Bryan Meng-Hong Tsai
Security Properties for Electronic Voting
- Eligibility and Authentication. Only authorized voters should be
able to vote. 
- Voter registration management. In the context of
today's voting systems, voter authenticity are typically handled
procedurally, initially by presentation of a birth certificate or other
means of supposed identification, and later by means of a written verifying
signature. In future systems in which remote voting will be possible, some
sort of electronic or biometric authentication may be required (in the form
of digital signature or something). A electronic voting should have the
ability to manage such a database of all eligible voters. 
- Authentication compromises such as guessing and
enumeration must be prevented. Also, capturing and replaying either a token
or a PIN must not be successful. 
- Non-repudiation is also necessary, preventing the
authenticatee from later saying that the authentication had been
subverted by a masquerader.
- Authentication must be easy for the voter to use, with
system operation as invisible as possible. The human interfaces to computer
systems and token-generating devices should be inherently fail-safe,
fool-proof, overly cautious in defending against accidental and intentional
misuse, and unobtrusive.
- Uniqueness. No voter should be able to vote more than one time.
- Each eligible voter should vote only once, and only for
the office for which she is authorized to cast a vote. 
- Accuracy. Election systems should record the votes correctly. 
- Extremely small error-tolerance. In normal reliable systems, a probability
of failure of 10**(-4) or 10**(-9) per hour may be enough. However, such
measures are too weak for voting systems. For example, a one-bit error in
memory might result in the loss or gain of 2**k votes (for example, 1024 or
- Ideally, numerical errors attributable to hardware and
software must not be tolerated, although a few errors in reading cards may
be acceptable within narrow ranges. Efforts must be made to detect errors
attributable to the hardware through fault-tolerance techniques or software
consistency checks (note also that any software-implemented fault-tolerance
technique is itself a possible source of subversion.).
- Any detected but uncorrectable errors must be monitored,
forcing a controlled rerun. However, a policy that permits any detected
inconsistencies to invalidate election results would be very dangerous,
because it might encourage denial-of-service attacks by the expected losers.
- Integrity. Votes should not be able to be modified, forged, or
deleted without detection. 
- It should be impossible for a validated vote to be eliminated from the final tally. It
should also be impossible for an invalid vote to be counted in the final
- System integrity. The computer systems must be tamperproof. Vote
counting must produce reproducibly correct results. Ideally, system changes
must be prohibited throughout the active stages of the election process. That
is, once certified, the code, initial parameters, and configuration
information must remain static. No run-time self-modifying software can be
permitted. End-to-end configuration control is essential. System boot-load
must be protected from subversion that could otherwise be used to implant
Trojan horses. 
- Data integrity and reliability. All data (including votes, vote
counts ...) involved in entering and tabulating votes must be tamperproof.
Votes must be recorded correctly without being altered during transit,
processing, or in storage. 
- Non-alterable media may provide some
assistance for integrity, but not if the system itself is subvertible. 
- There must be no trapdoors --- for example, for maintenance and setup ---
that could be used for operational subversions. 
- Verifiability and Auditability. It should be possible to verify
that all votes have been correctly accounted for in the final election tally,
and there should be reliable and demonstrably authentic election records. 
- Vote audit. Provide an independent audit (such as paper print-out ballot) which can
ascertain the content of the true ballots cast. The audit can be checked by
the voter visually before deposit and used by the election board in the case
of recount. Without such an audit, system defects may be revealed years after
an election, making all earlier results questionable. 
- System accountability. All internal operations must be monitored,
without violating voter confidentiality. Monitoring must include votes
recorded and votes tabulated, and all system programming and administrative
operations such as pre- and post-election testing. All attempted and
successful changes to configuration status (especially those in violation of
the static system integrity requirement) must be noted. Furthermore, monitoring must be non-bypassable --- it must be impossible to turn off or circumvent. Monitoring
and analysis of audit trails must themselves be non-tamperable. All operator
authentication operations must be logged. 
- Read-only media can help ensure nontamperability of the
audit trail, but nonbypassability requires a trusted system for data
- Reliability. Elections systems should work robustly, without loss
of any votes, even in the face of numerous failures, including failures of
voting machines and total loss of Internet communication. 
- Fault-Tolerance. The votes must be captured
accurately in redundant and non-volatile storage within the voting client.
Once that happens, all other failures can in principle be tolerated and
recovered from. In the case of the failure of communication link, voting
systems must include the functionality of a direct recording electronic (DRE)
system and be able to revert to DRE mode without losing a single vote.
- System reliability. System development (design,
implementation, maintenance, etc.) should attempt to minimize the likelihood
of accidental system bugs and malicious code. 
- Voter Anonymity and Non-Coercibility. Neither election authorities
nor anyone should be able to determine how any individual voted, and voters
should not be able to prove how they voted. 
- No voter can prove that he or she voted in a particular
way. It is important for the prevention of vote buying and extortion. Voters
can only sell their votes if they are able to prove to the buyer that they
actually voted according to the buyer's wishes. 
- Data confidentiality. Votes must be protected from
external reading during the voting process. 
- Anonymous channel. All communication between voter
and election authorities occurs over an anonymous channel. An anonymous
channel could be secured through the use of a chain of World Wide Web
forwarding servers. 
- Flexibility. Election equipment should allow for a variety of
ballot question formats, be compatible with a variety of standard platforms
and technologies, and be accessible to everyone including disabilities. 
- Efficiency. Election systems should be efficient. 
- Interface Usability and Convenience. Voters should be able to cast
votes quickly with minimal equipment or skills. 
- Complicated operator interfaces are inherently risky,
because they induce accidents and can mask hidden functionality.
- Transparency. Voters should be able to possess a
general knowledge and understanding of the voting process. 
- Certifiability. Voting systems should be testable so that election
officials have confidence that they meet the necessary criteria. 
- The source code must be open for random inspection at any time
(including documentation), despite cries for secrecy from the system vendors.
It need not be open-sourced, but the source code should at least be
available to designated security experts when certification/inspection is
- Trusted Path. A reliable mechanism for delivering cast vote
to the election server in a timely manner. The path must be trusted (secure)
throughout the period during which votes are transmitted.
- Authenticated communication link must be used between
client and server, and encryption of the data being transported is needed to
preserve data confidentiality. 
- System availability. The system must be protected against both
accidental and malicious denials of service, and must be available for use
whenever it is expected to be operational. 
- Defenses against spoofing (fake voting sites). 
- Documentation and assurance. The design, implementation,
development practice, operational procedures, and testing procedures must all
be unambiguously and consistently documented. Documentation must also describe
what assurance measures have been applied to each of those system aspects. 
- System Management and Operation.
- Many systems provide intentional trapdoors in case of
failures of the authentication mechanism or loss of ability to authenticate.
Such trapdoors should be avoided, and if unavoidable must be audited
non-bypassably. All persons authorized to perform system-administration
functions must be nontrivially authenticated (not to mention well-trained
and experienced!), with no exceptions. 
- Local operating control. Voting systems must be
amenable to easy use by local election officials, and must not necessitate
the on-line control of external personnel (such as vendor-supplied
- Dedicated system. Voting systems should better not be
shared with other applications running concurrently. 
- Warning messages must occur during elections whenever
- Vote counting and reporting. The official canvass
should include counts not only of the number of votes for each candidate,
but also counts of the disputed votes where one member of a vote counting
team held that the vote was for one candidate while the opposing member held
that the vote should be excluded for one reason or another. 
- Disputed ballots must be set aside during the initial
count, with documentation of what votes were disputed by which vote
- At each level in the reporting process leading to the
official canvass, in addition to reporting the number of votes for each
candidate, the number of overvotes, undervotes and disputed votes should be
reported, and the sum of these must equal the total number of ballots
counted in all precincts covered by this report. 
- Machine detected overvotes that were not corrected by the
voter should be subject to a hand count if their number exceeds the margin
between the leading candidates. 
- Recount. Voting system must provide functions for
recounting, either providing vote audit for manual recounting or some other
means in case there's any question about the final voting result.
of the National Workshop on Internet Voting: Issues and Research Agenda,"
by Internet Policy Institute,
Criteria for Electronic Voting," by
Peter G. Neumann, 16th National Computer Security Conference, September,
Considerations for Remote Internet Voting," by
Avi Rubin, AT&T Labs.
- "Accuracy, Integrity, and Security in Computerized Vote-Tallying," by R.G.
Saltman, NBS (now NIST) special publication, 1988.
Voting Technology," by
Douglas W. Jones, Testimony before the United States Civil Rights
Commission Tallahassee, Florida, January 11, 2001.
- "Design and
Implementation of a Practical Security-Conscious Electronic Polling System,"
Lorrie Faith Cranor and Ron
Voting - Evaluating the Threat," by Michael Ian Shamos,
Risks," by Peter
G. Neumann, Addison-Wesley, 1995.
- "Voting and
Technology: Crypto-Gram -- December 15, 2000," by
Mercuri's Statement on Electronic Voting," by
in Computerized Elections," by Peter
G. Neumann, Inside Risks, 5, CACM 33, 11, p. 170, November 1990.
by design: voting systems and the election process," by Susan King Roth,
Information Design Journal, Volume 9, No. 1, 1998.