
Electronic and Internet Voting

David Jefferson
Compaq Systems Research Center
130 Lytton Ave.
Palo Alto, CA 94301
jefferson@pa.dec.com
Technical desiderata for public elections
• General elections are a matter of national security
– Successful external attack must be essentially impossible
• Voting transactions do not resemble e-commerce transactions!
• Emphasis on prevention of failure or fraud
– Problems often cannot be fixed after the fact
– Lost or spoiled votes cannot be recovered
– Fraudulently-cast votes usually cannot be fixed
– Election cannot be postponed or re-held
• Privacy and secret ballot
– Protection against vote coercion and vote selling
– At poll site, people vote alone, with observers to enforce and testify
• Erosion of this right as a result of mail-in voting
– List of voters, votes are public; association between them is secret
– Voter may reveal how s/he voted, but there must be no proof of it
Technical desiderata for public elections
• Nontransferability of right to vote
– Strong authentication of voter
– Possession of token or secret does not suffice
• Protection against failures and insider fraud
– No undetected loss of votes
– No undetected changing or forging of votes, or record of who voted
• Openness / transparency / observability / verifiability
– Elections must not only be fair, but be seen to be so
– Open standards / open source
– Strong audit trail
– Cryptographic universal verifiability
Voting systems will change rapidly
• Hardware
– Device specs, e.g. touch screens
– Size, weight, form factor, power
– Modem → 10-base-T → wireless communication
– Security and/or authentication hardware
• Software
– Constant upgrades for bug fixes and security patches
– Changes to internet security protocols
– HTML → XML
– Changes to election law
• Changes to certification process
– Recertification of systems put to other use
– Continuous certification and decertification
• Changes to “business model”
– Capital purchase gives way to leasing, renting, financing, dual-use, and other options
• Changes to training and management

Classification of Electronic Voting Systems
• All-electronic voting (DRE) at the precinct
– Voting only at local precinct
– Voting on touchscreen device
– Voting machine secured by election officials
– Voters authenticate themselves to election officials
– No networking
• Poll-site Internet voting
– Same, except ballots transmitted via Internet to county servers
• Attended kiosk voting
– Same, except voters can vote anywhere in the county or jurisdiction
– implies online protection against multiple voting
• Unattended kiosk voting
– Same, except voters authenticate themselves to voting machine instead of election officials
• Remote voting
– Voters or 3rd parties control client configuration
– Vote from home, office, or “any platform, anywhere”
All-electronic (DRE) systems
• Ballot layout conventions and human interface
– Screen size, resolution, color conventions
– Ballot navigation, interaction, feedback, confirmation
• Fault/failure tolerance
– Power failure
– Software failure (even mid-transaction)
• Software certification, verification, signature checking
• Procedural safeguards against insider fraud
• Transparency, audit-trail, recount and challenge procedure
• Open specs, open source
Poll-site Internet voting
• Operation even if all connectivity is lost (via failure or attack)
• Lockdown / firewalling against external penetration attacks on clients
• Key distribution, encryption of transmissions
• Authentication of clients to servers

Attended kiosk voting
• Human-assisted authentication and double vote protection must work in the face of loss of connectivity
Unattended kiosk voting
• Tamper-resistant, self-checking architecture
• Operation in the face of communication failure
• Double-vote detection even with communication failure
• Machine authentication that voter is registered in the jurisdiction
– Authentication must be nontransferable
– Biometric?
– Must be acceptable to voters
• Fundamental privacy/coercion problem
• Perhaps suitable only for military voting

Remote Voting
• Profound security problems with voting from unsecured
platforms (i.e. conventional PC + OS + browser)
• Large numbers of votes could be changed, discarded,
spied upon, or bought/sold—undetectably—by anyone
in the world. No fixes in sight.
– Trojan horse attacks (pre-existing or delivered by virus)
– Remote management software attacks
– Authentication of voting software
– Spoofing/DNS attacks
– Denial of service attacks
– Automated vote selling schemes
• Vast combinatorial space of platforms to support
– Technical and legal problems
Research agenda
• Human factors in ballot layout, navigation, etc. using touchscreens
• Client HW and SW architectures allowing security against Trojan horse infection, etc.
• Nontransferable voter authentication mechanisms acceptable to the public
• Software authentication—verification that software running on a platform is the same that was certified
• Voting architectures with clear criteria for audit trail and recount
• Practical, universally-verifiable backend canvass protocols
• Internet infrastructure protection against:
– Penetration attacks
– Spoofing
– Denial of service attacks
• Thinking out of the box:
– Election architectures that do not fit in this spectrum
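The software-authentication item above (and the "signature checking" item on the DRE slide) as an added example, not code from the slides: a Python check that hashes every file of an installed voting-software tree and reports anything modified, missing, or not present in the certified manifest. File names and contents are constructed; the manifest's own signature by the certifying authority is assumed to have been verified beforehand, so only the file-level comparison is shown.

```python
"""Added example (not from the slides): verify that the software installed on a
voting platform is byte-for-byte the software that was certified, by comparing a
hash of every installed file against a certified manifest.  Assumes the manifest
itself was signed by the certification authority and that signature was already
checked; this block covers only the file-level comparison."""
import hashlib
import hmac
import tempfile
from pathlib import Path

def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not load into RAM."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash."""
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_platform(root: Path, certified: dict) -> dict:
    """Report every deviation from the certified manifest.  An all-empty result
    means the installed tree matches what was certified."""
    installed = build_manifest(root)
    modified = sorted(f for f in certified if f in installed
                      and not hmac.compare_digest(installed[f], certified[f]))
    return {"modified": modified,
            "missing": sorted(set(certified) - set(installed)),
            "unexpected": sorted(set(installed) - set(certified))}

def demo() -> tuple:
    """Constructed scenario: certify a two-file tree, then alter one file and
    drop in an unreviewed module.  Returns (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as d:
        app = Path(d) / "dre"
        app.mkdir()
        (app / "ballot.bin").write_bytes(b"certified ballot logic v1")
        (app / "tally.bin").write_bytes(b"certified tally logic v1")
        certified = build_manifest(app)          # snapshot taken at certification
        clean = verify_platform(app, certified)
        (app / "tally.bin").write_bytes(b"patched tally logic")  # silent change
        (app / "extra.so").write_bytes(b"unreviewed module")     # added file
        tampered = verify_platform(app, certified)
    return clean, tampered

if __name__ == "__main__":
    clean, tampered = demo()
    print("clean install:", clean)
    print("tampered install:", tampered)
```

A real deployment would run this check at boot from a trusted, read-only verifier and refuse to open the polls on any non-empty result.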
END
