21-01-2013, 02:59 PM
Addressing the Secure Platform Problem for Remote Internet Voting in Geneva
Introduction
Elections and votes are at the heart of all democracies. In fact, they
are important building blocks and processes for the proper operation of
a democratically legitimated government:
• Elections are used to empower politicians to speak for the people
(i.e., they are used for delegation);
• Votes are used to query the political will of the people (i.e., they
are used to challenge political decisions).
In either case, registered voters must be provided with ballots and
voters must be able to cast their ballots in some predefined way.
In the literature, the term electronic voting, or e-voting in short, is
used to refer to elections and votes that are supported by electronic
means. Independent from the term (i.e., e-voting), the idea of using
electronic means to support elections and votes has attracted many
people in the past. For example, in June 1869, Thomas A. Edison
received U.S. patent 90,646 for an "Electric Vote-Recorder" intended
for use in Congress. Since then, various systems directly or indirectly
related to e-voting have been invented, approved, implemented, partly
revised, or rejected. Some of these systems have been granted patents,
whereas others have been protected with other means of intellectual
property protection (e.g., trade secrets).
Internet Voting
There are many possibilities to implement Internet voting. For example,
depending on the places where the ballots are cast and who
administers and actually controls the voting clients, platforms, and
operating environments, poll-site Internet voting and remote Internet
voting are usually distinguished.
• Poll-site Internet voting refers to the casting of ballots inside official
polling places at sites where election officials administer and
fully control the voting clients, platforms, and operating environments.
• Contrary to that, remote Internet voting refers to the casting of
ballots at private sites (e.g., home, office, school, ...) where the
voter (or a third party acting on behalf of the voter) administers
and controls the voting client, platform, and operating environment.
Considering the media attention that has focused on the prospect of
using the Internet to vote, it is not surprising that the terms "Internet
voting" and "remote Internet voting" are being used synonymously in
the popular press. As discussed later, however, it makes a lot of sense
to cleanly distinguish between the two terms.
In some references (e.g., [Cal00]), an additional distinction is made
between poll-site Internet voting where a precinct polling place must
be used, and poll-site Internet voting where any official polling place
may be used. This distinction is not made in this report and both
possibilities are collectively referred to as poll-site Internet voting.
A third possibility offers an intermediate step between poll-site Internet
voting and remote Internet voting.
Security Requirements for Internet Voting
There are many investigations and studies that elaborate on the security
of Internet voting in general, and remote Internet voting in particular
(e.g., [Cal00,IPI01,Rub01]). The results show that security (including
privacy and reliability) is among the most important engineering considerations
for Internet voting to be successful in the first place. The
current paper ballot systems set a standard that is adopted as the baseline
for Internet voting. They represent certain tradeoffs between voter
convenience and protection against fraud and abuse. It is generally
required that elections and votes conducted over the Internet are at
least as secure as the current paper ballot systems. If a state allowed
voting by postal mail, however, this would set the security standard for
Internet voting.
Also, it is essential that an Internet voting system provides some
evidence that it is immune from attacks that could affect the outcome
of an election or vote. It is not sufficient to argue that a specific attack
is unlikely, or even very unlikely, to happen. An election or vote would
be an extremely tempting target for any motivated party (e.g., a hacker
group, a group of partisans, a foreign government, ...).
Evolutionary Strategy
The possible implementations overviewed above have advantages and
disadvantages. From a security point of view, the full implementation
is preferred. A "code number-only" implementation does not make a
lot of sense, because it does not simplify things considerably. Contrary
to that, a "verification number-only" implementation simplifies user
behavior and seems to be a good candidate to enter the field of code
voting.
In fact, there is an evolutionary strategy that starts with a "verification
number-only" implementation and leads to a full implementation.
Such a strategy can be recommended for Geneva. In this case, however,
test urns become even more important (to detect if anything goes
wrong).