Common Pitfalls in Electronic Voting

Vienna.
The final speaker in this EDEM 2009 session is conference organiser Alexander Prosser, whose focus is a recent ruling on e-voting by the German Federal Constitutional Court that raised questions about transparency in e-voting. Such questions are certainly very real: in 2008, some 200 e-votes disappeared in a Finnish election; in 2007, in a UK election, vendor support staff manually edited ballots because they would not fit into the counting software, and key processes were performed on vendor-supplied notebooks; and in Australian student union elections in 2009, a hard drive with e-voting data had to be protected by firefighters (hm?) on its way to an erasure service, because the data would have allowed voters to be matched to their votes.

In Germany, some 2 million votes could have been cast using voting terminals in polling stations, and there were substantial complaints about a lack of auditability. The interior ministry's response was that the public could observe election staff copying the machine results into the overall tally, and that the machines had been certified by a reputable government organisation - but neither the machines' source code nor the certification reports were published, so the feeling of limited transparency remained.

Eventually, the Federal Constitutional Court upheld the complaints against this voting procedure: the voting terminals were barred, the decree enabling their use was voided, and there was strong support for greater transparency - but no requirement that source code and certification reports be published. This contradicts the mainstream view in the e-voting community: the ruling holds that it is the election that must be auditable, not the software, which in the Court's view does not "decisively contribute" to the e-voting process. In the Court's words, "the voter must reliably ascertain that their vote was counted and included in the tally correctly."

There are two schools of thought on this. Individual verification is seen as either irrelevant or useless (voters should not be able to point at the count and say 'they're counting my vote now'), and it is global verification that is crucial: was the ballot box initially empty, can only authenticated voters vote, can each voter submit only one vote, were only rightfully submitted votes included in the count, and so on. The question then becomes whether it was possible to manipulate the vote (and who would have been able to do so), and how substantial any manipulation could have been.

A common pitfall is a procedure with a single point of manipulation, such as a 'mixer' stage: the ballot box has a public key under which votes are encrypted; the election authority opens the box with the private key and receives the votes in the order they were submitted; a mixer then shuffles the batch and re-encrypts the votes under another public key; and that shuffled set is submitted for counting. If the mixer is corrupt, it can substitute a manipulated batch of votes for the genuine one.

A second common pitfall is over-reliance on the analogy with paper ballots. Say that e-voting uses an enveloping scheme: the vote is encrypted under the election authority's public key, and the voter adds a digital signature as an 'outer envelope'. The receiving authority checks this signature, strips the envelope and passes the vote on to the tallying process (which may again include a mixer stage, of course). With paper ballots, removing the ballot from its envelope severs the connection between the two; in electronic form there is no necessary analogue of this physical act, because the information leaves other traces.
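Both pitfalls above, as an added example that is not part of the original post or of Prosser's talk: a toy ElGamal election in Python. The group parameters, the three-candidate list, the voter roll and the sample ballots are all constructed for illustration (the group is far too small for real use), and the function names are this example's own. `open_ballot_box` hands the authority the decrypted votes in submission order, which is exactly the trace that the paper analogy hides: `link_voters` joins that order to the voter roll. `corrupt_mixer` is the single point of manipulation, and `output_only_audit` shows that a check on the mixer's published output alone accepts the substituted batch just as readily as the genuine one.

```python
import secrets
from collections import Counter

# Toy ElGamal over a small safe-prime group. Parameters are constructed for this
# example only and are far too small for real use.
P = 2039                      # safe prime, P = 2*Q + 1
Q = 1019                      # prime order of the subgroup generated by G
G = 4                         # 2^2, a quadratic residue, so G generates the order-Q subgroup
CANDIDATES = ["A", "B", "C"]  # constructed candidate list


def keygen():
    x = secrets.randbelow(Q - 1) + 1          # private key in [1, Q-1]
    return x, pow(G, x, P)


def encode(cand):
    # Candidate i is encoded as G^(i+1), an element of the subgroup.
    return pow(G, CANDIDATES.index(cand) + 1, P)


def decode(m):
    for i, cand in enumerate(CANDIDATES):
        if pow(G, i + 1, P) == m:
            return cand
    return None                               # not a well-formed ballot


def encrypt(pk, m):
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def decrypt(sk, ct):
    c1, c2 = ct
    # c1 lies in the order-Q subgroup, so c1^(Q - sk) == c1^(-sk)
    return c2 * pow(c1, Q - sk, P) % P


def cast_votes(box_pk, votes):
    # Voters encrypt under the ballot box key; the box stores ballots in submission order.
    return [encrypt(box_pk, encode(v)) for v in votes]


def open_ballot_box(box_sk, box):
    # The authority decrypts the box and gets plaintext votes, still in submission order.
    return [decode(decrypt(box_sk, ct)) for ct in box]


def link_voters(voter_roll, plain_votes):
    # The trace the paper analogy hides: submission order plus the roll of who
    # submitted links every decrypted vote back to a voter.
    return dict(zip(voter_roll, plain_votes))


def honest_mixer(tally_pk, plain_votes):
    # Shuffle, then re-encrypt the batch under the counting key.
    batch = list(plain_votes)
    secrets.SystemRandom().shuffle(batch)
    return [encrypt(tally_pk, encode(v)) for v in batch]


def corrupt_mixer(tally_pk, plain_votes, favoured="B"):
    # Single point of manipulation: the mixer discards the real batch and
    # submits one of the same size, all for its favoured candidate.
    return [encrypt(tally_pk, encode(favoured)) for _ in plain_votes]


def tally(tally_sk, mixed_batch):
    return Counter(decode(decrypt(tally_sk, ct)) for ct in mixed_batch)


def output_only_audit(tally_sk, mixed_batch, expected_size):
    # All an auditor can check when only the mixer's output is published:
    # right number of ballots, each one a well-formed vote.
    plain = [decode(decrypt(tally_sk, ct)) for ct in mixed_batch]
    return len(plain) == expected_size and all(v is not None for v in plain)


def run_election(votes, corrupt=False):
    box_sk, box_pk = keygen()
    tally_sk, tally_pk = keygen()
    plain = open_ballot_box(box_sk, cast_votes(box_pk, votes))
    mixer = corrupt_mixer if corrupt else honest_mixer
    mixed = mixer(tally_pk, plain)
    return dict(tally(tally_sk, mixed)), output_only_audit(tally_sk, mixed, len(votes))


if __name__ == "__main__":
    ballots = ["A"] * 5 + ["B"] * 3 + ["C"] * 2   # constructed sample ballots
    print(run_election(ballots))                   # honest mixer: true tally, audit passes
    print(run_election(ballots, corrupt=True))     # corrupt mixer: all for B, audit still passes
```

The audit passes in both runs because nothing published ties the mixer's output to its input; that is the gap the post's closing demands (election committee control, independent recounts) are meant to close.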

What is required, then, is independent verification of the right to vote; the authentication of ballots must preserve voting secrecy; and this requires anonymisation before, not after, the vote is cast. All of this must be under the control of the election committee and must allow for independent recounts - these are not a luxury but a necessity.
