Electronic Voting
Ian Brown (with some slides from Matt Bishop, UC
Davis)
Overview
•
•
•
•
•
•
Voting procedures
What’s broke?
E-voting options
UK government plans
Security problems
US situation
Properties
•
•
•
•
Voter must be able to vote
Votes are secret
Votes are anonymous
Voter can verify votes at any point before dropping
ballot into ballot box
Requirements
• Must be available
• Must provide simple to use, easy to understand,
hard to misuse interface for voter
• Must not be able to associate votes with a
particular voter
Requirements (2)
• Must allow voter to discard votes up to the time the voter
officially casts ballot
• Must prevent voter from casting more than limited number
of votes per race, or once per ballot
• Voter must be able to verify vote up to time vote is cast
Key Ideas
• Separation of Privilege
– Observers can check everything in paper election
• Not with e-voting systems to the same degree
• Auditability
– Maybe with e-voting systems …
Paper elections
•
•
•
•
•
Go to polling place and give name, address
Get ballot paper, enter booth
Use pencil to mark paper to indicate vote
Fold ballot paper
Leave booth, drop paper into ballot box
What’s broke?
• Low turnout in elections – 61% in 2005 general
election (compared to historical figures of 70—
80%), 20—30% local elections
• Especially prevalent among younger voters (40%
of 18—24 year olds voted in 2001)
• Voters only get their say roughly once every four
years on national government
UK government plans
• Add options for casting vote – expand postal vote,
introduce telephone, SMS, digital TV and Internet
voting
• Trials in local elections
• Want to use in next-but-one general election
• Might eventually lead to greater use of
referendums
May 2002 trials
• New voting methods trialled in council elections
• 30 local authorities tested various combinations of
all-postal voting and remote electronic voting
technology
Trial results
• Some local authorities saw a doubling of turnout in
postal votes
• Technology methods seemed to make no
significant difference to turnout
• Scope found that disabled voters felt accessibility
was improved
• Use of polling station equipment not seen as a
useful way forward
Potential security problems
• Insider attacks – hard to fully audit code, esp. if proprietary,
closed source
• Computer compromise – how can you guarantee the
machines used to vote aren’t infected by vote-stealing
viruses
• Network problems – how do you make sure Denial of
Service attacks don’t take down network infrastructure or
servers
• Server protection – easier as centralised and under direct
govt control
• Public confidence – how do you convince voters that
election was fair?
Local e-democracy National Project
• Aim is to improve democratic participation between
elections
• Piloting projects to allow council meeting documents to be
tracked online, enable micro-consultations, online petitions
and citizen panels
• Provide evidence to councillors of effectiveness of web
pages, e-mail, and other online consultation mechanisms
• Research tools to promote social inclusion of groups such
as the disabled and less literate
US situation
• Each ballot paper tends to contain MANY options
for voters – local officials (e.g. sherrifs),
referendums – perhaps >100
• Makes hand count of ballots impracticable
• Machines have been used for many years, but
problems (e.g. hanging chads) led to Help
America Vote Act
• HAVA funding new computerised terminals across
the US
AccuVote-TS Terminals
Compromise
• All locks have the same key
– Can duplicate it in any hardware store
– Pick locks in under 1 minute (first timer), 10 seconds (with some
knowledge)
• In bay lie PCMCIA card, PS2 port
– Hook up keyboard, hit F2 or Enter and you’re a Supervisor!
• Jam card reader
• Disconnect monitor
Voter Verified Audit Trail
• How can voter know whether her votes tallied accurately?
– Some sort of paper trail
– NOT just a printout from a voting machine, but a printed slip that
voters can check when casting vote
– Stored in machine or ballot box
– May be optically scanned
– Can be used as basis for recount when required (and randomly to
verify machine operation)
– Required by law in California for all new e-voting machines after
March 2004, and cannot use e-voting machines without them after
2006
Pentagon SERVE project
• Secure Electronic Registration and Voting
Experiment
• US project to allow 100,000 overseas personnel to
cast votes remotely for primaries and general
election using the Internet
• Shut down after damaging report from Security
Peer Review Group: “There really is no good way
to build such a voting system without a radical
change in overall architecture of the Internet and
the PC”
Conclusions
• Election security is hard – anonymity requirement and high
stakes – and has been evolving for over a century in the
UK
• New voting mechanisms have been suggested as way of
increasing turnout, but is “how” or “why” more important?
• Trials in 2002 UK local elections found no significant effect
on turnout of new technology
• UK government still pressing ahead with e-voting, but eparticipation projects might have more immediate impact