Abstract
As paper ballots and post-election audits gain increased adoption in the United States, election technology vendors are offering products that allow jurisdictions to review ballot images—digital scans produced by optical-scan voting machines—in their post-election audit procedures. Jurisdictions including the state of Maryland rely on such image audits as an alternative to inspecting the physical paper ballots. We show that image audits can be reliably defeated by an attacker who can run malicious code on the voting machines or election management system. Using computer vision techniques, we develop an algorithm that automatically and seamlessly manipulates ballot images, moving voters’ marks so that they appear to be votes for the attacker’s preferred candidate. Our implementation is compatible with many widely used ballot styles, and we show that it is effective using a large corpus of ballot images from a real election. We also show that the attack can be delivered in the form of a malicious Windows scanner driver, which we test with a scanner that has been certified for use in vote tabulation by the U.S. Election Assistance Commission. These results demonstrate that post-election audits must inspect physical ballots, not merely ballot images, if they are to strongly defend against computer-based attacks on widely used voting systems.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
The details of how marks are identified vary by hardware and scanning algorithm. See [13] for an example.
- 2.
While the review is made available to the public, the actual images themselves are seldom published in full out of concern for voter anonymity.
References
Adida, B., Rivest, R.L.: Scratch and Vote: self-contained paper-based cryptographic voting. In: ACM Workshop on Privacy in the Electronic Society, pp. 29–40 (2006)
Bajcsy, A., Li-Baboud, Y.S., Brady, M.: Systematic measurement of marginal mark types on voting ballots. Technical report, National Institute for Standards and Technology (2015)
Bayar, B., Stamm, M.C.: A deep learning approach to universal image manipulation detection using a new convolutional layer. In: Proceedings of the 4th ACM Workshop on Information Hiding and Multimedia Security, pp. 5–10. ACM (2016)
Bayram, S., Avcıbaş, İ., Sankur, B., Memon, N.: Image manipulation detection with binary similarity measures. In: 2005 13th European Signal Processing Conference, pp. 1–4. IEEE (2005)
Bayram, S., Avcibas, I., Sankur, B., Memon, N.D.: Image manipulation detection. J. Electron. Imaging 15(4), 041102 (2006)
Bell, S., et al.: STAR-vote: a secure, transparent, auditable, and reliable voting system. USENIX J. Election Technol. Syst. 1(1) (2013)
Benaloh, J.: Administrative and public verifiability: can we have both? In: USENIX/ACCURATE Electronic Voting Technology Workshop, EVT 2008, August 2008
Benaloh, J., Jones, D., Lazarus, E., Lindeman, M., Stark, P.B.: SOBA: secrecy-preserving observable ballot-level audit. In: Proceedings of USENIX Accurate Electronic Voting Technology Workshop (2011)
Bernhard, M., et al.: Public evidence from secret ballots. In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds.) E-Vote-ID 2017. LNCS, vol. 10615, pp. 84–109. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68687-5_6
Bowen, D.: Top-to-Bottom Review of voting machines certified for use in California. Technical report, California Secretary of State (2007). https://www.sos.ca.gov/elections/voting-systems/oversight/top-bottom-review/
Bradski, G.: The OpenCV Library. Dr. Dobb’s J. Softw. Tools 120, 122–125 (2000)
Carback, R., et al.: Scantegrity II municipal election at Takoma Park: the first E2E binding governmental election with ballot privacy. In: 18th USENIX Security Symposium, August 2010
Chung, K.K.T., Dong, V.J., Shi, X.: Electronic voting method for optically scanned ballot, US Patent 7,077,313, 18 July 2006
November 6, 2018 general election. https://dochub.clackamas.us/documents/drupal/f4e7f0fb-250a-4992-918d-26c5f726de3c
Clear Ballot: ClearAudit. https://clearballot.com/products/clear-audit
Dominion Voting: Auditmark. https://www.dominionvoting.com/pdf/DD
Dominion Voting: Cambridge Case Study. https://www.dominionvoting.com/field/cambridge
Election Integrity Oregon. https://www.electionintegrityoregon.org
Farid, H.: Digital forensics in a post-truth age. Forensic Sci. Int. 289, 268–269 (2018)
Feldman, A.J., Halderman, J.A., Felten, E.W.: Security analysis of the Diebold AccuVote-TS voting machine. In: USENIX/ACCURATE Electronic Voting Technology Workshop, EVT 2007, August 2007
Hall, J., et al.: Implementing risk-limiting post-election audits in California. In: 2009 Workshop on Electronic Voting Technology/Workshop on Trustworthy Elections, p. 19. USENIX Association (2009)
Ji, T., Kim, E., Srikantan, R., Tsai, A., Cordero, A., Wagner, D.A.: An analysis of write-in marks on optical scan ballots. In: EVT/WOTE (2011)
Jones, D.W.: On optical mark-sense scanning. In: Chaum, D., et al. (eds.) Towards Trustworthy Elections. LNCS, vol. 6000, pp. 175–190. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-12980-3_10
Lindeman, M., Halvorson, M., Smith, P., Garland, L., Addona, V., McCrea, D.: Principles and best practices for post-election audits, September 2008. http://electionaudits.org/files/bestpracticesfinal_0.pdf
Lindeman, M., Stark, P.: A gentle introduction to risk-limiting audits. IEEE Secur. Priv. 10, 42–49 (2012)
Lindeman, M., Stark, P., Yates, V.: BRAVO: ballot-polling risk-limiting audits to verify outcomes. In: 2011 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE 2012). USENIX (2012)
Maryland House of Delegates: House Bill 1278: An act concerning election law - postelection tabulation audit. http://mgaleg.maryland.gov/2018RS/bills/hb/hb1278E.pdf
Maryland State Board of Elections: 2016 post-election audit report, December 2016. http://dlslibrary.state.md.us/publications/JCR/2016/2016_22-23.pdf
Maryland State Board of Elections: December 15, 2016 meeting minutes, December 2016. https://elections.maryland.gov/pdf/minutes/2016_12.pdf
McDaniel, P., Blaze, M., Vigna, G.: EVEREST: evaluation and validation of election-related equipment, standards and testing. Technical report, Ohio Secretary of State (2007). http://siis.cse.psu.edu/everest.html
Mebane Jr., W.R.M., Bernhard, M.: Voting technologies, recount methods and votes in Wisconsin and Michigan in 2016. In: Zohar, A., et al. (eds.) FC 2018. LNCS, vol. 10958, pp. 196–209. Springer, Heidelberg (2019). https://doi.org/10.1007/978-3-662-58820-8_14
National Academies of Sciences, Engineering, and Medicine: Securing the Vote: Protecting American Democracy. The National Academies Press, Washington, DC (2018). https://www.nap.edu/catalog/25120/securing-the-vote-protecting-american-democracy
National Conference of State Legislatures: Post-election audits, January 2019. http://www.ncsl.org/research/elections-and-campaigns/post-election-audits635926066.aspx
Rivest, R.: On the notion of ‘software independence’ in voting systems. Phil. Trans. R. Soc. A 366(1881), 3759–3767 (2008)
Ryan, P.Y.A., Bismark, D., Heather, J., Schneider, S., Xia, Z.: Prêt à Voter: a voter-verifiable voting system. IEEE Trans. Inf. Forensics Secur. 4(4), 662–673 (2009)
Sarwate, A.D., Checkoway, S., Shacham, H.: Risk-limiting audits and the margin of victory in nonplurality elections. Stat. Polit. Policy 4(1), 29–64 (2013)
ScannerOne: Kodak i5600. http://www.scannerone.com/product/KOD-i5600.html
Stamm, M.C., Liu, K.R.: Forensic detection of image manipulation using statistical intrinsic fingerprints. IEEE Trans. Inf. Forensics Secur. 5(3), 492–506 (2010)
Stark, P.: Conservative statistical post-election audits. Ann. Appl. Stat. 2(2), 550–581 (2008)
Stark, P.: Super-simple simultaneous single-ballot risk-limiting audits. In: 2010 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE 2010). USENIX (2010)
Stark, P.B., Teague, V., Essex, A.: Verifiable European elections: risk-limiting audits for D’Hondt and its relatives. \(\{\)USENIX\(\}\) J. Election Technol. Syst. (\(\{\)JETS\(\}\)) 1, 18–39 (2014)
Unisyn Voting Solutions: OpenElect OCS Auditor. https://unisynvoting.com/openelect-ocs/
U.S. Election Assistance Commission: Certificate of conformance: ClearVote 1.5, March 2019. https://www.eac.gov/file.aspx?A=zgte4IhsHz
Verified Voting Foundation: The Verifier: Polling place equipment (2019). https://www.verifiedvoting.org/verifier/
Acknowledgements
The authors thank Vaibhav Bafna and Jonathan Yan for assisting in the initial version of this project. They also thank Josh Franklin, Joe Hall, Maurice Turner, Kevin Skoglund, Jared Marcotte, and Tony Adams for their invaluable feedback. We also thank our anonymous reviewers and our shepherd, Roland Wen. This material is based upon work supported by the National Science Foundation under grant CNS-1518888.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2019 Springer Nature Switzerland AG
About this paper
Cite this paper
Bernhard, M., Kandula, K., Wink, J., Halderman, J.A. (2019). UnclearBallot: Automated Ballot Image Manipulation. In: Krimmer, R., et al. Electronic Voting. E-Vote-ID 2019. Lecture Notes in Computer Science(), vol 11759. Springer, Cham. https://doi.org/10.1007/978-3-030-30625-0_2
Download citation
DOI: https://doi.org/10.1007/978-3-030-30625-0_2
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-30624-3
Online ISBN: 978-3-030-30625-0
eBook Packages: Computer ScienceComputer Science (R0)