Election auditing verifies that the systems and procedures work as intended and that the votes have been counted correctly. If a problem arises, forensic techniques enable auditors to determine what happened and, where possible, how to compensate for it. Current audit trails record either incomplete information or unnecessary information, thereby hindering validation of the election results and of the correctness of the process, as well as determination of the causes and effects of problems.
Complicating both tasks is that the audit trails enabling analysis of failures may contain information that either exposes the identity of the voter (enabling voter coercion, for example) or communicates a message to a third party (enabling vote selling).
The goal of this project is to determine the information needed to assess whether the election process in general, and e-voting machines in particular, operate with the desired degree of assurance, especially with respect to anonymity and privacy. This project also seeks to describe the requirements that an infrastructure supporting e-voting machines must meet. It reflects a novel approach to discovering, analyzing, and balancing security, auditability, privacy, and anonymity in a real environment. Real election processes in California will be used to test the practicality of the approach and the dissemination of knowledge. Given the involvement of the election officials and the analysis of real voting procedures and systems, the anticipated outcomes of this project include a better understanding of auditing requirements and processes for elections by voting machine manufacturers, election officials, forensic analysts, and researchers.
Our principal objective for this research project was to examine the conflicts inherent between privacy, anonymity, and the recording of detailed audit trails that enable verification and analysis of the correct operation of electronic voting machines, and to investigate methods and/or conditions for removing or reducing those conflicts. In an election, auditing verifies that the systems and procedures work as intended and that the votes have been counted correctly. If a problem arises, forensic techniques determine what happened and how it can be compensated for (or determine that it cannot be). Complicating this problem is that the purpose of voting machines in particular is to allow voters to cast their votes from locations in which procedures are enforced by poll workers with limited training, expertise, and authority, and which are therefore not controlled explicitly by election officials. As those officials cannot rigorously control the environment in which voting machines operate, auditors must have enough data to validate the assumptions made about that environment. We took three steps toward this.

First, we extensively analyzed the Scantegrity voting system (www.scantegrity.org/) and the voting records and audit logs that it generates. We focus on Scantegrity not to single it out as a vulnerable system, but because it is open source and a popular system that has actually been used in practice; it may therefore contain design flaws and vulnerabilities that might also exist in other systems of similar design, current or future. It is our hope that the vulnerabilities we bring to light will be considered by current and future designers of electronic voting systems, and that the solutions we propose will also be considered as possible remediations. Second, we conducted interviews with Marin and Yolo county election officials about audits and examined the characteristics of logs typically generated by voting machines in actual, large, public elections.
Third, we considered areas outside of elections in which collecting audit logs might raise problems similar to those in elections, where there are conflicts between the goals of validating the integrity of the system and maintaining confidentiality of some kind. In particular, in high-security environments there may be multiple levels of classification, and there may also be compartments within those levels. That is, just because somebody has a particular level of security approval does not mean they should have access to everything at that level of security. They may have a certain degree of blanket knowledge but within that are only privy to certain subsets of that knowledge. On the other hand, by fully auditing everything, an implicit decision is made that the system administrators who are auditing those logs should have access to everything within all subcompartments at a given level of security. The situation in elections is similar, but in that domain such access may be either illegal or contrary to public policy.

We found a variety of vulnerabilities in Scantegrity in general as well as specific vulnerabilities relating to audit logs. Our examination of the Scantegrity system suggests that its auditing is considerably better than that of systems in production use in California, but it is at significant risk of compromising anonymity and privacy, as the machine was not designed with these goals in mind. We also found that a number of potential solutions do exist. For example, some of the access control issues with Scantegrity can be resolved by preventing any one election official from being able to view all ballots. This makes it difficult for an individual election official to determine how people voted, because the probability that the official has access to the ballots that the official wishes to verify decreases as the number of ballots accessible to an individual decreases.
The audit logs may also be sanitized to a greater extent: instead of revealing how each individual ballot is cast, the audit logs can present a summary of how groups of ballots were cast, where the groups are labelled with sequential anonymized identifiers. The results of this analysis can be generalized. In particular, given that electronic voting systems are widely deployed and even Internet voting systems are being considered, there is a clear need to understand the vulnerabilities that exist in voting systems of any kind and to learn how to adapt those lessons to the other systems that are used in practice as well as to more general IT infrastructure. But the outcome of our work is clear: there is a need to balance the benefits of audit logs with the potential downsides to confidentiality, anonymity, and privacy.
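The group-summary sanitization described above, as an added example that is not part of the original report: per-ballot records (constructed sample data) are cut into consecutive groups, each group is labelled with a sequential anonymized identifier in place of any ballot id, and an integrity check confirms that the summarized tallies still sum to the full count. The record layout, the group size, and the function names are assumptions.

```python
from collections import Counter

# Constructed sample of per-ballot audit records (sequential ballot id, choice).
# Illustrative data only; not the output of any real voting system.
SAMPLE_BALLOTS = [
    ("0001", "Alice"), ("0002", "Bob"),   ("0003", "Alice"), ("0004", "Alice"),
    ("0005", "Bob"),   ("0006", "Carol"), ("0007", "Alice"), ("0008", "Bob"),
    ("0009", "Alice"), ("0010", "Alice"), ("0011", "Bob"),
]


def sanitize_audit_log(ballots, group_size):
    """Replace per-ballot entries with per-group tallies.

    Ballots are taken in log order and cut into consecutive groups of
    `group_size`; each group receives a sequential anonymized identifier
    and no ballot id survives.  A trailing group shorter than `group_size`
    is merged into the previous group so that no group is small enough to
    expose an individual voter's choice on its own.
    """
    if group_size < 2:
        raise ValueError("group_size must be at least 2 to hide any ballot")
    ballots = list(ballots)
    chunks = [ballots[i:i + group_size] for i in range(0, len(ballots), group_size)]
    if len(chunks) > 1 and len(chunks[-1]) < group_size:
        chunks[-2].extend(chunks.pop())  # fold the short tail into its predecessor
    return [
        {"group": gid, "ballots": len(chunk),
         "tally": dict(Counter(choice for _, choice in chunk))}
        for gid, chunk in enumerate(chunks, start=1)
    ]


def totals_preserved(ballots, summaries):
    """Audit check: sanitization must not change the overall count."""
    full = Counter(choice for _, choice in ballots)
    summed = Counter()
    for entry in summaries:
        summed.update(entry["tally"])
    return full == summed and sum(e["ballots"] for e in summaries) == len(ballots)


def unanimous_groups(summaries):
    """Groups whose tally names a single choice reveal every ballot in them;
    an auditor seeing any should choose a larger group size."""
    return [e["group"] for e in summaries if len(e["tally"]) == 1]


if __name__ == "__main__":
    summary = sanitize_audit_log(SAMPLE_BALLOTS, group_size=4)
    print(summary, totals_preserved(SAMPLE_BALLOTS, summary), unanimous_groups(summary))
```

With a group size of 2 the sample data produces a unanimous group, which shows why the group size has to be chosen against the actual distribution of votes rather than fixed in advance.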