Seminar Presentation:Electronic voting

7/31/2019 Seminar Presentation:Electronic voting

1/49

Alensvon Geoffrey

Bct2410: Seminar Presentations

Topic: Electronic Voting

Introduction

Electronic voting and counting technologies are being increasingly used around the

world. India, the worlds largest democracy, now uses electronic voting machines

exclusively for national and provincial elections. Brazil, Belgium and the Philippines

also use electronic voting or counting technologies for all of their national elections.

Countries such as Estonia, Indonesia, Kazakhstan, Nepal, Norway, Pakistan, Russia and

the United States are at various stages of piloting or partially using electronic voting

and counting technologies, including the use of Internet voting.

Some countries, however, are moving in the opposite direction. The Netherlands, in

2008, after several decades of increasing use of electronic voting machines, decertified

all of its machines and moved back to paper balloting. Germany, likewise, recently

banned the use of electronic voting machines it had been using, and in Ireland 52

million1 worth of electronic voting machines were bought but only used for a smallpilot project. Furthermore, the use of electronic voting and counting technologies in the

United States is deeply controversial and generates fierce debate between advocates

and opponents of these technologies.

How are we to reconcile these very different approaches to the suitability of electronic

voting and counting technologies? For a country considering electronic voting or

counting technologies, which is the right approach and when is it advisable to proceed

using these technologies?

The answer is, of course, that there is no one answer. The factors which may push one

nation towards an electronic voting or counting technology may not be present for

another nation, or may indicate a different solution. The challenges of moving paper

ballots around large countries such as Russia and Kazakhstan make the use of electronic


2/49


3/49

cast a ballot via text message or SMS. In electronic counting an electronic device is used

to count the ballots cast, whether paper or electronic.

Any combination of manual/electronic voting/ counting is possible. A full electronic

solution involves an electronic voting machine, remote or otherwise, directly recording

the preference of the voter through a ballot interface (e.g., a touch screen), electronically

counting the votes received at the end of polling and providing these results to election

officials. Partial electronic solutions are also available whereby paper ballots are marked

manually but counted by machine (e.g., optical scan solutions) or an electronic device is

used to create a printed vote which is placed in the ballot box and counted by hand or

electronically.

The various technological solutions offered by electronic voting and counting

technologies mean there are many options available for election administrators while

considering the introduction of such technologies. Electronic voting and counting

technology vendors offer different ways of implementing each specific technical

solution.

Brief History of Electronic Voting

1955 -Erich Fromm presents the idea of communicating and decision-making via

interconnected technical devices.

1960 -The first computers for tabulating votes have been developed.

-The first punch card machines are developed and implemented.

1970 -Murry Turoff developed a computer supported Delphi panel, which provided

computer supported voting system. This Emergency Management Information

and Reference Index (EMISARI) was ready in 1972.

1971 -R. Buckminster Fuller introduced the concept of electrified voting in a

theoretical and ideally democratic world.


4/49

1973 -The first efforts and developments in the area of optical scanninghave been

introduced.

1980 -Punch cards as voting technology were questioned regarding the accuracy of

the vote casting process.

1984 -The State of Illinois (US) started testingvote counting systems.

2000 -The United Kingdom launches a vast amount of trials and test projects to

discover the opportunities and challenges of Internet Voting.

2005 -First legally-binding Internet voting channel available at the local elections in

Estonia.

2007 -First Parliamentary elections in Estonia with an Internet voting channel

available for every eligible Estonian voter.

2008 -The German constitutional court ruling demands transparency and verification

mechanisms as an essential requirement for e-voting.

2008 -The Netherlands ban the use of electronic voting machines in elections.

2009 -Internet voting is used as an additional voting channel at the elections for the

Austrian Student Federation in Austria.

Today -In Estonia, 25% of the voters cast their vote over the Internet in the Parliament

elections.

-Norway introduces Internet voting at the municipal elections for predefined

communities.


5/49

-Swiss living abroad have the ability to cast their vote over the Internet.

Points to Consider before Implementing Electronic Voting

General points to consider

Confidence

In recent years it has become clear that an e-voting system can only be introduced if

voters have confidence in their current electoral system. If it is trusted, voters are very

likely to have confidence in new e-enabled elections. However, confidence should not

be taken for granted and states need to do their utmost to ensure that it is preserved, all

the more so as once trust and public confidence are eroded, they are exceedingly hard

to restore. A trusted system gives scope for citizens and other stakeholders to ask

critical questions.

Fostering transparent practices in member states is a key element in building public

trust and confidence. Transparency about the e-voting system, the details of different

electoral procedures and the reasons for introducing e-voting will contribute to voters

knowledge and understanding, thereby generating trust and confidence among the

general public.

Although transparency, with documentation available to voters and other stakeholders,

is important, it will not be possible for everybody to understand the e-voting system. If

they are to have confidence in the electoral process, some voters need to rely on others

who are in a position to understand the equipment and the processes. It is therefore

essential that domestic and international observers as well as the media have as much

access as possible to relevant documents, meetings, activities, etc. Acting in a

transparent manner towards these specific and important groups will boost public trust

and confidence, because without transparency states cannot guarantee that an e-


6/49

enabled election was conducted according to the democratic principles of free and fair

elections.

Some people argue that the introduction of e-voting can also boost public confidence.

However, building trust should never in itself be a reason for introducing e-voting.

Public debate

Before deciding to pilot or introduce e-voting, there should be sufficient public debate

on the subject. This is also a good way of finding out what voters want with regard to

elections. For example, are they in favour of Internet voting or would they prefer to

keep the current system? A public debate can foster the electorates confidence in the

system and provides transparency to the decision-making process. However, if nothandled well it may produce the opposite result. Political parties or other stakeholders

may argue against it because they think they would stand to lose if e-voting did not

engage their own voters.

One also has to be prepared to deal with unfounded allegations. People may claim that

the system does not work, or that they can hack into it (or have already done so). An

attack does not have to be successful technologically to be successful publicly. One has

to decide in advance how to deal with untrue or unfounded statements.

Accessibility

E-voting can provide great opportunities for improving certain groups access to the

election process. The following groups could benefit:

the visually impaired could use headphones connected to DREs and PCs if usingInternet voting;

citizens who are not normally able to go to a polling station to cast their vote cannow vote via the Internet from their own home;

the use of electronic media can also facilitate the use of official minoritylanguages, and this could lead to increasing involvement;


7/49

military personnel overseas find it difficult to vote while on duty, so that e-voting might make it easier for them to participate in elections;

citizens living and working abroad face some of the same challenges as militarypersonnel, and so could similarly benefit from the introduction of e-voting.

E-voting should result in inclusion, never exclusion, of certain groups.

2.3. Technical points to consider

Open-source or proprietary software

Proprietary software is software which is licensed under exclusive legal rights held by

its owner. The buyer acquires the right to use the software under certain conditions, but

not for other purposes such as modification or further distribution. Open-source

software has freely available source codes which can grant users the right to use, study,

change, improve, expand and distribute the source code.

An important decision when defining an e-voting strategy is whether to use open-

source or proprietary software. This is especially relevant to the issue of confidence.

Several e-voting companies use proprietary software, which has the disadvantage that

in most cases the rights holder does not make the source code available to the general

public (or makes it available only partially or temporarily). In some cases a few selected

experts are given the possibility to review the source code. However, this is most likely

to be governed by strict rules, for example non-disclosure agreements barring the

electoral authority from revealing anything about the content of the source code, or its

conclusions or recommendations. This is not a very transparent process and will,

therefore, not contribute to building confidence.


8/49

One advantage of open-source software is that it can increase the confidence of the

population and other parties involved in the e-voting system. This is reinforced by the

fact that the suppliers are independent and there is no vendor lock-in. Furthermore,information security is increased because the source code is available to all, and the

future stability of the chosen e-voting solutions is strengthened as the source code can

also be supported by third parties. Moreover, licence fee costs are lower because open-

source software is generally made available free of charge and the use of open

standards often means that fewer problems of connection to other software are

encountered. Proprietary systems also can, should and do use open standards like

Election Markup Language (EML) to increase interoperability, in conformity withwhatever requirements are set.

A third option is for a proprietary source code to be owned by the government, which

means that the government controls the source code and its distribution. This approach

allows the government, independent bodies and citizens to examine the source code

and to propose improvements if they wish. It is important, however, that governments

refrain from using ownership of the source code as an excuse to restrict distribution to a

select few or to not share it with others at all.

Identification and authentication of the voter

When e-voting is used at a polling station, the voter identification process can stay the

same, but it can also change if an electronic voter register is used. In this case,

arrangements need to be in place to ensure that the voters identity cannot be linked to

his/her vote (see 2.3.3). If biometric features have been used for the registration process

(see 3.4.1), these same features can be used for voter authentication.

Internet voting from home7 is different and a remote electronic identification system

must be developed. Voters could authenticate themselves with an electronic ID card or,


9/49

where no such system exists, authenticate themselves by using a combination of

username and password with a control question (for example, date of birth). It is

important to realise that without a physical token, voter authentication is less reliable

and it is much easier to sell ones vote by disclosing username and password to a thirdperson.

It should be noted that when voters have to make up their own username and/or

password (for example, when registering to vote), they may forget or mislay the

username and/or password. So a system needs to be set up to provide a new username

and/or password at very short notice whilst at the same time ensuring that the voter

can only vote once.

Removing the link between vote and voter

In order to respect the secrecy of the ballot as one of the main principles of democratic

elections, it is important that at some point in the voting process the link between the

identity of the voter and the vote itself is broken. This should preferably happen

immediately after the voter has cast his/her vote.

Since the vote and the voter must not be linked, it is important to establish a procedure

governing who has access to the voting register and the voter registers (preferably

managed by different authorities), when and under what circumstances they will have

access, how long the registers will exist, and how and by whom they will be deleted. In

the case of reversible voting (see paragraph 2.1.2), specific technical solutions must be

put into place.

Design of the electronic ballot paper

Decisions have to be taken about the design and layout of the electronic ballot paper.

There are two possibilities:

the electronic ballot is exactly the same as the paper ballot;


10/49

the electronic ballot has a different layout, for example because the paper ballotsare too large and their design does not lend itself to computer use. In this case a

two-stage approach may be necessary. The voter would first choose a party and

then, on the next screen, vote for his/her chosen candidate. The need to scrolldown the screen should be avoided, because it would jeopardise the equality of

the candidates: those whose names are only visible when a voter scrolls down

would be disadvantaged.

In particular in cases when electronic media are used alongside paper, one has to decide

how to deal with any difference in design, since this could also have legal repercussions

for the election.

Austria

For binding elections to the student bodies in 2009, the law provides in Article 43

HSWO that the electronic and paper ballot should both resemble as closely as possible

the original template in the law. As e-voting was conducted in the week before the

paper-based elections, a data entry error was found on the electronic ballot (one student

partys name was not complete) which could only be corrected on the paper ballot. This

problem can be overcome by certifying the e-ballot before the election starts.

The introduction of new voting technology could also serve as an opportunity to

improve the current design.

Confirmation of the vote

It is advisable to have the voter confirm his/her e-vote. The procedure would be as

follows: first, the voter votes for a party, a candidate, indicates one or more preferences,

casts a blank vote or votes yes or no in a referendum. Next, the voter receives an

overview of all his/her votes and is asked to confirm his/her choices. If the voter is not

satisfied with the overview, he/she should be able to return to the election or


11/49

referendum options and change his/her vote. The voter would then receive a new

overview. Once satisfied, he/she should confirm his/her choices.

Since this is an additional, new step in the election process, special attention should be

paid to informing voters about this new procedure, as it has been found that it is notalways clear. Furthermore, it should be noted that if the confirmation stage is not

completed the voting process is potentially open to fraud, with polling station

personnel tempted to finish the casting of the vote.

Finland

The Finnish Ministry of Justice conducted an experiment with DREs in three

municipalities during the local elections on 26 October 2008. Owing to a usability issue,voting was prematurely aborted for 232 voters. The system required voters to insert a

smart card to identify themselves, type in their selected candidate number, then press

OK, check thecandidate details on the screen, and then press OK again. Some

voters did not press OK the second time, but instead removed for reasons unknown

their smart card from the voting terminal prematurely, with the result that their votes

were not recorded. On 9 April 2009 the Supreme Administrative Court ordered that

new elections be held in the three pilot municipalities.

Voting period

Citizens are generally accustomed to an election held on a single day, but this may be

extended if e-voting at polling stations is used. However, when introducing Internet

voting from home, consideration may be given to extending the voting period from a

few days to a few weeks. One advantage of this is to reduce demands on availability

and capacity. Note, however, that interest in the electoral campaign may wane if a

significant number of voters have already voted long before election day.

As regards the end of the Internet voting period, there are two options. Voting can end:

one or two days before election day. This would give the organizers extra time toupdate the voter register if necessary;


12/49

at the same time as voting at the polling station. This requires that an onlinevoter register be in place.

Different types of electronic tools

1. Direct Recording Electronic computers (DREs). These are machines or computersnormally installed at a polling station, which record and simultaneously store the

vote. This can be done using a touch screen (with or without a specific pen) or

through a device which involves pressing one or more buttons.

2. Voting via the Internet. This can be done in a controlled area like a polling station orin a non-controlled area such as a kiosk or the home.

3. Optical and digital scanning devices which can be used in polling stations or in adesignated counting area to scan ballot papers. These are normally used to improve

the accuracy of the counting process and reduce potential manual counting errors.

However, the quality of the count depends on the correct marking of the ballot

paper and the quality of the ink used by the voter.

4. At a polling station, use of one medium to record the vote, which is then registeredin a ballot box on another device. This system differs substantially from a DRE inthat nothing is stored in the DRE and it is impossible for a voter to manipulate the

memory containing the vote.

Internet Voting Channels

The term Internet voting is used to refer to many different methods, or channels, of

voting. What these channels have in common is the use of the communications

connectivity and protocols provided by the Internet. The Internet is a global

information system composed of hundreds of thousands of independent computers and

networks that are logically linked together by a common set of communication

standards, procedures and formats. It provides the connectivity, message routing and


13/49

end-to-end communication services that enable the development of a constantly

evolving array of information services.7

Figure 1 Internet Voting Classification

Figure 1-1 classifies Internet voting as a subset of electronic voting. For purposes of this

research, an Internet voting system was defined as any system where the voters ballot

selections are transmitted over the Internet from a location other than a polling place to

the entity conducting the election. Hence the term remote electronic voting is oftenused as a synonym for Internet voting. Based on this definition, blank ballot

distribution systems, online marking systems and public switched telephone network

(PSTN) systems are not considered Internet voting systems.


14/49

As indicated in Figure 1-1, the remote voting location can be either a controlled or an

uncontrolled voting environment. A controlled environment means that the voting

platform (i.e., computer used for voting) was supplied by, and was under the control of,

the entity conducting the election. An uncontrolled environment means the votersupplies the computer used for voting, which might be their personal computer, their

workplace computer, or any other public computer.

There are two forms in which the voters ballot selections can be returned: electronic

ballot return, where the entire ballot document, including the voters sections, is

transmitted; or vote data return, where only the voters selections are transmitted.

There are three channels, or methods, for electronic ballot return:

a web-based communications application which uploads a digital representation of avoted ballot (e.g., pdf, jpeg, png) file to a website;

digital facsimile, where a voted ballot is scanned and transmitted as a graphics file;

and

email, where a digital representation (e.g., pdf, jpeg, png) of a voted ballot is

transmitted via email.

There are also three channels, or methods, for presentation of the ballot and vote data

return:

a web browser or computer application which the voter executes to display the ballot,

record selections and transmit selections;

a DRE or kiosk connected to the Internet to transmit vote data; and

a Voice Over Internet Protocol (VOIP) approach for the voter to access the ballot,

record selections and transmit selections.

This report includes examples of Internet voting systems using all of the above channels

of electronic ballot return and vote data return except systems utilizing email and fax

technology.


15/49

Case Studies (Sample E-Voting Projects)

1. Okaloosa Distance Balloting Project (ODBP)Sponsor: Okaloosa County Supervisor of Elections

Election Type: General Election

Date or Voting Period: October-November 2008

Target Population: Military and Overseas voters

Channel: Controlled>Vote Data Return>DRE/KioskTechnology Provider: Scytl

Channel Protection: VPN, SSL, multiple layers of encryption and digitally

signed data

Participating Voters: 93

Authentication: Two factor: In person identification with photo ID,

digital certificate

The Supervisor of Elections in Okaloosa County, Florida, fielded a small pilot project for

the 2008 General Election, known as the Okaloosa Distance Balloting Pilot (ODBP).

There are numerous military installations representing every branch of the military

based in Okaloosa County. There are over 20,000 active duty service members and

dependents registered to vote in the county. To avoid the security concerns raised by

the SERVE project (see SERVE section), voting was conducted in a controlled voting

environment using a computer provided and administered by the local election office.

The voting sites, called kiosks, were set up in hotels in three overseas locations:

Mildenhall, England; Ramstein, Germany; and Kadena, Japan. These locations were

selected because they have U.S. military installations with high concentrations of


16/49

Okaloosa voters. The sites in England and Germany were open for a 10 day period prior

to the election and closed 2 days before Election Day (October 24th through November

2nd). The Japan site was open for only 2 days, due to a last minute issue that required

finding a new location.

Figure 2 ODBP Kiosk Equipment

The ODBP architecture was composed of three segments: kiosk sites, the central servers

hosted in a commercial data center, and the Okaloosa elections office server and voter

registration database. Appendix C shows the physical equipment used at the kiosk

sites. The database was hosted in the county data center. As indicated in the figure that

follows, all communications between the various elements of the system were provided

by VPN connections through the Internet.


17/49

Figure 3 ODBP System Architecture

The configuration of the Voter Authentication System consisted of a hardened laptop

computer, a printer, a bar code scanner and a smartcard reader. This system was used

to verify the voters eligibility; print the state required Voter Certificate; and extract

specified data elements from the voter registration database to encode a smart card

used to activate the voting session at the voting laptop. The Voter Authentication

System was connected to the Okaloosa voter registration database via the Internet to

update voter history data in real time.

The voting laptop configuration consisted of a touch screen connected to a laptop

computer, a smartcard reader and a printer. The entire Operating System (OS) the

voting laptop used (e.g., voting specifications) was written to read-only media, known

as the Live CD. The laptop was connected through a VPN to the central server.

When a voter arrived at the kiosk site, they presented a photo ID to the kiosk worker,

who validated the voters eligibility to vote using the voter registration database. If

verified, a Voter Certificate was printed so the voter could sign the state oath. This

document contained data such as voter name and address, date of birth, election


18/49

identifier, voter registration number, precinct number and ballot style. Selected data

elements were captured in a bar code, which was scanned by the kiosk worker to write

the required voter credentials and ballot style information on a smart card.

The voter inserted the smart card in the reader attached to the voting computer toinitiate the voting session. The smart card data were transmitted to, and validated by,

the central server that returned an electronic ballot, along with the digital certificate

issued for that voter. The voter made their selections and received a paper record of

their choices to compare with the summary screen display. If the voter was satisfied

with their choices, they touched the Vote button. The voting software encrypted the

voters selections, applied the voters digital signature using their digital certificate and

transmitted the voters selections to the central server. A receipt was printed with arandomly generated code that the voter could use after the election to see if his ballot

was counted. Removal of the smart card closed out the voting session. The voter

returned the smart card to the kiosk worker along with the paper record, which was

stored in a receptacle and returned to Okaloosa County as part of the election records.

Since the kiosks were set up in hotel rooms, the only available physical security

measure was to lock the door when the kiosk was not in operation. Consequently, the

Live CD with the voting application and all other sensitive materials were removed

each day when kiosk operations ended and kept under the physical control of the kiosk

workers. Each morning the kiosk workers checked the tamper evident seals on the

computers, initialized the Voter Authentication System, checked the integrity of the

Live CD by verifying the hash, rebooted the voting laptop and established the VPN

link.52

The central server hosted the ballot database, delivered the correct ballot style to the

requesting voter, stored the encrypted voted ballots in an electronic ballot box, and

delivered the ballot box to the Okaloosa County Canvassing Board upon request after

the close of the election. The central server also maintained detailed audit logs of all

system transactions and events. The system software installed on the central servers


19/49

was the same software tested, certified and digitally signed by the Florida Bureau of

Voting Systems Certification.

The computer designated as the mixing server in the architecture diagram is a critical

component of the voting system. This server was operated and administered by theelection office staff. Before the start of voting, the mixing server was used by the

Okaloosa Canvassing Board to generate a public/private key pair for the election. The

public key was used to encrypt the ballots cast by the voters. The private key was used

at the end of the election to decrypt the ballots. The private key was divided into shares,

which were distributed to the Canvassing Board members and then the key was erased

from the system. This ensured ballot contents could not be viewed during the voting

period. Multiple shares were required to reconstruct the key, so no single person coulddecrypt the ballots when the voting period closed. After this process was completed, the

mixing server was stored in the office vault.

At the end of the voting period, the bridge laptop was used to download the encrypted

ballot box from the central server. The ballot box file contained the ballots, which were

individually encrypted and digitally signed by the voters. Then, the entire file was

wrapped in another layer of encryption and transmitted. This file was manually

transferred to the mixing server by means of a USB memory stick because this server

was required to be isolated from any network. The mixing server verified that the

encrypted ballot box file had not been tampered with or corrupted during transmission.

Then the Canvassing Board reconstructed the private key and authorized the

decryption and tabulation of the ballots. This process breaks the correlation between

voters and ballots and mixes the ballot order to preserve anonymity. A tabulation

report was produced and the results manually uploaded to the county election

management system.

Standards Used

The Florida Administrative Rule 1S-2.030 Electronic Transmission of Absentee Ballots

authorized the project.53 This rule permits a supervisor of elections to provide overseas


20/49

voters the option of voting by secure remote electronic transmission if certain

requirements were met. These requirements included the submission of a project plan

for approval by the State Division of Elections. The rule also specified the information

that the plan had to include. The project plan had to be approved by the FloridaDivision of Elections before the project could proceed.54

In addition, the system was required to be tested and certified for use by the Florida

Bureau of Voting Systems Certification. The test plan incorporated the administrative

rule requirements, the applicable Florida Voting System Standards, and additional

security standards defined to cover elements of the system not addressed by the Florida

standards. 55

Level of Risk AssumedThe security controls implemented in the ODBP project were defined following an ISO

27001 risk management approach. Florida Administrative Rule 1S-2.030 was the starting

point for security requirements. After identifying the vulnerabilities and security threats

to which the system could be exposed, a set of physical, logical and procedural security

controls were defined to prevent the materialization of threats or to mitigate their

impact. These security controls are summarized in Section 11 of the June 19 project

plan.56 A third party independent team of voting system experts conducted a software

review and analysis of the security architecture of the system and several elements were

modified based on the findings of this group.57

The level of risk assumed by ODBP personnel was very low due to a number of factors:

1. The system was designed with robust, multi-layered security architecture.2. The system utilized successfully implemented technologies used in a number of

previous government elections.

3. All ballot data was encrypted and digitally signed while in transit and in storage.4. All system communication was performed over dedicated virtual private

networks, established with digital certificates at both ends for strong

authentication.

5. Two levels of firewalls blocked public access to the system.


21/49

6. Alternative communications paths were available to mitigate against denial ofservice attempts.

7. The voting sites were under the administrative control of the election office.8.

The integrity of kiosk voting software was validated each day.58

Entity Assuming Risk

The Supervisor of Elections of Okaloosa County and the Florida Secretary of States

office assumed the risk for this project. The elections supervisor was the system

proponent and the state tested and certified the system for use.

2. Secure Electronic Registration and Voting Experiment (SERVE)Election Type: General Election

Date or Voting Period: Scheduled for 2004 General Election

Target Population: Military and Overseas voters

Channel: Uncontrolled>Vote Data

Return>Web Application

Technology Provider: FVAP, Hart InterCivic

Channel Protection: SSL 3.0 with session keys, and

encrypted and digitally signed data

(SHA1 with DSA)


Authentication: Two factor: User name and

password, X .509 digital certificate

Following the completion of the Voting Over the Internet (VOI) project in 2000, in the

Fiscal Year 2002 National Defense Authorization Act (1604 of P.L. 107-107:115

Stat.1277), Congress instructed the Secretary of Defense to carry out a larger

demonstration project. The States of Arkansas, Florida, Hawaii, North Carolina, South


22/49

Carolina, Utah, and Washington agreed to work with FVAP and ask counties to

participate in the Secure Electronic Registration and Voting Experiment (SERVE) project

for the November 2004 election. Fifty-five counties from Arkansas, Florida, Hawaii,

North Carolina, South Carolina, Utah and Washington chose to participate. However,the SERVE project was cancelled before it was deployed due to security concerns raised

by a group of computer scientists. These individuals publicly issued a critique of the

system contending that the use of personal computers over the Internet could not be

made secure enough for public elections and called for the project to be

terminated.65The Department of Defense, citing a lack of public confidence in the

system because of this report, decided that the project could not continue under these

circumstances.

The SERVE architecture was a central hosting environment with distributed access from

local election officials and voters using any computer that met the minimal

compatibility requirements. 66


23/49

Figure 4 SERVE System Architecture

Nearly all system processing, except tabulation, was performed on the central server

site. The system software consisted of eight integrated subsystems: Identification and

Authentication; Common Services; Voter Registration; Election Administration; Ballot

Definition; Voting; Download and Decryption; and Tabulation. Each participating local

election jurisdiction (LEO) had a dedicated environment on the system to enable them

to independently administer their own election processes from any workstation in their

office.

There was an SFTP connection with the voter registration database server for

downloading the voter registration applications submitted on the system for There was

an SFTP connection with the voter registration database server for downloading the

voter registration applications submitted on the system for processing by the LEO. Each

LEO was provided a hardened laptop for the download, decryption and tabulation of


24/49

ballots from the central hosting environment. Capabilities for local election officials

included voter registration, election definition, ballot, ballot decryption, ballot

tabulation, and voter history.

Voters were required to use a computer running a Windows Operating System witheither Netscape or Internet Explorer as the web browser. The voter needed to have a

SERVE digital certificate. System services for voters included: online voter registration

and updating of voter information online; ballot delivery and vote selection; and review

of their registration and voting status. When the voter finished making vote selections,

the selections were transmitted to temporary storage in the cast vote record database on

the central server.67 A summary was sent back to the voter to confirm the vote

selections as received by the cast vote record database were correct. Upon return of theconfirmation message by the voter, the vote selections were permanently stored in the

database on the central server until downloaded by the LEO.68

SERVE established its own X.509 compliant certificate authority using VeriSign roaming

certificates. 69Personal digital certificates were issued to all system users LEOS,

voters, and system administrators. Machine certificates were provided for LEO servers

exchanging non-ballot data with the central server and for all the central server

elements. This provided a complete audit trail of all user transactions and all machine-

generated events. A minimum of two LEO personal certificates plus a hardware token

with a password were required for the use of the LEO laptop to download, decrypt and

tabulate ballots.

If a voter had a Department of Defense (DoD) Common Access Card (CAC), they could

use that credential to identify themselves to the SERVE system. Upon the systems

verification of this credential against the DoD PKI Certificate Revocation List, the voter

was issued a SERVE certificate for future system access. The reason for replacing the

CAC with a SERVE credential was to enable voters to use any computer to access the

system and not be restricted by needing a card reader. The roaming certificate was

stored on the system and was accessed with the voters user name and password.

Voters who did not have a CAC card were issued a SERVE certificate by physically


25/49

presenting themselves with a suitable identification document to a SERVE trusted

agent.

Figure 5 SERVE Voting Action Summary

Standards Used

The testing regimen planned for the SERVE system was a combined DoD Information

Technology Security Certification and Accreditation Process (DITSCAP), National


26/49

Association of State Election Directors (NASED), and State of Florida certification and

accreditation process. As was the case with the earlier Voting Over the Internet project

(see VOI section), the available voting system standards did not include standards for

the more advanced technologies employed, such as cryptography, digital certificatesand the Internet. The SERVE project team began with the VOI testing requirements and

expanded them to cover all the elements of the system security architecture and

communications links.70In addition to the Florida Voting System Standards and the

2002 Federal Election Commission Voting System Standards, a variety of Federal

Information Processing Standards (FIPS), ISO standards, the Open Web Application

Security Project standards and Common Criteria Protection Profiles Guidelines were

drawn upon to provide the system testing requirements. The results of the SERVEThreat Risk Assessment process identified areas where additional security testing was

needed.

Level of Risk Assumed

The SERVE project used the Facilitated Risk Analysis Procedure (FRAP) methodology

as the basis for its phased risk assessment activity. FRAP uses a diverse team of subject

matter experts to identify the pool of risks and rank them in a comparative fashion. The

process is not designed to create hard risk values but rather comparative risk qualifiers

to give system designers and project managers the ability to focus on the risks with the

highest priority for the project. While different teams of experts might assign different

levels of risk ratings to risk elements, the design of the methodology causes the overall

ranking of the risks to remain generally the same. Portions of the National Security

Agency INFOSEC Assessment Methodology were employed to create information

criticality ratings. NSA, as a detailed and systematic way of examining cyber

vulnerabilities, developed this methodology. The results of the risk assessment were

used in the system security architecture design phase and also factored into the system

testing requirements.


27/49

As a generalized statement of the acceptable level of risk, the SERVE Report states, At

the very least, any new form of absentee voting should be as secure as current absentee

voting systems.71However, a risk assessment has not been performed on the by mail

UOCAVA absentee process, so there is no baseline for making a comparison. The threatprofile for voting by mail is significantly different than the threat profile for Internet

voting.


Different levels of risk applied to each of the entities participating in the project,

depending on their system role. FVAP relied on due diligence of conducting a formal

phased risk assessment throughout the system development cycle; monitoring andreview of system development process; developing system security requirements to be

responsive to risks; collaborative development of system requirements with states and

counties; conducting thorough certification and accreditation testing for conformance to

both functional and security requirements and doing third party penetration testing

prior to deployment.72

After deployment, the use of random third party penetration testing, continuous

monitoring of system performance audit logs with pre-specified alarm conditions, and

random third party review of system audit logs were planned as mechanisms to

maintain awareness of the threat environment.

State election office due diligence consisted of relying on FVAPs due diligence;

participating in the development of system requirements; participating in system

design reviews; approving the system design; participating, reviewing and approving

certification and accreditation testing and possibly doing their own acceptance testing;

and participating in system administration decisions in the event of detected anomalous

activity during the systems operation.73

Local election office due diligence relied upon FVAPs and their States actions,

performing their own Logic & Accuracy testing, and adhering to system operating and

security procedures. 74


28/49

Voters assumed the risk of keeping their personal computers free of malware, properly

protecting their electronic credentials to prevent fraudulent use, reliable service from

their ISP provider, and using an experimental system.

3. Voting Over the Internet (VOI)Sponsor: FVAP; South Carolina (Statewide);

Okaloosa County, FL; Orange County,

FL; Dallas County, TX; Weber County,

UT

Election Type: General ElectionDate or Voting Period: September - November 2000

Target Population: UOCAVA voters

Channel: Uncontrolled>Vote Data Return>Web

Application

Technology Provider: U.S. Department of Defense (DoD)

FVAP

Channel Protection: VPN between central server and

servers at state/county offices; SSL

between voters and central server;

session and object encryption


Authentication: Two factor: User name and password

with hard token DoD PKI medium

assurance (X.509) digital certificate

The Voting Over the Internet (VOI) project was a small project implemented

cooperatively by the Federal Voting Assistance Program (FVAP), South Carolina


29/49

(Statewide); Okaloosa County, FL; Orange County, FL; Dallas County, TX; Weber

County, UT. The pilot project was designed to examine the feasibility of using the

Internet for remote registration and voting in an effort to overcome the time and

distance barriers faced by UOCAVA voters. This was the first time that binding voteswere cast over the Internet for federal, state, and local offices, including the President

and Members of Congress.88

The VOI architecture was composed of three segments: the central server site

administered by FVAP, the local election office (LEO) server sites administered by the

county election offices and the South Carolina State Board of Elections, and the

computers used by the voters.

All system communications took place over the Internet. External communications

connections were configured so that voters could only connect to the central server, and

only the central server could communicate with the LEO servers. An Intrusion

Detection System on the central server monitored all traffic.


30/49

The central server site, administered by FVAP, was the focal point for all system

services. It included a server, operating system, database management software,

application server software, and the VOI custom-developed software. From a functionalperspective, the central server identified and authenticated users, allowed users to

transfer Electronic Federal Post Card Applications (EFPCAs) and electronic ballots to

and from the LEO servers, and performed a postmarking function of time-stamping

all transactions. The content of all transactions passed through the central server in

encrypted form; only the addressing information could be read for message routing.

The central server provided these functions: authenticated voters and objects;

transmitted blank EFPCAs to voters; received completed EFPCAs from voters andforwarded them to LEOs; received blank ballots from LEOs and forwarded them to

voters; received voted ballots and forwarded them to LEOs; received and forwarded

status messages to voters; maintained transaction and security audit logs; and archived

data.89

One of the challenges faced by the project was finding an efficient and reliable method

for converting ballot data from the native formats of the various Election Management

Systems (EMS) and other applications (e.g., Pagemaker) into the format required for

electronic transmission and vote capture. The final solution was to develop a software

application, called the Electronic Ballot Tool. This tool provided the following

functionality: Web interface and step-by-step assistance for the creation of electronic

ballots, including defining races, candidates, questions, oaths and instructions; dual

language capability for those jurisdictions required to provide ballots in languages

other than English; and preparation of final electronic ballot files for transmission to the

LEO workstation. LEOs copied the completed ballot files to a floppy disk to upload to

the LEO VOI server. The ballot tool server did not retain ballot files.90Each LEO site

had a server that connected only to the central server to transmit and receive EFPCAs,

electronic ballots and voter status messages. The server utilized a database of voter

information and ballot assignment information to match each voter with the correct


31/49

ballot style. Each server stored completed EFPCAs, blank electronic ballots, and voted

electronic ballots for its county. The South Carolina server was operated by the State

Board of Elections and contained information for all the counties in the state. After the

close of the voting period, the LEO servers supported ballot reconciliation and ballotprocessing. The LEO server could authenticate objects; maintain transaction and

security logs; print records; and archive data.

Ballot reconciliation is a procedure to ensure that only one ballot is counted for each

voter. Each LEO had a list of voters requesting to participate in the pilot. If anyone on

this list returned a ballot by mail, the ballot was held aside unopened until the end of

the voting period. If a voter returned voted ballots by both channels, the electronic

ballot was counted and the mail ballot remained unopened. Ballot processing is theprocedure whereby the voters identity is separated from the electronic ballot, and the

ballot is decrypted and printed. The LEOs transcribed the votes from the HTML-

formatted ballots to ballots that could be tabulated by the local tabulating process.

To use the VOI system, the voters computer had to run a Microsoft Windows 95/98

operating system, have a connection to the Internet, and have Netscape Navigator

browser Version 4.05 or higher installed. MacIntosh and UNIX platforms could not be

used, nor could Microsofts Internet Explorer browser. Custom software to enable VOI-

specific functions, in the form of a browser plug-in, was provided on a CD-ROM sent

to each voter. The CD-ROM contained the required version of the Netscape Navigator

browser for voters who needed to upgrade their software to be compatible. The voter

needed to have a DoD PKI digital certificate stored on a floppy disk or pre-loaded in the

browser.

The voter used their computer to access the VOI central server; request, complete and

submit an EFPCA; request, vote and submit an electronic ballot; and make a status

request. The LEO server could respond with a number of status conditions such as no

EFPCA received, EFPCA denied, EFPCA pending, E-Ballot available, E-Ballot received.

The voter took the following actions to use the VOI system:

1) Notify their LEO that they wanted to volunteer for the project.


32/49

2) Obtain a digital certificate.

3) Receive the VOI software and install it on their computer.91

After completing these activities the voter could logon to the system as follows:

1) Insert the floppy disk with digital certificate into disk drive.

2) Start Netscape Communicator.

3) Enter the URL provided by FVAP.

4) Enter the certificate password at the login screen.92

Each voter completed and submitted an EFPCA so the LEO had current voter

information to assign the appropriate ballot style. When the form was completed, the

voter received a blank Affirmation Statement. The voter entered their certificate

password again to digitally sign the form before transmitting it to the LEO. In addition

to being a voter registration application and absentee ballot request, this activity

enrolled the voter on the system access list.

After the LEO approved the EFPCA and the voting period began, the voter requested a

blank ballot using the same login process described above. When the LEO received this

request, they transmitted a ballot to the voter. The voter recorded their selections online

and reviewed their choices on a confirmation screen. An affirmation screen appeared

for the voter to enter their digital signature password, and then click on the

Electronically Sign and Send button to transmit the voted ballot to the LEO. The voter

received notification that the LEO successfully received the E-Ballot.

FVAP required all system users, including voters and LEOS, to obtain DoD PKI

medium assurance X.509 digital certificates, to enable the system to identify and

authenticate users with a high degree of certainty. The issuing procedure for these

certificates required the recipient to appear in person before an issuing authority or a

trusted agent and present government-issued photo identification. After receiving and


33/49

signing the certificate document, the recipient had to access the PKI website, download

their certificate to a floppy disk and assign a password.

Standards UsedThe VOI pilot system went through two certification processes -- one prescribed by the

Department of Defense for information systems and the other prescribed by the State of

Florida for voting systems. The two certifications were combined into a single testing

campaign. The DoD Information Technology Security Certification and Accreditation

Process (DITSCAP) is a structured testing process to validate a systems functional and

security features. It provides a comprehensive approach to characterize the anticipated

threat scenario and the type and criticality of the system so appropriate testingprocedures and standards can be applied.93

The State of Florida requires voting systems to be tested against the Florida Voting

System Standards and certified by the State Division of Elections. Other participating

states used the National Association of State Election Directors (NASED) voting system

accreditation process based on the 1990 Federal Election Commission Voting System

Standards. Both of these standards were used as sources of testing requirements for

system functionality and some aspects of system security. However, neither included

security standards for Internet technology. The Federal Information Processing

Standards (FIPS) and other sources were used to develop testing requirements for the

security elements of the system.

The project team spent considerable time and effort reviewing, revising and adapting

testing requirements and procedures from these sources, first with the DITSCAP testing

group and then with the Florida certification experts. This required analyzing each

testing standard or procedure to determine if it could be directly applied to the VOI

system. In those instances where there was not a close fit, the intent of the standard or

procedure was considered and the wording modified to meet the intent. For example, it

was determined that the Florida design, construction and maintenance standards for

durable and reliable voting equipment were satisfied because the system used all COTS


34/49

equipment. In many instances the voting system standards did not apply because they

were intended for other types of voting technology. For example, card stock

specifications were not applicable because they were intended for paper ballots while

the VOI system used electronic ballots.94Level of Risk Assumed

The DoD Information Technology Security System Class analysis performed by the

independent testing organization rated the System Class level of the VOI system at 30

out of a possible 47 points. This rating was based on evaluation of the following factors:

interfacing mode (Benign), processing mode (System High), attribution mode

(Comprehensive), mission-reliance factor (Total), accessibility factor (As Soon As

Possible), accuracy factor (Exact), and information categories (Sensitive butUnclassified). The significance of this rating is that it indicates the level of analysis

required for system certification. VOI was classed as requiring Level 3, Detailed

Analysis.95

Recognizing the risks inherent in the system development process, FVAP and the states

requested pilot voters to also submit a ballot by mail as a back-up measure. This would

prevent an unexpected system outage or other malfunction from disenfranchising any

voters. Fifteen voters submitted only E-Ballots. Seven of the 69 mail ballots received

arrived after Election Day.

The participating states set a limit of 50 participants per jurisdiction to minimize the risk

to any single election.96

White hat penetration testing was performed as part of the system certification testing

process. Random penetration testing was performed as a system security validation

strategy while the system was in operation.


FVAP signed Memoranda of Agreement (MOAs) with all the participating states and

counties describing the roles and responsibilities of the parties.97FVAP was the

program manager and proponent. During the development phase FVAP was


35/49

responsible for funding; defining functional requirements; establishing standards for

security, operations and pubic information; approving the test plan; conducting system

acceptance testing; and obtaining system certification. Pilot jurisdictions assisted in

developing functional requirements and identifying potential voters; and pilotprocedures; provided personnel to operate their portion of the system; provided space,

power, connectivity and security for the system; participated in functional testing; and

pursued electronic voting and digital signature legislation, where needed to authorize

the pilot in their jurisdiction.

During the operational phase, FVAP was responsible for managing the overall system;

administering operating the central server site; providing a help desk for voters and

LEOs; collecting performance data; and assessing system performance. States andcounties were responsible for performing the LEO election process functions;

administering the LEO server sites; collecting and reporting performance data; and

working with FVAP to assess system performance. 98

Through the mechanism of these MOAs, FVAP and the participating states and counties

agreed to mutually undertake this project and accept the associated risks.

Benefits of Electronic Voting

1. Reduced Logistical ArrangementsA significant challenge for election administrators is the finalization of design, printing,

distribution, storage, security and counting of ballot papers. Electronic voting

technology can reduce or eliminate these ballot logistical arrangements.

2. Voter Identification PossibilitiesWhether in the polling station or remotely, the use of technology for the voting process

allows improved mechanisms for voter identification at the point of polling. This can be

done through biometric recognition systems such as automated fingerprint


36/49

identification systems or the use of multiple factor authentication (smartcard and

personal identification number). This significantly reduces voter registration fraud and

ensures that the person voting is the person on the voter register.

3. AccessibilityWhere remote electronic voting technology is used, there is a significant increase in

accessibility to the electoral process. It may make the process more engaging to groups

which are computer literate (e.g., young voters), but also make access to the ballot more

feasible for voting groups which currently struggle to participate in the process. Such

groups may include persons with disabilities, out of country voters (e.g., military and

diplomatic personnel) and residents of remote communities with no polling stationnearby.

4. Increased Speed of VotingIf voting technology is properly designed and sufficient voter education is conducted in

advance, electronic voting machines may lead to a faster voting process as there are

fewer steps. There would be no ballot issued to the voter and no need to fold and place

the ballot in the ballot box afterwards.

5. Ability to Deal With Complex ElectionsElectronic voting and counting technologies are generally able to deal with complex

elections easily. This includes more complex electoral systems, such as preference

voting and block voting, as well as holding multiple elections at the same time (e.g.,

concurrent presidential, parliamentary and local government elections).

6. Late Changes to the BallotWhile any last minute changes to the ballot should be avoided, last minute changes

through late inclusion or exclusion of a candidate or party, possibly as a result of court

cases, do happen. This results in election administrators having to manually amend


37/49

ballot papers which have already been printed. It can be easier to amend ballot design

software in affected constituencies later in the election process with electronic voting

and counting technologies compared to paper ballots; and much easier if voting is done

remotely (e.g., Internet voting).

7. Less Polling StaffWith a simpler process in the polling station, no ballot to be issued and no ballot box to

monitor, it may be possible to reduce the number of staff required for each polling

station. It is sometimes difficult to find staff for polling stations so this may be a

significant benefit. Where the technology also counts the ballots, it means polling staff

do not need to work as long on Election Day.

8. Access for People With Disabilities

Electronic voting and counting technologies can be developed to facilitate casting secret

ballots by voters with disabilities. These voters may normally require assisted voting,

violating their right to a secret ballot.

9. Problems in the Official StampThe need to have an official stamp on paper ballots can cause problems if polling staff

forget to stamp the ballot (thus invalidating the ballot) or if the stamp smudges on the

ballot, making it look like a second mark on the ballot (also invalidating the ballot).

Electronic voting technologies do not suffer from this problem.

10.Increase in TurnoutElectronic voting and counting technologies may increase turnout if these technologies

help improve trust in the electoral process; if the technology makes people more

interested in participating or increases access for certain communities.

11.Elimination of Invalid/Incorrectly Cast Ballots


38/49

In some countries significant numbers of ballots are deemed invalid and not counted.

Those voters are disenfranchised. Where ballots are cast and recorded electronically, the

electronic voting software can be configured to ensure only valid ballots are cast

(although blank ballots may still be allowed). Likewise where paper ballots are insertedinto an electronic ballot box, the validity and choices of the voter can be displayed,

allowing voters to change their ballot if a mistake was made.

12.Speed of CountingAn important advantage of using electronic voting technology, which directly record

votes electronically, is that results are immediately available after polls close, without a

lengthy counting process. Even when paper ballots are used, but electronically counted,the results are normally available a lot faster than manual counting.

13.Standard Adjudication of BallotsCounting paper ballots electronically ensures that the same kind of ballot marking is

adjudicated in the same manner across all polling stations. This ensures consistency on

which ballots are counted and which are determined to be invalid. This is often not the

case with manual counting of ballots.

14.Accurate Tabulation of ResultsWhen results are electronically recorded and transmitted to the election management

body (EMB) for tabulation, the possibility of data entry errors during results tabulation

is greatly diminished.

15.ImpartialityElectronic voting and counting technologies follow predefined rules and are

independent from human influence and impartial.


39/49

16.Fraud PreventionElectronic voting and counting technologies can mitigate some fraud in polling stations.

For example, some electronic voting and counting technologies only allow votes to be

cast at a certain speed, thus mitigating ballot stuffing. Similarly, electronic counting of

ballots mitigates fraud during the counting process. Electronic voting and counting

technologies cannot, however, eliminate all aspects of electoral fraud.

17.CostElectronic voting and counting technologies remove the need for expensive ballot

printing, distribution, storage, etc. However, these technologies also incur different

costs which need to be assessed over the life cycle of the technology.

Disadvantages of Electronic Voting

1. Lack of TransparencyTransparency is a key component of building and maintaining trust in the electoral

process. The paper balloting system is very transparent. Observers can watch ballots

being issued, voters placing their marked ballots in the ballot box and ballots beingcounted. Electronic voting technology, more so than electronic counting technology, is

often considered to be a black box. This is because it is not possible to observe the way

in which the selected choices of voters are aggregated to produce the results announced.

We simply have to trust that these results accurately reflect the choices made by voters.

This makes the checking of results produced by electronic voting and counting

technologies all the more important.

2. ConfidenceLack of transparency with electronic voting and counting technologies means that

confidence in the operation of the technology is a considerable problem. Election

management bodies need to ensure that trust in the electoral process is maintained.


40/49

Once trust is lost, it is difficult to re-establish. While the introduction of electronic

voting and counting technologies does not have to lead to an erosion of trust in the

electoral process, it has happened in some countries. Election management bodies are

likely to have to introduce new procedures, possibly random audit of results orpublication of source code for electronic voting and counting technologies, in order to

maintain trust in the process.

3. Audit of Results

A great strength of the paper balloting system is that if the results of an election are

challenged then the ballots can be recounted to check the result. Many electronic voting

machines6 have no such possibility for auditing and checking the results of an election.

The ability to audit and check is an important feature of building trust in the electoral

process and increasing acceptance of the results. Some electronic voting machines do

have what is called a Voter Verified Paper Audit Trail (VVPAT), which prints a copy of

the electronic ballot and is verified by the voter before casting the ballot. This VVPAT

can be used to audit/ check electronic results produced by the electronic voting

machine (EVM).

The provision of a VVPAT is increasingly seen as a standard for EVMs,7 but the

inclusion of a VVPAT does have cost and logistic implications.

4. Secrecy of the BallotA key international standard for elections is that it should not be possible to determine

how an individual voter has voted. Electronic voting and counting technologies can

undermine this secrecy. With some VVPAT systems, but not all, the order of ballots cast

is clear from the paper audit trail. If the order of voters is recorded by observers/party

agents then the way in which voters voted can be determined. Also, electronic voting

systems which identify the voter first (as all remote electronic voting systems must do)


41/49


42/49

most educated voters, may be confusing for illiterate and poorly educated voters. While

this is a genuine concern, it is worth noting that simpler electronic voting and counting

solutions have been successfully used for populations with high levels of illiteracy.

9. Digital DivideAccess that some voters may have to new voting technology, especially Internet voting

technology, may serve to exclude some sections of the community which do not have

such similar access to cast their ballot. This may increase barriers to participation

amongst poor, illiterate voters and violate the principle of equal access to the electoral

process for all eligible to participate.

10.Voter Education

A considerable amount of voter education would be required to educate and prepare

voters for a move to electronic voting technology, and to a lesser extent electronic

counting technology. This voter education exercise would likely be costly.

11.Specialized IT Skills

Maintenance and repair of hardware used by electronic voting and counting

technologies requires specialized IT skills which may or may not be available in

sufficient supply and at a reasonable cost in the local labor market. These skills may be

required centrally as well as at the local level in order to deal with problems closer to

Election Day if field based electronic voting or counting machines are used. More

specialized IT skills may even be required at the polling station in order to operate anyelectronic voting or counting technology being implemented there. If these skills are in

short supply then the use of electronic voting and counting technologies may either be

unsustainable or may require the expensive import of foreign expertise.

12.Integrity and Accuracy of Source Code


43/49

Electronic voting and counting technologies rely on software to function. This software

is a set of instructions to the electronic voting or counting system defining how it

operates. As with any set of instructions, mistakes can be made and a thorough review

of the source code has to be conducted before using any electronic voting or countingtechnologies. As it takes specialized technical skills to be able to read and understand

source code, an independent testing authority may be required to review any electronic

voting or counting system. This review would determine, to the greatest extent

possible, whether the system is functioning according to its specifications and whether

the system performs sufficiently well before it is accredited for use in an election.

13.Storage of EquipmentSome electronic voting and counting system hardware is required to be stored under

temperature controlled conditions between elections. Temperature controlled storage

may be difficult and costly to find, especially on a regional or local basis.

14.Environmental Considerations

Electronic voting and counting hardware, especially the machinery, may be required to

withstand and perform reliably under a wide range of environmental factors including

extreme heat, cold, humidity and dust. Finding electronic voting and counting solutions

which reliably operate in such situations may be difficult.

15.Power Considerations

Electronic voting and counting technologies require a source of power, with mostrunning on mains electricity. For solutions based in polling stations, chronic power

shortages or the lack of electricity entirely could require electronic voting or counting

machines to run for the entire period of polling on an alternative power source. Such

power requirements limit the options available.


44/49

16.SecurityDifferent security challenges are presented by electronic voting and counting

technologies compared to paper balloting systems. For example, electronic transmission

of results for tabulation presents the possibility for the system to be hacked and false

results be inserted. Secure systems of protection and verification for electronic data

need to be ensured.

17.Consequences of Fraud

While fraud conducted using the paper balloting system is often localized and not

widespread, the possibility exists with electronic voting and counting technologies for

fraud to be implemented on a nationwide scale. Electronic voting and counting

software could be manipulated to record vote preferences which are different from

those made by the voters, or fraud and manipulation could occur in the electronic

tabulation of results if such tabulation occurs directly from the electronic voting or

counting machines.

18.Management ComplexityManaging the introduction, testing, deployment, retrieval and security for electronic

technologies can be more complicated than managing a paper-based election. Election

management bodies often lack adequate experience in management of such complex

systems. This can lead to a heavy reliance on the technology contractor to the point of

surrendering control of the electoral process to a foreign entity.

19.Cost

The cost of electronic voting and counting machines ranges from $300 per unit for the

more simple solutions to approximately $5,000 per unit for more complex solutions.

When aggregated for an entire election this can represent a potentially huge investment


45/49

for many countries, although a full comparison against the costs of paper balloting

needs to take into consideration the life cycle of electronic voting and counting

technologies and the number of election cycles they would be expected to cover.

Definitions

ELECTRONIC VOTING

The term electronic voting (e-voting) covers a wide range of systems, encompassing any

and all systems where some part of the process is carried out electronically. These

systems include remote voting systems, where an individual will cast their vote

remotely via some electronic means, most commonly via a computer connected to the

Internet.

AUDIT TRAIL

A record showing who has accessed a computer system and what operations he or she

has performed during a given period of time. Audit trails are useful both for

maintaining security and for recovering lost transactions. Most accounting systems and

database management systems include an audit trail component. In addition, there are

separate audit trail software products that enable network administrators to monitor

use of network resources.

Red Team Attack!

One method of uncovering security flaws is the red team approach. The term red

team comes from military simulations. The red team represents the enemy and is

charged with finding and exploiting weaknesses in military strategy. In the world of e-

voting, red teams are groups of highly skilled people who use any means necessary to

uncover weak links in system security, including hacking into the software,

compromising the security of a systems memory device, or even testing to see if


46/49

election officials are susceptible to bribery. Vendors and election officials can then

address any flaws in the process.

Direct Recording Electronic Systems

A Direct Recording Electronic System is essentially a computer. Voters view ballots on a

screen and make choices using an input device such as a bank of buttons or a

touchscreen. Some DRE systems also employ a card swipe or cartridge system that must

be activated before a ballot can be cast. Votes are stored on a memory card, compact

disc or other memory device. Election officials transport these memory devices to a

centralized location for tabulation, just as they would with paper-based ballots. Some

machines have the capability to broadcast results over a modem-to-modem line, though

due to concerns about data security, these results are normally deemed unofficial until

they can be verified by tabulating the results stored on the memory devices. Many DRE

devices also have the capacity to print a paper record of ballots cast. Some, however,

have no corresponding paper trail.

Figure 6 A touch-screen DRE System


47/49

The Psychology of Electronic Voting

The public must trust that elections are fairly conducted in order for a democratic

government to be considered legitimate. If the public perceives elections to be unfair,

the foundation of the government is weakened. Whether electronic voting systems are

fair may not even matter; it is the public perception that is crucial. At the moment, the

latest electronic voting systems in use (particularly DRE systems, which according to

Election Data Services, serves as the voting equipment available for 38 percent of the

nations registered voters) are receiving a great deal of scrutiny and criticism. Citizens,

private companies and elected officials are spending more time carefully examining

these systems and the implications of their use.

Impartiality, Auditing Results and Cost

Transparency and fraud are both factors in another concern critics have of DRE systems:

impartiality. DRE systems are produced by private companies, and these companies

have not always been seen as politically neutral. Critics question if it is wise to entrust

public elections to private companies that have a vested interest in a particular partys

victory in the election.

Auditing is another important consideration in the use of DRE systems. HAVA requires

that all voting systems are auditable, both for recounts and to confirm that the system is

working properly. This is an ongoing struggle for computer scientists and vendors. It is

extremely difficult to create an auditing process that still preserves the anonymity of

voters. Some experts argue for a Voter Verified Paper Trail (VVPT), where both the

machines memory device and a physical paper trail record each ballot. Each voter
http://www.edssurvey.com/images/File/ve2006_nrpt.pdfhttp://www.edssurvey.com/images/File/ve2006_nrpt.pdfhttp://www.edssurvey.com/images/File/ve2006_nrpt.pdf


48/49

could then compare the paper trail to the results screen on the DRE monitor to verify

his vote was counted properly.

DRE systems cost more than other systems currently in use. Whats more, the ongoing

costs of maintaining DRE systems are unknown at this point. As with computer

systems, adjustments will need to be made to any DRE to fix bugs or make upgrades.

While states received money due to HAVA in 2002, that was a one-time grant.

Maintenance costs are left to the states. If vendors go out of business or consolidate, that

may affect the costs of maintaining hardware and software.

References

Caarls, S. (2010) E-voting Handbook: Key steps in the implementation of e-enabled elections,

Council of Europe Publishing: Strasbourg

Council of Europe

www.coe.int

Competence Center for Electronic Voting and Participation (E-Voting.CC)

www.e-voting.cc

IFES

www.ifes.org

International IDEA

www.idea.int

National Democratic Institute

www.ndi.org

Organization of American States
http://www.coe.int/http://www.coe.int/http://www.e-voting.cc/http://www.e-voting.cc/http://www.ifes.org/http://www.ifes.org/http://www.idea.int/http://www.idea.int/http://www.ndi.org/http://www.ndi.org/http://www.ndi.org/http://www.idea.int/http://www.ifes.org/http://www.e-voting.cc/http://www.coe.int/


49/49

www.oas.org

www.e-voting.cc/fi les/e-voting-history
http://www.oas.org/http://www.oas.org/http://www.oas.org/

Documents

Seminar Presentation:Electronic voting