Like the Caesar's wife, an election should not only be fair but it should also be ... be used to prove the way a voter cast his ballot and thus invite vote selling and.
Challenges Facing Electronic Voting Abhishek Parakh and Subhash Kak Computer Science Department Oklahoma State University, Stillwater OK
Like the Caesar’s wife, an election should not only be fair but it should also be above suspicion. After the contested 2000 presidential elections, the United States government attempted to develop electronic systems to overcome many shortcomings of paper ballots. But electronic machines have presented several problems of their own, and their use is coming under increasing legal challenge. Electronic voting systems that do not leave a paper trail have been banned in Netherlands, Ireland, and some counties in the United States. The German Federal Constitutional Court decided on 3 March 2009 that electronic voting is unconstitutional and therefore not to be used in future elections. Consequently, the 2009 German national elections were conducted with hand counted paper ballots. The reasoning used by the German court was that electronic voting is not verifiable because the votes are counted in secret. It uses a technology accessible only to the initiates. The court stressed that electronic voting machines (EVMs) don’t allow citizens to reliably examine, when the vote is cast, whether the vote has been recorded fairly. The German court’s defines conditions for acceptability of voting systems that go beyond paper trails for touch screen voting that are popular in the United States. In India the use by the Election Commission of EVMs has been challenged in the Supreme Court, and the Court’s decision is awaited. The argument used by the government appointed Chief Election Commissioner is that the EVMs ought to be trusted as they are manufactured by two government owned companies, ECIL and BEL, they are sent in a random order to the election booths, and their chips cannot be removed. At present all political parties outside of the ruling coalition are against the use of EVMs. Electronic elections are conducted either using Direct Recording Electronic (DRE) machines or over the Internet. Although DREs have benefits such as speedy results, accuracy, reduction in manpower and paperwork1, they are vulnerable to sabotage and equipment malfunction. Further, if a malfunction is detected, there seems no way to conduct a recount and the only remedy is a recast of ballots. Internet voting provides ease of access and eliminates absentee ballots, but is surrounded by many more security concerns than the DRE systems. Electronics has been a part of the election process for several decades in the form of punch card machines and optical scan systems that rely on software for the tally process and can carry a bug as easily as the DRE machines2. But punch card and optical scan systems leave a paper trail that can be used for verification and recounts in case of disputes. This is the rationale behind the argument that DREs should have voter verified paper trails wherein the voting machine prints a 1
paper receipt of the cast ballot for the voter. The receipt can the then be verified by the voter and deposited in a ballot box, bringing the DRE systems at par with punch card and optical scan systems. However, it requires additional resources and the burden of handling of paper receipts which were sought to be avoided in the first place. A solution would be to allow voters to take receipts home in which voters can verify their votes by accessing the results posted on bulletin boards against receipt numbers. Chaum3 has proposed schemes that combine visual cryptography and mixnets to achieve this. However, a receipt that is taken home may be used to prove the way a voter cast his ballot and thus invite vote selling and give rise to irresolvable false claims. Rivest and Smith4 suggest a variant of this scheme in which the voters deposit their receipts and take home with them the receipt of a random voter who cast a ballot before them. Now when the results are posted on the bulletin board, a voter will be able to verify one cast ballot, although not his. This scheme eliminates false claims and vote selling, but the receipts that are taken home must be tamper resistant, which would add to the cost of the system. But there is no guarantee that a voter will not raise a false alarm at the polling station and claim that the receipt printed by the machine is different from the vote he just cast. There would be no way to verify his claim because we have assumed the machines to be fundamentally distrustful. One such claim can disrupt the election process and an unscrupulous party can easily put in place people to make such claims in a wide geographic area. Another solution may include random permutation of votes during the voting process and then un-permuting the results after the vote count. This permutation order may be randomly chosen by the presiding officer at the polling station before the beginning of the polls and recorded appropriately. This would require a separation between the input device and the vote recording machine with a physical permutation device joining them. Once the tally is made, the results can then be permuted back. It might be simpler to employ two machines endorsed by opposing major parties in the elections, recording the same vote and then their counts could be tallied after the elections are closed. Although it is widely believed that open source software can help in improving system security and confidence, some argue that this makes the job of hackers easier who might find a bug and instead of reporting it, exploit it. Also, there is no guarantee that companies would be using the same software in the same form, which is made public, in every machine that is deployed and there is no way to prove this, for certain, one way or the other5. This also does not eliminate the possibility of bugs inserted by an unscrupulous employee into the machines during their manufacture and software installation. In general, the requirements for an ideal voting system include receipt freeness, un-forge-ability, privacy, fairness, verifiability, coercion resistance and ballot secrecy. Receipt freeness prevents a voter from proving to anyone how he voted, un-forge-ability prevents a voter from casting double ballots, privacy protects the voter from eaves droppers, fairness protects the intermediate 2
election results that could sway the outcome, verifiability allows voter to ensure that his ballot is recorded as intended, and so on. The election system and procedures are particularly challenging because one needs to treat every party involved as an adversary. The imperative of technology suggests that future elections will take place on the Internet since it finesses the problem of verifiability. But Internet based system cannot satisfy the requirement of coercion resistance, if the vote is to be cast by voters from their homes or elsewhere, at their convenience. Also, the requirement of receipt freeness does not apply to an Internet based system since anybody who is coercing a voter to cast a ballot a certain way can easily watch him do so over his shoulder. Further, the problem of vote selling is one of the central issues when talking about Internet voting. Conversely, the above shortcomings are not unique to online voting systems. They exist in paper based systems as well when one uses the provision of absentee ballot and yet everyone accepts them as a part of the system. In fact, about 16.8 percent of votes in 2008 presidential elections were cast as domestic absentee ballots6, which is more than enough to change an election outcome if any fraud was intended. Internet based voting systems require strong safeguards against hacking attacks, viruses and Trojans. Software continues to get complex and can never be bug free. A virus or network attack can also be mounted during the verification process and result in false positive verifications. Network attacks may be met by cryptographic key exchange and distributed backend databases. Information dispersal algorithms and verifiable secret sharing schemes may be used to maintain system fairness such that no single server stores all the cast ballots and the partitions are distributed over independent servers7. As long as a majority of these servers remain honest, the possibility of sabotage remains low. Although the Germans have returned to the paper ballot system, the fidelity of this system requires that the officials managing the election process are honest. For example, the 2004 presidential election held in Taiwan using paper ballots was won by the incumbent, Chen ShuiBian, where the central election commission declared 337,297 ballots invalid, which was more than 11 times the margin of victory8. In countries without a strong tradition of honest bureaucracy, it is common for ballot boxes to disappear or be replaced with already filled ones before counting takes place. The most recent example of this was the 2009 national election in Afghanistan. The strengths and weaknesses of electronic and paper based election systems are different. It is of course true that given an honest bureaucracy, paper based systems are demonstrably trustworthy whereas the trustworthiness of EVMs cannot be so established. Designing a perfect electronic voting system is impossible due to the opposite requirements of secrecy and verifiability, and no implementations that are demonstrably secure are available. Germany and other countries have already chosen to go back to the paper ballot, and it appears 3
that in spite of the ease and flexibility of electronic voting other countries will eventually do the same. References 1. B. J. Williams and M. S. King. Implementing voting systems: the Georgia method. Communications of the ACM, volume 47, issue 10, October 2004. 2. Norden, L. et al. The Machinery of Democracy: Protecting Elections in an Electronic World, Brennan Center for Justice at NYU School of Law, October 2006. 3. D. Chaum. Secret-ballot receipts: true voter-verifiable elections. Security & Privacy, IEEE , volume 2, number 1, pages 38- 47, Jan. – Feb. 2004. 4. R. Rivest. Three voting protocols: ThreeBallot, VAV, Twin. http://people.csail.mit.edu/rivest/RivestSmithThreeVotingProtocolsThreeBallotVAVAndTwin.pdf 5. N. Paul and A. S. Tanenbaum. Trustworthy voting: from machine to system. Computer, volume 42, number 5, pages 23-29, May 2009. 6. http://www.eac.gov/News/press/eac-releases-data-from-2008-presidentialelection/base_view retrieved on March 7, 2010. 7. A. Parakh and S. Kak. Internet voting protocol based on improved implicit security. Cryptologia, volume 34, issue 3, 2010. 8. Keith Bradsher and Joseph Kahn. Taiwan’s president appears to win elections. New York Times, March 20, 2004. http://www.nytimes.com/2004/03/20/international/asia/20CNDTAIWAN.html?pagewanted=all – retrieved on March 2, 2010.
4
