\documentclass{article}
\usepackage{../style}
\begin{document}
\section*{Handout 2 (E-Voting)}
In security engineering, there are many counter-intuitive
phenomena: for example I am happy (more or less) to use online
banking every day, where if something goes wrong, I can
potentially lose a lot of money, but I am staunchly against
using electronic voting (lets call it e-voting for short).
E-voting is an idea that is nowadays often promoted in order
to counter low turnouts in elections\footnote{In my last local
election where I was eligible to vote only 48\% of the
population have cast their ballot. I was, I shamefully admit,
one of the non-voters.} and generally sounds like a good idea.
Right? Voting from the comfort of your own home, or on your
mobile on the go, what could possibly go wrong? Even the UK's
head of the Electoral Commission, Jenny Watson, argued in 2014
in a Guardian article that the UK should have e-voting. Her
plausible argument is that 76\% of pensioners in the UK vote
(in a general election?), but only 44\% of the under-25s. For
which constituency politicians might therefore make more
favourable (short-term) decisions is clear. So being not yet
pensioner, I should be in favour of e-voting, no?
Well, it turns out there are many things that can go wrong
with e-voting, as I like to argue in this handout. E-voting in
a ``secure way'' seems to be one of the things in computer
science that are still very much unsolved. It is not on the
scale of Turing's halting problem, which is proved that it can
never be solved in general, but more in the category of being
unsolvable with current technology. This is not just my
opinion, but also shared by many security researchers amogst
them Alex Halderman, who is the world-expert on this subject
and from whose course on Securing Digital Democracy I have
most of my information and inspiration. It is also a
controversial topic in many countries:
\begin{itemize}
\item The Netherlands between 1997--2006 had electronic voting
machines, but ``hacktivists'' had found they can be
hacked to change votes and also emitted radio signals
revealing how you voted.
\item Germany conducted pilot studies with e-voting, but in
2007 a law suit has reached the highest court and it
rejected e-voting on the grounds of not being
understandable by the general public.
\item UK used optical scan voting systems in a few trail
polls, but to my knowledge does not use any e-voting in
elections.
\item The US used mechanical machines since the 1930s, later
punch cards, now DREs and optical scan voting machines.
\item Estonia used since 2007 the Internet for national
elections. There were earlier pilot studies for voting
via Internet in other countries.
\item India uses e-voting devices since at least 2003. They
use ``keep-it-simple'' machines produced by a
government owned company.
\item South Africa used software for its tallying in the 1993
elections (when Nelson Mandela was elected) and found
that the tallying software was rigged, but they were
able to tally manually.
\end{itemize}
The reason that e-voting is such a hard problem is that we
have requirements about the voting process that conflict with
each other. The five main requirements for voting in general
are:
\begin{itemize}
\item {\bf Integrity}
\begin{itemize}
\item By this we mean that the outcome of the vote matches
with the voters' intend. Note that it does not say
that every vote should be counted as cast. This might
be surprising, but even counting paper ballots will
always have an error rate: people after several hours
looking at ballots will inevitably miscount votes. But
what should be ensured is that the error rate does not
change the outcome of the election. Of course if
elections continue to be on knives edges we need to
ensure that we have a rather small error rate.
\item There might be gigantic sums at stake and need to be
defended against. The problem with this is that if
the incentives are great and enough resources are
available, then maybe it is feasible to mount a DoS
attack agains voting server and by bringing the
system to its knees, change the outcome of an
election. Not to mention to hack the complete
system with malware and change votes undetectably.
\end{itemize}
\item {\bf Ballot Secrecy}
\begin{itemize}
\item Nobody can find out how you voted. This is to avoid
that voters can be coerced to vote in a certain way
(for example by relatives, employers etc).
\item (Stronger) Even if you try, you cannot prove how
you voted. The reason for this is that you want to
avoid vote coercion, but also vote selling. That
this can be a problem is proved by the fact that
some jokers in the recent Scottish referendum tried
to make money out of their vote. \end{itemize}
\item {\bf Voter Authentication}
\begin{itemize}
\item Only authorised voters can vote up to the permitted
number of votes (in order to avoid the ``vote early,
vote often'').
\end{itemize}
\item {\bf Enfranchisement}
\begin{itemize}
\item Authorised voters should have the opportunity to vote.
This can, for example, be a problem if you make the
authorisation dependent on an ID card, say a driving
license. Then everybody who does not have a license
cannot vote. While this sounds an innocent
requirement, in fact some parts of the population for
one reason or another just do not have driving
licenses. They are now excluded. Also if you insist on
paper ballots you have to have special provisions for
blind people. Otherwise they cannot vote.
\end{itemize}
\item {\bf Availability}
\begin{itemize}
\item The voting system should accept all authorised votes
and produce results in a timely manner. If you move
an election online, you have to guard agains DoS
attacks for example.
\end{itemize}
\end{itemize}
\noindent While these requirements seem natural, the problem
is that they often clash with each other. For example
\begin{center}
integrity vs.~ballot secrecy\\
authentication vs.~enfranchisement
\end{center}
\noindent If we had ballots with complete voter
identification, then we can improve integrity because we can
trace back the votes to the voters. This would be good when
verifying the results or recounting. But such an
identification would violate ballot secrecy (you can prove to
somebody else how you voted). In contrast, if we remove all
identification for ensuring ballot secrecy, then we have to
ensure that no ``vote-stuffing'' occurs. Similarly, if we
improve authentication by requiring a to be present at the
polling station with an ID card, then we exclude absentee
voting.
To tackle the problem of e-voting, we should first have a look
into the history of voting and how paper-based ballots
evolved. Because also good-old-fashioned paper ballot voting
is not entirely trivial and immune from being hacked. We know
for sure that elections were held in Athens as early as 600
BC, but might even date to the time of Mesopotamia and also in
India some kind of ``republics'' might have existed before the
Alexander the Great invaded it. Have a look at Wikipedia about
the history of democracy for more information. These elections
were mainly based on voting by show of hands. While this
method of voting satisfies many of the requirements stipulated
above, the main problem with hand voting is that it does not
guaranty ballot secrecy. As far as I know the old greeks and
romans did not perceive this as a problem, but the result was
that their elections favoured rich, famous people who had
enough resources to swing votes. Even using small coloured
stones did not really mitigate the problem with ballot
secrecy. The problem of authorisation was solved by friends or
neighbours vouching for you to prove you are elegible to vote
(there were no ID cards in ancient Greece and Rome).
Starting with the French Revolution and the US constitution,
people started to value a more egalitarian approach to voting
and electing officials. This was also the time where paper
ballots started to become the prevailing form of casting
votes. While more resistant against voter intimidation, paper
ballots need a number of security mechanisms to avoid fraud.
For example you need voting booths to fill out the ballot in
secret. Also transparent ballot boxes are often used in order
to easily detect and prevent vote stuffing (prefilling the
ballot box with false votes).
\begin{center}
\includegraphics[scale=2.5]{../slides/pics/ballotbox.jpg}
\end{center}
\noindent Another security mechanism is to guard the ballot
box against any tampering during the election until counting.
The counting needs to be done by a team potentially involving
also independent observers. One interesting attack against
completely anonymous paper ballots is called \emph{chain vote
attack}. It works if the paper ballots are given out to each
voter at the polling station. Then an attacker can give the
prefilled ballot to a voter. The voter uses this prefilled
ballot to cast the vote, and then returns the empty ballot
back to the attacker who now compensates the voter. The blank
ballot can be reused for the next voter.
The point is that paper ballots have evolved over some time
and no single best method has emerged for preventing fraud.
But the involved technology is well understood in order to
provide good enough security with paper ballots.
\subsection*{E-Voting}
If one is to replace paper ballots by some electronic
mechanism, one should always start from simple premise taken
from an Australian white paper about e-voting:
\begin{quote} \it ``Any electronic voting system should
provide at least the same security, privacy and transparency
as the system it replaces.''
\end{quote}
\noindent Whenever people argue in favour of e-voting they
seem to be ignore this basic premise.
%\subsubsection*{Questions}
%Coming back to the question of why I use online banking, but
%prefer not to e-vote.
%Why do I use e-polling in lectures?
%Imagine you have a perfectly secure internet voting system, by
%which I mean nobody can tamper with or steal votes between
%your browser and the central server responsible for vote
%tallying. What can still go wrong with such a perfectly secure
%voting system, which is prevented in traditional elections
%with paper-based ballots?
\end{document}
%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: