Paper as a Defense

Loading...

Del curso dictado por University of Michigan

Securing Digital Democracy

98 calificaciones

University of Michigan

Securing Digital Democracy

98 calificaciones

In this course, you'll learn what every citizen should know about the security risks--and future potential — of electronic voting and Internet voting. We'll take a look at the past, present, and future of election technologies and explore the various spaces intersected by voting, including computer security, human factors, public policy, and more.

De la lección

Computers at the Polls

Voting enters the computing age

Inside the Black Box11:34

Paper as a Defense9:34

More Goes Wrong10:48

Conoce a los instructores

J. Alex Halderman
Associate Professor
Electrical Engineering and Computer Science

If we can't trust computer software to securely and correctly count our votes,

what are we to do? We've already seen that every previous

voting technology has also had problems. But the best defense, the best approach to

voting that's a, agreed upon by, by most researchers in, in the voting security

community, is to add paper as a form of defense.

Now, paper? Really?

Isn't that old fashioned technology? Are, are, are all these scientists turning

into Luddites, people, people might say? But paper actually provides some very,

very important security advantages, especially when it's coupled with, with

some kind of electronic system. So, to see why something like this might,

might be might be the right thing to do, let's look into the cockpit of a modern

jetliner. This jet airliner cockpit is largely

driven by computer software. Critical things like the, the navigation

system are almost entirely computerized. That's the modern way to do it.

But it still makes sense if you acknowledge that computers sometimes are

not going to be available, sometimes are not going to be correct, sometimes are

going to have errors, to have a kind of physical backup to a computer system in

any kind of critical infrastructure like, like a plane, where if things go wrong,

peep, people will suffer or die. So, inside the cockpit of every modern

airliner, one thing that you're going to find by law is a magnetic compass.

A simple, old physical technology that provides a backup to the fancy electronic

systems. This is just common sense to have a backup

to a computer system that's something simple and physical in a case where

problems are going to result in serious damage.

And a voting machine is quite the same situation.

You want to have some kind of physical backup that records the votes just in case

the computer software is insecure or in error.

So, the scheme that, that most researchers believe is the best we can do with

available technology is to combine paper records and electronic records to have

redundant records. And one way to, to think about the, the

advantage of having these two records, is that they have what, what we might say are

orthogonal security modes. So, these are the differences in the ways

they could be induced to fail. With an old fashion paper record stored in

a ballot box, you have the possibility of physical tampering and retail fraud but

this is something that would take a large conspiracy to execute.

You need people at each of the ballot boxes you want to tamper with to change

the votes. With the digital records, things stored in

a, a memory card site, we have the possibility of, of cyber-tampering or, or

electronic tampering that would cause a form of wholesale fraud.

But this would require only a very small conspiracy.

Perhaps, just one person with brief access to the electronics.

So, when you combine these records however, if we checked to make sure that

they agree by performing some kind of auditing process after the election, then

we can have a very, very difficult situation for the criminals.

They need to have a large conspiracy to change paper records to match the

electronic records. And they have to be sophisticated enough

to make sure that they cheat in both records in a way that agrees.

Or else, we're going to notice a miss, mismatch in the audit.

So, by combining these low tech and high tech records, we can have something that's

far more secure than either paper ballots or electronic records on their own.

We can have in a way, the best of both worlds from a security standpoint.

One manifestation of this today, is precinct count optical scan, where you

have an electronic record made right at the ballot box.

The problem is that in many places, in most states, audits to check that the

paper records and electronic records agree are exceedingly rare, and only happen if,

say, there's a, a very large a very small margin of victory rather.

But we'll talk about auditing, and we'll talk about some of those procedural

questions later in the course. For these reasons, most researchers in

this field consider precinct count optical scan with audits to be the gold standard

in what today's technology can do for securing the election.

But there is another way that you can combine paper and electronic records, and

this is a technology that was invented to try to overcome some of the objections to,

to DRE voting machines. The idea is, is pretty simple.

Why not have the DRE every time someone votes, print out a piece of paper with

record of that individual ballot? And this is something that's, that's

called a Voter-Verifiable Paper Audit Trail, or VVPAT.

Also, you'll sometimes see that stand for Voter-Verified Physical Audit Trail.

Emphasizing that it's not paper that's important so much as some kind of physical

non-electronic record. The critical thing about a VVPAT is that

it has to be something that the voter can see and check is correct at the time their

casting their vote. Otherwise the, the DRE could just print

out whatever it wanted if it was behaving dishonestly at the time votes were being

cast. VVPATs are an, an interesting thing to

compare to precinct count optical scan because they have some, some slightly

different failure modes and for this reason, VVPATs although probably better

than paperless DREs are not regarded so highly by, by many researchers.

Before we conclude this week's lecture, I'd like to ask, what could go wrong with

DREs and VVPATs? Let's see if you can spot a couple of the

problems. A Voter-Verifiable Paper Audit Trail adds

some kinds of protections for the correctness and security of the DRE.

It's better than nothing but there's still a, a number of pretty important

criticisms. First of all since the VVPAT is completely

controlled by the computer in the voting machine, if the, the computer software is

dishonest, it could print paper records that don't match the voter's intent.

If the voter doesn't check that these records are what they thought they would

be this creates the opportunity for the, the DRE to cheat and get away with it.

You can imagine variations of this. The DRE depending on the, the specifics of

the design of the VVPAT mechanism might try to print extra ballots when no one is

there interacting with it. It might try to, to cancel and replace the

voter's ballots after the voter walks away.

The devil's in the details but there's all sorts of things that can go wrong with the

mechanism. Another kind of problem has to do with the

most common way of implementing a VVPAT, which is to use a, a cash register tape

style paper similar to what you saw earlier with the, the totals tape that the

Diebold DRE printed out. That kind of printing device is, is

economical. But it's not particularly reliable.

It's not particularly permanent. Those records will fade away to nothing if

you leave them in the sun for too long. And probably, probably, most importantly

it's very hard to read. So, most voters are going to be deterred

from checking just by the poor quality of the print.

Some mechanisms even require the voter to open a door to look at the tape and see

how their votes have been recorded, this is totally antithetical to the security

defense that the paper is intended to provide.

The final problem with having a cash register style tape is similar to the

problem with the Diebold memory cards that we talked in the last segment.

Just that if your not cutting the tape between each voters vote, then you have a

record of all of the votes in the order they were cast.

So, this means that if someone is watching the, the polling place and seeing who goes

up to that particular machine that votes and later they can look at the tape, they

could just figure out that this the, the, the third ballot on the tape and I was the

third voter to use the machine, therefore, they know all of my choices on the

supposedly secret ballot. So, for these reasons and, and, some

others most researchers prefer precinct count optical scan and consider the VVPAT

to be a flawed security enhancement. Then again, it's still probably better

than a purely paperless DRE. So, in the next lecture we're going to see

hands on, some of the things that can go wrong with DREs.

Explora nuestro catálogo

Inscríbete de manera gratuita y obtén recomendaciones personalizadas, actualizaciones y ofertas.

Coursera brinda acceso universal a la mejor educación del mundo, al asociarse con las mejores universidades y organizaciones, para ofrecer cursos en línea.

© 2019 Coursera Inc. Todos los derechos reservados.

Descargar en la App Store

Consíguelo en Google Play