Ph.D. Dissertation Defense
Rebecca Mercuri

Electronic Vote Tabulation
Checks & Balances

University of Pennsylvania
School of Engineering and Applied Science
Department of Computer and Information Systems

Friday, October 27, 2000
Moore 554, 2:30PM

Committee:
Norm Badler - Internal Advisor
Peter Neumann - External Advisor
Mitch Marcus -  Committee Chair
David Farber - Committee Member
Lyle Ungar - Committee Member

The subject of electronic vote tabulation involves a unique combination of technological, computational, and sociological problems that produce a set of constraints upon the systems used for ballot entry and vote counting.  This thesis identifies the various types of voting systems; the constraints under which they are required to operate; and the numerous checks and balances that need to be provided for accuracy and integrity.  The thesis involves a detailed assessment of the limitations of electronic vote tabulation systems using the framework of the ISO's Common Criteria.  Specifically, it demonstrates the existence of an application area where the Common Criteria is flawed in its ability to assure a simultaneously private and secure system.  The result has broad implications within various commercial arenas, particularly those involving anonymous data delivery.

This presentation will be a top-down discussion of the major results of the thesis, including: the codification of the Common Criteria into an generalizable assessment process; the additional critera which need to be added for voting systems; the counterindications among criteria requirements; and the unresolvability of this in the voting setting. Other topics (as time permits) are: Internet voting, open source software, encryption, access controls, trust, data, and secure channels.  The recent California Internet Voting Task Force report is also examined with regard to its security shortcomings.  Conclusions and recommendations will be suggested.


Thesis Abstract

The subject of electronic vote tabulation involves a unique combination of technological, computational, and sociological problems that produce a set of constraints upon the systems used for ballot entry and vote counting.  This document identifies the various types of voting systems; the hierarchy of constraints under which they are required to operate; and the numerous checks and balances that need to be provided in order to ensure accuracy and integrity.  The thesis work involved a detailed assessment of the limitations of electronic vote tabulation systems using the framework of the ISO's Common Criteria.  A minimal voting system was described, along with a procedure by which existing and proposed voting systems may be evaluated for potential flaws.

The result demonstrated the existence of a category of systems for which the Common Criteria can be deemed inadequate.  The Criteria provides for assessment of system dependencies, but does not account for counterindications.  Specifically, the requirement for ballot privacy creates an unresolvable conflict with the use of audit trails in providing security assurance.  This result has broad implications within other commercial arenas, particularly those involving anonymous data delivery.  Other results involved an appraisal of possible election risks (such as global denial of service and Trojan horse attacks) that are enhanced by the deployment of electronic balloting systems, along with recommendations of considerations that can assist in reducing these vulnerabilities.  A discussion of some issues related to the 2000 Florida Presidential election, recount, and litigation is included.
 

The thesis document was formally accepted by the University of Pennsylvania on April 30, 2001.
All of its contents are covered by U.S. Copyright, all rights reserved.