95 defended against. The problem with this is that if |
95 defended against. The problem with this is that if |
96 the incentives are great and enough resources are |
96 the incentives are great and enough resources are |
97 available, then maybe it is feasible to mount a DoS |
97 available, then maybe it is feasible to mount a DoS |
98 attack agains voting server and by bringing the |
98 attack agains voting server and by bringing the |
99 system to its knees, change the outcome of an |
99 system to its knees, change the outcome of an |
100 election. |
100 election. Not to mention to hack the complete |
|
101 system with malware and change votes undetectably. |
101 \end{itemize} |
102 \end{itemize} |
102 |
103 |
103 \item {\bf Ballot Secrecy} |
104 \item {\bf Ballot Secrecy} |
104 \begin{itemize} |
105 \begin{itemize} |
105 \item Nobody can find out how you voted. This is to avoid |
106 \item Nobody can find out how you voted. This is to avoid |
106 that voters can be coerced to vote in a certain way |
107 that voters can be coerced to vote in a certain way |
107 (for example by relatives, employers etc). |
108 (for example by relatives, employers etc). |
108 |
109 |
109 \item (Stronger) Even if you try, you cannot prove how you |
110 \item (Stronger) Even if you try, you cannot prove how |
110 voted. The reason is that you want to avoid vote |
111 you voted. The reason for this is that you want to |
111 coercion but also vote selling. That this is a problem |
112 avoid vote coercion, but also vote selling. That |
112 is proved by the fact that some jokers in the recent |
113 this can be a problem is proved by the fact that |
113 Scottish referendum tried to make money out of their |
114 some jokers in the recent Scottish referendum tried |
114 vote. |
115 to make money out of their vote. \end{itemize} |
115 \end{itemize} |
|
116 |
116 |
117 \item {\bf Voter Authentication} |
117 \item {\bf Voter Authentication} |
118 \begin{itemize} |
118 \begin{itemize} |
119 \item Only authorised voters can vote up to the permitted |
119 \item Only authorised voters can vote up to the permitted |
120 number of votes (in order to avoid the ``vote early, |
120 number of votes (in order to avoid the ``vote early, |
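Review bot: The sentence added at new lines 100-101, "Not to mention to hack the complete system with malware and change votes undetectably.", is a fragment with no subject, and it moves from the DoS scenario of the preceding sentence to vote tampering without a transition. Suggest a full sentence, for example "An attacker with such resources might also compromise the whole system with malware and change votes undetectably." New line 115 now carries \end{itemize} on the same line as the text ("to make money out of their vote. \end{itemize}"), while the other \end{itemize} lines visible in this diff stand alone; keep it on its own line. Since this paragraph is being touched, "agains voting server" on line 98 should become "against the voting server".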
123 |
123 |
124 \item {\bf Enfranchisement} |
124 \item {\bf Enfranchisement} |
125 \begin{itemize} |
125 \begin{itemize} |
126 \item Authorised voters should have the opportunity to vote. |
126 \item Authorised voters should have the opportunity to vote. |
127 This can, for example, be a problem if you make the |
127 This can, for example, be a problem if you make the |
128 authorisation dependent on an ID card, say a |
128 authorisation dependent on an ID card, say a driving |
129 driving license: then everybody who does not have a |
129 license. Then everybody who does not have a license |
130 license cannot vote. While this sounds an innocent |
130 cannot vote. While this sounds an innocent |
131 requirement, in fact some parts of the population |
131 requirement, in fact some parts of the population for |
132 for one reason or the other just do not have |
132 one reason or another just do not have driving |
133 driving licenses. They are now excluded. Also if |
133 licenses. They are now excluded. Also if you insist on |
134 you insist on paper ballots you have to have special |
134 paper ballots you have to have special provisions for |
135 provisions for them. |
135 blind people. Otherwise they cannot vote. |
136 \end{itemize} |
136 \end{itemize} |
137 |
137 |
138 \item {\bf Availability} |
138 \item {\bf Availability} |
139 \begin{itemize} |
139 \begin{itemize} |
140 \item The voting system should accept all authorised votes |
140 \item The voting system should accept all authorised votes |
141 and produce results in a timely manner. If you move |
141 and produce results in a timely manner. If you move |
142 an election online, you have to guard agains DoS |
142 an election online, you have to guard agains DoS |
143 attacks. |
143 attacks for example. |
144 \end{itemize} |
144 \end{itemize} |
145 \end{itemize} |
145 \end{itemize} |
146 |
146 |
147 \noindent While these requirements seem natural, the problem |
147 \noindent While these requirements seem natural, the problem |
148 is that they often clash with each other. For example |
148 is that they often clash with each other. For example |
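Review bot: Line 142 still reads "guard agains DoS" although the same sentence is edited on line 143; fix the typo to "against" in this change and set off the new trailing phrase with a comma ("attacks, for example."). The rewrite of "provisions for them" to "provisions for blind people. Otherwise they cannot vote." on new lines 134-135 resolves the dangling pronoun and needs no further change.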
153 \end{center} |
153 \end{center} |
154 |
154 |
155 \noindent If we had ballots with complete voter |
155 \noindent If we had ballots with complete voter |
156 identification, then we can improve integrity because we can |
156 identification, then we can improve integrity because we can |
157 trace back the votes to the voters. This would be good when |
157 trace back the votes to the voters. This would be good when |
158 verifying the results. But such an identification would |
158 verifying the results or recounting. But such an |
159 violate ballot secrecy (you can prove to somebody else how you |
159 identification would violate ballot secrecy (you can prove to |
160 voted). In contrast if we remove all identification for |
160 somebody else how you voted). In contrast, if we remove all |
161 ensuring ballot secrecy, then we have to ensure that no |
161 identification for ensuring ballot secrecy, then we have to |
162 ``vote-stuffing'' occurs. |
162 ensure that no ``vote-stuffing'' occurs. Similarly, if we |
163 |
163 improve authentication by requiring a to be present at the |
164 Similarly, if we improve authentication, \ldots |
164 polling station with an ID card, then we exclude absentee |
165 |
165 voting. |
166 To tackle the problem of e-voting, we must first have a look |
166 |
167 into the history of voting and how paper-based ballots |
167 To tackle the problem of e-voting, we should first have a look |
168 evolved. We know for sure that elections were held in Athens |
168 into the history of voting and how paper-based ballots |
169 as early as 600 BC, but might even date to the time of |
169 evolved. Because also good-old-fashioned paper ballot voting |
170 Mesopotamia and also in India some kind of ``republics'' might |
170 is not entirely trivial and immune from being hacked. We know |
171 have existed before the Alexander the Great invaded it. |
171 for sure that elections were held in Athens as early as 600 |
172 Have a look at Wikipedia about the history of democracy for |
172 BC, but might even date to the time of Mesopotamia and also in |
173 more information. |
173 India some kind of ``republics'' might have existed before the |
174 |
174 Alexander the Great invaded it. Have a look at Wikipedia about |
175 |
175 the history of democracy for more information. These elections |
|
176 were mainly based on voting by show of hands. While this |
|
177 method of voting satisfies many of the requirements stipulated |
|
178 above, the main problem with hand voting is that it does not |
|
179 guaranty ballot secrecy. As far as I know the old greeks and |
|
180 romans did not perceive this as a problem, but the result was |
|
181 that their elections favoured rich, famous people who had |
|
182 enough resources to swing votes. Even using small coloured |
|
183 stones did not really mitigate the problem with ballot |
|
184 secrecy. The problem of authorisation was solved by friends or |
|
185 neighbours vouching for you to prove you are elegible to vote |
|
186 (there were no ID cards in ancient Greece and Rome). |
|
187 |
|
188 Starting with the French Revolution and the US constitution, |
|
189 people started to value a more egalitarian approach to voting |
|
190 and electing officials. This was also the time where paper |
|
191 ballots started to become the prevailing form of casting |
|
192 votes. While more resistant against voter intimidation, paper |
|
193 ballots need a number of security mechanisms to avoid fraud. |
|
194 For example you need voting booths to fill out the ballot in |
|
195 secret. Also transparent ballot boxes are often used in order |
|
196 to easily detect and prevent vote stuffing (prefilling the |
|
197 ballot box with false votes). |
|
198 |
|
199 \begin{center} |
|
200 \includegraphics[scale=2.5]{../slides/pics/ballotbox.jpg} |
|
201 \end{center} |
|
202 |
|
203 \noindent Another security mechanism is to guard the ballot |
|
204 box against any tampering during the election until counting. |
|
205 The counting needs to be done by a team potentially involving |
|
206 also independent observers. One interesting attack against |
|
207 completely anonymous paper ballots is called \emph{chain vote |
|
208 attack}. It works if the paper ballots are given out to each |
|
209 voter at the polling station. Then an attacker can give the |
|
210 prefilled ballot to a voter. The voter uses this prefilled |
|
211 ballot to cast the vote, and then returns the empty ballot |
|
212 back to the attacker who now compensates the voter. The blank |
|
213 ballot can be reused for the next voter. |
|
214 |
|
215 The point is that paper ballots have evolved over some time |
|
216 and no single best method has emerged for preventing fraud. |
|
217 But the involved technology is well understood in order to |
|
218 provide good enough security with paper ballots. |
|
219 |
|
220 \subsection*{E-Voting} |
|
221 |
|
222 If one is to replace paper ballots by some electronic |
|
223 mechanism, one should always start from simple premise taken |
|
224 from an Australian white paper about e-voting: |
|
225 |
|
226 \begin{quote} \it ``Any electronic voting system should |
|
227 provide at least the same security, privacy and transparency |
|
228 as the system it replaces.'' |
|
229 \end{quote} |
|
230 |
|
231 \noindent Whenever people argue in favour of e-voting they |
|
232 seem to be ignore this basic premise. |
176 |
233 |
177 %\subsubsection*{Questions} |
234 %\subsubsection*{Questions} |
178 |
235 |
179 %Coming back to the question of why I use online banking, but |
236 %Coming back to the question of why I use online banking, but |
180 %prefer not to e-vote. |
237 %prefer not to e-vote. |
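Review bot: New lines 163-164 read "requiring a to be present at the polling station": the noun after "a" is missing (presumably "voter"), so the sentence that replaces the old "\ldots" placeholder does not parse. On new lines 169-170, "Because also good-old-fashioned paper ballot voting is not entirely trivial and immune from being hacked." is a fragment, and its negation can be read as saying paper ballots are immune; consider "neither entirely trivial nor immune to being hacked" and attach it to the previous sentence. In the chain vote paragraph (new lines 207-213) the returned ballot is called "empty" on line 211 and "blank" on line 212; use one term, and explain why the attack depends on ballots being handed out at the polling station, which line 208 asserts without giving the reason. The quote on new lines 226-228 is attributed to "an Australian white paper" with no reference; add a citation. Spelling and grammar in the added text: "guaranty" (179), "old greeks and romans" (179-180), "elegible" (185), "from simple premise" (223), "seem to be ignore" (232), and "before the Alexander the Great", carried over from old line 171.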