Imperatives of Electronic Voting

January 23, 2007 at 5:17 pm | Posted in Explanations | 28 Comments

Note: This is where the COMELEC Committee on Overseas Absentee Voting (COAV) is coming from, technology- and security-wise.

Conducting an electronic election that involves ballots in digital form is a complex issue that raises a number of security concerns. The confidence relationships found in traditional elections must be replicated in electronic systems, without losing reliability. Electronic voting must therefore reproduce the practices of traditional voting methods (e.g. secure identification of voters, as well as distribution of trust among the members of an Electoral Board). Additionally, electronic voting faces new requirements (e.g. new privileged actors such as system administrators) and new technical risks (e.g. digital ballot formats that are more easily manipulated than physical ones).

Digital security measures are therefore paramount for electronic voting success. However, conventional computer and network security measures (e.g. firewalls, intrusion detection systems, antivirus software…) fall short of providing a complete solution to electronic voting. These generic security measures, although regularly used to secure e-commerce and e-business transactions, are not enough for e-voting.

Indeed, casting ballots is not an ordinary transaction. When performed electronically, it must address the following requirements and security concerns:

o Authenticity of ballots: Reliable means to verify the origin of a ballot (i.e. the identity of the voter who casts it) must be used, to ensure the “one voter, one vote” premise.

o Privacy of voters: Despite the previous requirement, it must be impossible to correlate the votes to the identities of their respective voters, unless required by law (as it is in some countries).

o Accuracy of election results: It must not be possible for anyone to remove or alter the ballots that have been cast by eligible voters or to add invalid ballots (e.g. on behalf of abstaining voters).

o Secrecy of intermediate results: To ensure that voters’ choices are unbiased, intermediate results must be secret until the election is completed.

o Ballot verifiability: Voters must be able to independently verify that their ballots have been correctly accounted for.

o Uncoercibility: The fact that voters can verify their votes must not make fraudulent practices such as coercion or vote-selling possible.

The digital security measures for e-voting must meet the requirements above, detecting and preventing fraudulent practices even when they are performed by privileged actors in electronic voting environments (e.g.  electoral authorities or systems administrators). 


28 Comments »


  1. The Pinoy IT Community in Singapore gathered to talk about this Internet Electronic Voting project from Comelec and are sad to report the following:

    1) We feel that there is not enough security that is built in the system i.e. we can set up a PC internet voting “center” in Sentosa or Pasir R

  2. Continued…

    in Sentosa Island or Pasir Ris or Holland Village and “rig” the votes. No one would have a clue how the cheating was done! Singapore has a law on e-voting but will not implement internet voting due to security reasons.

    2) We feel that there are better internet voting products available in the US…why is this European being acquired without competition? Is this a repeat of the 2004 Comelec fiasco?

    3) Why is Comelec in a hurry to do internet e-voting when it has not really sorted out the election fraud problems at home under the manual system? We smell something fishy here.

    This is not good news guys, we’re sorry to report.

  3. Good evening, alfred. Thank you for leaving a comment.

    I agree with you that security is the paramount consideration. Certainly, voters will not accept a system that they cannot trust. Which is why the COMELEC places such emphasis on security. I have materials explaining security provisions further, and I will be posting them up on this site.

    Also, I intend to go to SG on the 3rd of Feb to discuss internet voting with the Filipino community there. Needless to say, I – and the IT experts who are coming with me – will be talking about how this system is protected from malicious attacks and whatnot.

    I hope we can meet there so that you can share your concerns with us. Please feel free to contact me at jjimenez1010[at]gmail[dot]com.

    Thanks.

  4. Hi again, alfred.

    As to concern (2), we did put out a request for information asking all election solutions providers to present their solutions to the COMELEC. Most American responses came back with either DRE or OMR solutions.

    In fact, if I’m not mistaken, Europe – or more specifically the European association of election management bodies, the ACEEEO – is actually taking the lead in establishing e-voting standards.

    As to concern (3), it is very unfortunate that perceptions of fraud still haunt at-home elections. However, should we let these fears at home hamper efforts to deliver the vote to our compatriots overseas?

    One of the principal goals of implementing e-voting overseas is to make it easier for our overseas kababayans to have a convenient means of letting their voice be heard. This is especially true in those places where one embassy or consulate, in one country, serves Filipinos in two or more other countries. With internet voting, the problem of distance is solved.

    Thanks again.

  5. Sir,
    Thank you. We believe that your intentions are well-meaning but unfortunately, we sense that something is not right for 2 simple reasons:

    1) There is not enough time (even for such a pilot) to successfully do a thorough field test of the system. This is also the message coming from Comelec regarding the in-country automated elections. Implementing e-voting overseas is really no different from implementing in-country. So, why the rush to do it now?

    2) There are many suppliers of such e-voting system. Even local IT companies can do this. Why was there no bidding? The “lack of time” seems to be the excuse for a no-bid situation.

    We wish you the best and hope that this one does not turn out to be a repeat of the past.

    Our position is for No Automation if things are going to be rushed in this way.

  6. Hi Alfred,

    I am interested to know how people can cheat by setting up voting centres in Sentosa or Pasir Ris.

    IVoter

  7. No one really knows that it is the designated registered OA voter that is voting on the other end. If I “buy” the info (including PIN/passwords) from OA voters and perform the actual voting in some remote internet cafe, then wallah!
    If I vote through mail (paper ballot), at least there is physical verification that it is me who is voting and not somebody else on my behalf.
    This is the reason internet voting has not really taken off in the advanced countries.

  8. Hi alfred,

    very briefly on the points you made …

    [quote]
    1) There is not enough time (even for such a pilot) to successfully do a thorough field test of the system. This is also the message coming from Comelec regarding the in-country automated elections. Implementing e-voting overseas is really no different from implementing in-country. So, why the rush to do it now?
    [/quote]

    Field testing in-country requires the deployment – setting up and actual use – of counting machines. This is not the kind of field testing required in internet voting. After all, we will really be rolling out only the server and the data center, both of which are located in one place only. Much easier compared to field testing counting machines in the Philippines. And therefore more do-able.

    [quote]
    2) There are many suppliers of such e-voting system. Even local IT companies can do this. Why was there no bidding? The “lack of time” seems to be the excuse for a no-bid situation.
    [/quote]

    There are actually very few suppliers of this kind of technology. It’s the security aspect that really matters and, as you must know, this is proprietary – in the nature of trade secrets. So, it’s not like counting machines that can really be as simple as automatic calculators – nothing secret about that.

    [quote]
    No one really knows that it is the designated registered OA voter that is voting on the other end. If I “buy” the info (including PIN/passwords) from OA voters and perform the actual voting in some remote internet cafe, then wallah!
    [/quote]

    Then that isn’t the problem of internet voting, is it? If you sell your confidential info, then you’re at fault. Just like if you sell your bank PIN, you can’t really complain if you lose all your money.

    [quote]
    If I vote through mail (paper ballot), at least there is physical verification that it is me who is voting and not somebody else on my behalf.
    [/quote]

    What about if someone were standing next to you and forcing you to vote at gun point? What about if you sold your vote and voted according to the wishes of the buyer? These are problems that we shouldn’t expect automation to solve. These are problems that the voter must be responsible for.

    Thanks.

  9. Hi Alfred,

    Likewise, you can “buy” the mail vote as well, isn’t it? If, like you say, you “buy” it and make sure that person writes the vote of your choice and puts it in the mailer, isn’t it the same?

  10. 25Jan2007 (UTC +8)

    Hiya James! I can see that there is a big trust issue that COMELEC needs to address for the acceptance of this Internet voting system. Here’s another blogger that says almost the same thing as others:
    http://technews-isaw.blogspot.com/2007/01/is-philippines-ready-for-internet.html

    May I humbly suggest that COMELEC have two focused thrusts in this specific matter? First, on developing & maintaining an information security management system, and the second on winning the trust of the voters. Both tough jobs, I bet.

  11. Sir,
    I’m sorry but field testing isn’t just about installing machines. It’s the whole gamut including software reviews & audit, user & voter education, network & communications testing and so on… There’s no time. Why can’t Comelec be consistent across the board? In RP, Abalos says that there is no time for implementation & that they should not rush things.

    There are many suppliers of internet voting systems. Did Comelec really, truly go out to look for these suppliers? Just google and you will find many suppliers from Australia, Europe, US & even Asia. Why was there no bidding?

    I can guarantee you that some people there, especially the election lawyers, will cry foul. Haven’t we learned from the past?

    Sorry to vent out our frustrations. End of the day, we care about our country. Maybe we’ll just watch from the sidelines from now on. Mr. Laggui is right in his suggestions.

  12. I am all for electronic voting, most specifically the DREs with VVPAT (voter verifiable paper audit trail), but not internet voting. While Scytl claims to have a proprietary security feature above and beyond industry standards, internet voting is not the way to go because how can all these security features guard against organized vote buying, which is a reality in our country. Seven years ago, the US Dept. of Defense broached this idea of internet voting and it was quickly shot down mainly because of potential vote buying schemes. While internet voting offers the convenience of voting at any internet ready media, it does not and will not serve the real purpose of clean elections, which is to count accurately the true will of the people. Unfortunately and sad to say but true, some of our countrymen, due to economic reasons or indifference to politics, are willing to sell their votes. It only takes a smooth operator to nudge them on and we have a lot of them!

  13. Drexx, I think you are absolutely right. Trust is a major issue. Like internet security.

    Alfred, no need to apologize (hehe. just ask drexx). This blog is here precisely for your comments. And absolutely please do not just watch quietly from the sidelines. Rest assured, even as I try to address your concerns, I am passing them on to the policy makers. We learn much from listening to people like you. Thank you for all your insights.

    Neuralfive, internet voting was looked at because of the need to make voting more convenient for our overseas countrymen. More convenient means more voters actually voting; and more voters actually voting means overseas filipinos get a bigger say in choosing our leaders.

    ivoter, thanks for weighing in too. 🙂

  14. [quote]
    there are actually very few suppliers of this kind of technology. It’s the security aspect that really matters and, as you must know, this is proprietary – in the nature of trade secrets. So, it’s not like counting machines that can really be as simple as automatic calculators – nothing secret about that.
    [/quote]

    Sir,

    It is an axiom in network security that proprietary security protocols are not to be trusted. People who refuse to have their systems inspected, audited, and verified with claims that their “proprietary rights” and “trade secrets” would be compromised if they do so, should not be trusted. Systems are trusted to be secure not because of the secrets they keep away from the public (i.e. proprietary protocols and trade secret implementation). They are trusted to be secure because we know how they keep the secret and despite that knowledge know that the secret can not be compromised.

    In every election we have means of verifying that the votes are cast and counted. That is, we never trust that black boxes will do the correct count. Whether this black box is an actual person counting (or not counting) the votes in secrecy or it is a “secure” machine counting (or not counting) the votes in secrecy (i.e. proprietary secret protocol) doesn’t change the requirement that we should be able to verify and validate the votes. How is this done through the Scytl system?

    I am sure that you are aware of the problems in the last US elections in Florida where a candidate won by less than 400 votes and a recount could not be done because the system they used didn’t have such safeguards. How have we learned from that experience?

  15. I think the solution is not based on a black box. The system is to be audited by a third party to ensure that it is secure and reliable.

  16. My most recent post addresses some of your concerns, I think. Thanks for sounding off.

  17. [quote]
    My most recent post addresses some of your concerns, I think. Thanks for sounding off.
    [/quote]

    I’ve gone through all your posts and my concerns have not been addressed. Looking forward to your reply. Thanks.

  18. ivoter:
    [quote]
    I think the solution is not based on a black box. The system is to be audited by a third party to ensure that it is secure and reliable.
    [/quote]

    Who is that third party? Have they made public the criteria which they will use to evaluate this system? Until it gets audited and a secure paper trail is instituted, this system should be considered a black box.

  19. 26Jan2007 (UTC +8)

    Bombim, having a “secure paper trail” is not an easy thing to do. Remember, the criteria of keeping the “privacy of voters” is extremely important.

    Auditing the information security of a national election system is not like auditing, say, a highly guarded banking system or even a data warehousing system for PLDT’s phone subscribers (just two random examples). In those traditional systems, if the IT auditor finds something wrong in the system, they can simply roll-back the transactions to correct mistakes. You can’t do that on an ideal national electoral system.

    Another way (or ways) has to be devised to achieve the same ends, that for the election system to be trusted.

  20. [quote]
    I agree with you that security is the paramount consideration. Certainly, voters will not accept a system that they cannot trust. Which is why the COMELEC places such emphasis on security. I have materials explaining security provisions further, and I will be posting them up on this site.
    [/quote]

    Hi.

    Here’s my 2cents.

    IMHO the system has to pass public tests first. Then put the system online for X days and invite as many white/black hats as you can to conduct PEN Tests on it. However, this will give you only minimal assurance since most PEN tests have limits on the amount of damage that can be inflicted on the system; additionally, black hats can’t be totally trusted since they tend to keep vulnerabilities they find to themselves (or worse, sell them to the highest bidder).

    My second concern is use of [distributed] denial of service attacks ([D]DOS) which is very easy to do compared to the 1st — this is like ballot box snatching the easy way.

    PS: sorry for the technical jargon.

  21. [quote]
    Neuralfive, internet voting was looked at because of the need to make voting more convenient for our overseas countrymen. More convenient means more voters actually voting; and more voters actually voting means overseas filipinos get a bigger say in choosing our leaders.
    [/quote]

    NOT IF THEIR VOTES ARE BOUGHT!!! This is exactly my point, Mr. Jimenez. The internet voting idea was quickly turned down in the United States because it lends itself to organized vote buying, something that is very real. In automating processes through technology, prudence dictates practicality in achieving the goal. If the goal is to eliminate fraud and count the true will of the people, then internet voting is not the way to go. If a voter seriously wants to exercise his right of suffrage, convenience is not a factor. I would rather have a few true votes than many fraudulent votes. That said, I still believe DRE with VVPAT and the physical presence of the voter for authentication is the most effective way to go. Cheers!

  22. Drexx wrote:
    [quote]
    Bombim, having a “secure paper trail” is not an easy thing to do. Remember, the criteria of keeping the “privacy of voters” is extremely important.
    [/quote]

    The paper trail doesn’t have to compromise privacy. The steps explained by Scytl here in https://oaiv.wordpress.com/2007/01/25/how-it-works/ are in the right direction. My only concern is that the individual voter is the one who has to complain whether his vote was miscounted or not. It should not be the voter who has to prove that the count was incorrect. It should be the COMELEC which should prove that the count is correct.

    I suggest the following additions:

    1) When a vote is generated by the user, 2 paper ballots with the appropriate security markings (e.g. barcode, hash, etc) associating the paper ballots with the electronic vote is generated.
    2) The voter inspects the paper ballots to check that his vote is properly registered.
    3) One of the paper ballots is dropped into a ballot box. The other is kept by the voter.
    4) The ballot boxes are sent to COMELEC.
    5) The paper ballots may be tallied against the electronic votes.

    Of course, when it is a real Internet vote (i.e. the user may be anywhere as long as connected to the Internet) rather than a Kiosk voting (the user has to be in a particular kiosk to generate the vote), step 3 is impossible. This is why I don’t like an Internet vote.

    [quote]
    In those traditional systems, if the IT auditor finds something wrong in the system, they can simply roll-back the transactions to correct mistakes. You can’t do that on an ideal national electoral system.
    [/quote]

    This is precisely my point. If you can’t verify the counts and roll-back the wrong transactions, then it is not a good system. It is therefore not an ideal system. It is imperative to be able to have a paper trail to ensure that the votes are correctly counted.

    [quote]
    Another way (or ways) has to be devised to achieve the same ends, that for the election system to be trusted.
    [/quote]

    For a system to be trusted, it must be demonstrated to be correct. Challengers must have a way to verify and validate the votes.
    One can’t hide behind the claim that their mumbo-jumbo proprietary/secret security procedures are correct but can’t be shown to everyone who cares to read it.
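
The tally in step 5 of the comment above, sketched as an added example (not part of the original comment, and not Scytl's or COMELEC's code). It assumes the "security marking" is an HMAC-SHA256 over a random ballot serial and the choices, keyed with a constructed demo key held by the kiosk and the audit board; all function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed demo key (assumption): held by the kiosk and the audit board.
ELECTION_KEY = b"constructed-demo-key-not-a-real-secret"

def marking(serial, choices, key=ELECTION_KEY):
    """Marking printed on both paper copies: HMAC-SHA256 over a random
    ballot serial and the choices. It carries no voter identity."""
    canon = "|".join(f"{c}={choices[c]}" for c in sorted(choices))
    return hmac.new(key, f"{serial}|{canon}".encode(), hashlib.sha256).hexdigest()

def cast(choices):
    """Step 1: return (electronic vote, paper ballot) sharing one marking."""
    serial = secrets.token_hex(8)  # random, so it cannot be linked to a voter
    record = {"serial": serial, "choices": dict(choices),
              "marking": marking(serial, choices)}
    return record, dict(record, choices=dict(choices))

def tally(records, contest):
    """Count the choices for one contest in either record set."""
    return Counter(r["choices"][contest] for r in records)

def reconcile(electronic, paper):
    """Step 5: check each paper ballot in the box against the electronic record."""
    report = {"bad_paper": [], "duplicate_paper": [], "altered": [],
              "no_electronic": [], "no_paper": []}
    by_serial = {e["serial"]: e for e in electronic}
    seen = set()
    for p in paper:
        s = p["serial"]
        if not hmac.compare_digest(marking(s, p["choices"]), p["marking"]):
            report["bad_paper"].append(s)          # paper edited or forged
        elif s in seen:
            report["duplicate_paper"].append(s)    # same ballot dropped twice
        else:
            seen.add(s)
            e = by_serial.get(s)
            if e is None:
                report["no_electronic"].append(s)  # vote removed from the server
            elif not hmac.compare_digest(marking(s, e["choices"]), p["marking"]):
                report["altered"].append(s)        # vote changed after casting
    # Electronic votes with no valid paper ballot behind them.
    report["no_paper"] = sorted(set(by_serial) - seen)
    return report

if __name__ == "__main__":
    votes = [cast({"president": c}) for c in ("A", "B", "A")]  # constructed sample
    electronic = [e for e, _ in votes]
    paper = [p for _, p in votes]
    electronic[0]["choices"]["president"] = "B"  # simulate a changed server record
    print(reconcile(electronic, paper))
    print(tally(electronic, "president"), tally(paper, "president"))
```

Because the marking covers only a random serial and the choices, the paper trail can be tallied without tying any ballot to a voter, which is the point made in reply to the privacy objection.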

  23. 27Jan2007 (UTC +8)

    Bombim, on your idea (as discussed off channel) of PhP 30M (budget as described in http://technology.inquirer.net/infotech/infotech/view_article.php?article_id=43811) by Filipino programmers instead, it’s great! I’m sure there’s a league here in PH who can do it for about 1/3 the cost. Heck, even make it Open-Source so that it can be trusted by everybody! Then, still very much within that PhP 30M budget, make it ITSEC-certified to E3 (see also http://www.cesg.gov.uk/site/iacs/index.cfm?menuSelected=1&displayPage=12). And still within that PhP 30M budget we can also have COMELEC certified to ISO 27001 (see also http://www.iso.org/iso/en/CatalogueDetailPage.CatalogueDetail?CSNUMBER=42103&ICS1=35&ICS2=40&ICS3=) so that we can be assured that COMELEC has a well-managed information security system.

  24. drexx wrote:
    [quote]
    Bombim, on your idea (as discussed off channel) of PhP 30M (budget as described in http://technology.inquirer.net/infotech/infotech/view_article.php?article_id=43811) by Filipino programmers instead, it’s great! I’m sure there’s a league here in PH who can do it for about 1/3 the cost.
    [/quote]

    I’m sure there are pinoys who can write it. However, in this case, my major concern is not who writes it but the following:
    (1) the code and system must be open for examination
    (2) the system must have the provisions for a manual count back
    (3) it must be bid out

  25. 01Oct2007 (UTC +8)

    Hiya James! So how did our country’s first Internet voting system go? Any good/bad lessons learned?

  28. I enjoyed reading your post, very informative.
    There are questions that we should also consider about the electronic voting like:
    >How reliable can the computerized (automated) election system be?
    >Is the software in the machines properly tested and proven bug-free?
    Anyway, thanks for the info. Looking forward to your next post.

