13-06-2014, 02:16 PM
A Biometric-Secure e-Voting System for Election Processes
Abstract
In this paper we propose a multifaceted online e-voting
system. The proposed system is capable of handling
electronic ballots with multiple scopes at the same time,
e.g., presidential, municipal, parliamentary, amongst
others. The system caters for integrity of an election
process in terms of the functional and non-functional
requirements. The functional requirements embedded in
the design of the proposed system warrant well-secured
identification and authentication processes for the voter
through the use of combined simple biometrics. The
design of the system guarantees that no votes in favor of a
given candidate are lost due to improper tallying of the
voting counts, through the proper incorporation of system
FLAGs. Transparency of voting follows through in all
phases of an election process to assure the voter that
his/her vote went in favor of his/her candidate of choice.
Besides its main functional properties, the proposed
system is designed to cater for several essential non-functional
requirements. Of utmost importance are the
requirements for correctness, robustness, coherence,
consistency, and security. To verify the robustness and
reliability of the proposed system, intensive computer
simulations were run under varying voting environments,
viz. voter density, voter inter-arrival times, introduced
acts of malice, etc. Results of the simulations show that
security and performance of the system are according to
expectations. These results provide the proper grounds
that would guide the decision maker in customizing the
proposed system to fit his particular voting needs.
Introduction:
In a manual, paper-based election, the electorates cast their
votes to select their candidates, where they simply deposit
their designated ballots in sealed boxes distributed across
the electoral circuits around a given country. By the end of
the election period, all these boxes are officially opened
and votes counted manually in the presence of certified
representatives of all the candidates until the numbers are
compiled. This process warrants transparency at vote
casting time as well as at counting time.
Often times, however, counting errors take place, and in
some cases, voters find ways to vote more than once,
introducing irregularities in the final count results, which
could, in rare cases, require a repeat of the election process
altogether! Moreover, in some countries, purposely
introduced manipulations of the electoral votes take place
to distort the results of an election in favor of certain
candidates. Here, all such mishaps can be avoided with a
properly scrutinized election process; but when the
electoral votes are too large, errors can still occur. Quite
often international monitoring bodies are required to
monitor elections in certain countries.
This naturally calls for a fully automated online
computerized election process. In addition to overcoming
commonly encountered election pitfalls, electoral vote
counts are done in real time, so that by the end of election
day the results are automatically out [1, 2]. The election
process can be easily enhanced with various features based
on the demand and requirements of different countries
around the world.
Due to worldwide advancements in computer and
telecommunication technologies and the underlying
infrastructures, online voting or e-Voting is no longer a
North American or Western phenomenon. This high tech
method of casting a ballot has spread far beyond the
United States, expanding throughout the entire world. E-Voting,
along with its benefits and mishaps, can now be
found from the developed countries of Europe to the
developing countries of Asia and South America. The
introduction of electronic voting has been the biggest
change to the Irish electoral system since the establishment
of the state over 80 years ago. E-Voting may soon become
a global reality or a global nightmare [3 - 5]. Besides
reliable e-Voting technologies, there is a dire need for
international standards to govern the technology, the
software reliability and accuracy, the processes and
algorithms deployed within the technology, and the
verification of all hardware, software and protocols
involved. Such standards will eventually allow elections to
proceed in any part of the world without the need for
monitoring bodies.
Proceeding of the 5th International Symposium on Mechatronics and its Applications (ISMA08), Amman, Jordan, May 27-29, 2008
II. Authenticity of the Voting Process and Privacy of the Voter Rights
Certain factors weigh heavily in the voting process of
any particular country. Culture itself and the underpinning
social factors/values largely determine the rules and
regulations that govern any voting process. In countries
where election results are determined through voter
counts tallied by directly depositing specially designed
voting cards into the voting boxes, electoral votes tend to
get misappropriated in many ways: some voters attempt to
vote more times than permissible by law for a given
candidate; others try to vote in lieu of ineligible voters so
that the voter count weighs favorably towards one
candidate or another, to mention just a few. Counterfeiting
and malice are yet other issues that can jeopardize the
integrity of an election process. Automating an election
process, while relying on the state of the art in computer
and ICT technologies, can significantly mitigate many of
the factors that would hamper the healthy progress of an
election process. Nonetheless, relying totally on available
information technologies can only warrant the
authentication/validation of the identity of a given voter;
it still would not have the capacity to block every
attempted abuse of the voting system, viz., those voters
who simply try to vote on behalf of others (fraud). Without
additional measures, the integrity of a voting process,
within the proper context, falls far short of any acceptable
standard; the incorporation of biometrics would
definitely add value towards achieving the required
levels of election integrity.
Present day applications, including banking applications,
guarding of high-security establishments, monitoring of
passengers across border posts, amongst many others are
witnessing increasing levels in the use of biometric
technologies and devices. Biometrics is best defined as
measurable physiological and / or biological characteristics
that can be utilized to verify the identity of an individual.
They include fingerprints, retinal and iris scanning, hand
geometry, voice patterns, facial recognition, Gait
recognition, DNA and other techniques. They are of
interest in any area where it is important to verify the true
identity of an individual. Initially, these techniques were
employed primarily in specialist high security
applications; however, we are now seeing their uses and
proposed uses in a much broader range of public facing
situations.
Essentially, a biometric system operates in one of two
modes: identification and verification. The former involves
identifying a person from all biometric measurements
collected in a database. The question that this process
seeks to answer is: “who is this?” It, therefore, involves a
one-compared-to-many match. Verification involves
authenticating a person’s claimed identity from his/her
previously enrolled pattern. “Is this who he claims to be?”
is the question that this process seeks to answer. This
involves a one-to-one match [6, 7].
Verifying the identity of a person against a given biometric
measure involves five phases that the system needs to go
through. At the beginning, input data is read from the
person through the reading sensors. Collected data is, then,
sent across a network to some central database hosting a
biometric system. The system will, then, perform identity
matching using standardized and/or custom matching
techniques. Figure 1 illustrates data flow in a typical
biometric identification process.
The Proposed e-Voting System:
In this paper, we propose a client/server web-enabled
e-Voting software architecture. The architecture is
illustrated in Figures 2a and 2b.
Besides the main functional properties of a voting system,
as described in the previous section, the eVoting system
must cater for several essential non-functional
requirements. Of utmost importance are the requirements
for correctness, robustness, coherence, consistency, and
security.
On the server side, a global database is maintained for all
registered voters and candidates. Also, the server runs in
real-time and provides backend statistics for the entire
election process.
On the client side, two more requirements are necessary.
In order to reduce the traffic rate on the network links, a
local database at the client side is required to host the data
which pertains to the local voting center. This DB is a
rather dynamic one, in the sense that the data stored in its
tables may vary over the election time period. The size of
the local DB at any voting center is only a small fraction
of the global DB at the server side. The use of a local DB
enhances the performance of the voting process. However,
this approach creates a synchronization problem, which
will be addressed later in this section.
The second requirement is the transparency of the voting
process. In essence, a voter at an electronic voting station
casts his/her vote to a computer. The voter does not have
an insight on how his/her vote is translated and/or counted.
In a paper-based election, the ballot is filled out by the
voter and dropped into a sealed box by the voter
himself/herself. Votes are counted in the presence of
candidates or their representatives. The voter is certain that
his/her cast ballot with his/her vote selection is in the right
box. Of course, ambiguity in the ballot formats (as was the
case in the US presidential election in 2000) may render
the transparency a rather deceiving one. In an electronic
version, the voter puts his trust into computer hardware,
software and network infrastructure that processes his/her
vote. Hence, the e-Voting system in its broadest form may
render the process a non-transparent one.
We propose a two-sided solution to the transparency
problem. On the one side, the system prints a hardcopy of
the vote cast by the voter. The voter verifies the accuracy
of his/her vote and retains the copy for his/her records. On
the other side, the system generates another copy of the
vote with a new unique key identifier; the name and
identity of the voter is concealed. This copy is saved in a
secure box and can be used later to verify the correctness
of the votes as stored in the final DB destination. This
second copy can be printed out as a bar code which can be
easily scanned and read automatically. Only a randomly
selected set of these copies needs to be tested. This
two-sided process guarantees transparency by providing
verification of the accuracy of how the cast vote is input
into the system and then how it is, finally, stored in the DB
tables.
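The two-copy transparency check described above, as an added example that is not the paper's code: the unique key format (`secrets.token_hex`), the "key|candidate" bar code text, the voter names and the injected tampered record are all constructed assumptions.

```python
import random
import secrets


def print_copies(voter_name, candidate):
    """Copy 1 goes to the voter (shows identity); copy 2 goes to the secure box
    under a fresh unique key with the voter's identity concealed."""
    key = secrets.token_hex(8)          # new unique key identifier (assumed format)
    voter_copy = {"voter": voter_name, "candidate": candidate, "key": key}
    secure_box_copy = {"key": key, "candidate": candidate}
    return voter_copy, secure_box_copy


def encode_barcode(copy):
    """Text that would be encoded into the bar code of the secure-box copy (assumed layout)."""
    return f"{copy['key']}|{copy['candidate']}"


def decode_barcode(text):
    key, candidate = text.split("|", 1)
    return {"key": key, "candidate": candidate}


def audit_sample(secure_box, final_db, sample_size, rng=random):
    """Scan a random sample of secure-box copies and compare each with the vote
    stored under the same key in the final DB. Returns the keys that disagree."""
    sample = rng.sample(secure_box, min(sample_size, len(secure_box)))
    mismatches = []
    for barcode in sample:
        copy = decode_barcode(barcode)
        if final_db.get(copy["key"]) != copy["candidate"]:
            mismatches.append(copy["key"])
    return mismatches


def run_demo(tamper=False):
    """Constructed ballots; with tamper=True one stored vote is altered after printing."""
    ballots = [("Alice", "C1"), ("Bob", "C2"), ("Carol", "C1"), ("Dave", "C3")]
    final_db, secure_box = {}, []
    for voter, candidate in ballots:
        voter_copy, box_copy = print_copies(voter, candidate)
        final_db[voter_copy["key"]] = candidate      # vote as stored in the DB tables
        assert "voter" not in box_copy               # identity concealed on copy 2
        secure_box.append(encode_barcode(box_copy))
    if tamper:                                       # constructed fault in the final DB
        first_key = decode_barcode(secure_box[0])["key"]
        final_db[first_key] = "C3"                   # Alice's C1 vote altered
    return audit_sample(secure_box, final_db, sample_size=len(secure_box))
```

Auditing the whole box here makes the result deterministic; in practice only a random subset is scanned, so a small tampering rate can escape a small sample.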
One of the challenges facing an e-Voting system is to
ensure that no voter can impersonate another voter and no
voter can vote more than one time. In the proposed system,
we use an identification followed by an authentication
process. The identification is done via a card reader which
reads the official ID card of a voter and pulls the voter
record from the local DB or loads the record from the
central DB if it is not found in the local one. The voter
record includes a biometric description of the voter. In this
study, we use a fingerprint authentication method. The
voter will be rejected if his/her fingerprints do not match
the stored ones. In order to reduce false rejections, we
store for each voter several copies of his/her fingerprints
taken at different time intervals. Fingerprints are stored as
an encoded text in order to reduce storage consumed by
images. This dual process should guarantee that no one
can falsely impersonate a voter.
In order to prevent two or more votes per voter, we use a
“voting status flag” in the voter record. This flag is
initialized to FALSE. The voting status flag is set to TRUE
in the central DB whenever a voter identity is verified
(before authentication takes place). If the authentication
fails, the flag is reset to FALSE. If the voter leaves the
station without completing a vote, the flag is also reset to
FALSE; thus allowing the voter another chance to try
again to cast his/her vote.
Figure 2: a) Server side software system (hardware; candidates, voters; correctness, robustness, coherence, consistency, security; OS: Windows/UNIX; database; administration; statistics) b) Client side software system (hardware: card readers, image scanner, fingerprint; candidates, voters; correctness, authentication, coherence, consistency, security; OS: Windows/UNIX/IO drivers; local database; administration; voting process; statistics)
If the voter completes the voting
process, the flag remains set to TRUE. Note that even if
the result of the vote is not committed to the central DB in
due time, the flag in the voter’s central record is set to
TRUE, thus eliminating the possibility of another
attempted voting by the same voter, or by someone who
carries a counterfeit ID card. This requires that whenever
the record of a voter is accessed for identification, even
when the record is found at the local DB, the flag on the
central record must be checked. If it has already been set to
TRUE, the voter is denied access and his/her attempt fails.
If two people carrying the same ID card (one is real while
the other is counterfeit) attempt to vote at the same time,
the first one to access the record will set the flag to TRUE,
load the record and prevent the other one from accessing
the record. Of course if the one with the counterfeit card
obtains the record, the vote cast will fail at the next
authentication step. It is possible that a record gets loaded
into two different voting centers due to block transfer from
the central DB into local DB’s. When a voter attempts to
access the record at any of the stations, the client will
verify the central record flag. If it has been set to TRUE,
access is denied; otherwise it sets the flag to TRUE and
access is granted. Note that simultaneous requests to the
same record will be synchronized by the DB query
serialization process (only one query may access any table
at any give time). This mandatory check of the flag in the
central DB, however, will add extra overhead on the
network. This overhead will be further evaluated in the
simulator, but will not be reported in this study due to time
and space constraints.
Another synchronization resolution is required when a
vote is to be registered in the record of a candidate. If a
candidate is being selected by several voters at the same
time, then a certain assignment plan needs to be placed in
order so that all votes will be tallied (no misses) and added
to the candidate’s record. Again we use a “count”
flag/mutex for the candidate’s record. The COUNT flag is
set initially to FALSE. When the record is selected by a
voter, the flag is set to TRUE until the record count is
updated, then the flag is reset to FALSE. All votes for the
same candidate will be queued until the flag is reset to
FALSE. A copy of the vote will be printed only when the
vote is successful and the candidate’s record is updated.
This requirement, initially made for transparency purposes,
provides a final test for the accuracy and correctness of the
process, especially in the presence of thread hang-ups. The
correctness and accuracy of the system using the two flag
attributes is demonstrated in the current simulation study.
When the flags were turned OFF, we noticed several
violations and accuracy problems. Those were remedied
when the flags’ attributes were turned ON.
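The two flags described in this section and the previous one (the voting status flag set at identification and reset on failure or abandonment, and the COUNT flag/mutex on the candidate record), as an added example that is not the paper's code: a lock on the central records stands in for the DB query serialisation the paper relies on, and the voter IDs, fingerprint strings, candidates and the counterfeit-ID scenario are constructed.

```python
import threading


class VoterRecord:
    def __init__(self, voter_id, fingerprint):
        self.voter_id = voter_id
        self.fingerprint = fingerprint   # stored as encoded text, as the paper describes
        self.voted = False               # "voting status flag", initialised to FALSE


class CentralDB:
    """Central DB. One lock serialises access to the voting status flags so that
    checking the flag and setting it to TRUE is a single atomic step."""
    def __init__(self, voters, candidates):
        self.voters = {v.voter_id: v for v in voters}
        self.tally = dict.fromkeys(candidates, 0)
        self._flag_lock = threading.Lock()
        self._count_locks = {c: threading.Lock() for c in candidates}  # COUNT flag/mutex
        self.printed_copies = []

    def claim(self, voter_id):
        """Identification: set the flag TRUE only if it is still FALSE."""
        with self._flag_lock:
            rec = self.voters.get(voter_id)
            if rec is None or rec.voted:
                return None              # access denied, attempt fails
            rec.voted = True
            return rec

    def release(self, voter_id):
        """Authentication failed or voter left the station: flag back to FALSE."""
        with self._flag_lock:
            self.voters[voter_id].voted = False

    def add_vote(self, voter_id, candidate):
        """Votes for one candidate queue on its COUNT mutex; the copy is printed
        only after the candidate's record has been updated."""
        with self._count_locks[candidate]:
            self.tally[candidate] += 1
            self.printed_copies.append((voter_id, candidate))


def voting_station(db, voter_id, presented_fingerprint, candidate):
    rec = db.claim(voter_id)
    if rec is None:
        return "denied"                  # flag already TRUE (or unknown ID)
    if presented_fingerprint != rec.fingerprint:
        db.release(voter_id)
        return "rejected"                # biometric mismatch
    if candidate is None:
        db.release(voter_id)
        return "abandoned"               # left without completing the vote
    db.add_vote(voter_id, candidate)
    return "voted"                       # flag remains TRUE


def run_scenario(n_voters=200):
    """Constructed scenario: a counterfeit card for V0, an abandoned attempt by V1,
    then every voter racing on two stations at once to vote for the same candidate."""
    voters = [VoterRecord(f"V{i}", f"FP{i}") for i in range(n_voters)]
    db = CentralDB(voters, ["C1", "C2"])
    log = {"counterfeit": voting_station(db, "V0", "FP-fake", "C2")}
    log["abandoned"] = voting_station(db, "V1", "FP1", None)
    results = []
    threads = [threading.Thread(target=lambda i=i: results.append(
        voting_station(db, f"V{i}", f"FP{i}", "C1"))) for i in range(n_voters) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    log.update(voted=results.count("voted"), denied=results.count("denied"),
               tally=dict(db.tally), copies=len(db.printed_copies))
    return log
```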
The voting process, as discussed above, is shown in the
flow diagram of Figure 3. The overall architecture of the
system is shown in Figure 4. The central database, Figure
4, which is mirrored out for reliability reasons, is used to
store all relevant information on the candidates and voters.
Voting centers are distributed around the country. One or
more voting centers could share a local database. At a
voting center, each voting station is equipped with a card
reader, a fingerprint scanner, a touch screen, and a
multimedia subsystem. The multimedia subsystem is used
for people with special needs (physically challenged), such
as the blind and those with difficulties in reading or
comprehending images, texts, or sounds.
The proposed system is capable of handling electronic
ballots with multiple scopes at the same time, e.g.
presidential, municipal, parliamentary, and others.
However, the simulation environment in this study is
designed only for a single voting scope.
Simulation Results:
A simulation model has been built in order to test and
evaluate the behavior of the proposed electronic voting
system. The simulation is, also, useful for providing proper
guidance on configuring the eVoting system in terms of
server requirements, network bandwidth, voting stations,
and the like.
The simulation environment includes an Oracle database
system for voters and candidates. Besides personal
identification information, the records include
authentication information and locality of a voter and/or a
candidate. The simulator, also, includes modules which
emulate the arrival of voters at voting centers and the
voting process itself. The simulator allows a voter to cast a
vote at any voting center, irrespective of his actual voting
district (locality). This is one of the main advantages of e-
Voting systems.
Voters arrive at a voting station according to a Poisson
arrival process, and the temporal distance separating the
various arrivals is modeled as an exponential random
variable. The hypothetical maximum number of voters
arriving at a voting center is set by the system admin a
priori; this is explained by the fact that the number of
voters in a given voting district is known beforehand. Each
voter would swipe his/her official identification card
through a magnetic card reader, at which point he/she
would be prompted for his/her fingerprint, upon
completion of which a candidate screen would pop up
showing pictures of candidates in the electoral circuit of
the voter. If the voter’s record indicates other needed
forms of display/presentation (as embedded in the
information on the voter’s ID card), such as sound, then
those forms will be used instead of the candidate image
display/s. The voter would select his/her candidate of
choice at the touch of an image displaying the picture of
his/her candidate of choice. The system also allows the
voter to cast the vote via audio means for those voters with
special needs. At this point the voting process for a given
voter is complete and the voter count is tallied in favor of
the chosen candidate.
In the simulator, the speed of the voting process is
governed by a number of limiting factors: First, a growing
queue length was seen to adversely impact the rate at
which voters were able to cast their votes. Second, the
response time of the system, right from the minute a voter
would step into a voting center until the cast vote is tallied
in favor of one candidate or another, is adversely impacted
by the database response at the server end. Third, the
network response time, viz., available network bandwidth,
is a major determinant of the transaction time per voter.
In our simulations, and for the particular purpose of this
paper, we have assumed that the network bandwidth is
infinite. We will investigate the network impact on the
voting process in an ongoing study. However, using the
client/server model with the embedded local DB
infrastructure, we anticipate minimal impact of network
constraints on the overall process.
Although we have conducted a fairly large number of
simulations of the proposed voting system, taking the
number of voters over a sample range starting at 5000
voters per voting center and ending at 20,000 voters per
voting center, due to space limitations of this publication
we restrict our assessment of the model to 5000 voters per
voting center as our case study. The total
number of voters at a given center is fairly constant, since
it depends mostly on people who reside in the vicinity of a
voting center. So we chose to fix the number of voters at a
given voting station in the simulator. In reality, this
number may vary by a small percentage due to the fact that
people will be allowed to vote at any other center they
choose for the sake of voting convenience, especially those
voters residing at townships outside their voting districts,
or those voters casting their votes through embassies
outside their home country.
Conclusions:
In this paper, we have proposed an online e-voting system
which can tackle all earlier issues encountered in a
conventional (manual) voting system. The new system
maintains voting statistics in real-time while preserving the
integrity of the voting process from the minute a voter
steps in to cast his/her vote until the cast vote is registered
in favor of the chosen candidate at a globally allocated DB
repository. While observing full-fledged voting
transparency, at the voter as well as the system levels, the
proposed system is capable of denying access to any
illegal voter/s, preventing multiple votes by the same
voter, and blocking any introduced forms of malice that
would adversely affect the voting process altogether.
Moreover, the proposed voting system caters for the needs
of the physically challenged voters by providing special
multimedia amenities that would facilitate voting to a
voter’s convenience.
While carefully observing the security needs of the system,
at all levels in the voting process, the design of the system
also caters for a number of important functional and non-functional
requirements, which are sufficiently addressed
in every facet of system design which entail hardware,
software, and the underlying encryption and network
infrastructure.
Simulation results of the system, while running a live DB
backend server, reveal a number of important factors that
ought to be assessed carefully by the party adopting a
system like this one, for any form of election activities,
prior to its final deployment. These factors address the
number of voting stations needed at any voting center, as
outlined by the voting needs of a given voting district, the
network bandwidth requirement by a given voting center,
the size of the local DB to support the needs of a given
voting locality, amongst others. The system, via these
simulations, has shown ruggedness and sustained
reliability in terms of preventing multiple votes by the
same voter, and maintaining internal system audits that
would warrant no missed votes, per candidate, in the
process of voting.
With the use of an e-voting system, as the one proposed in
this paper, many of the issues, that have challenged
traditional voting systems in the past, are bound to be
resolved providing peace of mind to both voters and
election candidates. It is well expected that with a well
administered/designed e-voting system, countries that have
long been observed by international monitoring bodies,
while carrying out election processes of their own, will
soon be able to work on their own and, yet, achieve the
election integrity they have longed for.