Overseas Absentee Internet Voting

How it works

Note: This is how the process is intended to run.

Opening

The voting process starts at the time specified by the COMELEC. This time will be the same for all the countries – if any, of course -involved in the election

Voter authentication

The authentication mechanism (the same mechanism based on credentials described above) is as follows:

· Using a web browser, the voter connects through a secure channel (e.g., HTTPS) to the voting web page containing the Voting Client (an applet).
· The cryptographic operations of the voting protocol will be performed by this applet. In case the browser does not support the execution of applets, this restriction is detected and the voting process will use a servlet approach for the Voting Client (the same cryptographic operations will be performed but in a server component).
· The voter introduces the voter credentials (e.g. a voter id and password). The applet sends the voter id to the authentication manger that responds sending the voter credential key container.
· The password is then used by the Voting Client for accessing the private key of the credential. This private key is used to authenticate the voter through the authentication manager (strong authentication). If the key is correct, the web browser will display the personalized ballot contents for all races assigned to the voter.

Voting options selection

The voter selects the voting options using the mouse, keyboard or any other pointing device.

Vote encryption

When the voter has made his selections for all the races and is ready to cast the vote, the selected voting options are shown by the Voting Client for confirmation. If the voter confirms them, the vote is encrypted using the election public key. The encrypted vote is then digitally signed using the voter credential private key and sent to the Voting Server located in Manila. The Voting Server verifies if the vote is valid and stores it in the digital ballot box. A confirmation message is sent back to the voter.

Receipt generation

During the encryption of the vote, a unique ballot identifier is randomly generated by the Voting Client. This identifier is also encrypted with the vote and therefore cannot be seen by anyone (with the exception of the voter) until the vote is decrypted by the Central Electoral Board during the Mixing process. This identifier, previously masked by cryptographic means, is sent jointly with the encrypted vote to the Voting Server. If the vote is accepted, the Voting Server digitally signs the masked identifier and returns it inside the confirmation message. The Voting Client uses the unique identifier and the digital signature of its mask to generate a voting receipt that can be printed by the voter. This receipt allows the voter to verify if the vote is present when the contents of the digital ballot box are decrypted by the Central Electoral Board. It is important to note that the receipt does not disclose the selected voting options to prevent the possibility of vote selling or voter coercion.

Closing

The voting process stops accepting votes at the time specified by the COMELEC (May 14th, 2007, at 15:00 Manila local time). Voters in the process of voting when this occurs (already logged in) will be granted the configured session duration time to complete the casting of their votes (this margin is configured during the pre-election configuration and is the same for all voters).

Results
Mixing and Canvassing

After the election is automatically closed, the digital ballot boxes collected by all instances of the Voting Servers are exported and securely transferred to the Mixing Service. This service will be located at the COMELEC’s main offices in Manila.

The digital ballot boxes contain the digitally signed and encrypted votes. The entire digital ballot box file is also digitally signed to prevent the deletion of votes.

Once all the digital ballot boxes are transferred to the Mixing Service, the digital signature on each encrypted vote contained in the ballot boxes is checked to verify that it corresponds to a valid voter. Optionally, a Certificate Revocation List can be used to ensure that the voter credentials have not been revoked. After this process, the Central Electoral Board (or at least, the minimum pre-defined number of its members) must get together to reconstruct the election private key in order to initiate the Mixing Process. This Mixing Process is used to remove the digital signatures from the votes and break the correlation between the encrypted votes and the identity of the voters in order to protect voters’ privacy.

The output from this Mixing Process in the OAV Project is twofold: encrypted votes without digital signatures and the unique ballot identifiers of the voting receipts.

The encrypted votes obtained from the Mixing Process are placed in a server where the authorized Post officials can retrieve them using a web browser, a secure connection and a cryptographic key unique for each Post. Each Post can then proceed to count all the votes cast by OAVs in its country/region.

The votes cast by each voter will be printed by each Post. Each printed vote includes a serial number (to avoid the destruction of votes) and two bar codes: one to facilitate the tallying process and another consisting of a digital signature to proof that the hardcopy of the vote is valid.

The other output of this process is a list of questionable encrypted ballots (if any) which require further investigation in order to be accepted or rejected by the Central Electoral Board. An example of this category of ballots would be those that correspond to credentials that had been previously revoked.

Voter verification

The voting receipts obtained from the Mixing Process (as described above) are made publicly available through a website. Voters can then individually verify (if they wish) whether the unique ballot identifiers of their receipts are included in the list of published receipts. The ballot identifiers were randomly generated in the voters’ Voting Clients and, therefore, were only known to the voters. The presence of a ballot identifier on the list of published receipts means that the corresponding encrypted vote reached the Central Electoral Board.

In order to prevent voters from filing false claims using fake receipts, voters are required to present the digital signature provided as part of the receipts to proof the authenticity of the receipts.

Auditing

The Internet voting platform to be used will include several features to facilitate the audit of the election before, during and after the electoral process:

· The source code can be reviewed by the COMELEC (or designed third party auditors) under a non-disclosure agreement.
· All the software components of the e-voting platform can be digitally signed for integrity and authentication purposes.
· The e-voting platform records logs of all voting transactions, and protects these logs using a special cryptographic mechanism to ensure its authenticity and integrity. Therefore independent auditors can check the accuracy of the logs before starting the audit process.
· The voter, as explained before, can individually check whether his vote was used in the final canvassing, without revealing his voting options.
· Any of the previous audit processes can be implemented without compromising the election accuracy and voters’ privacy.

Imperatives of Electronic Voting

Note: This is where the COMELEC Committee on Overseas Absentee Voting (COAV) is coming from, technology- and security-wise.

Conducting an electronic election that involves ballots in digital form is a complex issue that raises a number of security concerns.  The confidence relationships found in traditional elections must be replicated in electronic systems, without losing reliability.  Electronic voting must therefore reproduce the practices of traditional voting methods (e.g.  secure identification of voters, as well as distribution of trust among the members of an Electoral Board).  Additionally, electronic voting faces new requirements (e.g.  new privileged actors such as system administrators) and new technical risks (e.g.  digital ballot formats that are more easily manipulated than physical ones).

Digital security measures are therefore paramount for electronic voting success.  However, conventional computer and network security measures (e.g.  firewalls, intrusion detection systems, antivirus software…) fall short of providing a complete solution to electronic voting.  These generic security measures, although regularly used to secure e-commerce and e-business transactions, are not enough for e-voting. 

Indeed, casting ballots is not an ordinary transaction.  When performed electronically, it must address the following requirements and security concerns:

o        Authenticity of ballots Reliable means to verify the origin of a ballot (i.e.  the identity of the voter who casts it) must be used, to ensure the “one voter, one vote” premise.

o        Privacy of voters Despite the previous requirement, it must impossible to correlate the votes to the identities of their respective voters, unless required by law (as it is in some countries).

o        Accuracy of election results It must not be possible for anyone to remove or alter the ballots that have been cast by eligible voters or to add invalid ballots (e.g.  on behalf of abstaining voters).

o        Secrecy of intermediate results To ensure that voters’ choices are unbiased, intermediate results must be secret until the election is completed.

o        Ballot verifiability Voters must be able to independently verify that their ballots have been correctly accounted for. 

o        Uncoercibility The fact that voters can verify their votes must allow some fraudulent practices such as coercion or vote-selling possible

The digital security measures for e-voting must meet the requirements above, detecting and preventing fraudulent practices even when they are performed by privileged actors in electronic voting environments (e.g.  electoral authorities or systems administrators).