Upload
alensvon-geoffrey
View
215
Download
0
Embed Size (px)
Citation preview
7/31/2019 Seminar Presentation:Electronic voting
1/49
Alensvon Geoffrey
Bct2410: Seminar Presentations
Topic: Electronic Voting
Introduction
Electronic voting and counting technologies are being increasingly used around the
world. India, the worlds largest democracy, now uses electronic voting machines
exclusively for national and provincial elections. Brazil, Belgium and the Philippines
also use electronic voting or counting technologies for all of their national elections.
Countries such as Estonia, Indonesia, Kazakhstan, Nepal, Norway, Pakistan, Russia and
the United States are at various stages of piloting or partially using electronic voting
and counting technologies, including the use of Internet voting.
Some countries, however, are moving in the opposite direction. The Netherlands, in
2008, after several decades of increasing use of electronic voting machines, decertified
all of its machines and moved back to paper balloting. Germany, likewise, recently
banned the use of electronic voting machines it had been using, and in Ireland 52
million1 worth of electronic voting machines were bought but only used for a smallpilot project. Furthermore, the use of electronic voting and counting technologies in the
United States is deeply controversial and generates fierce debate between advocates
and opponents of these technologies.
How are we to reconcile these very different approaches to the suitability of electronic
voting and counting technologies? For a country considering electronic voting or
counting technologies, which is the right approach and when is it advisable to proceed
using these technologies?
The answer is, of course, that there is no one answer. The factors which may push one
nation towards an electronic voting or counting technology may not be present for
another nation, or may indicate a different solution. The challenges of moving paper
ballots around large countries such as Russia and Kazakhstan make the use of electronic
7/31/2019 Seminar Presentation:Electronic voting
2/49
7/31/2019 Seminar Presentation:Electronic voting
3/49
cast a ballot via text message or SMS. In electronic counting an electronic device is used
to count the ballots cast, whether paper or electronic.
Any combination of manual/electronic voting/ counting is possible. A full electronic
solution involves an electronic voting machine, remote or otherwise, directly recording
the preference of the voter through a ballot interface (e.g., a touch screen), electronically
counting the votes received at the end of polling and providing these results to election
officials. Partial electronic solutions are also available whereby paper ballots are marked
manually but counted by machine (e.g., optical scan solutions) or an electronic device is
used to create a printed vote which is placed in the ballot box and counted by hand or
electronically.
The various technological solutions offered by electronic voting and counting
technologies mean there are many options available for election administrators while
considering the introduction of such technologies. Electronic voting and counting
technology vendors offer different ways of implementing each specific technical
solution.
Brief History of Electronic Voting
1955 -Erich Fromm presents the idea of communicating and decision-making via
interconnected technical devices.
1960 -The first computers for tabulating votes have been developed.
-The first punch card machines are developed and implemented.
1970 -Murry Turoff developed a computer supported Delphi panel, which provided
computer supported voting system. This Emergency Management Information
and Reference Index (EMISARI) was ready in 1972.
1971 -R. Buckminster Fuller introduced the concept of electrified voting in a
theoretical and ideally democratic world.
7/31/2019 Seminar Presentation:Electronic voting
4/49
1973 -The first efforts and developments in the area of optical scanninghave been
introduced.
1980 -Punch cards as voting technology were questioned regarding the accuracy of
the vote casting process.
1984 -The State of Illinois (US) started testingvote counting systems.
2000 -The United Kingdom launches a vast amount of trials and test projects to
discover the opportunities and challenges of Internet Voting.
2005 -First legally-binding Internet voting channel available at the local elections in
Estonia.
2007 -First Parliamentary elections in Estonia with an Internet voting channel
available for every eligible Estonian voter.
2008 -The German constitutional court ruling demands transparency and verification
mechanisms as an essential requirement for e-voting.
2008 -The Netherlands ban the use of electronic voting machines in elections.
2009 -Internet voting is used as an additional voting channel at the elections for the
Austrian Student Federation in Austria.
Today -In Estonia, 25% of the voters cast their vote over the Internet in the Parliament
elections.
-Norway introduces Internet voting at the municipal elections for predefined
communities.
7/31/2019 Seminar Presentation:Electronic voting
5/49
-Swiss living abroad have the ability to cast their vote over the Internet.
Points to Consider before Implementing Electronic Voting
General points to consider
Confidence
In recent years it has become clear that an e-voting system can only be introduced if
voters have confidence in their current electoral system. If it is trusted, voters are very
likely to have confidence in new e-enabled elections. However, confidence should not
be taken for granted and states need to do their utmost to ensure that it is preserved, all
the more so as once trust and public confidence are eroded, they are exceedingly hard
to restore. A trusted system gives scope for citizens and other stakeholders to ask
critical questions.
Fostering transparent practices in member states is a key element in building public
trust and confidence. Transparency about the e-voting system, the details of different
electoral procedures and the reasons for introducing e-voting will contribute to voters
knowledge and understanding, thereby generating trust and confidence among the
general public.
Although transparency, with documentation available to voters and other stakeholders,
is important, it will not be possible for everybody to understand the e-voting system. If
they are to have confidence in the electoral process, some voters need to rely on others
who are in a position to understand the equipment and the processes. It is therefore
essential that domestic and international observers as well as the media have as much
access as possible to relevant documents, meetings, activities, etc. Acting in a
transparent manner towards these specific and important groups will boost public trust
and confidence, because without transparency states cannot guarantee that an e-
7/31/2019 Seminar Presentation:Electronic voting
6/49
enabled election was conducted according to the democratic principles of free and fair
elections.
Some people argue that the introduction of e-voting can also boost public confidence.
However, building trust should never in itself be a reason for introducing e-voting.
Public debate
Before deciding to pilot or introduce e-voting, there should be sufficient public debate
on the subject. This is also a good way of finding out what voters want with regard to
elections. For example, are they in favour of Internet voting or would they prefer to
keep the current system? A public debate can foster the electorates confidence in the
system and provides transparency to the decision-making process. However, if nothandled well it may produce the opposite result. Political parties or other stakeholders
may argue against it because they think they would stand to lose if e-voting did not
engage their own voters.
One also has to be prepared to deal with unfounded allegations. People may claim that
the system does not work, or that they can hack into it (or have already done so). An
attack does not have to be successful technologically to be successful publicly. One has
to decide in advance how to deal with untrue or unfounded statements.
Accessibility
E-voting can provide great opportunities for improving certain groups access to the
election process. The following groups could benefit:
the visually impaired could use headphones connected to DREs and PCs if usingInternet voting;
citizens who are not normally able to go to a polling station to cast their vote cannow vote via the Internet from their own home;
the use of electronic media can also facilitate the use of official minoritylanguages, and this could lead to increasing involvement;
7/31/2019 Seminar Presentation:Electronic voting
7/49
military personnel overseas find it difficult to vote while on duty, so that e-voting might make it easier for them to participate in elections;
citizens living and working abroad face some of the same challenges as militarypersonnel, and so could similarly benefit from the introduction of e-voting.
E-voting should result in inclusion, never exclusion, of certain groups.
2.3. Technical points to consider
Open-source or proprietary software
Proprietary software is software which is licensed under exclusive legal rights held by
its owner. The buyer acquires the right to use the software under certain conditions, but
not for other purposes such as modification or further distribution. Open-source
software has freely available source codes which can grant users the right to use, study,
change, improve, expand and distribute the source code.
An important decision when defining an e-voting strategy is whether to use open-
source or proprietary software. This is especially relevant to the issue of confidence.
Several e-voting companies use proprietary software, which has the disadvantage that
in most cases the rights holder does not make the source code available to the general
public (or makes it available only partially or temporarily). In some cases a few selected
experts are given the possibility to review the source code. However, this is most likely
to be governed by strict rules, for example non-disclosure agreements barring the
electoral authority from revealing anything about the content of the source code, or its
conclusions or recommendations. This is not a very transparent process and will,
therefore, not contribute to building confidence.
7/31/2019 Seminar Presentation:Electronic voting
8/49
One advantage of open-source software is that it can increase the confidence of the
population and other parties involved in the e-voting system. This is reinforced by the
fact that the suppliers are independent and there is no vendor lock-in. Furthermore,information security is increased because the source code is available to all, and the
future stability of the chosen e-voting solutions is strengthened as the source code can
also be supported by third parties. Moreover, licence fee costs are lower because open-
source software is generally made available free of charge and the use of open
standards often means that fewer problems of connection to other software are
encountered. Proprietary systems also can, should and do use open standards like
Election Markup Language (EML) to increase interoperability, in conformity withwhatever requirements are set.
A third option is for a proprietary source code to be owned by the government, which
means that the government controls the source code and its distribution. This approach
allows the government, independent bodies and citizens to examine the source code
and to propose improvements if they wish. It is important, however, that governments
refrain from using ownership of the source code as an excuse to restrict distribution to a
select few or to not share it with others at all.
Identification and authentication of the voter
When e-voting is used at a polling station, the voter identification process can stay the
same, but it can also change if an electronic voter register is used. In this case,
arrangements need to be in place to ensure that the voters identity cannot be linked to
his/her vote (see 2.3.3). If biometric features have been used for the registration process
(see 3.4.1), these same features can be used for voter authentication.
Internet voting from home7 is different and a remote electronic identification system
must be developed. Voters could authenticate themselves with an electronic ID card or,
7/31/2019 Seminar Presentation:Electronic voting
9/49
where no such system exists, authenticate themselves by using a combination of
username and password with a control question (for example, date of birth). It is
important to realise that without a physical token, voter authentication is less reliable
and it is much easier to sell ones vote by disclosing username and password to a thirdperson.
It should be noted that when voters have to make up their own username and/or
password (for example, when registering to vote), they may forget or mislay the
username and/or password. So a system needs to be set up to provide a new username
and/or password at very short notice whilst at the same time ensuring that the voter
can only vote once.
Removing the link between vote and voter
In order to respect the secrecy of the ballot as one of the main principles of democratic
elections, it is important that at some point in the voting process the link between the
identity of the voter and the vote itself is broken. This should preferably happen
immediately after the voter has cast his/her vote.
Since the vote and the voter must not be linked, it is important to establish a procedure
governing who has access to the voting register and the voter registers (preferably
managed by different authorities), when and under what circumstances they will have
access, how long the registers will exist, and how and by whom they will be deleted. In
the case of reversible voting (see paragraph 2.1.2), specific technical solutions must be
put into place.
Design of the electronic ballot paper
Decisions have to be taken about the design and layout of the electronic ballot paper.
There are two possibilities:
the electronic ballot is exactly the same as the paper ballot;
7/31/2019 Seminar Presentation:Electronic voting
10/49
the electronic ballot has a different layout, for example because the paper ballotsare too large and their design does not lend itself to computer use. In this case a
two-stage approach may be necessary. The voter would first choose a party and
then, on the next screen, vote for his/her chosen candidate. The need to scrolldown the screen should be avoided, because it would jeopardise the equality of
the candidates: those whose names are only visible when a voter scrolls down
would be disadvantaged.
In particular in cases when electronic media are used alongside paper, one has to decide
how to deal with any difference in design, since this could also have legal repercussions
for the election.
Austria
For binding elections to the student bodies in 2009, the law provides in Article 43
HSWO that the electronic and paper ballot should both resemble as closely as possible
the original template in the law. As e-voting was conducted in the week before the
paper-based elections, a data entry error was found on the electronic ballot (one student
partys name was not complete) which could only be corrected on the paper ballot. This
problem can be overcome by certifying the e-ballot before the election starts.
The introduction of new voting technology could also serve as an opportunity to
improve the current design.
Confirmation of the vote
It is advisable to have the voter confirm his/her e-vote. The procedure would be as
follows: first, the voter votes for a party, a candidate, indicates one or more preferences,
casts a blank vote or votes yes or no in a referendum. Next, the voter receives an
overview of all his/her votes and is asked to confirm his/her choices. If the voter is not
satisfied with the overview, he/she should be able to return to the election or
7/31/2019 Seminar Presentation:Electronic voting
11/49
referendum options and change his/her vote. The voter would then receive a new
overview. Once satisfied, he/she should confirm his/her choices.
Since this is an additional, new step in the election process, special attention should be
paid to informing voters about this new procedure, as it has been found that it is notalways clear. Furthermore, it should be noted that if the confirmation stage is not
completed the voting process is potentially open to fraud, with polling station
personnel tempted to finish the casting of the vote.
Finland
The Finnish Ministry of Justice conducted an experiment with DREs in three
municipalities during the local elections on 26 October 2008. Owing to a usability issue,voting was prematurely aborted for 232 voters. The system required voters to insert a
smart card to identify themselves, type in their selected candidate number, then press
OK, check thecandidate details on the screen, and then press OK again. Some
voters did not press OK the second time, but instead removed for reasons unknown
their smart card from the voting terminal prematurely, with the result that their votes
were not recorded. On 9 April 2009 the Supreme Administrative Court ordered that
new elections be held in the three pilot municipalities.
Voting period
Citizens are generally accustomed to an election held on a single day, but this may be
extended if e-voting at polling stations is used. However, when introducing Internet
voting from home, consideration may be given to extending the voting period from a
few days to a few weeks. One advantage of this is to reduce demands on availability
and capacity. Note, however, that interest in the electoral campaign may wane if a
significant number of voters have already voted long before election day.
As regards the end of the Internet voting period, there are two options. Voting can end:
one or two days before election day. This would give the organizers extra time toupdate the voter register if necessary;
7/31/2019 Seminar Presentation:Electronic voting
12/49
at the same time as voting at the polling station. This requires that an onlinevoter register be in place.
Different types of electronic tools
1. Direct Recording Electronic computers (DREs). These are machines or computersnormally installed at a polling station, which record and simultaneously store the
vote. This can be done using a touch screen (with or without a specific pen) or
through a device which involves pressing one or more buttons.
2. Voting via the Internet. This can be done in a controlled area like a polling station orin a non-controlled area such as a kiosk or the home.
3. Optical and digital scanning devices which can be used in polling stations or in adesignated counting area to scan ballot papers. These are normally used to improve
the accuracy of the counting process and reduce potential manual counting errors.
However, the quality of the count depends on the correct marking of the ballot
paper and the quality of the ink used by the voter.
4. At a polling station, use of one medium to record the vote, which is then registeredin a ballot box on another device. This system differs substantially from a DRE inthat nothing is stored in the DRE and it is impossible for a voter to manipulate the
memory containing the vote.
Internet Voting Channels
The term Internet voting is used to refer to many different methods, or channels, of
voting. What these channels have in common is the use of the communications
connectivity and protocols provided by the Internet. The Internet is a global
information system composed of hundreds of thousands of independent computers and
networks that are logically linked together by a common set of communication
standards, procedures and formats. It provides the connectivity, message routing and
7/31/2019 Seminar Presentation:Electronic voting
13/49
end-to-end communication services that enable the development of a constantly
evolving array of information services.7
Figure 1 Internet Voting Classification
Figure 1-1 classifies Internet voting as a subset of electronic voting. For purposes of this
research, an Internet voting system was defined as any system where the voters ballot
selections are transmitted over the Internet from a location other than a polling place to
the entity conducting the election. Hence the term remote electronic voting is oftenused as a synonym for Internet voting. Based on this definition, blank ballot
distribution systems, online marking systems and public switched telephone network
(PSTN) systems are not considered Internet voting systems.
7/31/2019 Seminar Presentation:Electronic voting
14/49
As indicated in Figure 1-1, the remote voting location can be either a controlled or an
uncontrolled voting environment. A controlled environment means that the voting
platform (i.e., computer used for voting) was supplied by, and was under the control of,
the entity conducting the election. An uncontrolled environment means the votersupplies the computer used for voting, which might be their personal computer, their
workplace computer, or any other public computer.
There are two forms in which the voters ballot selections can be returned: electronic
ballot return, where the entire ballot document, including the voters sections, is
transmitted; or vote data return, where only the voters selections are transmitted.
There are three channels, or methods, for electronic ballot return:
a web-based communications application which uploads a digital representation of avoted ballot (e.g., pdf, jpeg, png) file to a website;
digital facsimile, where a voted ballot is scanned and transmitted as a graphics file;
and
email, where a digital representation (e.g., pdf, jpeg, png) of a voted ballot is
transmitted via email.
There are also three channels, or methods, for presentation of the ballot and vote data
return:
a web browser or computer application which the voter executes to display the ballot,
record selections and transmit selections;
a DRE or kiosk connected to the Internet to transmit vote data; and
a Voice Over Internet Protocol (VOIP) approach for the voter to access the ballot,
record selections and transmit selections.
This report includes examples of Internet voting systems using all of the above channels
of electronic ballot return and vote data return except systems utilizing email and fax
technology.
7/31/2019 Seminar Presentation:Electronic voting
15/49
Case Studies (Sample E-Voting Projects)
1. Okaloosa Distance Balloting Project (ODBP)Sponsor: Okaloosa County Supervisor of Elections
Election Type: General Election
Date or Voting Period: October-November 2008
Target Population: Military and Overseas voters
Channel: Controlled>Vote Data Return>DRE/KioskTechnology Provider: Scytl
Channel Protection: VPN, SSL, multiple layers of encryption and digitally
signed data
Participating Voters: 93
Authentication: Two factor: In person identification with photo ID,
digital certificate
The Supervisor of Elections in Okaloosa County, Florida, fielded a small pilot project for
the 2008 General Election, known as the Okaloosa Distance Balloting Pilot (ODBP).
There are numerous military installations representing every branch of the military
based in Okaloosa County. There are over 20,000 active duty service members and
dependents registered to vote in the county. To avoid the security concerns raised by
the SERVE project (see SERVE section), voting was conducted in a controlled voting
environment using a computer provided and administered by the local election office.
The voting sites, called kiosks, were set up in hotels in three overseas locations:
Mildenhall, England; Ramstein, Germany; and Kadena, Japan. These locations were
selected because they have U.S. military installations with high concentrations of
7/31/2019 Seminar Presentation:Electronic voting
16/49
Okaloosa voters. The sites in England and Germany were open for a 10 day period prior
to the election and closed 2 days before Election Day (October 24th through November
2nd). The Japan site was open for only 2 days, due to a last minute issue that required
finding a new location.
Figure 2 ODBP Kiosk Equipment
The ODBP architecture was composed of three segments: kiosk sites, the central servers
hosted in a commercial data center, and the Okaloosa elections office server and voter
registration database. Appendix C shows the physical equipment used at the kiosk
sites. The database was hosted in the county data center. As indicated in the figure that
follows, all communications between the various elements of the system were provided
by VPN connections through the Internet.
7/31/2019 Seminar Presentation:Electronic voting
17/49
Figure 3 ODBP System Architecture
The configuration of the Voter Authentication System consisted of a hardened laptop
computer, a printer, a bar code scanner and a smartcard reader. This system was used
to verify the voters eligibility; print the state required Voter Certificate; and extract
specified data elements from the voter registration database to encode a smart card
used to activate the voting session at the voting laptop. The Voter Authentication
System was connected to the Okaloosa voter registration database via the Internet to
update voter history data in real time.
The voting laptop configuration consisted of a touch screen connected to a laptop
computer, a smartcard reader and a printer. The entire Operating System (OS) the
voting laptop used (e.g., voting specifications) was written to read-only media, known
as the Live CD. The laptop was connected through a VPN to the central server.
When a voter arrived at the kiosk site, they presented a photo ID to the kiosk worker,
who validated the voters eligibility to vote using the voter registration database. If
verified, a Voter Certificate was printed so the voter could sign the state oath. This
document contained data such as voter name and address, date of birth, election
7/31/2019 Seminar Presentation:Electronic voting
18/49
identifier, voter registration number, precinct number and ballot style. Selected data
elements were captured in a bar code, which was scanned by the kiosk worker to write
the required voter credentials and ballot style information on a smart card.
The voter inserted the smart card in the reader attached to the voting computer toinitiate the voting session. The smart card data were transmitted to, and validated by,
the central server that returned an electronic ballot, along with the digital certificate
issued for that voter. The voter made their selections and received a paper record of
their choices to compare with the summary screen display. If the voter was satisfied
with their choices, they touched the Vote button. The voting software encrypted the
voters selections, applied the voters digital signature using their digital certificate and
transmitted the voters selections to the central server. A receipt was printed with arandomly generated code that the voter could use after the election to see if his ballot
was counted. Removal of the smart card closed out the voting session. The voter
returned the smart card to the kiosk worker along with the paper record, which was
stored in a receptacle and returned to Okaloosa County as part of the election records.
Since the kiosks were set up in hotel rooms, the only available physical security
measure was to lock the door when the kiosk was not in operation. Consequently, the
Live CD with the voting application and all other sensitive materials were removed
each day when kiosk operations ended and kept under the physical control of the kiosk
workers. Each morning the kiosk workers checked the tamper evident seals on the
computers, initialized the Voter Authentication System, checked the integrity of the
Live CD by verifying the hash, rebooted the voting laptop and established the VPN
link.52
The central server hosted the ballot database, delivered the correct ballot style to the
requesting voter, stored the encrypted voted ballots in an electronic ballot box, and
delivered the ballot box to the Okaloosa County Canvassing Board upon request after
the close of the election. The central server also maintained detailed audit logs of all
system transactions and events. The system software installed on the central servers
7/31/2019 Seminar Presentation:Electronic voting
19/49
was the same software tested, certified and digitally signed by the Florida Bureau of
Voting Systems Certification.
The computer designated as the mixing server in the architecture diagram is a critical
component of the voting system. This server was operated and administered by theelection office staff. Before the start of voting, the mixing server was used by the
Okaloosa Canvassing Board to generate a public/private key pair for the election. The
public key was used to encrypt the ballots cast by the voters. The private key was used
at the end of the election to decrypt the ballots. The private key was divided into shares,
which were distributed to the Canvassing Board members and then the key was erased
from the system. This ensured ballot contents could not be viewed during the voting
period. Multiple shares were required to reconstruct the key, so no single person coulddecrypt the ballots when the voting period closed. After this process was completed, the
mixing server was stored in the office vault.
At the end of the voting period, the bridge laptop was used to download the encrypted
ballot box from the central server. The ballot box file contained the ballots, which were
individually encrypted and digitally signed by the voters. Then, the entire file was
wrapped in another layer of encryption and transmitted. This file was manually
transferred to the mixing server by means of a USB memory stick because this server
was required to be isolated from any network. The mixing server verified that the
encrypted ballot box file had not been tampered with or corrupted during transmission.
Then the Canvassing Board reconstructed the private key and authorized the
decryption and tabulation of the ballots. This process breaks the correlation between
voters and ballots and mixes the ballot order to preserve anonymity. A tabulation
report was produced and the results manually uploaded to the county election
management system.
Standards Used
The Florida Administrative Rule 1S-2.030 Electronic Transmission of Absentee Ballots
authorized the project.53 This rule permits a supervisor of elections to provide overseas
7/31/2019 Seminar Presentation:Electronic voting
20/49
voters the option of voting by secure remote electronic transmission if certain
requirements were met. These requirements included the submission of a project plan
for approval by the State Division of Elections. The rule also specified the information
that the plan had to include. The project plan had to be approved by the FloridaDivision of Elections before the project could proceed.54
In addition, the system was required to be tested and certified for use by the Florida
Bureau of Voting Systems Certification. The test plan incorporated the administrative
rule requirements, the applicable Florida Voting System Standards, and additional
security standards defined to cover elements of the system not addressed by the Florida
standards. 55
Level of Risk AssumedThe security controls implemented in the ODBP project were defined following an ISO
27001 risk management approach. Florida Administrative Rule 1S-2.030 was the starting
point for security requirements. After identifying the vulnerabilities and security threats
to which the system could be exposed, a set of physical, logical and procedural security
controls were defined to prevent the materialization of threats or to mitigate their
impact. These security controls are summarized in Section 11 of the June 19 project
plan.56 A third party independent team of voting system experts conducted a software
review and analysis of the security architecture of the system and several elements were
modified based on the findings of this group.57
The level of risk assumed by ODBP personnel was very low due to a number of factors:
1. The system was designed with robust, multi-layered security architecture.2. The system utilized successfully implemented technologies used in a number of
previous government elections.
3. All ballot data was encrypted and digitally signed while in transit and in storage.4. All system communication was performed over dedicated virtual private
networks, established with digital certificates at both ends for strong
authentication.
5. Two levels of firewalls blocked public access to the system.
7/31/2019 Seminar Presentation:Electronic voting
21/49
6. Alternative communications paths were available to mitigate against denial ofservice attempts.
7. The voting sites were under the administrative control of the election office.8.
The integrity of kiosk voting software was validated each day.58
Entity Assuming Risk
The Supervisor of Elections of Okaloosa County and the Florida Secretary of States
office assumed the risk for this project. The elections supervisor was the system
proponent and the state tested and certified the system for use.
2. Secure Electronic Registration and Voting Experiment (SERVE)Election Type: General Election
Date or Voting Period: Scheduled for 2004 General Election
Target Population: Military and Overseas voters
Channel: Uncontrolled>Vote Data
Return>Web Application
Technology Provider: FVAP, Hart InterCivic
Channel Protection: SSL 3.0 with session keys, and
encrypted and digitally signed data
(SHA1 with DSA)
Participating Voters: 0
Authentication: Two factor: User name and
password, X .509 digital certificate
Following the completion of the Voting Over the Internet (VOI) project in 2000, in the
Fiscal Year 2002 National Defense Authorization Act (1604 of P.L. 107-107:115
Stat.1277), Congress instructed the Secretary of Defense to carry out a larger
demonstration project. The States of Arkansas, Florida, Hawaii, North Carolina, South
7/31/2019 Seminar Presentation:Electronic voting
22/49
Carolina, Utah, and Washington agreed to work with FVAP and ask counties to
participate in the Secure Electronic Registration and Voting Experiment (SERVE) project
for the November 2004 election. Fifty-five counties from Arkansas, Florida, Hawaii,
North Carolina, South Carolina, Utah and Washington chose to participate. However,the SERVE project was cancelled before it was deployed due to security concerns raised
by a group of computer scientists. These individuals publicly issued a critique of the
system contending that the use of personal computers over the Internet could not be
made secure enough for public elections and called for the project to be
terminated.65The Department of Defense, citing a lack of public confidence in the
system because of this report, decided that the project could not continue under these
circumstances.
The SERVE architecture was a central hosting environment with distributed access from
local election officials and voters using any computer that met the minimal
compatibility requirements. 66
7/31/2019 Seminar Presentation:Electronic voting
23/49
Figure 4 SERVE System Architecture
Nearly all system processing, except tabulation, was performed on the central server
site. The system software consisted of eight integrated subsystems: Identification and
Authentication; Common Services; Voter Registration; Election Administration; Ballot
Definition; Voting; Download and Decryption; and Tabulation. Each participating local
election jurisdiction (LEO) had a dedicated environment on the system to enable them
to independently administer their own election processes from any workstation in their
office.
There was an SFTP connection with the voter registration database server for
downloading the voter registration applications submitted on the system for There was
an SFTP connection with the voter registration database server for downloading the
voter registration applications submitted on the system for processing by the LEO. Each
LEO was provided a hardened laptop for the download, decryption and tabulation of
7/31/2019 Seminar Presentation:Electronic voting
24/49
ballots from the central hosting environment. Capabilities for local election officials
included voter registration, election definition, ballot, ballot decryption, ballot
tabulation, and voter history.
Voters were required to use a computer running a Windows Operating System witheither Netscape or Internet Explorer as the web browser. The voter needed to have a
SERVE digital certificate. System services for voters included: online voter registration
and updating of voter information online; ballot delivery and vote selection; and review
of their registration and voting status. When the voter finished making vote selections,
the selections were transmitted to temporary storage in the cast vote record database on
the central server.67 A summary was sent back to the voter to confirm the vote
selections as received by the cast vote record database were correct. Upon return of theconfirmation message by the voter, the vote selections were permanently stored in the
database on the central server until downloaded by the LEO.68
SERVE established its own X.509 compliant certificate authority using VeriSign roaming
certificates. 69Personal digital certificates were issued to all system users LEOS,
voters, and system administrators. Machine certificates were provided for LEO servers
exchanging non-ballot data with the central server and for all the central server
elements. This provided a complete audit trail of all user transactions and all machine-
generated events. A minimum of two LEO personal certificates plus a hardware token
with a password were required for the use of the LEO laptop to download, decrypt and
tabulate ballots.
If a voter had a Department of Defense (DoD) Common Access Card (CAC), they could
use that credential to identify themselves to the SERVE system. Upon the systems
verification of this credential against the DoD PKI Certificate Revocation List, the voter
was issued a SERVE certificate for future system access. The reason for replacing the
CAC with a SERVE credential was to enable voters to use any computer to access the
system and not be restricted by needing a card reader. The roaming certificate was
stored on the system and was accessed with the voters user name and password.
Voters who did not have a CAC card were issued a SERVE certificate by physically
7/31/2019 Seminar Presentation:Electronic voting
25/49
presenting themselves with a suitable identification document to a SERVE trusted
agent.
Figure 5 SERVE Voting Action Summary
Standards Used
The testing regimen planned for the SERVE system was a combined DoD Information
Technology Security Certification and Accreditation Process (DITSCAP), National
7/31/2019 Seminar Presentation:Electronic voting
26/49
Association of State Election Directors (NASED), and State of Florida certification and
accreditation process. As was the case with the earlier Voting Over the Internet project
(see VOI section), the available voting system standards did not include standards for
the more advanced technologies employed, such as cryptography, digital certificatesand the Internet. The SERVE project team began with the VOI testing requirements and
expanded them to cover all the elements of the system security architecture and
communications links.70In addition to the Florida Voting System Standards and the
2002 Federal Election Commission Voting System Standards, a variety of Federal
Information Processing Standards (FIPS), ISO standards, the Open Web Application
Security Project standards and Common Criteria Protection Profiles Guidelines were
drawn upon to provide the system testing requirements. The results of the SERVEThreat Risk Assessment process identified areas where additional security testing was
needed.
Level of Risk Assumed
The SERVE project used the Facilitated Risk Analysis Procedure (FRAP) methodology
as the basis for its phased risk assessment activity. FRAP uses a diverse team of subject
matter experts to identify the pool of risks and rank them in a comparative fashion. The
process is not designed to create hard risk values but rather comparative risk qualifiers
to give system designers and project managers the ability to focus on the risks with the
highest priority for the project. While different teams of experts might assign different
levels of risk ratings to risk elements, the design of the methodology causes the overall
ranking of the risks to remain generally the same. Portions of the National Security
Agency INFOSEC Assessment Methodology were employed to create information
criticality ratings. NSA, as a detailed and systematic way of examining cyber
vulnerabilities, developed this methodology. The results of the risk assessment were
used in the system security architecture design phase and also factored into the system
testing requirements.
7/31/2019 Seminar Presentation:Electronic voting
27/49
As a generalized statement of the acceptable level of risk, the SERVE Report states, At
the very least, any new form of absentee voting should be as secure as current absentee
voting systems.71However, a risk assessment has not been performed on the by mail
UOCAVA absentee process, so there is no baseline for making a comparison. The threatprofile for voting by mail is significantly different than the threat profile for Internet
voting.
Entity Assuming Risk
Different levels of risk applied to each of the entities participating in the project,
depending on their system role. FVAP relied on due diligence of conducting a formal
phased risk assessment throughout the system development cycle; monitoring andreview of system development process; developing system security requirements to be
responsive to risks; collaborative development of system requirements with states and
counties; conducting thorough certification and accreditation testing for conformance to
both functional and security requirements and doing third party penetration testing
prior to deployment.72
After deployment, the use of random third party penetration testing, continuous
monitoring of system performance audit logs with pre-specified alarm conditions, and
random third party review of system audit logs were planned as mechanisms to
maintain awareness of the threat environment.
State election office due diligence consisted of relying on FVAPs due diligence;
participating in the development of system requirements; participating in system
design reviews; approving the system design; participating, reviewing and approving
certification and accreditation testing and possibly doing their own acceptance testing;
and participating in system administration decisions in the event of detected anomalous
activity during the systems operation.73
Local election office due diligence relied upon FVAPs and their States actions,
performing their own Logic & Accuracy testing, and adhering to system operating and
security procedures. 74
7/31/2019 Seminar Presentation:Electronic voting
28/49
Voters assumed the risk of keeping their personal computers free of malware, properly
protecting their electronic credentials to prevent fraudulent use, reliable service from
their ISP provider, and using an experimental system.
3. Voting Over the Internet (VOI)Sponsor: FVAP; South Carolina (Statewide);
Okaloosa County, FL; Orange County,
FL; Dallas County, TX; Weber County,
UT
Election Type: General ElectionDate or Voting Period: September - November 2000
Target Population: UOCAVA voters
Channel: Uncontrolled>Vote Data Return>Web
Application
Technology Provider: U.S. Department of Defense (DoD)
FVAP
Channel Protection: VPN between central server and
servers at state/county offices; SSL
between voters and central server;
session and object encryption
Participating Voters: 84
Authentication: Two factor: User name and password
with hard token DoD PKI medium
assurance (X.509) digital certificate
The Voting Over the Internet (VOI) project was a small project implemented
cooperatively by the Federal Voting Assistance Program (FVAP), South Carolina
7/31/2019 Seminar Presentation:Electronic voting
29/49
(Statewide); Okaloosa County, FL; Orange County, FL; Dallas County, TX; Weber
County, UT. The pilot project was designed to examine the feasibility of using the
Internet for remote registration and voting in an effort to overcome the time and
distance barriers faced by UOCAVA voters. This was the first time that binding voteswere cast over the Internet for federal, state, and local offices, including the President
and Members of Congress.88
The VOI architecture was composed of three segments: the central server site
administered by FVAP, the local election office (LEO) server sites administered by the
county election offices and the South Carolina State Board of Elections, and the
computers used by the voters.
All system communications took place over the Internet. External communications
connections were configured so that voters could only connect to the central server, and
only the central server could communicate with the LEO servers. An Intrusion
Detection System on the central server monitored all traffic.
7/31/2019 Seminar Presentation:Electronic voting
30/49
The central server site, administered by FVAP, was the focal point for all system
services. It included a server, operating system, database management software,
application server software, and the VOI custom-developed software. From a functionalperspective, the central server identified and authenticated users, allowed users to
transfer Electronic Federal Post Card Applications (EFPCAs) and electronic ballots to
and from the LEO servers, and performed a postmarking function of time-stamping
all transactions. The content of all transactions passed through the central server in
encrypted form; only the addressing information could be read for message routing.
The central server provided these functions: authenticated voters and objects;
transmitted blank EFPCAs to voters; received completed EFPCAs from voters andforwarded them to LEOs; received blank ballots from LEOs and forwarded them to
voters; received voted ballots and forwarded them to LEOs; received and forwarded
status messages to voters; maintained transaction and security audit logs; and archived
data.89
One of the challenges faced by the project was finding an efficient and reliable method
for converting ballot data from the native formats of the various Election Management
Systems (EMS) and other applications (e.g., Pagemaker) into the format required for
electronic transmission and vote capture. The final solution was to develop a software
application, called the Electronic Ballot Tool. This tool provided the following
functionality: Web interface and step-by-step assistance for the creation of electronic
ballots, including defining races, candidates, questions, oaths and instructions; dual
language capability for those jurisdictions required to provide ballots in languages
other than English; and preparation of final electronic ballot files for transmission to the
LEO workstation. LEOs copied the completed ballot files to a floppy disk to upload to
the LEO VOI server. The ballot tool server did not retain ballot files.90Each LEO site
had a server that connected only to the central server to transmit and receive EFPCAs,
electronic ballots and voter status messages. The server utilized a database of voter
information and ballot assignment information to match each voter with the correct
7/31/2019 Seminar Presentation:Electronic voting
31/49
ballot style. Each server stored completed EFPCAs, blank electronic ballots, and voted
electronic ballots for its county. The South Carolina server was operated by the State
Board of Elections and contained information for all the counties in the state. After the
close of the voting period, the LEO servers supported ballot reconciliation and ballotprocessing. The LEO server could authenticate objects; maintain transaction and
security logs; print records; and archive data.
Ballot reconciliation is a procedure to ensure that only one ballot is counted for each
voter. Each LEO had a list of voters requesting to participate in the pilot. If anyone on
this list returned a ballot by mail, the ballot was held aside unopened until the end of
the voting period. If a voter returned voted ballots by both channels, the electronic
ballot was counted and the mail ballot remained unopened. Ballot processing is theprocedure whereby the voters identity is separated from the electronic ballot, and the
ballot is decrypted and printed. The LEOs transcribed the votes from the HTML-
formatted ballots to ballots that could be tabulated by the local tabulating process.
To use the VOI system, the voters computer had to run a Microsoft Windows 95/98
operating system, have a connection to the Internet, and have Netscape Navigator
browser Version 4.05 or higher installed. MacIntosh and UNIX platforms could not be
used, nor could Microsofts Internet Explorer browser. Custom software to enable VOI-
specific functions, in the form of a browser plug-in, was provided on a CD-ROM sent
to each voter. The CD-ROM contained the required version of the Netscape Navigator
browser for voters who needed to upgrade their software to be compatible. The voter
needed to have a DoD PKI digital certificate stored on a floppy disk or pre-loaded in the
browser.
The voter used their computer to access the VOI central server; request, complete and
submit an EFPCA; request, vote and submit an electronic ballot; and make a status
request. The LEO server could respond with a number of status conditions such as no
EFPCA received, EFPCA denied, EFPCA pending, E-Ballot available, E-Ballot received.
The voter took the following actions to use the VOI system:
1) Notify their LEO that they wanted to volunteer for the project.
7/31/2019 Seminar Presentation:Electronic voting
32/49
2) Obtain a digital certificate.
3) Receive the VOI software and install it on their computer.91
After completing these activities the voter could logon to the system as follows:
1) Insert the floppy disk with digital certificate into disk drive.
2) Start Netscape Communicator.
3) Enter the URL provided by FVAP.
4) Enter the certificate password at the login screen.92
Each voter completed and submitted an EFPCA so the LEO had current voter
information to assign the appropriate ballot style. When the form was completed, the
voter received a blank Affirmation Statement. The voter entered their certificate
password again to digitally sign the form before transmitting it to the LEO. In addition
to being a voter registration application and absentee ballot request, this activity
enrolled the voter on the system access list.
After the LEO approved the EFPCA and the voting period began, the voter requested a
blank ballot using the same login process described above. When the LEO received this
request, they transmitted a ballot to the voter. The voter recorded their selections online
and reviewed their choices on a confirmation screen. An affirmation screen appeared
for the voter to enter their digital signature password, and then click on the
Electronically Sign and Send button to transmit the voted ballot to the LEO. The voter
received notification that the LEO successfully received the E-Ballot.
FVAP required all system users, including voters and LEOS, to obtain DoD PKI
medium assurance X.509 digital certificates, to enable the system to identify and
authenticate users with a high degree of certainty. The issuing procedure for these
certificates required the recipient to appear in person before an issuing authority or a
trusted agent and present government-issued photo identification. After receiving and
7/31/2019 Seminar Presentation:Electronic voting
33/49
signing the certificate document, the recipient had to access the PKI website, download
their certificate to a floppy disk and assign a password.
Standards UsedThe VOI pilot system went through two certification processes -- one prescribed by the
Department of Defense for information systems and the other prescribed by the State of
Florida for voting systems. The two certifications were combined into a single testing
campaign. The DoD Information Technology Security Certification and Accreditation
Process (DITSCAP) is a structured testing process to validate a systems functional and
security features. It provides a comprehensive approach to characterize the anticipated
threat scenario and the type and criticality of the system so appropriate testingprocedures and standards can be applied.93
The State of Florida requires voting systems to be tested against the Florida Voting
System Standards and certified by the State Division of Elections. Other participating
states used the National Association of State Election Directors (NASED) voting system
accreditation process based on the 1990 Federal Election Commission Voting System
Standards. Both of these standards were used as sources of testing requirements for
system functionality and some aspects of system security. However, neither included
security standards for Internet technology. The Federal Information Processing
Standards (FIPS) and other sources were used to develop testing requirements for the
security elements of the system.
The project team spent considerable time and effort reviewing, revising and adapting
testing requirements and procedures from these sources, first with the DITSCAP testing
group and then with the Florida certification experts. This required analyzing each
testing standard or procedure to determine if it could be directly applied to the VOI
system. In those instances where there was not a close fit, the intent of the standard or
procedure was considered and the wording modified to meet the intent. For example, it
was determined that the Florida design, construction and maintenance standards for
durable and reliable voting equipment were satisfied because the system used all COTS
7/31/2019 Seminar Presentation:Electronic voting
34/49
equipment. In many instances the voting system standards did not apply because they
were intended for other types of voting technology. For example, card stock
specifications were not applicable because they were intended for paper ballots while
the VOI system used electronic ballots.94Level of Risk Assumed
The DoD Information Technology Security System Class analysis performed by the
independent testing organization rated the System Class level of the VOI system at 30
out of a possible 47 points. This rating was based on evaluation of the following factors:
interfacing mode (Benign), processing mode (System High), attribution mode
(Comprehensive), mission-reliance factor (Total), accessibility factor (As Soon As
Possible), accuracy factor (Exact), and information categories (Sensitive butUnclassified). The significance of this rating is that it indicates the level of analysis
required for system certification. VOI was classed as requiring Level 3, Detailed
Analysis.95
Recognizing the risks inherent in the system development process, FVAP and the states
requested pilot voters to also submit a ballot by mail as a back-up measure. This would
prevent an unexpected system outage or other malfunction from disenfranchising any
voters. Fifteen voters submitted only E-Ballots. Seven of the 69 mail ballots received
arrived after Election Day.
The participating states set a limit of 50 participants per jurisdiction to minimize the risk
to any single election.96
White hat penetration testing was performed as part of the system certification testing
process. Random penetration testing was performed as a system security validation
strategy while the system was in operation.
Entity Assuming Risk
FVAP signed Memoranda of Agreement (MOAs) with all the participating states and
counties describing the roles and responsibilities of the parties.97FVAP was the
program manager and proponent. During the development phase FVAP was
7/31/2019 Seminar Presentation:Electronic voting
35/49
responsible for funding; defining functional requirements; establishing standards for
security, operations and pubic information; approving the test plan; conducting system
acceptance testing; and obtaining system certification. Pilot jurisdictions assisted in
developing functional requirements and identifying potential voters; and pilotprocedures; provided personnel to operate their portion of the system; provided space,
power, connectivity and security for the system; participated in functional testing; and
pursued electronic voting and digital signature legislation, where needed to authorize
the pilot in their jurisdiction.
During the operational phase, FVAP was responsible for managing the overall system;
administering operating the central server site; providing a help desk for voters and
LEOs; collecting performance data; and assessing system performance. States andcounties were responsible for performing the LEO election process functions;
administering the LEO server sites; collecting and reporting performance data; and
working with FVAP to assess system performance. 98
Through the mechanism of these MOAs, FVAP and the participating states and counties
agreed to mutually undertake this project and accept the associated risks.
Benefits of Electronic Voting
1. Reduced Logistical ArrangementsA significant challenge for election administrators is the finalization of design, printing,
distribution, storage, security and counting of ballot papers. Electronic voting
technology can reduce or eliminate these ballot logistical arrangements.
2. Voter Identification PossibilitiesWhether in the polling station or remotely, the use of technology for the voting process
allows improved mechanisms for voter identification at the point of polling. This can be
done through biometric recognition systems such as automated fingerprint
7/31/2019 Seminar Presentation:Electronic voting
36/49
identification systems or the use of multiple factor authentication (smartcard and
personal identification number). This significantly reduces voter registration fraud and
ensures that the person voting is the person on the voter register.
3. AccessibilityWhere remote electronic voting technology is used, there is a significant increase in
accessibility to the electoral process. It may make the process more engaging to groups
which are computer literate (e.g., young voters), but also make access to the ballot more
feasible for voting groups which currently struggle to participate in the process. Such
groups may include persons with disabilities, out of country voters (e.g., military and
diplomatic personnel) and residents of remote communities with no polling stationnearby.
4. Increased Speed of VotingIf voting technology is properly designed and sufficient voter education is conducted in
advance, electronic voting machines may lead to a faster voting process as there are
fewer steps. There would be no ballot issued to the voter and no need to fold and place
the ballot in the ballot box afterwards.
5. Ability to Deal With Complex ElectionsElectronic voting and counting technologies are generally able to deal with complex
elections easily. This includes more complex electoral systems, such as preference
voting and block voting, as well as holding multiple elections at the same time (e.g.,
concurrent presidential, parliamentary and local government elections).
6. Late Changes to the BallotWhile any last minute changes to the ballot should be avoided, last minute changes
through late inclusion or exclusion of a candidate or party, possibly as a result of court
cases, do happen. This results in election administrators having to manually amend
7/31/2019 Seminar Presentation:Electronic voting
37/49
ballot papers which have already been printed. It can be easier to amend ballot design
software in affected constituencies later in the election process with electronic voting
and counting technologies compared to paper ballots; and much easier if voting is done
remotely (e.g., Internet voting).
7. Less Polling StaffWith a simpler process in the polling station, no ballot to be issued and no ballot box to
monitor, it may be possible to reduce the number of staff required for each polling
station. It is sometimes difficult to find staff for polling stations so this may be a
significant benefit. Where the technology also counts the ballots, it means polling staff
do not need to work as long on Election Day.
8. Access for People With Disabilities
Electronic voting and counting technologies can be developed to facilitate casting secret
ballots by voters with disabilities. These voters may normally require assisted voting,
violating their right to a secret ballot.
9. Problems in the Official StampThe need to have an official stamp on paper ballots can cause problems if polling staff
forget to stamp the ballot (thus invalidating the ballot) or if the stamp smudges on the
ballot, making it look like a second mark on the ballot (also invalidating the ballot).
Electronic voting technologies do not suffer from this problem.
10.Increase in TurnoutElectronic voting and counting technologies may increase turnout if these technologies
help improve trust in the electoral process; if the technology makes people more
interested in participating or increases access for certain communities.
11.Elimination of Invalid/Incorrectly Cast Ballots
7/31/2019 Seminar Presentation:Electronic voting
38/49
In some countries significant numbers of ballots are deemed invalid and not counted.
Those voters are disenfranchised. Where ballots are cast and recorded electronically, the
electronic voting software can be configured to ensure only valid ballots are cast
(although blank ballots may still be allowed). Likewise where paper ballots are insertedinto an electronic ballot box, the validity and choices of the voter can be displayed,
allowing voters to change their ballot if a mistake was made.
12.Speed of CountingAn important advantage of using electronic voting technology, which directly record
votes electronically, is that results are immediately available after polls close, without a
lengthy counting process. Even when paper ballots are used, but electronically counted,the results are normally available a lot faster than manual counting.
13.Standard Adjudication of BallotsCounting paper ballots electronically ensures that the same kind of ballot marking is
adjudicated in the same manner across all polling stations. This ensures consistency on
which ballots are counted and which are determined to be invalid. This is often not the
case with manual counting of ballots.
14.Accurate Tabulation of ResultsWhen results are electronically recorded and transmitted to the election management
body (EMB) for tabulation, the possibility of data entry errors during results tabulation
is greatly diminished.
15.ImpartialityElectronic voting and counting technologies follow predefined rules and are
independent from human influence and impartial.
7/31/2019 Seminar Presentation:Electronic voting
39/49
16.Fraud PreventionElectronic voting and counting technologies can mitigate some fraud in polling stations.
For example, some electronic voting and counting technologies only allow votes to be
cast at a certain speed, thus mitigating ballot stuffing. Similarly, electronic counting of
ballots mitigates fraud during the counting process. Electronic voting and counting
technologies cannot, however, eliminate all aspects of electoral fraud.
17.CostElectronic voting and counting technologies remove the need for expensive ballot
printing, distribution, storage, etc. However, these technologies also incur different
costs which need to be assessed over the life cycle of the technology.
Disadvantages of Electronic Voting
1. Lack of TransparencyTransparency is a key component of building and maintaining trust in the electoral
process. The paper balloting system is very transparent. Observers can watch ballots
being issued, voters placing their marked ballots in the ballot box and ballots beingcounted. Electronic voting technology, more so than electronic counting technology, is
often considered to be a black box. This is because it is not possible to observe the way
in which the selected choices of voters are aggregated to produce the results announced.
We simply have to trust that these results accurately reflect the choices made by voters.
This makes the checking of results produced by electronic voting and counting
technologies all the more important.
2. ConfidenceLack of transparency with electronic voting and counting technologies means that
confidence in the operation of the technology is a considerable problem. Election
management bodies need to ensure that trust in the electoral process is maintained.
7/31/2019 Seminar Presentation:Electronic voting
40/49
Once trust is lost, it is difficult to re-establish. While the introduction of electronic
voting and counting technologies does not have to lead to an erosion of trust in the
electoral process, it has happened in some countries. Election management bodies are
likely to have to introduce new procedures, possibly random audit of results orpublication of source code for electronic voting and counting technologies, in order to
maintain trust in the process.
3. Audit of Results
A great strength of the paper balloting system is that if the results of an election are
challenged then the ballots can be recounted to check the result. Many electronic voting
machines6 have no such possibility for auditing and checking the results of an election.
The ability to audit and check is an important feature of building trust in the electoral
process and increasing acceptance of the results. Some electronic voting machines do
have what is called a Voter Verified Paper Audit Trail (VVPAT), which prints a copy of
the electronic ballot and is verified by the voter before casting the ballot. This VVPAT
can be used to audit/ check electronic results produced by the electronic voting
machine (EVM).
The provision of a VVPAT is increasingly seen as a standard for EVMs,7 but the
inclusion of a VVPAT does have cost and logistic implications.
4. Secrecy of the BallotA key international standard for elections is that it should not be possible to determine
how an individual voter has voted. Electronic voting and counting technologies can
undermine this secrecy. With some VVPAT systems, but not all, the order of ballots cast
is clear from the paper audit trail. If the order of voters is recorded by observers/party
agents then the way in which voters voted can be determined. Also, electronic voting
systems which identify the voter first (as all remote electronic voting systems must do)
7/31/2019 Seminar Presentation:Electronic voting
41/49
7/31/2019 Seminar Presentation:Electronic voting
42/49
most educated voters, may be confusing for illiterate and poorly educated voters. While
this is a genuine concern, it is worth noting that simpler electronic voting and counting
solutions have been successfully used for populations with high levels of illiteracy.
9. Digital DivideAccess that some voters may have to new voting technology, especially Internet voting
technology, may serve to exclude some sections of the community which do not have
such similar access to cast their ballot. This may increase barriers to participation
amongst poor, illiterate voters and violate the principle of equal access to the electoral
process for all eligible to participate.
10.Voter Education
A considerable amount of voter education would be required to educate and prepare
voters for a move to electronic voting technology, and to a lesser extent electronic
counting technology. This voter education exercise would likely be costly.
11.Specialized IT Skills
Maintenance and repair of hardware used by electronic voting and counting
technologies requires specialized IT skills which may or may not be available in
sufficient supply and at a reasonable cost in the local labor market. These skills may be
required centrally as well as at the local level in order to deal with problems closer to
Election Day if field based electronic voting or counting machines are used. More
specialized IT skills may even be required at the polling station in order to operate anyelectronic voting or counting technology being implemented there. If these skills are in
short supply then the use of electronic voting and counting technologies may either be
unsustainable or may require the expensive import of foreign expertise.
12.Integrity and Accuracy of Source Code
7/31/2019 Seminar Presentation:Electronic voting
43/49
Electronic voting and counting technologies rely on software to function. This software
is a set of instructions to the electronic voting or counting system defining how it
operates. As with any set of instructions, mistakes can be made and a thorough review
of the source code has to be conducted before using any electronic voting or countingtechnologies. As it takes specialized technical skills to be able to read and understand
source code, an independent testing authority may be required to review any electronic
voting or counting system. This review would determine, to the greatest extent
possible, whether the system is functioning according to its specifications and whether
the system performs sufficiently well before it is accredited for use in an election.
13.Storage of EquipmentSome electronic voting and counting system hardware is required to be stored under
temperature controlled conditions between elections. Temperature controlled storage
may be difficult and costly to find, especially on a regional or local basis.
14.Environmental Considerations
Electronic voting and counting hardware, especially the machinery, may be required to
withstand and perform reliably under a wide range of environmental factors including
extreme heat, cold, humidity and dust. Finding electronic voting and counting solutions
which reliably operate in such situations may be difficult.
15.Power Considerations
Electronic voting and counting technologies require a source of power, with mostrunning on mains electricity. For solutions based in polling stations, chronic power
shortages or the lack of electricity entirely could require electronic voting or counting
machines to run for the entire period of polling on an alternative power source. Such
power requirements limit the options available.
7/31/2019 Seminar Presentation:Electronic voting
44/49
16.SecurityDifferent security challenges are presented by electronic voting and counting
technologies compared to paper balloting systems. For example, electronic transmission
of results for tabulation presents the possibility for the system to be hacked and false
results be inserted. Secure systems of protection and verification for electronic data
need to be ensured.
17.Consequences of Fraud
While fraud conducted using the paper balloting system is often localized and not
widespread, the possibility exists with electronic voting and counting technologies for
fraud to be implemented on a nationwide scale. Electronic voting and counting
software could be manipulated to record vote preferences which are different from
those made by the voters, or fraud and manipulation could occur in the electronic
tabulation of results if such tabulation occurs directly from the electronic voting or
counting machines.
18.Management ComplexityManaging the introduction, testing, deployment, retrieval and security for electronic
technologies can be more complicated than managing a paper-based election. Election
management bodies often lack adequate experience in management of such complex
systems. This can lead to a heavy reliance on the technology contractor to the point of
surrendering control of the electoral process to a foreign entity.
19.Cost
The cost of electronic voting and counting machines ranges from $300 per unit for the
more simple solutions to approximately $5,000 per unit for more complex solutions.
When aggregated for an entire election this can represent a potentially huge investment
7/31/2019 Seminar Presentation:Electronic voting
45/49
for many countries, although a full comparison against the costs of paper balloting
needs to take into consideration the life cycle of electronic voting and counting
technologies and the number of election cycles they would be expected to cover.
Definitions
ELECTRONIC VOTING
The term electronic voting (e-voting) covers a wide range of systems, encompassing any
and all systems where some part of the process is carried out electronically. These
systems include remote voting systems, where an individual will cast their vote
remotely via some electronic means, most commonly via a computer connected to the
Internet.
AUDIT TRAIL
A record showing who has accessed a computer system and what operations he or she
has performed during a given period of time. Audit trails are useful both for
maintaining security and for recovering lost transactions. Most accounting systems and
database management systems include an audit trail component. In addition, there are
separate audit trail software products that enable network administrators to monitor
use of network resources.
Red Team Attack!
One method of uncovering security flaws is the red team approach. The term red
team comes from military simulations. The red team represents the enemy and is
charged with finding and exploiting weaknesses in military strategy. In the world of e-
voting, red teams are groups of highly skilled people who use any means necessary to
uncover weak links in system security, including hacking into the software,
compromising the security of a systems memory device, or even testing to see if
7/31/2019 Seminar Presentation:Electronic voting
46/49
election officials are susceptible to bribery. Vendors and election officials can then
address any flaws in the process.
Direct Recording Electronic Systems
A Direct Recording Electronic System is essentially a computer. Voters view ballots on a
screen and make choices using an input device such as a bank of buttons or a
touchscreen. Some DRE systems also employ a card swipe or cartridge system that must
be activated before a ballot can be cast. Votes are stored on a memory card, compact
disc or other memory device. Election officials transport these memory devices to a
centralized location for tabulation, just as they would with paper-based ballots. Some
machines have the capability to broadcast results over a modem-to-modem line, though
due to concerns about data security, these results are normally deemed unofficial until
they can be verified by tabulating the results stored on the memory devices. Many DRE
devices also have the capacity to print a paper record of ballots cast. Some, however,
have no corresponding paper trail.
Figure 6 A touch-screen DRE System
7/31/2019 Seminar Presentation:Electronic voting
47/49
The Psychology of Electronic Voting
The public must trust that elections are fairly conducted in order for a democratic
government to be considered legitimate. If the public perceives elections to be unfair,
the foundation of the government is weakened. Whether electronic voting systems are
fair may not even matter; it is the public perception that is crucial. At the moment, the
latest electronic voting systems in use (particularly DRE systems, which according to
Election Data Services, serves as the voting equipment available for 38 percent of the
nations registered voters) are receiving a great deal of scrutiny and criticism. Citizens,
private companies and elected officials are spending more time carefully examining
these systems and the implications of their use.
Impartiality, Auditing Results and Cost
Transparency and fraud are both factors in another concern critics have of DRE systems:
impartiality. DRE systems are produced by private companies, and these companies
have not always been seen as politically neutral. Critics question if it is wise to entrust
public elections to private companies that have a vested interest in a particular partys
victory in the election.
Auditing is another important consideration in the use of DRE systems. HAVA requires
that all voting systems are auditable, both for recounts and to confirm that the system is
working properly. This is an ongoing struggle for computer scientists and vendors. It is
extremely difficult to create an auditing process that still preserves the anonymity of
voters. Some experts argue for a Voter Verified Paper Trail (VVPT), where both the
machines memory device and a physical paper trail record each ballot. Each voter
http://www.edssurvey.com/images/File/ve2006_nrpt.pdfhttp://www.edssurvey.com/images/File/ve2006_nrpt.pdfhttp://www.edssurvey.com/images/File/ve2006_nrpt.pdf7/31/2019 Seminar Presentation:Electronic voting
48/49
could then compare the paper trail to the results screen on the DRE monitor to verify
his vote was counted properly.
DRE systems cost more than other systems currently in use. Whats more, the ongoing
costs of maintaining DRE systems are unknown at this point. As with computer
systems, adjustments will need to be made to any DRE to fix bugs or make upgrades.
While states received money due to HAVA in 2002, that was a one-time grant.
Maintenance costs are left to the states. If vendors go out of business or consolidate, that
may affect the costs of maintaining hardware and software.
References
Caarls, S. (2010) E-voting Handbook: Key steps in the implementation of e-enabled elections,
Council of Europe Publishing: Strasbourg
Council of Europe
www.coe.int
Competence Center for Electronic Voting and Participation (E-Voting.CC)
www.e-voting.cc
IFES
www.ifes.org
International IDEA
www.idea.int
National Democratic Institute
www.ndi.org
Organization of American States
http://www.coe.int/http://www.coe.int/http://www.e-voting.cc/http://www.e-voting.cc/http://www.ifes.org/http://www.ifes.org/http://www.idea.int/http://www.idea.int/http://www.ndi.org/http://www.ndi.org/http://www.ndi.org/http://www.idea.int/http://www.ifes.org/http://www.e-voting.cc/http://www.coe.int/7/31/2019 Seminar Presentation:Electronic voting
49/49
www.oas.org
www.e-voting.cc/fi les/e-voting-history
http://www.oas.org/http://www.oas.org/http://www.oas.org/