Voter Registration Databases: Some Security and Privacy Issues

Transcription

1 Voter Registration Databases: Some Security and Privacy Issues Jim Horning Chief Scientist Information Systems Security Operation SPARTA, Inc. 1

2 Security A word with a variety of meanings. [CSTB 1] In this context, I take security to mean Reasonable assurance that the complete system will function as required and intended. The complete system most definitely includes all the people involved. And the policies and procedures that they follow. The total system should do what it is designed to do. Neither more nor less. The voting public deserves understandable reasons for confidence in the system s correct operation. Before, during, and after the election. 2

3 Security is Hard, but Necessary Even experienced professionals often don t get it right. Vulnerabilities lead to Exploits, which lead to Damage, which eventually leads to Patches, which are Expensive (and not always right). But without security, there can be no assurance that a system will Be usable Be reliable Produce accurate results Protect privacy 3

4 Security and Insurance Analogous in many ways. Both are umbrella terms that cover a wide variety of tools for the mitigation of risks. The kinds you need most depend on the main risks you face. Two broad classes Against natural risks (flood, fire, equipment failure, typos, ) Optimize for the expected cases and their likelihood. Against intelligent adversaries (burglary, embezzlement, fraud, ) Prepare for the worst case. You can never be sure that you have enough. But there are limits to how much you can afford. 4

5 VRDBs What are the Main Risks? Equipment malfunctions hardware software Operator errors by election officials and monitors by voters Environmental problems interfering with the system s operation interfering with voters Any of the above can be accidental or malicious safeguard against them differently 5

6 Complicating Issues Avoiding both Type I and Type II errors. False positives padding the rolls. False negatives voter disenfranchisement. A vote maliciously canceled can be as effective as a vote added. Distinguishing accidental from malicious problems. System must have appropriate responses for both. Dealing with contingencies in real time. Many problems will first surface on election day. It is expensive to test such human-intensive systems under full load. Large number and geographic dispersal of the authorized users. Validating a VRDB against the original data sources will probably be difficult and expensive. 6

7 Attacks on VRDBs VRDBs are high-value targets. They influence who votes. [KS] They are large, potentially valuable collections of personal information. Will return to this under privacy. There is a flourishing and prosperous malware underground. Nation-states are developing serious infowar capabilities. Therefore: Design and implement VRDBs under the assumption that they will be subject to intelligent, well-funded attacks. The weakest links will be identified and stressed. No single individual or computer can be completely trusted. An attack-resistant design will also strengthen resilience against many accidental mishaps. Some attacks will probably succeed, despite best efforts. So have a plan and tools to cope with the damage. 7

8 Q2: What principles guide your security decisions? How might these apply to voter registration databases? Transparency The system should be secure and be shown to be secure. Authentication [CSTB 3] and Authorization Accountability for every action. Least Privilege Give each participant only the minimum access needed at the time to perform the specific assigned task (e.g., role-based access control). Redundancy The only way to detect errors, and to possibly correct them. Isolation Minimize the connection to other systems, and guard it with firewalls. Develop fault detection and recovery procedures and test them. Under more than the anticipated maximum load. 8

9 Q2, contd. Audits Critical for both detection and deterrence. Have independent parties do the audits, according to published policies. Where possible, compare to original data source or system requirements. Cross-check against other available sources. Use professional auditors (in addition to any amateurs). Check a statistically significant fraction of everything. The complete system design, The hardware and the software, and The VRDB s data (before, during, and after the election). Use commercial best practice as a starting point. VRDBs are more important and have a larger constituency. Be explicit about the level of error and fraud the audits should detect. Tamper-resistant permanent audit trails at each level. Who did what, when, where, on what authority? Allow additional public review of all aspects of the system. Any interested person or group. Tap information known in the neighborhood, i.e., down at the precinct level. 9

10 Privacy Another word with a variety of meanings. [CSTB 2] In this context, I take privacy to mean The system does not release personal information to unauthorized parties. The complete system most definitely includes the people involved. The function of a voter registration database requires the release of certain information to the general public or to specific parties. Voters deserve justified assurance that any other information that is collected will be held in confidence. Before, during, and after the election. If the VRDB doesn t need it, don t collect it. 10

11 Privacy: Is the Battle Lost? After reading the news, privacy protection may feel more like sticking your finger in the river than in the dike. Identity theft/fraud is one of the fastest-growing criminal enterprises. An astonishing amount of information about individuals is now available online. From both legal and criminal sources. Still, VRDBs should contribute to the solution, not the problem. It s the right thing to do. We have to start somewhere. Governments should set a good example. Even seemingly innocuous personal data can be correlated to reveal much more. E.g., 5-digit ZIP Code plus birthday generally identifies a single person. 11

12 12

13 13

14 Q1: What privacy considerations need to be taken into account? Stick to Fair Information Practices. [FIPs] Collect and maintain only the information actually needed. Notify each voter of every disclosure that is not legally mandated. Keep sensitive information encrypted except when and where it is actually needed. Never transmit it in the clear. Be very cautious about key management. [CSTB 4] Keep an audit log of all accesses, and audit that log. Was the correct thing done? Was the access by an authorized person doing an authorized task at an authorized place and an authorized time? Who authorized it? Broadly publish all privacy-relevant policies and practices. 14

15 Q3: What standard, adversarial test could be applied against each state's database? What would you include in such a test? Have an independent third party take a copy of the full live VRDB and corrupt it in the following ways: Delete ~5% of the voter records. Add ~5% synthetic voter records. Modify ~5% of the voter records in ways that would disqualify a voter. Test the system as follows: Run all the standard pre-election audits and determine what fraction of each type of corruption is detected. Remedy the detected corruptions and determine time, cost, and accuracy of the remediation. Leave all the remaining corruptions in the database, run a 150% full-load test of the system, and determine whether the procedures for election-day remediation are fully capable of handling the remaining corruptions without compromising the timeliness and accuracy of voter authentication. 15

16 Summary VRDBs will be corrupted, both by mischance and intentionally. Audit, Audit, Audit. Put a substantial fraction of effort into problem remediation. Remediation procedures should be tested under the maximum foreseeable load, plus a generous safety margin. Don't put anything private into a VRDB, because it won't stay private. Store only the minimum personal information needed for the voter registration function (avoid mission creep). Guard even public information very carefully. Caveat: This brief discussion has necessarily grossly simplified almost everything it touched on. See the references for details. 16

17 References [CSTB 1] Toward a Safer and More Secure Cyberspace, Seymour E. Goodman and Herbert S. Lin, eds., National Academies Press, [CSTB 2] Engaging Privacy and Information Technology in a Digital Age, James Waldo, Herbert S. Lin, and Lynette I. Millett, eds., National Academies Press, [CSTB 3] IDs Not That Easy: Questions About Nationwide Identity Systems, Stephen T. Kent and Lynette I. Millett, eds., National Academies Press, [CSTB 4] Trust in Cyberspace, Fred B. Schneider, ed., National Academies Press, [FIPs] Several similar sets of Fair Information Principles/Practices are available. There s a good survey at [JH 1] Nothing is as simple as we hope it will be, (blog) Security. [JH 2] Nothing is as simple as we hope it will be, (blog) Privacy. [KS] Insider Risks in Elections, Paul Kocher and Bruce Schneier, Communications of the ACM, July [USACM 1] Statewide Databases of Registered Voters: Study Of Accuracy, Privacy, Usability, Security, and Reliability Issues, [USACM 2] U.S. Election Assistance Commission Hearing, Testimony on Implementation of Statewide Voter Registration Lists,