Notes from the research seminar Citrizen security in electronic environments. The case of electornic voting, by Jordi Puiggalí, held at the Open University of Catalonia, Barcelona, Spain, on January 28th, 2010.
Citrizen security in electronic environments. The case of electornic voting
Jordi Puiggalí, Scytl
Electronic voting is the natural evolution of the electronic count in elections. Two main kinds:
- Face to face: people still go to polling stations, but vote in polling machines
- Remote voting: you vote from home
- Count of votes is faster and exact
- Cost saving in paper and printing (though there are added costs, especially in face to face electronic voting)
- Increase of accessibility for disabled people. Also avoids identifying who was the voter (e.g. there’s only one blind voter in town: the ballot-paper in Braille is theirs)
- Flexibility to include last-minute changes
- Support for multiple languages. This, at its turn, avoids errors and avoids identifying who was the voter (e.g. there’s only one voter in town that speaks arabic: the ballot-paper in arabic is theirs)
- Prevents involuntary errors that can end up in spoiled ballot-papers
- Economies of scale (specific of remote voting)
- Eases citizen participation (specific of remote voting)
- Increases the mobility of the voter, as they can vote from anywhere (specific of remote voting)
- Eases access to the voting process thus increasing participation (specific of remote voting)
In traditional polling, the voter has a direct relationship with their vote and the polling station, committee, etc. Electronic voting adds an infrastructure layer that implies that the relationship between voter and vote becomes indirect/mediated. This mediation poses 4 security risks
- The digital nature of the votes means that they can be easily added, erased, manipulated, and the privacy of the voter compromised at large scale;
- The complexity of the systems at use, with the possibility of hardware functioning errors, bugs in the software, etc.;
- Lack of transparency, as the technological infrastructures are more difficult to audit (e.g. how can you tell whether someone cracked the system?);
- The introduction of new actors with privileges in the voting process, like system and platform administrators that can have privileged access to the voting process.
Side note: these threats can be extrapolated to the case of health records and many other cases.
How to address risks?
- Avoid physical access to the protected device
- This cannot be done in remote voting, at least not in the whole process
- Who has access to what
- They necessarily have to be accompanied by monitoring measures (intensive log recording)
- Intensive monitoring can lead to knowing who’s voting what
- Automatic security measures
- Easier to audit
- Logic measures can, at their turn, be attacked themselves
- Logic measures must not interfere (or even alter) the normal voting process
- Information privacy: guarantee that no one knows what you did (e.g. your vote)
- Information integrity: guarantee that information is not altered
- Non-repudiation: avoid that you cannot deny having done something that you actually did
- Authentication: ensure that the person that claims to have done something is that person
- Authorization: you can do what you are allowed to do
- Auditability: be able to track the system and assess its performance
- Availability: always available.
One of the big differences between circumventing security in off-line voting and online voting is that scalability of the attack is much higher in online environments. E.g. identity theft in the offline world can be easy to do once, but not several times in the same polling station, but if done once in the online world, it is very likely that it can be done again, and very quickly, ad infinitum.
Electronic voting can identify which votes are valid and which ones not. You need not invalidate the whole polling station, but only the invalid votes.