Security Properties for Electronic Voting

Sabina Petride

For an electronic voting system to be secure, it has to be implemented according to a secure design, to function in various environments without information flow or vulnerabilities, to be properly maintained and updated, and the list goes on. Despite the complexity of the problem, some criteria for election systems seem to be unanimously accepted as the core requirements: features that, when present, contribute to the security of the system and, when absent, drastically compromise the election process. The list is far from complete. For example, [9] summarizes a set of variants of the privacy requirement:

If we take into account different details of implementation, we discover more subtle security requirements. As an example, [5] imposes software certification, performance, and integrity by simultaneously verifying certification of software, dedicated operations and uses, together with logical correctness of vote-tallying software. The same report refines the problem of access control by requiring site controls, voting process and telecommunications security controls.

Additional features of voting systems require additional security constraints:

Apart from the above security criteria, there are some desirable properties directly influencing the efficiency of the voting system, and indirectly affecting the security of the election:

There is a simple test showing that these are indeed security properties: a system that does not exhibit at least one of these features is vulnerable. If the system is not transparent, then there is no universally verifiable election protocol allowing each individual who has some knowledge about the way the system works to verify the correctness of the election. The system is then prone to inside fraud.

An inconvenient system may easily become the victim of unintended attacks, since errors are more probable in an election process that is tedious or complicated than in a quick and simple one. Voters may introduce errors, and a secure system should be able to discard all erroneous data; but if the system is intricate and requires voters with special skills, then many votes are incorrectly cast, and we end up rejecting a large fraction of all the votes. In this way the result of the election becomes unrepresentative; even more, the segment of the population that is more knowledgeable is the one to cast the vote and finally impose its choice. This leads to the opposite of democracy and violates the principle of universal vote access.

Flexibility has been a vexing problem for the computer industry ([7]). A secure system should support ballot design for different platforms to ensure reliability, but at the same time should evenly distribute the votes among groups with different views. It should avoid introducing bias by selecting platforms that are more available to some groups than to others ([7]). The choice of the platform, language, ballot format, or devices may seem innocuous, but it may actually prevent small fractions of the voters from casting their votes. A secure system should not disadvantage any of the voters, and so it should also provide devices to assist disabled people.

Providing flexibility adds significantly to the complexity of the system and increases the cost of testing and certification, and thus may have a negative effect on cost-effectiveness. On the other hand, a very expensive system may be impossible to construct in the real world, or may generate a negative attitude from the voters if public subvention is required.

There are multiple types of electronic voting: Internet voting, with three alternatives:

and direct recording electronic (DRE): the ballots are cast on an electronic voting machine that may occasionally send the stored votes to a central site.

The results of the election should be the same, no matter what type of electronic voting is actually implemented. However, each type of voting has its own characteristics that may facilitate specific errors, or that make it more vulnerable to certain kinds of attacks. Some vulnerabilities are due to the structure of the system; for example, as pointed out in [7], with remote Internet voting, ballots cannot be stored on client computers, since maintaining such records facilitates spying and vote selling; and this just adds to the long list of network failures or attacks against routers, domain name servers, or the whole network. Different systems have different vulnerabilities, special platforms, and specific risks; they also influence voter participation and access, and law enforcement mechanisms. The aim is to maintain the same functionality, at the same level of security.

A secure system should:

For example, computer software designers may create liabilities that are not under the control of the election officials, and the law should be updated accordingly. These are all legal concerns, but they should not be ignored or underestimated. It is impossible to have a secure election system without specific laws, clear liability, and fair means of law enforcement. Public or private systems may be subject to different laws, but a secure electronic voting system should not be affected by these differences.

An electronic voting system should be able to defend against:

There are three main vulnerable points: the server (the subsystem that receives all the votes), the client (the subsystem that casts the votes), and the communication path. A secure system must protect all of them. The attacks usually take the form of a malicious payload such as a Trojan horse or a remote control program. If such an attack takes place, it may never be detected, while it prevents voters from casting votes, modifies ballots, or gains information about ballots and the voter-ballot relationship. The system should be able to withstand these attacks, independent of the actual type of electronic voting. As an example, for remote voting, the path between the voting client and the server must be secure during vote transmission. The communication along this path should be authenticated, and data should be encrypted to preserve confidentiality.
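The channel requirement above, as an added example that is not part of the original essay: a Python `ssl` client configuration that encrypts but does not authenticate the server, beside one that does both, with a small audit function that tells them apart. The function names and finding labels are hypothetical.

```python
import ssl


def weak_client_context():
    """Constructed anti-example: traffic is encrypted, but the vote server
    is never authenticated, so a machine on the path can impersonate it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate
    return ctx


def hardened_client_context():
    """Authenticated and encrypted: certificate chain and host name are
    verified against the system trust store, legacy protocols refused."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Return a list of finding labels (hypothetical names) for a client
    context; an empty list means the channel meets both requirements."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("no-peer-cert")        # server not authenticated
    if not ctx.check_hostname:
        findings.append("no-hostname-check")   # any valid cert would pass
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy-protocol")     # weak confidentiality
    return findings


if __name__ == "__main__":
    for name, build in (("weak", weak_client_context),
                        ("hardened", hardened_client_context)):
        print(name, audit_context(build()))
```

This covers only the communication path; a compromised client or server, the other two vulnerable points named above, is outside what transport security can address.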

Many of the above criteria for the security of electronic voting are impossible to achieve at the same time. This justifies the need for a managed risk approach to security. As explained in [7], the concept of risk, as used for this problem, is a measure of both the likelihood and the consequence of an adverse event. Different types of electronic voting have different risks. We have to choose the type that minimizes the risk.


  1. D. M. Elliott, Examining Internet voting in Washington

  2. L. F. Cranor, Design and implementation of a practical security-conscious electronic polling system, 1996

  3. P. G. Neumann, Security criteria for electronic voting

  4. A. Rubin, Security considerations for remote electronic voting over the Internet

  5. R. G. Saltman, Accuracy, integrity, and security in computerized vote-tallying, 1988

  6. M. I. Shamos, Electronic voting - evaluating the threat, 1993

  7. Report of the National Workshop on Internet Voting: Issues and Research Agenda, 2001

  8. Online voting, Parliamentary Office of Science and Technology, 2001

  9. Voting system requirements, Safevote