Voting systems are supposed to record and tally the votes that express the will of the voters in electoral contests. Given that no system is perfect, in order to ensure that the will of the voters is accurately captured by the voting system and the outcomes are correct, election officials must deploy safety-checks on the entire system. Contest specific recounts [GAVV editor's note: This is not possible with paperless DRE voting systems such as that currently used in elections in Georgia] sometimes will clarify the outcome in particularly close races, but the bar to initiating full recounts is high so they are too intermittently applied to serve as an essential spot-check. Instead, officials must conduct random manual audits of a smaller set of ballots.
A random manual audit means that ballots to be audited are selected through a random process and counted manually, and the resulting hand tallies are compared with tallies made by the voting system to check for accuracy. In cases where the tallies differ, additional records may be audited to determine the outcome."
"The Concept of Software-Independence in Voting Systems"
"A voting system is software-independent if a previously undetected change or error in its software cannot cause an undetectable change or error in an election outcome. In other words, it can be positively determined whether the voting system’s (typically, electronic) CVRs are accurate as cast by the voter or in error. In SI voting systems that are readily available today, the determination can be made via the use of independent audits of the electronic counts or CVRs, and independent voter-verified paper records used as the audit trail.
A simple example of this is op scan, in which a voter marks (by hand or using an EBM) the paper ballot. The voter verifies the paper ballot is correct, thus it is voter-verified, and the paper ballot is “outside” or independent of the voting system, i.e., it cannot be changed or modified by the voting system. As a consequence of these two factors, the paper ballot can be considered as independent evidence of what the voter believed he or she was casting. After the paper ballots are scanned, they can subsequently be used to provide an independent audit, or check, on the accuracy of the electronic counts.
If an undetected change or error in the optical scanner’s software were to cause erroneous counts, subsequent audits would show the errors. Even if malicious code was inserted into the scanner’s software, the audits would detect resultant errors in the counts. Therefore, the correctness of the scanner’s counts does not rely on the correctness of the scanner’s software, and thus op scan is software independent: changes or errors in its software will be reliably detected by independent audits of its electronic counts. Thus, the primary ingredients to SI as illustrated in op scan are (1) voter-verified records that are (2) independent of the voting system used in (3) audits of the scanner’s electronic counts."
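The random manual audit described in the excerpts above (random selection, hand count, comparison with the electronic count, escalation on any disagreement), as an added worked example that is not part of the quoted reports. The ballots, the flipped CVRs, the public seed string and the 5% miss-probability target are constructed assumptions; the audit compares each sampled paper ballot with its own cast vote record, which presumes the scanner keeps CVRs in a ballot-linked order.

```python
import hashlib
import random
from collections import Counter
from math import comb

# Constructed sample data, not from the page: the paper ballots are the
# voter-verified record (ground truth); the CVRs are what the scanner's
# software reported. Six CVRs are silently flipped to stand in for an
# undetected software error or a malicious change.
PAPER_BALLOTS = ["A"] * 110 + ["B"] * 90
CVRS = list(PAPER_BALLOTS)
FLIPPED = (3, 17, 42, 88, 123, 160)
for _i in FLIPPED:
    CVRS[_i] = "B" if CVRS[_i] == "A" else "A"


def tally(records):
    """Contest totals from any list of ballot choices (paper or electronic)."""
    return Counter(records)


def flips_to_erase_margin(counts):
    """Fewest miscounted ballots that could wipe out the reported margin."""
    top, second = sorted(counts.values(), reverse=True)[:2]
    return (top - second + 1) // 2


def miss_probability(n_ballots, n_wrong, sample_size):
    """Chance a uniform random sample contains none of the n_wrong bad CVRs."""
    if sample_size > n_ballots - n_wrong:
        return 0.0
    return comb(n_ballots - n_wrong, sample_size) / comb(n_ballots, sample_size)


def sample_size_for(n_ballots, n_wrong, max_miss=0.05):
    """Smallest sample whose chance of missing every bad CVR is <= max_miss."""
    for k in range(1, n_ballots + 1):
        if miss_probability(n_ballots, n_wrong, k) <= max_miss:
            return k
    return n_ballots


def select_sample(n_ballots, sample_size, public_seed):
    """Choose which ballot positions to hand count.

    Assumption: public_seed is generated in public (e.g. dice rolls) only
    after the electronic results are fixed, so neither the voting system
    nor anyone else can steer which ballots get examined.
    """
    rng = random.Random(hashlib.sha256(public_seed.encode()).digest())
    return sorted(rng.sample(range(n_ballots), sample_size))


def compare_sample(paper, cvrs, positions):
    """Hand count each sampled paper ballot and compare it with its CVR."""
    return [(i, paper[i], cvrs[i]) for i in positions if paper[i] != cvrs[i]]


def run_audit(paper, cvrs, public_seed, sample_size):
    """Random manual audit: sample, compare, escalate on any discrepancy.

    The electronic count is trusted only when the sampled paper agrees with
    it; otherwise the paper record decides the outcome (full hand count).
    """
    positions = select_sample(len(paper), sample_size, public_seed)
    discrepancies = compare_sample(paper, cvrs, positions)
    if discrepancies:
        return {"outcome_source": "paper", "escalated": True,
                "discrepancies": discrepancies,
                "final_tally": tally(paper), "machine_tally": tally(cvrs)}
    return {"outcome_source": "cvr", "escalated": False, "discrepancies": [],
            "final_tally": tally(cvrs), "machine_tally": tally(cvrs)}


if __name__ == "__main__":
    machine = tally(CVRS)
    k = sample_size_for(len(CVRS), flips_to_erase_margin(machine))
    print(f"machine tally {dict(machine)}: hand count {k} of {len(CVRS)} ballots")
    print(run_audit(PAPER_BALLOTS, CVRS, "public-dice-roll-constructed", k))
```

The sample size is derived from the reported margin, not from knowledge of how many CVRs are wrong: the audit is sized so that enough miscounts to overturn the result would land in the sample with at least 95% probability. Any disagreement at all sends the contest to the paper record, which is what makes the outcome independent of the scanner's software.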
2004 RABA Trusted Agent Report AccuVote: "The Independent Testing Authorities validate functionality but do not perform security analyses. In consideration of these facts, we strongly recommend that the SBE require their vendors to provide independent source-code level security assessments for their products. Proprietary concerns should never be allowed to mask security through
2004 "Threats to Voting System Transparency," submitted to the U.S. Election Assistance Commission, Gaithersburg, Maryland, September 20, 2004, Douglas W. Jones, associate professor, The University of Iowa Department of Computer Science
Cryptography for Security | Ballot Secrecy
"The use of cryptographically secure authentication to protect transmission of election data from precincts to election management systems is a specialized context, in which the basic assumptions under which DES was cracked may not apply. There are two ways in which an adversary may attack this transmission path in a voting system:
First, the adversary may attempt a man-in-the-middle attack, trying to crack the authentication, edit the vote totals and forge new authentication data for the edited totals. In jurisdictions where polling places transmit totals by public networks, for example, by telephone, there is usually a fairly short window during which the data must be transmitted, on the order of an hour. If data is hand-delivered, for example, in an electronic cartridge, the delivery window will be longer to allow for physical travel, but this does not give the adversary much more time for computation. Attacks that take many hours would be of no use here.
Second, the adversary may forgo cracking the authentication keys and attempt a trial-and-error attack, hoping to deliver an acceptable forgery before the authentic data is transmitted. Alternately, the trial-and-error strategy could be forced on a man-in-the-middle attack when a complete crack of the authentication keys is impossible. In either case, if even one bit of authentication information is wrong, the attack can be detected. All modern voting systems offer alternative channels that can be used when an attack is discovered, so trial-and-error is unlikely to pay off. In short, very weak authentication is sufficient if the attacker gets only one shot at a trial-and-error attack."
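The transmission path described above, as an added example that is not from Jones's submission: a precinct attaches an HMAC tag to its totals, the election-management side verifies it, and after a single authentication failure the electronic channel is closed in favour of the alternative channel, so an attacker gets exactly one trial. The key, precinct identifier, totals and the 4-byte truncated tag are constructed assumptions used to show that even a short tag detects an edited total on that one attempt.

```python
import hashlib
import hmac
import json

# Constructed values, not from the page: a key provisioned to one precinct's
# equipment before election day, and that precinct's reported totals.
PRECINCT_KEY = bytes.fromhex("0f" * 32)
TOTALS = {"precinct": "P-07", "contest": "Council", "A": 412, "B": 388}


def encode_totals(totals):
    """Canonical byte encoding so both sides authenticate identical bytes."""
    return json.dumps(totals, sort_keys=True, separators=(",", ":")).encode()


def sign_totals(key, totals, tag_bytes=32):
    """Precinct side: HMAC-SHA256 tag over the totals, optionally truncated."""
    msg = encode_totals(totals)
    tag = hmac.new(key, msg, hashlib.sha256).digest()[:tag_bytes]
    return msg, tag


def verify_totals(key, msg, tag):
    """Receiver side: constant-time compare; one wrong bit in the tag fails."""
    expected = hmac.new(key, msg, hashlib.sha256).digest()[: len(tag)]
    return hmac.compare_digest(expected, tag)


class CanvassReceiver:
    """Election-management side of the link.

    Models the one-shot property: after the first authentication failure the
    electronic channel is closed and the precinct falls back to the
    alternative channel, so a trial-and-error forgery cannot be repeated.
    """

    def __init__(self, key):
        self.key = key
        self.channel_open = True
        self.accepted = None

    def receive(self, msg, tag):
        if not self.channel_open:
            return "channel closed: use alternative channel"
        if verify_totals(self.key, msg, tag):
            self.accepted = json.loads(msg)
            return "accepted"
        self.channel_open = False
        return "rejected: authentication failed, switching to alternative channel"


def edit_in_transit(msg, field, new_value):
    """Stand-in for an edited total on the wire (the tag is not updated)."""
    data = json.loads(msg)
    data[field] = new_value
    return encode_totals(data)


if __name__ == "__main__":
    msg, tag = sign_totals(PRECINCT_KEY, TOTALS, tag_bytes=4)
    receiver = CanvassReceiver(PRECINCT_KEY)
    print(receiver.receive(edit_in_transit(msg, "A", 380), tag))
    print(receiver.receive(msg, tag))  # genuine data now has to go another way
```

The truncated tag is deliberately weak in the general sense (a 32-bit tag would not survive an offline forgery campaign), but with the receiver closing the channel on the first failure the forger's success chance is one guess out of 2^32, which is the point the excerpt makes.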
...."One critical requirement for any voting system used in the United States is that it protect the secrecy of the voter's ballot. The order in which voters enter a particular voting booth is no secret, any observer can record this. The ballots themselves are also only weakly guarded....For the I-Mark/Global/Diebold AccuTouch system, for example, a well-known and very weak linear congruential random number generator was used. Unfortunately, when Compuware Corporation evaluated this same system, they concluded that this generator posed no risks. Curiously, they did note that the pseudorandom number generators used for this purpose by ES&S and Sequoia were seeded from the real-time clock, showing some awareness of the limits of randomness.
Unfortunately, a brute-force exhaustive search through all possible 32-bit seeds is remarkably fast on a modern computer. Furthermore, the sample size, typically around 100 ballots per voting machine, is large enough that an exhaustive search may well be sufficient to reveal the seed that put the ballots into particular slots within the ballot box. As a result, simply seeding a weak pseudorandom number generator from the time of day clock may offer no real privacy."
Douglas W. Jones, associate professor, The University of Iowa Department of Computer Science
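The ballot-secrecy weakness in the excerpt above, as an added example that is not from Jones's testimony and not the AccuTouch code: a toy linear congruential generator seeded from the time of day shuffles 100 ballots into storage slots, and an evaluator's check enumerates every seed the clock could have supplied to show that the stored order is fully recoverable. The LCG constants, the seconds-since-midnight seed space and the seed value are constructed assumptions; the page only says the generator was weak and clock-seeded. The same loop over all 2^32 seeds is what the excerpt calls remarkably fast, and the hardened form at the end has no seed to recover.

```python
import secrets

# Toy LCG with glibc-style constants. These are an assumption for
# illustration; the page does not state which generator the AccuTouch used.
LCG_MOD = 2 ** 32
LCG_MUL = 1103515245
LCG_INC = 12345
SECONDS_PER_DAY = 86400           # seed space if seeded from time of day
BALLOTS_PER_MACHINE = 100         # the sample size the page calls typical


class WeakLCG:
    def __init__(self, seed):
        self.state = seed % LCG_MOD

    def next_int(self, bound):
        self.state = (LCG_MUL * self.state + LCG_INC) % LCG_MOD
        return (self.state >> 16) % bound


def clock_seeded_slots(seed, n=BALLOTS_PER_MACHINE):
    """Slot assignment a clock-seeded LCG produces (Fisher-Yates shuffle).

    slots[s] is the cast-order index of the ballot stored in slot s; since
    the cast order is observable at the polling place, this list is exactly
    what links each stored ballot back to a voter.
    """
    rng = WeakLCG(seed)
    slots = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.next_int(i + 1)
        slots[i], slots[j] = slots[j], slots[i]
    return slots


def seed_reproduces(seed, observed):
    """Does this seed reproduce the observed slot assignment?

    Fisher-Yates finalises slot i at step i, so a wrong seed is rejected at
    the first mismatch; the exhaustive search costs about one LCG step
    per candidate seed.
    """
    n = len(observed)
    rng = WeakLCG(seed)
    slots = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.next_int(i + 1)
        slots[i], slots[j] = slots[j], slots[i]
        if slots[i] != observed[i]:
            return False
    return slots[0] == observed[0]


def recover_clock_seed(observed, seed_space=SECONDS_PER_DAY):
    """Evaluator's check: try every seed the real-time clock could supply."""
    return [s for s in range(seed_space) if seed_reproduces(s, observed)]


def secure_slots(n=BALLOTS_PER_MACHINE):
    """Hardened form: OS entropy drives the shuffle, so there is no seed."""
    slots = list(range(n))
    secrets.SystemRandom().shuffle(slots)
    return slots


if __name__ == "__main__":
    seed_used = 51307  # constructed: 14:15:07 as seconds since midnight
    observed = clock_seeded_slots(seed_used)
    print("recovered seeds:", recover_clock_seed(observed))
    print("secure shuffle has no seed to recover:", secure_slots()[:10], "...")
```

Run as an evaluation test, this is the check that should have accompanied a claim that the generator posed no risk: if the seed comes back from a search over a clock-sized (or 32-bit) space, the shuffle adds no secrecy at all.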
GAVV editor note: The Ohio Compuware Technical Security Assessment Report asserted that the internal, proprietary computer software's capture of data in audit logs in the Diebold AccuVote-TS is adequate to prevent fraud and can be regarded as a "paper audit trail." These assertions have been refuted by top computing security and technology experts, as presented in the linked studies and testimony here [for example, #4], primarily because election data that resides in internal computer memory audit logs is software dependent and is not a transparent source for third-party verification.
2005 Florida Diebold Denied Certification for AccuVote-TSX ballot station. "Additionally, my staff has noted an additional recurring problem with the AccuVote-TSX that freezes the ballot station and requires it to be rebooted. After extensive testing, these problems remain unresolved. Therefore, I have determined that the AccuVote-TSX ballot station with AccuView Printer Module, as currently presented for certification, is not suitable for the purpose for which it is