 All right, so the next section is how do we get here history of voting technology hanging chads and help America vote act Matt blaze Cryptographer and associate professor of computing and information science at the University of Pennsylvania We'll take it from here Hey So welcome congratulations on lasting this long So I'm gonna step back a little bit so a little bit about me. I'm a Computer scientist. I focus on computer security and cryptography stuff and I've been working partly on voting technology and other kinds of related systems probably for about a dozen years now and One of the things that I've been very lucky enough to do is participate in several of the state top-to-bottom reviews of voting technology that were done ahead of the 2008 election where a Few people were given access to the source code and the hardware and so on of the most of the electronic voting systems discovered in the country and we were asked, you know our task was to basically say are these things secure and The first question you add you should ask when given that task is Well, what's secure me? But what are the requirements of this system that we're trying to measure against it? And so for a voting system one question at a very high level is What are the requirements for a voting system? That is how do you tell if a voting system is serving democracy whatever that means and as far as I can tell the requirements for a democracy's voting system is These four words right one person one vote. Where do these four words come from? These are in the Constitution, right? Or the Declaration of Independence or Something no who knows it's a slogan, right? So one person one vote. What does that actually mean and that's a good question So first of all voting for what right most of most of our voting is for officials rather than Issues although in California you are asked to make about 6,000 decisions about Various initiatives that's kind of an exception. Mostly. We're asking other people to make our day-to-day Governmental decisions for us and that's who we're voting for but even those officials are appointing other people So we have a kind of representative democracy or a republic or something along those lines That isn't precisely one person one vote on every single thing government does so it's already kind of fuzzy right there The second is that you know now we can look a little bit Well, what does person mean and I think what that means is that the influence of your vote is supposed to be based on whether or not you're a person and You get if you are your person hood entitles you to as many votes as other people's person hoods Do and not some other qualifications. So it's not money or land ownership or noble birth Even though in early US democracy We certainly cared a lot about those things, but once you figured out who is a person Every person is supposed to have the same influence and eligibility and by the way we have the Electoral College in this country which also affects that so We're already kind of qualifying this a lot and we're only kind of halfway through this has evolved over time in the United States You know it the expression used to be one man one vote And you know it took until the 20th century before We Realized that we were a kind of a priori excluding half of the voters in in the United States You know we had this concept of Slavery and automatically disenfranchised citizens who didn't get to vote for the longest time until the 14th amendment and We used to have in many places Tests for eligibility to vote illiteracy tests and so on so again personhood has has Had asterisks next to it throughout this history and it also involves more than merely your eligibility to vote But your access to voting as well as some assurance that your that you don't merely get to vote But you get a vote that counts and so We want some concept of fairness in the elections. Well, what does fairness in the election mean? Well, we can come up with some requirements and as soon as you you're a technologist It becomes really easy to add new requirements to this as soon as you start Listing them, you know, you're you you can't even write them down as quickly as you can think of of them So we want things like equal access to the ballot To be able to run for office to being on the voter rolls to being able to cast ballots So you don't want people to be disadvantaged in any of those things In the United States almost all adult citizens are eligible to vote. Is voting optional or is it mandatory? That's a question in the United States. It's optional There are other countries were voting that we would consider voting that we would consider democracies where voting is mandatory Australia for example We want the accuracy of the count to be something that's assured We want we want people to be confident that all votes were counted and that this has been fair We want there to be no cheating. We don't want it to be possible to cast more than one vote We don't want to prevent other votes from being counted We don't want people to be able to intent be intimidated out of voting and that implies a requirement for secrecy No one can find out how you voted So that they could either reward you or punish you Depending on how your vote happened. We don't want there to be transfer ability You don't want to be able to transfer your ability to vote to another person in the last talk We heard about somebody who let's has their lawyer vote for them for for some reason and You know, that's not supposed to be allowed in our system And then we have Ultimately public confidence in the outcome. We want not only this to be true, but we want people to believe that it's been true Now if you are a computer scientist One of the things you do is you look at the requirements and you say well The best thing I can possibly do when given a set of requirements is show that there's no point in even trying to build a system that meets them because it's theoretically impossible and This is the sort of set of requirements that lends itself to that very quickly because we can kind of see that some of these Requirements kind of contradict each other that you might have to choose between one or the other or make some kind of compromises Down the line Among them. So the one that I want to focus on is secrecy versus transparency We want everybody to be confident in the outcome We want everybody to be confident that their particular vote is Counted, but we don't want to be able to prove how any individual voted or allow somebody else to be able to find out how it was That's pretty hard and it leads to lots of Difficulty in designing very heavily constrained systems one of the things we hear over and over again is Well, hey, we have secure ATM machines Why can't we have secure DRE voting machines? Well in an ATM machine you kind of get a receipt of how much money you withdrew And we really don't want because of one of the requirements to give people a receipt Showing how they voted and so on and so on so this is kind of difficult The best slogan I can come up with is one adult citizen one easily Exercise but non-transferable option to cast a secret accurately counted vote after a fairly conducted public campaign that will determine Their representative for certain issues and that that's kind of the mod. That's kind of the computer scientists version of one person one vote, okay, so There's technology involved here We have been increasingly Using technology to conduct elections, although that has not been true since the beginning Early elections in the US is I think a number of speakers in this track have pointed out basically consisted of a bunch of rich dudes Showing up in a room and raising their hands on election day and everybody kind of agree on what the outcome was from that But that has the problem that it's not secret So we didn't have ballot secrecy from the very beginning in the United States And it's probably doesn't scale very well asking people to all show up in the same room and raise their hand and and count is Probably not something that could scale up to kind of modern population densities So what that means is not just the principles have become important But the mechanisms with which we implement these principles have become Really important and so technologies for voting have evolved over time to increasingly allow to take advantage of new advances in technology to allow voting to scale up and to try to bolster one or Another of the kind of informally stated Requirements that elections have so we have paper ballots Mark something and put it into a box. We have machine counted ballots Mark something in some way and drop it into a box so that it can then be counted and tabulated by some sort of machinery we have Direct recording voting machines Interact with a machine that mechanically will mark a ballot that is then stored inside the machine itself Those were the machines. I grew up on New York State had them These machines with these levers you would Flick the little levers what they would really do is mark a little Advancing piece of paper for each poll when you pull this big lever a chunk happens That's the sound of democracy in action the curtain opens and then you can leave the The room those machines were in use since the late 1930s through around 2000 throughout much of the country another type of Machine is replacing that but with modern computer technology so instead of a lever You touch a screen and instead of marking on a piece of paper you store it on a memory card and Because the voting community is great at catchy names. Those are called direct recording electronic voting machines They're direct recording because they record directly inside the machine. They're electronic because they're computers I prefer to call them as many people in in in the Electronic voting community prefer to remind us that that means they're voting computers And that means that understanding what they do is as easy or hard as understanding what any general purpose computing device does And whether or not it actually works faithfully is as hard or as easy as building bug-free software Now perception and reality are we are linked here public confidence in elections is What gives government legitimacy and now public confidence in elections is not just a matter of whether or not we trust the vote But whether or not we trust all of the technology that led to the ultimate tabulation of the vote so in other words computer science and Building reliable computing systems as we use computers for this Is actually kind of central to whether or not we regard The government we have as legitimately being allowed to govern In other words, you should be in this room thinking about this You should be engaged in this issue as you all are and you should scold people who aren't here for not showing up, right? okay, so What's the threat model is the first question a computer science security type would ask and the Traditional threat model for an election is what? It's the traditional thing that we have to defend an election against What? Well, so we wanted to vote. What would you be trying to do? What would an attacker be trying to do? Fraudulently vote we want to stop people from testing more than one vote per person We want to stop people from being able to sell or buy votes We want to prevent ballot stuffing to prevent somebody from getting elected to dog catcher Without actually the will of the people Being being behind that. Yeah Mm-hmm. So Absolutely, but the threat is ultimately in the service of Cheating on the election that's kind of the traditional threat model that we all are trying to think of and I'm sure you have a lot to say But I get to talk the They the traditional threat model is cheating right trying to alter the outcome To serve you because either you think you get to vote more times than you should or because you're the candidate and you really Want this office instead of that other jerk and in fact, there's a long history of this sort of this sort of fraud in US elections we've had you know people being sent into polling stations to vote by candidates and vote buying and Ballot stuffing and a number of ingenious ways many of which have interacted in remarkably quick ways with a new voting technology where somebody has figured out how to exploit a Flaw in some new voting technology that that has come out and so almost all of the laws and procedures and so on have been Looking at this threat model and one question you have to ask about any new technology easily unplugged and stop the video And And that'll show up in a second so the thing you have to ask about any new technology is Compared with the technology that preceded it. Does this make that threat? Easier or harder, right? Does the does the next technology that comes along? Make us better off or worse off against this threat and the electronic voting community At the time that I've worked in it has largely, you know asked the question our DRE machines better against this sort of traditional threat then Then the paper systems or what have you that they had before? There's also another threat and this is a threat that we haven't we've kind of understood But we haven't understood it at in quite the sharp way that we understand it now Until the most recent national election and that's the threat of hostile state actors That is someone who's not necessarily interested in stealing a local office, but rather interested in Doing that or perhaps other things perhaps disrupting the vote itself to create disorder or Casting doubt on the legitimacy of the winner to govern in the as a hostile state action as an act of of state aggression and This is a very different class of threat This is a class of threat in which first of all the attacker is trying to do is it may be satisfied with many more different kinds of outcomes than someone trying to steal a specific Office who's focused on one thing and is also an attacker who's likely to have vastly greater resources Both to understand the tech under underlying technology as well as to carry out the attack And so a question we also have to ask is does whatever art the technology we're using make this Threat an easier threat or a tougher threat? And that's a question we haven't really been sharply asking for for very long Okay voting in the US everybody knows voting in the US is highly decentralized Federal government only sets kind of broad standards each state has its own laws But elections are run at the local level mostly run by counties There are over 3,000 counties in the United States and then in places where you vote in person Election takes place in neighborhood voting precincts, which might serve you know Hundreds of voters within that precinct and there might be tens hundreds or thousands of those precincts per county itself US elections are more complex than almost anywhere in the world. We make more decisions. We have more races and Within precincts there may be multiple different kinds of ballots because you might be voting not just for president But also for like who represents you on the school board and that might be different From other people voting in the same precinct. So we have really complicated elections and that very much means that computers have a natural role in Simplifying the tabulation process. It's you know, it's not nefarious that people have thought of the idea of using computers for this because it's a pretty natural Consequence of just how complex and and and large scale US elections actually are. Does anyone recognize this photo? So this is What was this photo of? Hanging Chad. So that man was named Chad or So this was this was one of the Florida recount judges In and in a remarkably fortunate capture the moment pose I'm looking at a ballot and examining it from the 2000 Florida election I'm a question for you and and People have different answers to this question. How many people look at this picture and say what an embarrassment that technology is Versus how many of you look at that picture and say what a great thing that technology was how many think what an Embarrassment that technology is in this room. I thought that many Okay, how many people think what a great thing that technology was? Yeah, I probably in that category too. Why? Those are the only two in this room That is not yet. You can rant at me after the talk. Okay the okay, so So I happen to have one here so this is a an example of one of these machines Because Okay, so this is an example of one of these machines, and I have a photo of it I can just show you what the photo is of This is a punch card voting machine And this is the type used in Florida this particular one was From Wisconsin and it has the ballot in it from the ballot card in it from the 2000 election and It's a really interesting technology because the first thing you will notice about this technology is there is no elect There are no electronics involved in this at all The this is 1960s technology These these started to be produced in the 1960s They were used through about 2000 and then something mysteriously happened to make people not like them And the voting experience does not involve any electronics at the polling place There are electronics involved in the tabulating and what do you do? Well, how do you vote? well, what you do is you take a ballot which will are given by your poll worker and This is usually contained in a booth. The booth does have electricity involved you It's for the light above the thing that illuminates it and that's about it We take your ballot and you insert it into the machine and You push it down a little bit. There's a little spring that make sure you let make sure you line it up properly on these two little red knobs and now You can flip through your voting instructions and when you want to vote You pick your candidate. I'm gonna vote down the straight Wisconsin greens Ticket, I have no idea what they stand for. I presume it has to do with moldy cheese And I'm gonna vote for them and now I voted. What have I done? Well, I pull my ballot out and you will notice you can see a little hole in there That I have made it's punched out. These are perforated a little Rectangles associated with each possible position here And so if you voted for somebody one of those little holes would get punched out and you can if you're a suspicious type You might imagine that Hey, wait a minute. How do I know I actually marked the correct position? Well, you would notice that well my candidate was number 68 and I'll look it's box number 68 That's been punched out and now you take your your ballot you rip it apart You put it in the ballot box or wherever it goes and they take a stack of these and they put them through a typical like IBM style punch card hollery card reader and It shines a little light through each card one at a time and produces a Produces a result so all of the technology all of the computer type technology in the electronics are on the back end of the system The voting itself is actually a pretty low-tech process so there's an interesting property of these machines that is Really quite? Remarkable which is that in spite of the fact that there are no computers involved at the polling place There is and I can't decide whether to call it a memory leak or a buffer overflow Attack in the vote casting process and anyone who is alive during late 2000 Learned all about this technology. What would happen? Well at the beginning of the day You put your card in and you punch holes in it And the holes get punched in pretty easily now I want us to move from Wisconsin where people are very hardy to Florida where people are old and have arthritis And imagine that you're kind of old and arthritic You're being asked to perform a little bit of a physical feat in voting You have to take this little stylus line it up and punch through the car, but it's actually fairly easy to do You know, there's a little perforation in here. It's actually fairly easy to You know to punch through the card, but what happens is because of conservation of matter the little pieces of paper that you are punching out go somewhere and Where do they go? Well, this is the machine Well, there's a little kind of piece of rubber with little slits in it behind each of the behind each of the holes in this and they are you're basically kind of just stuffing the pieces of paper Into this little piece of rubber and it's about that thick So it's you know, you're just kind of pushing this into this rubber Slit thing it gives a little tiny little bit of resistance as the day goes on the really popular candidate Accumulates more of these little bits of paper called Chad behind their little hole where you would vote for them and In a typical election where you know, maybe a hundred people show up in a polling place That's fine. There isn't enough to make a difference. But if there's a really big turnout Like say bush versus gore Right where people really cared about the outcome and they knew it was going to be close Lots of people show up at the polling place. So these machines are designed to serve maybe a hundred and fifty people Of course Across the course of the day before you have to open up the machine and kind of vacuum it out But in the 2000 election, it was a pretty popular race And so what happened is that the really popular candidate in any precinct got Physically harder to vote for as the day went on and we have a population of people many of whom Aren't all that physically strong to begin with right? This is this is where your grandparents go to retire and so The people showing up late in the day if they wanted if they were in a precinct where Bush was really popular It was hard to vote for Bush If Gore was really popular it was hard to vote for Gore and In Miami-Dade County that happened a lot. So a normal ballot kind of looks through that like this You have a really strong hole you look at a ballot when this has happened We might have for the less popular office a really straightforward hole in it But for the more popular candidates, they might not succeed in pushing that through all the way They might only kind of dimple it down a little bit, but not Push it through completely. So what would happen there? Well anybody who examines it with their eyes would say someone was clearly trying to vote for somebody there You can kind of clearly do that But if you run it through an optical scan Reader that's just pushing throwing light through this that's going to be opaque And it's going to look as if they didn't vote for anybody And that's called a dimpled Chad a term that did not exist prior to the 2000 election Another possibility is that they'll push it through but not enough to actually dislodge the piece of paper from the ballot and create Like a little flap and that is called a hanging Chad So these terms go from kind of cute sounding dimpled Chad to a little bit dirty sounding hanging Chad as the As you look at the two possible failures Now if you think about you know using something and having it get harder as the day goes on because you know for example you haven't garbage collected the results that just looks like a buffer you know like a Memory leak problem in computer science and they managed to implement a technology with a memory leak without malach involved at all It's really really Really quite impressive. So what did we have to do? Well, that's what led us to this Unfortunate photo now the consequence of this unfortunate photo was that this at the time The caption of this photo was along the lines of what a bunch of idiots in Florida Using this antiquated technology This can't ever happen again. We are America the most technologically advanced country on earth We can't have this in the 21st century be the way we run our elections this can't ever happen again and We had something absolutely remarkable Happen after that Republicans and Democrats have not agreed on whether the sky is blue in a long time But one thing they absolutely agreed on this is bad Congress passed something called the help America vote act with enormous Bipartisan support. It was hurriedly passed after the 2000 election and And what did it do? Well, it provided a giant pile of money for the states to shift to Accessible voting technology that is voting technology that would be easy for the disabled to use It could be adaptive and so on now mostly That technology at the time help America vote act was passed did not exist on the market, right? You couldn't just buy them. There were some machines that that met this requirement But not really very many what it effectively mandated was the rapid development and deployment of Computerized voting technology That was adaptable enough to be useful for the disabled and that basically means touchscreen voting machines in most in most cases Why touchscreen voting machines? Well, it can be adapted to multiple languages very easily You can you select which language you want to vote in very easily it had can have a little audio interface so that if you're Blind you can get Instructions for the profoundly mobility impaired. There are things like sip and puff interfaces that can Be used to navigate the screens It's actually genuinely better for people who are visually impaired mobility impaired and so on than almost any manual Technology, but it largely kind of didn't exist on any kind of large scale at the time the help America vote act past now It also provided Substantial funding for states to buy this by a certain deadline And so what would you imagine if you were an entrepreneur around that time? You know this looks like a pretty great business opportunity to meet this newly created demand that the federal government has Provided money for for all all of the various states and you know the market succeeded at meeting Demand for this unfortunately Security requirements weren't really meaningfully represented in the standards that were mandated by help America vote act um Basically, they had to have some relatively minimal checklist of Reliability testing it was kind of left to the states to say what those particular standards were and Ultimately a Few vendors emerged to have these products that were were sold to the states and this money has been Essentially spent at this point So we saw this very rapid shift to touch screen computerized voting sense the Sense that Okay, now let's I'm just this has been covered a lot earlier Today in other talks and and you know we have examples of this out in the hacking village, but I just want to Talk a little bit about what the technologies are The most common after help America vote act was the direct recording electronic voting machine That's the voting computer that stores its results internally typically uses a touch screen With an adaptable interface for voting. There are other types of Technologies that were permitted under help America vote act one is precinct counted optical scan Which basically is a optical scan like Exams standardized tests back in the 1990s Fill it in with a number two pencil and then put it through something that looks like either a fax machine or a shredder and reads your ballot and Tabulates it internally and then stores the paper ballot. How is that an accessible technology? Well, you can build ballot printer devices ballot marking devices that use the touch screen interface for the visually impaired and for the mobility impaired The country was roughly split and in some states they use both of these technologies and then for absentee ballots. They generally use optical scan centrally counted When you mail your ballot in But in all cases computers are very heavily involved Not just for the tabulation, but at the polling place itself So this essentially mandated pushing computer voting technology out into the field You know hundreds of these specialized devices out at every of the tens of thousands hundreds of thousands of polling places in the US Okay now the security here now depends We've now added the software and hardware of all of these voting computers To the security of the election the correctness of the software depends a lot Is depended on for the integrity of the election and of course compromise of software might be subtle and We don't know what we're doing when it comes to producing large-scale software that actually works hence patch Tuesday Which is actually every day of the week now And you know these are no exception. In fact many of these machines are running under the hood the same platforms that you get Urgent security updates for every day So we have no general technique to determine whether software is correct We have no general technique to even determine how a program behaves under all circumstances And by the way we can even prove that we don't know this You know the this is one of the very few things Software correctness knows which is that general-purpose hardware is impossible to say anything reliable about Complexity kind of makes building correct systems harder and these systems are very very complex It's easy to hide malicious behavior And It's easy to even hide the audit that the system Maintains, okay, so people have been worried about this for a while and the question of whether these machines are secure is one that has been the focus of Excuse me many Computer scientists and election integrity advocates since These machines got introduced about 15 years ago on a large scale But we've had a focus very heavily on the voting machines themselves and I think one of the most important things to keep in mind is that the voting machines themselves are kind of the shiny attractive target These are these are electronic voting machines. We they might be able to be easily compromised and We worry a lot about their Whether or not they have been hacked or have malicious backdoors and that a lot of our focus has looked at these I've been fortunate enough to participate in a number of studies of these systems in which we discovered Horrific vulnerabilities where we were literally limited by our typing speed in writing them down And pretty much everybody has had the same experience who's looked at these has had kind of the same experience Like you open them out of the box and they hit you in the face with some of their with their vulnerabilities but in fact in 2016 we saw What was probably the first? In the United States large-scale attempt to disrupt an election and Interestingly, it appears not to have involved voting machines themselves at all It involved instead the back-end voting systems used by voting Officials to register voters to tally ballots to create the ballot definitions and to manage the day-to-day election operations Why? Given that these machines are so vulnerable would an attacker Not use that as an attack vector But instead would do what looks to be pretty garden variety Fishing and Trojan horse attacks Against election officials to get to their back ends. Why would they do that? Well? The reason is as easy as it is to attack a voting system It's even easier to just mail your malware to a voting official wrapped inside an ostensible doc file And have them open it and install it on the back-end system themselves And so, you know narrowly focusing on the voting machines as the only part of this voting technology is Probably missing a large fraction of the attack surface of these machines So I'm not going to go through the All of the different things that we've discovered with the Existing technology except to say that four major vendors of voting systems emerged after the help America vote act one is called yes and s and Another is called what's called? Diabold Diabold got some bad press Very early on about the security of its voting technology, and so they fixed that by changing their name to premiere and Then selling the being bought by yes and s so the four became three and then there was heart Intracevac and Sequoia Each of these vendors produces both the RE and optical scan systems as well as the back-end provisioning and tallying Software that runs on the network within a county And between yes s and s and premier which are now ultimately owned by the same place that serves kind of 80 percent of the Voting market in the United States So there have been many questions raised about the security of these systems Partly because the software and the firmware running them on them is closely held as a trade secret And so they they're not open to public inspection you have to States had to put a lot of pressure on the vendors to allow independent reviews to happen now fortunately in the most recent round of Exemptions to the digital Millennium Copyright Act the Librarian of Congress granted a very broad exemption to the primary law against reverse engineering these systems and Without permission General exemption for good-faith security testing and specifically called out voting Technology as being one of the important areas that this exemption would apply to so something that would have been very very difficult to do legally has now been largely Blessed as being an important public good if it's done in good faith for the purpose of Improving security. So one of the things that I would encourage everybody to do this weekend is Spend some time use applying your talents in the hacking room learn how these machines work and go wild on them Take them apart because we have a kind of rare opportunity to open up the community of talent looking at these machines Orders of magnitude broader than it's been open Ever before and we you know we're going to learn new things about it But I will point out the exemption only applies to you if it's done in good faith If you're trying to steal an election does not apply to you So please tell us about and publish your results. I think I have a little bit more time for questions. Thanks So yeah Okay, so if the butterfly ballot is the question so on ballots with a lot of different races This unfortunately is not a butterfly ballot, but it could be what they would generally do is have every other hole on Opposite sides of the page so the even numbers would be on this side The odd numbers would be on this side and so one would be you know Nader would be here and then Bush would be here and then Gore would be here and so on and so you'd have to keep looking across The page to see where your hole was that's really confusing from a usability point of view and the Florida ballot in Dade County for the presidential race Was a butterfly ballot called butterfly because it uses kind of both sides of the paper and you can if you use your imagination And pretend this is a butterfly Yeah, sure. I mean we could look we could formal verification has a role here You know absolutely, but it's really important not to to look at formal verification and see it as a panacea because First of all, we don't really know how to build Systems at the scale of the entire closed loop of an election system In a formally verified way in practice And secondly it essentially precludes using any off-the-shelf software for anything at any in any part of the system And then of course if any aspect of the system changes out from under you like the platform because new hardware becomes available That may break all of the things that you're formally verified for so, you know that this is important Absolutely has an important role in improving reliability, but it's it's by no means, you know We don't just get to say formal verification and declare victory You know, I think revests idea of software independence is really important here What we should try to do is aim to make Little or nothing in the system depend on the correctness of software. So for example a Ballot marked by the voter That might be tabulated by computer, but that artifact stays behind Has the property that even if the tabulation software is bad If you get enough of a clue that it might be bad You can go back and count the paper and that's a really really important property. I've been ignoring this side Yeah, so yeah, you know, I would look at what happened after help America vote act as you know Capitalism work the market, you know built what the market demanded and you know what? Voting officials wanted was to be able to buy new voting machines according to whatever their state's requirements were and different states have if there are 50 different sets of of Requirements all slightly different in some states that requires a paper artifact so some states would have a paper Something called a VV pat voter verified paper audit trail Which is a little piece of paper that would print out what your selection is and if you were if you were a conscientious voter You could look at that and see that of the touch screen Thing that I touched is actually being printed and in the event of a recount the paper would be Would be what's counted even that they would get wrong sometimes in the machines that we looked at for one state The way the VV pat worked was it it would print that out But it would also then print a barcode with what your vote was and in the event of a recount what they would count was the barcodes And so you know unless you have a barcode reader with you in the voting booth You have no way of actually verifying that so yeah. Yeah This must baffle you terribly at how stupid we're being Well, so, you know, I mean it I can't speak to the entirety of US politics But you know the short answer is we could automate a lot less than we do But you know the scale of US elections is Like no other in any Any other country in the world we just vote on more issues. We have more different kinds of ballots You know the pressure to automate components of US elections is higher than probably anywhere else in the world But you know, I'm obviously sympathetic to the point of view that that you know The first requirement is that we should have high confidence in the outcome So you had your hand up. Yeah Compared to what followed Yeah Yes Yeah Yeah Well, yeah, this this is a terribly difficult problem, right one one consequence of federalism is we push this down To the state level the states generally push the purchasing decisions down to the local level You know, so that mostly means counties in the US essentially it means that the election budget is competing with building fire stations and roads and You know sewers that don't clog up and other things people want, you know, if you're a county official, you know Do you want to go to your? Constituents and say hey, I got us great new voting machines or you know, I paved that road with all the damn potholes on it So it's you know, that's what the political reality is in most of the US. Yeah So I think the competition for where the weak link is is fierce The competition for where the weak link is here is fierce Yes, very a lot of weak links. Yeah So One of the you know an argument that's made and this argument is is a double-edged sword is that we have high diversity here in both the Operational places that are running elections as well as the technologies that are used, right? We have 3,000 counties in the US, which means 3,000 different Offices all a little bit different running, you know machines from four vendors of which there are multiple versions of them And you know one thing you could kind of trite Conclusion you could reach is that it would be really hard to cover all of this if an attacker wanted to completely Alter the US election, but unfortunately what this means is that first of all an attacker doesn't necessarily have to cover all of them You have to cover enough of them to achieve their outcome and their outcome might simply be Casting doubt on the ultimate result Casting doubt on the legitimacy of whoever is elected It's sufficient to do that to show that at least one of them has been compromised and leave the question about whether the others are compromised So that diversity doesn't necessarily Buy us everything we need the second is as a Cryptographer, you know, we have this kind of strong idea, you know when somebody says well what block cipher should I be using? We just say use AES and then they say but wait a minute if AES is broken You know, what if AES is broken? That would just be terrible and it would have a horribly disruptive Effect on everything, but the nice thing about this is now we've had one system that's been scrutinized So heavily that you know if you discover a flaw in AES You get to be cryptographer of the century And it's a heavily rewarded thing that you know the norm enormous intellectual effort has gone into Understanding what this what the properties are if there were three thousand different versions of it No, one of them would have the level of scrutiny that the really heavily looked for one was so that that's kind of the counterpoint to that Okay, I think we have time for like two more questions if you're quick So one of the best things that happened to concerns about this was when you know once somebody from From both parties has lost an election It stops being a partisan issue and hopefully you know, we'll remember that You know that we've had You know both Democrat and Republican losers of elections since these machines have been introduced And that will help turn this into a less fiercely partisan issue But my ability to predict the future is Sadly limited on how this will go. Hopefully I you know, but I can be hopeful and optimistic Yeah, so so I'm not personally familiar I mean they're using some quantum communication channel as a cryptographer this quantum thing is terribly confusing because we have quantum Computers and quantum communication and they're totally different things and one affects cryptanalysis and the other affects communication but the You know, there are certainly ways to use Technologies that are better than the way we're using them But I think our issues we have to look at the kind of architectural issues first before we can if we're gonna start from scratch I think we have to look at the architectural issues First so you had you had your hand up. I think you get the last word I mean, you're certainly having multiple multiple vendors and so on is Absolutely, you know reasonable thing to be thinking about but when I talk when I think about architectural issues I think about questions of things like software independence and really fundamental questions of what the model is and I think those those will Deserve quite a bit of attention as we move forward on this. So thanks very much everyone and we have a They have a great panel coming up