handouts/ho02.tex
author Christian Urban <christian dot urban at kcl dot ac dot uk>
Wed, 01 Oct 2014 16:18:51 +0100
updated

\documentclass{article}
\usepackage{../style}


\begin{document}

\section*{Handout 2 (E-Voting)}

In security engineering there are many counter-intuitive
phenomena. For example, I am happy (more or less) to use online
banking every day, where if something goes wrong I can
potentially lose a lot of money, but I am staunchly against
using electronic voting (let's call it e-voting for short).
E-voting is an idea that is nowadays often promoted in order
to counter low turnouts in elections\footnote{In the last local
election where I was eligible to vote, only 48\% of the
population cast their ballot. I was, I shamefully admit,
one of the non-voters.} and it generally sounds like a good idea.
Right? Voting from the comfort of your own home, or on your
mobile on the go: what could possibly go wrong? Even the head of
the UK's Electoral Commission, Jenny Watson, argued in 2014
in a Guardian article that the UK should have e-voting. Her
plausible argument is that 76\% of pensioners in the UK vote
(in a general election?), but only 44\% of the under-25s. It is
clear for which constituency politicians will therefore make
more favourable (short-term) decisions. So, not yet being a
pensioner, I should be in favour of e-voting, no?

Well, it turns out that there are many things that can go wrong
with e-voting, as I will argue in this handout. E-voting in
a ``secure way'' seems to be one of the things in computer
science that are still very much unsolved. It is not on the
scale of Turing's halting problem, which has been proved to be
unsolvable in general, but more in the category of being
unsolvable with current technology. This is not just my
opinion, but one shared by many security researchers, amongst
them Alex Halderman, who is a leading expert on this subject
and from whose course on Securing Digital Democracy I have taken
most of my information and inspiration. It is also a
controversial topic in many countries:

\begin{itemize}
\item The Netherlands used electronic voting machines between
      1997 and 2006, but ``hacktivists'' found that the machines
      could be hacked to change votes and that they also emitted
      radio signals revealing how you voted.

\item Germany conducted pilot studies with e-voting, but a
      lawsuit brought in 2007 reached the Federal Constitutional
      Court, which in 2009 rejected the voting machines on the
      grounds that the essential steps of an election must be
      verifiable by the general public without special expertise.

\item The UK used optical scan voting systems in a few trial
      polls, but to my knowledge does not use any e-voting in
      elections.
      
\item The US has used mechanical voting machines since the
      1930s, later punch cards, and now DREs (direct-recording
      electronic machines) and optical scan voting machines.

\item Estonia has used the Internet for national elections since
      2007. There were earlier pilot studies of voting via the
      Internet in other countries.

\item India has used e-voting devices since at least 2003, namely
      ``keep-it-simple'' machines produced by a government-owned
      company.

\item South Africa used software for its tallying in the 1994
      elections (when Nelson Mandela was elected) and found
      that the tallying software had been rigged, but it was
      able to tally manually. 
\end{itemize}


The reason that e-voting is such a hard problem is that we
have requirements on the voting process that conflict with
each other. The five main requirements for voting in general
are:

\begin{itemize}
\item {\bf Integrity} 
  \begin{itemize}
  \item By this we mean that the outcome of the vote matches
        the voters' intent. Note that this does not say
        that every vote must be counted as cast. This might
        be surprising, but even counting paper ballots will
        always have an error rate: people who have looked at
        ballots for several hours will inevitably miscount some
        votes. What should be ensured is that the error rate
        does not change the outcome of the election. Of course,
        if elections continue to be decided on a knife edge, we
        need to ensure that the error rate is rather small. 
          
  \item There might be gigantic sums at stake, which have to
        be defended against. The problem is that if the
        incentives are great and enough resources are
        available, then it may be feasible to mount a DoS
        attack against the voting servers and, by bringing the
        system to its knees (for example, by keeping the voters
        of one region from casting their votes), change the
        outcome of an election.                
  \end{itemize}

\item {\bf Ballot Secrecy}
  \begin{itemize}
  \item Nobody can find out how you voted. This is to avoid
        voters being coerced into voting in a certain way
        (for example by relatives, employers etc.).
         
  \item (Stronger) Even if you try, you cannot prove how you
        voted; in the literature this property is called
        receipt-freeness. The reason is that you want to prevent
        not only vote coercion but also vote selling. That this
        is a real problem is shown by the fact that some jokers
        in the recent Scottish referendum tried to make money
        out of their vote. 
  \end{itemize}

\item {\bf Voter Authentication}
  \begin{itemize}
  \item Only authorised voters can vote, and only up to the
        permitted number of times (in order to prevent ``vote
        early, vote often'').
  \end{itemize}
  
\item {\bf Enfranchisement}
  \begin{itemize}
  \item Authorised voters should have the opportunity to vote.
        This can, for example, be a problem if you make the
        authorisation dependent on an ID card, say a
        driving licence: then everybody who does not have a
        licence cannot vote. While this sounds like an innocent
        requirement, some parts of the population, for one
        reason or another, simply do not have driving
        licences. They are now excluded. Also, if you insist
        on paper ballots, you have to make special provisions
        for voters who cannot use them.  
  \end{itemize}
  
\item {\bf Availability}
  \begin{itemize}
  \item The voting system should accept all authorised votes
        and produce results in a timely manner. If you move
        an election online, you have to guard against DoS 
        attacks.
   \end{itemize}
\end{itemize}
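The integrity requirement above says that the counting error must not change the outcome. The following Python simulation is an added example (it is not part of the handout or of Halderman's course material) that makes the trade-off between margin of victory and error rate concrete. It assumes a deliberately simple error model: every ballot is independently misread with probability $p$, and a misread ballot is credited to the other candidate. The vote totals are constructed, and the five-standard-deviation safety factor in \texttt{margin\_is\_safe} is an arbitrary choice, not a figure from the handout.

```python
import math
import random

# Added example, not from the handout. It models the integrity requirement
# "the counting error rate must not change the outcome" under one ASSUMED
# error model: every ballot is independently misread with probability p,
# and a misread ballot is credited to the other candidate. Real hand-count
# errors are not this tidy; the model only illustrates how margin and
# error rate interact.


def tally_with_errors(votes_a, votes_b, p, rng):
    """Simulate one hand count of a two-candidate race.

    Returns the reported (count_a, count_b) after each of the true
    ballots has been misread with probability p.
    """
    a_to_b = sum(1 for _ in range(votes_a) if rng.random() < p)
    b_to_a = sum(1 for _ in range(votes_b) if rng.random() < p)
    return votes_a - a_to_b + b_to_a, votes_b - b_to_a + a_to_b


def outcome_change_probability(votes_a, votes_b, p, trials=500, seed=1):
    """Fraction of simulated counts in which A is no longer the strict winner.

    votes_a must be the true winner's total (votes_a > votes_b). A tie in
    the reported count is treated as a changed outcome, since A has lost
    the win the voters gave it.
    """
    if votes_a <= votes_b:
        raise ValueError("votes_a must be the true winner's total")
    rng = random.Random(seed)  # fixed seed keeps the simulation reproducible
    changed = 0
    for _ in range(trials):
        reported_a, reported_b = tally_with_errors(votes_a, votes_b, p, rng)
        if reported_a <= reported_b:
            changed += 1
    return changed / trials


def swing_stddev(votes_a, votes_b, p):
    """Standard deviation of the reported margin under the error model.

    Misreads in each direction are binomial, so the net number of
    misreads has variance (votes_a + votes_b) * p * (1 - p); each net
    misread moves the margin by two votes.
    """
    return 2 * math.sqrt((votes_a + votes_b) * p * (1 - p))


def margin_is_safe(votes_a, votes_b, p, sigmas=5):
    """True if the true margin exceeds `sigmas` standard deviations of
    counting noise, i.e. the error rate is small enough that it is very
    unlikely to change the outcome. `sigmas` is an assumed safety factor."""
    return abs(votes_a - votes_b) > sigmas * swing_stddev(votes_a, votes_b, p)


if __name__ == "__main__":
    # Constructed totals: the same 2 % misread rate is harmless for a
    # 600/400 split but overturns a 504/496 race in a sizeable fraction
    # of simulated counts.
    for a, b in ((600, 400), (504, 496)):
        print(a, b, "p=0.02:",
              "outcome changed in", outcome_change_probability(a, b, 0.02),
              "of counts; margin safe:", margin_is_safe(a, b, 0.02))
```

Run as a script, it shows that the same 2\% misread rate leaves a 600/400 result untouched but overturns a 504/496 result in a sizeable fraction of the simulated counts. The \texttt{swing\_stddev} formula explains why: counting noise grows only with the square root of the number of ballots, while the margin that has to survive it is fixed by the voters, so the acceptable error rate is a property of the election's closeness, not of the counting procedure alone.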

\noindent While these requirements seem natural, the problem 
is that they often clash with each other. For example

\begin{center}
integrity vs.~ballot secrecy\\
authentication vs.~enfranchisement
\end{center}

\noindent If we had ballots with complete voter
identification, then we could improve integrity, because we
could trace every vote back to its voter. This would be good
when verifying the results. But such an identification would
violate ballot secrecy (you could prove to somebody else how
you voted). In contrast, if we remove all identification in
order to ensure ballot secrecy, then we have to ensure by other
means that no ``vote-stuffing'' occurs.

Similarly, if we improve authentication, \ldots

To tackle the problem of e-voting, we must first have a look
at the history of voting and how paper-based ballots 
evolved. We know for sure that elections were held in Athens
as early as 600 BC, but voting might even date back to the
time of Mesopotamia, and in India some kind of ``republics''
might have existed before Alexander the Great invaded it.
Have a look at the Wikipedia article on the history of
democracy for more information.



%\subsubsection*{Questions}

%Coming back to the question of why I use online banking, but 
%prefer not to e-vote. 

%Why do I use e-polling in lectures?

%Imagine you have a perfectly secure internet voting system, by
%which I mean nobody can tamper with or steal votes between
%your browser and the central server responsible for vote
%tallying. What can still go wrong with such a perfectly secure
%voting system, which is prevented in traditional elections
%with paper-based ballots?

\end{document}

%%% Local Variables: 
%%% mode: latex
%%% TeX-master: t
%%% End: