Bryan Meng-Hong Tsai
mbt9@cornell.edu
Security Properties for Electronic Voting
- Eligibility and Authentication. Only authorized voters should be
able to vote. [1]
- Voter registration management. In the context of
today's voting systems, voter authenticity is typically handled
procedurally, initially by presentation of a birth certificate or other
means of supposed identification, and later by means of a written verifying
signature. In future systems in which remote voting will be possible, some
sort of electronic or biometric authentication may be required (for example,
a digital signature). An electronic voting system should have the
ability to manage such a database of all eligible voters. [1][8]
- Authentication compromises such as guessing and
enumeration must be prevented. Also, capturing and replaying either a token
or a PIN must not be successful. [8]
- Non-repudiation is also necessary, preventing the
authenticatee from later saying that the authentication had been
subverted by a masquerader.
- Authentication must be easy for the voter to use, with
system operation as invisible as possible. The human interfaces to computer
systems and token-generating devices should be inherently fail-safe,
fool-proof, overly cautious in defending against accidental and intentional
misuse, and unobtrusive.
- Uniqueness. No voter should be able to vote more than one time.
[1][6]
- Each eligible voter should vote only once, and only for
the office for which she is authorized to cast a vote. [7]
- Accuracy. Election systems should record the votes correctly. [1]
- Extremely small error-tolerance. In normal reliable systems, a probability
of failure of 10**(-4) or 10**(-9) per hour may be enough. However, such
measures are too weak for voting systems. For example, a one-bit error in
memory might result in the loss or gain of 2**k votes (for example, 1024 or
65,536). [2]
- Ideally, numerical errors attributable to hardware and
software must not be tolerated, although a few errors in reading cards may
be acceptable within narrow ranges. Efforts must be made to detect errors
attributable to the hardware through fault-tolerance techniques or software
consistency checks (note also that any software-implemented fault-tolerance
technique is itself a possible source of subversion).
- Any detected but uncorrectable errors must be monitored,
forcing a controlled rerun. However, a policy that permits any detected
inconsistencies to invalidate election results would be very dangerous,
because it might encourage denial-of-service attacks by the expected losers.
- Integrity. Votes should not be able to be modified, forged, or
deleted without detection. [1][6]
- It should be impossible for a validated vote to be eliminated from the final tally. It
should also be impossible for an invalid vote to be counted in the final
tally. [6]
- System integrity. The computer systems must be tamperproof. Vote
counting must produce reproducibly correct results. Ideally, system changes
must be prohibited throughout the active stages of the election process. That
is, once certified, the code, initial parameters, and configuration
information must remain static. No run-time self-modifying software can be
permitted. End-to-end configuration control is essential. System boot-load
must be protected from subversion that could otherwise be used to implant
Trojan horses. [2]
- Data integrity and reliability. All data (including votes, vote
counts, etc.) involved in entering and tabulating votes must be tamperproof.
Votes must be recorded correctly without being altered during transit,
processing, or in storage. [2]
- Non-alterable media may provide some
assistance for integrity, but not if the system itself is subvertible. [2]
- There must be no trapdoors --- for example, for maintenance and setup ---
that could be used for operational subversions. [2]
- Verifiability and Auditability. It should be possible to verify
that all votes have been correctly accounted for in the final election tally,
and there should be reliable and demonstrably authentic election records. [1]
- Vote audit. Provide an independent audit record (such as a paper print-out of the ballot) which can
ascertain the content of the true ballots cast. The record can be checked by
the voter visually before deposit and used by the election board in the case
of a recount. Without such an audit record, system defects may be revealed years after
an election, making all earlier results questionable. [4][10]
- System accountability. All internal operations must be monitored,
without violating voter confidentiality. Monitoring must include votes
recorded and votes tabulated, and all system programming and administrative
operations such as pre- and post-election testing. All attempted and
successful changes to configuration status (especially those in violation of
the static system integrity requirement) must be noted. Furthermore, monitoring must be non-bypassable --- it must be impossible to turn off or circumvent. Monitoring
and analysis of audit trails must themselves be non-tamperable. All operator
authentication operations must be logged. [2]
- Read-only media can help ensure nontamperability of the
audit trail, but nonbypassability requires a trusted system for data
collection.
- Reliability. Election systems should work robustly, without loss
of any votes, even in the face of numerous failures, including failures of
voting machines and total loss of Internet communication. [1]
- Fault-Tolerance. The votes must be captured
accurately in redundant and non-volatile storage within the voting client.
Once that happens, all other failures can in principle be tolerated and
recovered from. In the case of a communication-link failure, voting
systems must include the functionality of a direct recording electronic (DRE)
system and be able to revert to DRE mode without losing a single vote.
- System reliability. System development (design,
implementation, maintenance, etc.) should attempt to minimize the likelihood
of accidental system bugs and malicious code. [2]
- Voter Anonymity and Non-Coercibility. Neither election authorities
nor anyone else should be able to determine how any individual voted, and voters
should not be able to prove how they voted. [1][6]
- No voter can prove that he or she voted in a particular
way. This is important for the prevention of vote buying and extortion. Voters
can only sell their votes if they are able to prove to the buyer that they
actually voted according to the buyer's wishes. [6]
- Data confidentiality. Votes must be protected from
external reading during the voting process. [2][7]
- Anonymous channel. All communication between voter
and election authorities occurs over an anonymous channel. An anonymous
channel could be secured through the use of a chain of World Wide Web
forwarding servers. [6]
- Flexibility. Election equipment should allow for a variety of
ballot question formats, be compatible with a variety of standard platforms
and technologies, and be accessible to everyone, including people with disabilities. [1]
- Efficiency. Election systems should be efficient. [9]
- Interface Usability and Convenience. Voters should be able to cast
votes quickly with minimal equipment or skills. [1][6]
- Complicated operator interfaces are inherently risky,
because they induce accidents and can mask hidden functionality.
- Transparency. Voters should be able to possess a
general knowledge and understanding of the voting process. [1]
- Certifiability. Voting systems should be testable so that election
officials have confidence that they meet the necessary criteria. [1]
- The source code must be open for random inspection at any time
(including documentation), despite cries for secrecy from the system vendors.
It need not be open-sourced, but the source code should at least be
available to designated security experts when certification or inspection
takes place. [2]
- Trusted Path. A reliable mechanism for delivering cast votes
to the election server in a timely manner. The path must be trusted (secure)
throughout the period during which votes are transmitted.
- An authenticated communication link must be used between
client and server, and encryption of the data being transported is needed to
preserve data confidentiality. [1]
- System availability. The system must be protected against both
accidental and malicious denials of service, and must be available for use
whenever it is expected to be operational. [1][2][3][7]
- Defenses against spoofing (fake voting sites). [1]
- Documentation and assurance. The design, implementation,
development practice, operational procedures, and testing procedures must all
be unambiguously and consistently documented. Documentation must also describe
what assurance measures have been applied to each of those system aspects. [2]
- System Management and Operation.
- Many systems provide intentional trapdoors in case of
failures of the authentication mechanism or loss of ability to authenticate.
Such trapdoors should be avoided, and if unavoidable must be audited
non-bypassably. All persons authorized to perform system-administration
functions must be nontrivially authenticated (not to mention well-trained
and experienced!), with no exceptions. [8]
- Local operating control. Voting systems must be
amenable to easy use by local election officials, and must not necessitate
the on-line control of external personnel (such as vendor-supplied
operators). [2]
- Dedicated system. Voting systems should preferably not be
shared with other applications running concurrently. [4]
- Warning messages must occur during elections whenever
appropriate. [4]
- Vote counting and reporting. The official canvass
should include counts not only of the number of votes for each candidate,
but also counts of the disputed votes where one member of a vote counting
team held that the vote was for one candidate while the opposing member held
that the vote should be excluded for one reason or another. [5]
- Disputed ballots must be set aside during the initial
count, with documentation of what votes were disputed by which vote
counters. [5]
- At each level in the reporting process leading to the
official canvass, in addition to reporting the number of votes for each
candidate, the number of overvotes, undervotes and disputed votes should be
reported, and the sum of these must equal the total number of ballots
counted in all precincts covered by this report. [5]
- Machine detected overvotes that were not corrected by the
voter should be subject to a hand count if their number exceeds the margin
between the leading candidates. [5]
- Recount. Voting systems must provide functions for
recounting, either providing an audit record for manual recounting or some other
means, in case there is any question about the final voting result.
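The canvass rules under "Vote counting and reporting" above ([5]), together with the software consistency checks called for under Accuracy, as an added Python example; it is not part of the original page or of any referenced system, and the ballot format, report fields and function names are assumptions constructed for illustration:

```python
from collections import Counter

def ballot(*marks):
    # Constructed sample format: one single-choice office; marks = candidates marked.
    return {"marks": frozenset(marks), "dispute": None}

def disputed(reading_a, reading_b):
    # The two counting-team members disagreed: set the ballot aside, document both readings [5].
    return {"marks": frozenset(), "dispute": (reading_a, reading_b)}

def canvass(name, ballots):
    """Count one precinct: votes per candidate plus overvotes, undervotes, disputed."""
    r = {"name": name, "votes": Counter(), "overvotes": 0, "undervotes": 0,
         "disputed": 0, "ballots": len(ballots), "dispute_log": []}
    for b in ballots:
        if b["dispute"] is not None:
            r["disputed"] += 1
            r["dispute_log"].append(b["dispute"])
        elif len(b["marks"]) > 1:
            r["overvotes"] += 1  # machine-detected and not corrected by the voter
        elif not b["marks"]:
            r["undervotes"] += 1
        else:
            r["votes"][next(iter(b["marks"]))] += 1
    return r

def reconciles(r):
    """Invariant from [5]: votes + overvotes + undervotes + disputed == ballots counted."""
    return sum(r["votes"].values()) + r["overvotes"] + r["undervotes"] + r["disputed"] == r["ballots"]

def aggregate(name, reports):
    """Roll reports up one level; a report that does not reconcile halts the roll-up."""
    bad = [r["name"] for r in reports if not reconciles(r)]
    if bad:
        raise ValueError(f"reports do not reconcile, controlled rerun needed: {bad}")
    total = canvass(name, [])
    for r in reports:
        total["votes"].update(r["votes"])
        for k in ("overvotes", "undervotes", "disputed", "ballots"):
            total[k] += r[k]
        total["dispute_log"].extend(r["dispute_log"])
    return total

def hand_count_required(r):
    """[5]: uncorrected overvotes exceeding the leading margin trigger a hand count."""
    top = r["votes"].most_common(2)
    lead = top[0][1] if top else 0
    runner_up = top[1][1] if len(top) > 1 else 0
    return r["overvotes"] > lead - runner_up
```

The reconciliation check also catches the single-bit memory error described under Accuracy: a count corrupted by 2**k no longer sums to the number of ballots, so the roll-up halts instead of silently propagating the error.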
References
- [1] "Report of the National Workshop on Internet Voting: Issues and Research Agenda," by the Internet Policy Institute, March 2001.
- [2] "Security Criteria for Electronic Voting," by Peter G. Neumann, 16th National Computer Security Conference, September 1993.
- [3] "Security Considerations for Remote Internet Voting," by Avi Rubin, AT&T Labs.
- [4] "Accuracy, Integrity, and Security in Computerized Vote-Tallying," by R. G. Saltman, NBS (now NIST) Special Publication, 1988.
- [5] "Evaluating Voting Technology," by Douglas W. Jones, testimony before the United States Civil Rights Commission, Tallahassee, Florida, January 11, 2001.
- [6] "Design and Implementation of a Practical Security-Conscious Electronic Polling System," by Lorrie Faith Cranor and Ron K. Cytron.
- [7] "Electronic Voting - Evaluating the Threat," by Michael Ian Shamos.
- [8] "Computer-Related Risks," by Peter G. Neumann, Addison-Wesley, 1995.
- [9] "Voting and Technology: Crypto-Gram -- December 15, 2000," by Bruce Schneier.
- [10] "Rebecca Mercuri's Statement on Electronic Voting," by Rebecca Mercuri.
- [11] "Risks in Computerized Elections," by Peter G. Neumann, Inside Risks, 5, CACM 33, 11, p. 170, November 1990.
- [12] "Disenfranchised by design: voting systems and the election process," by Susan King Roth, Information Design Journal, Volume 9, No. 1, 1998.