Electronic Voting

Ian Brown (with some slides from Matt Bishop, UC Davis)

Overview

• Voting procedures• What’s broke?• E-voting options• UK government plans• Security problems• US situation

Properties

• Voter must be able to vote• Votes are secret• Votes are anonymous• Voter can verify votes at any point before dropping

ballot into ballot box

Requirements

• Must be available• Must provide simple to use, easy to understand,

hard to misuse interface for voter• Must not be able to associate votes with a

particular voter

Requirements (2)

• Must allow voter to discard votes up to the time the voter officially casts ballot

• Must prevent voter from casting more than limited number of votes per race, or once per ballot

• Voter must be able to verify vote up to time vote is cast

Key Ideas

• Separation of Privilege– Observers can check everything in paper election

• Not with e-voting systems to the same degree

• Auditability– Maybe with e-voting systems …

Paper elections

• Go to polling place and give name, address• Get ballot paper, enter booth• Use pencil to mark paper to indicate vote• Fold ballot paper• Leave booth, drop paper into ballot box

What’s broke?

• Low turnout in elections – 61% in 2005 general election (compared to historical figures of 70—80%), 20—30% local elections

• Especially prevalent among younger voters (40% of 18—24 year olds voted in 2001)

• Voters only get their say roughly once every four years on national government

UK government plans

• Add options for casting vote – expand postal vote, introduce telephone, SMS, digital TV and Internet voting

• Trials in local elections• Want to use in next-but-one general election• Might eventually lead to greater use of

referendums

May 2002 trials

• New voting methods trialled in council elections• 30 local authorities tested various combinations of

all-postal voting and remote electronic voting technology

Trial results

• Some local authorities saw a doubling of turnout in postal votes

• Technology methods seemed to make no significant difference to turnout

• Scope found that disabled voters felt accessibility was improved

• Use of polling station equipment not seen as a useful way forward

Potential security problems

• Insider attacks – hard to fully audit code, esp. if proprietary, closed source

• Computer compromise – how can you guarantee the machines used to vote aren’t infected by vote-stealing viruses

• Network problems – how do you make sure Denial of Service attacks don’t take down network infrastructure or servers

• Server protection – easier as centralised and under direct govt control

• Public confidence – how do you convince voters that election was fair?

Local e-democracy National Project

• Aim is to improve democratic participation between elections

• Piloting projects to allow council meeting documents to be tracked online, enable micro-consultations, online petitions and citizen panels

• Provide evidence to councillors of effectiveness of web pages, e-mail, and other online consultation mechanisms

• Research tools to promote social inclusion of groups such as the disabled and less literate

US situation

• Each ballot paper tends to contain MANY options for voters – local officials (e.g. sherrifs), referendums – perhaps >100

• Makes hand count of ballots impracticable• Machines have been used for many years, but problems

(e.g. hanging chads) led to Help America Vote Act• HAVA funding new computerised terminals across the

US

AccuVote-TS Terminals

Compromise

• All locks have the same key– Can duplicate it in any hardware store– Pick locks in under 1 minute (first timer), 10 seconds (with some

knowledge)

• In bay lie PCMCIA card, PS2 port– Hook up keyboard, hit F2 or Enter and you’re a Supervisor!

• Jam card reader• Disconnect monitor

Voter Verified Audit Trail

• How can voter know whether her votes tallied accurately?– Some sort of paper trail– NOT just a printout from a voting machine, but a printed slip that

voters can check when casting vote– Stored in machine or ballot box– May be optically scanned– Can be used as basis for recount when required (and randomly to

verify machine operation)– Required by law in California for all new e-voting machines after

March 2004, and cannot use e-voting machines without them after 2006

Pentagon SERVE project

• Secure Electronic Registration and Voting Experiment

• US project to allow 100,000 overseas personnel to cast votes remotely for primaries and general election using the Internet

• Shut down after damaging report from Security Peer Review Group: “There really is no good way to build such a voting system without a radical change in overall architecture of the Internet and the PC”

Conclusions

• Election security is hard – anonymity requirement and high stakes – and has been evolving for over a century in the UK

• New voting mechanisms have been suggested as way of increasing turnout, but is “how” or “why” more important?

• Trials in 2002 UK local elections found no significant effect on turnout of new technology

• UK government still pressing ahead with e-voting, but e-participation projects might have more immediate impact