E-Voting (cont)

Key Actions

  • For technical solutions where it is not possible to prevent others from observing the screen, instigate a public debate leading to a political decision as to a definition of an acceptable level of privacy and secrecy, including explicit consideration of issues relevant to minority groups who may be using specialist interfaces, and where family pressures make secret voting in the home difficult. There is a crucial disanalogy between electronic voting using normal display screens and postal voting because screens are normally larger and less portable than paper and pencil, less easily hidden from view and less easily taken to another venue where privacy could be more easily attained.
  • System design methodologies must embrace social impact: ‘off the shelf’ commercial design methodologies as implemented by major contractors can be expected to be inappropriate. For example, in this application of an information system, it is wholly and grossly inappropriate for the design to consider: that a certain proportion of disabled people need not be catered for; that errors are just another design factor that can be simply factored against financial considerations; or that secrecy can surround the design and the choices made as part of the design.
  • Development of a voter-friendly system should be based upon the concept of inclusive design: that is, providing facilities that cater for the needs of all voters, including those with disabilities, linguistic constraints and restricted literacy. The use of adaptive interfaces will be important, so that the view of the system is sympathetic to the needs of the individual voter. There needs to be legislation in place to ensure that the voting system as a whole caters for the needs of all voters.
  • Provision for audit should be incorporated into system development from the outset. The audit should not capture details of voter profiles, and should maintain secrecy of the ballot. Further political, social and technical analysis of the tension between audit and secrecy is needed, including explicit consideration of interfaces used by minorities (whether disabled voters or geographical or linguistic minorities). Thorough procedures for audit need to be developed that provide assurance that integrity of vote tallying is achieved, and that reveal any other problems with the system (that have not affected the integrity of vote tallying), such as dropped connections, problems with any specialist interfaces, and attempts to abuse the system, all without jeopardising the anonymity of individual voters.
  • Achieve cross-party acceptance not just that undue influence from businesses has not taken place, but also that it is impossible. A system that relies to a significant extent on the use of the facilities of a major business (such as News International, the banks, or BT) is in danger of being accused of being unduly influenced by that business. Systems that cannot achieve cross-party acceptance should be rejected as being too susceptible to confidence attacks.
  • To stand any chance of maintaining privacy and preventing votes from being altered in transmission, votes need to be put in an 'envelope' of encryption, and there need to be mechanisms to prevent “bypass, deception, trapdoor or other malicious circumvention of an entire crypto system” (Mercuri, 2001, p61). For voting using standard computers running their normal operating systems, “Since the environments (operating systems, compilers, etc.) upon which the crypto systems rely are inherently weak, vast security holes persist” (Mercuri, 2001, p61). The solution to this problem for standard computers is to bypass the software already on the computer, providing a specialised operating system of known quality.
  • Encryption keys must be kept separate, and adequate impartial protection of such keys must be in place for extended time spans.
  • Voters should be randomly allocated an identification number that cannot later be associated with the voter. The list correlating numbers issued with names should be kept on a separate computer, under intense security and separate from other parts of the voting system, and should never be made publicly available before it is destroyed.
  • De-couple voter identification data (explicit and implicit) from the vote as soon as possible after the vote is received.
  • All identification information must be separated from the vote while the vote is still securely encrypted. To achieve this, the identification communication needs to be encrypted separately from the encryption of the vote, so that the authorities who decrypt the identification data and check it against the register of electors (to ensure the voter is eligible and has not already voted) cannot discover how that voter has voted. In practice this requires two levels of encryption, and thus the distribution of encryption software capable of encrypting the two elements separately and securely.
  • Equity of access requires that if a significant proportion of voters can use hardware they possess (whether PC, digital TV, or some telephone technology) to vote, and there is demographic inequality in the distribution of such technology, access to some minimum system sufficient to enable voting should be provided to those who would not otherwise have access to the technology.

A Comparison with Other Secure Transactions
It is useful to compare voting with other online transactions for which security is needed.
The most obvious comparison is with banking. Attacking an electronic voting system is unlikely to bring the immediate financial rewards that a successful attack on the banking system would, and thus some types of well-resourced attack are less likely. However, the likelihood of well-resourced attacks is still sufficiently high to be problematic. The consequences of a successful attack are very different with electronic voting than with banking, though. Banks can, and do, make a financial analysis of how much loss they can stand and insure against such losses. It may be that a political decision could be taken that the loss of a certain percentage of votes is acceptable, but in the absence of such a decision, security appropriate for banking cannot be considered sufficient for electronic voting. Banks have also maintained confidence in the face of repeated losses through computer crime by covering up the cause of those losses. It is inconceivable that, in the event of a successful attack on electronic voting, such a cover-up would be acceptable to the electorate if subsequently disclosed. In a similar vein, individuals can be, and are, compensated for financial losses due to disruption/failures/hacking of online banking. It is not easy to see how there could be equivalent compensation for disruption/failures/hacking of an individual's vote, even if it were somehow discovered which individuals were affected (which might not be possible with some sorts of disruption).
Another issue is anonymity: electronic voting “differs from the aforementioned applications due to the fact that, in addition to the requirements for accuracy and privacy, there is the mandated necessity to provide ... anonymity. In other words, banking … applications can (in fact must) allow tracking back to the user of the system, but the [electronic voting system] must ensure that such tracking is impossible.” (Mercuri, 2001, pp8-9).
Electronic voting also differs from financial transactions in that the risk that an election delayed by a few days will have a different result is unacceptably high. By contrast substantial financial transactions between two willing partners usually can be conducted a few days later if there are problems with ecommerce applications, since such transactions are rarely conducted on a whim.

The Options

PCs
Personal Computers of all types, and whatever software is loaded, are a technology that makes it difficult to prevent others from observing the screen, unless they are used in a supervised location.
The risk of virus/malware attack will be greatest if general purpose computers are used by individual voters. Such computers will, almost universally, be vulnerable to attack by novel viruses/malware, since virtually all ‘virus protection’ facilities rely on a library of known viruses/malware. In the case of home computers, few currently have any ‘virus protection’ and even fewer have regularly updated libraries of known viruses/malware. Any virus widely distributed in the months before the election could be expected to be present on a high proportion of home computers, if such a virus did not make its presence felt to the individual user concerned in advance of the election. Viruses are already in widespread circulation that can detect anything typed on the keyboard (eg F-Secure, 2001). It would be relatively easy for a virus writer to write a virus that did nothing (except propagate itself(7)) until a web browser was directed to “election.gov.uk” or a similar address, but which then was capable of changing the individual’s vote, or preventing the individual from voting, or sending a copy of their vote to some other destination (violating the secrecy of the ballot).
It might be thought that this problem could be overcome by distributing ‘virus protection’. At present with low levels of broadband takeup, if such a distribution was conducted ‘down the wire’ as part of the voting process, the downloading of the software onto the user’s computer could be prohibitively time-consuming. A theoretical alternative might be to distribute ‘virus protection’ facilities on disk, however to be successful, the library of viruses included would have to be very contemporary. Considerations elsewhere suggest that the contents of such a disk would have to be open source and open to scrutiny by experts appointed by the Parties for a specified period prior to the election. With disk production and distribution time as well, there would be a danger of viruses being propagated between when the contents of the disk were finalised and the election. This could be mitigated by including an internet address to check for updates, but such sites (a large number to reduce denial of service dangers) would equally have to be running open source code, available to scrutiny by the Parties, and even if no updates were needed, the extra time taken for the voting process to go through this extra stage would be problematic.
A better solution is to bypass the software on which such viruses/malware depend, providing a specialised operating system and set of drivers of known quality and without the basic security vulnerabilities of mainstream (MS) software on the disk (California Internet Voting Task Force, 2000, p4). The process of loading such an operating system and drivers would detract from the convenience some hope for from PC-based voting.
It will be exceptionally difficult for the specialised drivers to include drivers for the full range of specialised interfaces that make PCs compatible with the needs of groups of disabled people.
If general purpose computers are used, with software being loaded for the purposes of the election, there is a serious danger that any failure of the system that coincides with the general time of voting will be blamed on the voting system. It is quite plausible that attempts will be made to claim recompense for damage that far exceed any damage that the voting system may have caused. This is equally a problem for all solutions that use general purpose computers.

7 For home users who do not have ‘virus protection’ with a regularly updated library, a virus that propagates itself slowly is probably more of a threat, since such a virus is less likely to get media attention, and thus less likely to come to the attention of the individual. If such a virus also restricted itself to ISPs who serve the home user, the chances of detection would be considerably reduced.

Voting from Work
Voting from work opens particular challenges: employers claim a right to monitor activity in the workplace, and it would be virtually impossible to exclude voting from such monitoring and maintain secrecy in the voting process, unless workers are in individual offices, and certain technical measures to monitor are disabled.
Voting by PC from suitable workplaces might be a possibility, apart from technical constraints. Security issues preclude the use of PCs and general purpose computers unless the installed operating system is bypassed. Many work computers will have been, wisely, set up to prevent this. Further, work computers will generally connect to the outside world through a local network that will be practically impossible for the specialised operating system and drivers to navigate.
If votes are encrypted and not capable of decryption by the corporate firewall, they may be prevented from reaching their destination by the firewall; if they are not encrypted, voters would be in very grave danger of having their employer know how they vote, and able to unduly influence this, and there would be no security to ensure that the vote was not changed, whether by the employer or by somebody else on the network.
Issues with telephone voting are dealt with elsewhere.

Supervised Polling Place
We believe the worry about other software installed on the machine (Coleman et al, 2002, p69) is not sufficient to justify requiring election-dedicated equipment, provided that when used in an election, all software that can be used by the computer is of known quality, and in particular that a specialised operating system and drivers are provided and that any pre-existing general purpose operating system and hard drive are completely prevented from interfering with the election software.
Within the environment of supervised polling place either electronic voting machines or general purpose computers will provide an adequate technical solution provided the software (and especially in the case of electronic voting machines, the hardware) is known to be trustworthy. Low-specification, reconditioned, general purpose computers would be adequate, and thus probably a cheaper solution; while electronic voting machines may include screening to hide the voter, or offer touch-screens (which may be useful for a proportion of voters), or some other advantage. Existing electronic voting machines should not be accepted unmodified since “hooks and backdoors, particularly those within compilers and operating systems, exist and have already been proliferated invisibly throughout the industry. Under this view, software rigging is assumed to have already happened, rather than just a speculative possibility.” (Mercuri, 2001, p49).
Transfer of the votes to a counting and processing location could be accomplished adequately by physical transfer, or, encrypted over the telephone network to a modem on a dedicated (secret) telephone number. Encrypted votes could also be sent from supervised polling places in Embassies, High Commissions and Consulates overseas using the FCO network. If such conduits were not available, encrypted votes could be sent over the internet with fewer problems than would accompany sending votes from home computers, since the polling official can ensure that the polling place computer is virus free, and can ensure that a connection has genuinely been made with the correct server (bypassing DNS if necessary).
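The last point above, making sure the polling place computer is talking to the genuine election server without relying on DNS, as a worked example added to this page (it is not code from the original report or from any system the report cites). It assumes that the voting software distributed by the electoral authority carries a fixed server address and the SHA-256 fingerprint of the server's certificate; the hostname, the address (a reserved TEST-NET address) and the fingerprint below are constructed placeholders.

```python
"""Connecting to the election server without DNS and without the public CA list
(example added to this page, not the report's code). The voting software carries a
fixed address and the SHA-256 fingerprint of the server certificate; placeholder values."""
import hashlib
import hmac
import socket
import ssl

# Assumed to be shipped on the election disk by the authority, never fetched at vote time.
ELECTION_SERVERS = {"election.gov.uk": "192.0.2.10"}  # constructed: TEST-NET address
PINNED_SHA256 = {"election.gov.uk": "00" * 32}        # constructed placeholder fingerprint


def cert_fingerprint(der_cert):
    """Hex SHA-256 of the DER certificate, as `openssl x509 -fingerprint -sha256` prints it without colons."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, expected_hex):
    """Constant-time comparison of the presented certificate against the shipped pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


def connect_pinned(hostname, port=443, timeout=10.0):
    """TLS to the pre-configured address, accepting only the pinned certificate.
    Chain validation is switched off on purpose: the shipped pin is the trust anchor, so a
    poisoned DNS answer or a mis-issued public CA certificate gains an attacker nothing."""
    address = ELECTION_SERVERS[hostname]  # looked up in the shipped table, not via DNS
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    tls = ctx.wrap_socket(socket.create_connection((address, port), timeout=timeout),
                          server_hostname=hostname)
    try:
        der = tls.getpeercert(binary_form=True)
        if der is None or not pin_matches(der, PINNED_SHA256[hostname]):
            raise ssl.SSLCertVerificationError("server certificate does not match the shipped pin")
    except Exception:
        tls.close()  # never send a ballot over a connection that failed the pin check
        raise
    return tls


if __name__ == "__main__":
    # With the placeholder address and pin this cannot succeed; it shows the intended call shape.
    with connect_pinned("election.gov.uk") as conn:
        conn.sendall(b"HELLO")
```

The pin is compared in constant time and the socket is closed before the caller can send anything if the check fails. Where the server is reached by a fixed address anyway, an equivalent design is to ship the server's own certificate on the disk and load it as the sole trust anchor with `ctx.load_verify_locations`, which keeps the standard validation path; the fingerprint pin is shown because it needs nothing beyond the 64 hex characters the Parties' scrutineers can publish and compare.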
When used in a polling station environment, we would recommend that a paper ballot is printed for voters to examine (but which they are prevented from removing) to provide a paper audit trail (see Mercuri, 2001, pp54-5).

Voting at Home
With all sorts of voting from home, the voting system cannot, with current technology, prevent others from observing the screen (or listening to a voice telephone call) while the voting transaction is taking place. Voting from home should not be introduced without a public debate about acceptable levels of privacy and secrecy.
One of the major barriers we see to internet voting is that there appears, at present, to be little prospect that internet access (including home and workplace access) will reach 90% of the voting population, except through interactive digital TV (and if voting is to be conducted using iDTV, it would be better to use direct connections rather than routing through the internet). The Government, by contrast, is committed to achieving such high levels of penetration of digital TV, prior to the planned ending of analogue TV broadcasts.

Digital TV
Software to vote by DTV needs to be designed to ensure that DTV suppliers cannot detect who has voted. Considerations about the openness of all source code, both for the voting software itself, and for operating systems, apply as much to DTV as to voting using devices conventionally recognised as computers: it will thus be necessary to negotiate with the suppliers of DTV hardware to achieve access to their source code, as well as to negotiate access to the DTV broadcasts to enable distribution of voting software.
Digital Television does not offer the range of specialised interfaces that PCs do, and thus may be more difficult to make compatible with the needs of groups of disabled people.
Terrestrial and satellite digital TV rely on the use of telephone lines for the ‘return path’.
There may be problems for some voters whose televisions are not close to a telephone point. While this will present a problem for a proportion of voters, it is anticipated that these voters will, in general, not be demographically distinctive.
For DTV to be suitable for electronic voting, any DTV equipment distributed to those without DTV in preparation for the switch-off of analogue transmissions will have to be equipped with the capability for a return path. At present it is unclear whether such equipment will be suitably equipped: the suitability of DTV for use in electronic voting hangs on that decision, since it can be expected that there will be issues of equity of access of a demographically distinct minority who have not previously purchased DTV (perhaps due to lack of funds).
Satellite Digital Television may be susceptible to disruption to the satellite (either failure or attack from a hostile regime). Any digital TV-based electronic voting system would have to be resilient against such disruption.
Given that Digital TV is, globally, not in widespread use (the UK is more than 25% of the world market (e-Envoy 2000)), it has not had the degree of security testing that internet systems have (although it is still a better bet than the internet for the time being, because internet systems repeatedly fail those tests). Future developments need to be monitored carefully.

Lottery
Lottery terminals are geographically distributed in a manner which is broadly comparable with the distribution of current polling stations, except with a greater presence in town and city centres. Lottery terminals offer the advantages of publicly available points at which votes could be input to a secure network.
Security from tampering with lottery terminals is assured, in part at least, by the presence of the lottery vendor.
Supervision by the lottery vendor could provide some deterrent to intimidation of voters.
The cards used to input selections to the lottery terminal would need to be securely retained at or by the terminal, to prevent them from violating the secrecy of the ballot after the vote has been input.
Accurate marking of the cards used to input selections to the lottery terminal could be problematic for a minority of disabled voters.
A decision was made in the contract process for the current lottery contract to exclude a voting function.
The current lottery security model, with transactions mediated by a vendor, would preclude the introduction of lottery terminals that could support voting even minimally secret from the vendor. This is a fatal flaw with current technology. If at some time in the future there was a change to a security model compatible with secret voting, it would almost certainly be accompanied by unsupervised terminals, which would reintroduce the problems of intimidation and of tampering with terminals; freedom from those problems is a key advantage of lottery terminals under present arrangements.

ATM
Bank Automated Teller Machines provide a distinctive advantage over all other kinds of unsupervised electronic voting, in that they have been designed to offer transaction secrecy from those in the vicinity. Thus they may offer greater potential for secrecy of the ballot.
The security of the banking ATM network also lends itself well to use in electronic voting.
Geographical distribution may be a problem with ATMs, since they are much less frequent in residential areas than polling stations currently are. Perhaps worse for equity of access, they tend to be less common in less affluent areas, and thus a demographically distinct population may have less favourable access to electronic voting, if it were conducted by ATM.
It seems unlikely that ATM operators would be willing to allow open source operating systems to be run on ATMs, for fear of introducing security vulnerabilities, if only by the process of changing operating system.
Focus group research as part of this project makes it clear that there is a significant fear of intimidation at unsupervised ATMs.

Telephone Voting
Telephones offer one massive advantage over other technologies: ubiquity.
Voters will have to listen to a list of candidates. Given that it is not unusual for elections to have more than 5 candidates, this could be a lengthy process, and there will be a temptation to vote for candidates who are announced first, especially if voters are allowed to vote before the list is completed. To avoid biasing by the order in which the candidates were 'read out', I suspect that the order would have to be different for each voter, but this would prevent parties saying "vote for candidate 5", and force all phone voters to listen to the whole list. The big advantage, of course, would be for visually impaired voters.
For most telephone voting, authentication of voter identity will not be easy. Focus group research as part of this project suggests the input of a PIN (of sufficient length to uniquely identify the voter and prevent successful guessing) will prove too difficult for many voters.
At present voice telephone voting is only possible with operators to note down the votes – there must be zero secrecy from them, and no guarantee they will not attempt to rig elections unless there are further violations of secrecy of the ballot. There would be no way to make sure that others monitoring a call (such as employers) can't find out how the vote is being cast.
The user interface problems with touch-tone voting are massive. There are problems with defences against violations of secrecy of the ballot and preventing calls being hijacked part way through, threatening the integrity of the ballot.
Focus group research as part of this project suggested public interest in dialling separate numbers according to the party of one’s choice, a procedure that is familiar from popular television voting. To prevent multiple voting, identification data will be needed, inevitably violating the requirement for anonymity from the regime. Secrecy of the ballot from the immediate telecomms supplier (including the employer, if the call is made from a work ‘phone) will not be possible, and any handset with last number redial further risks violating secrecy. The integrity of the election could further be threatened by calls to particular numbers being caused to fail (particularly by employers).
It is currently impossible to encrypt votes using WAP or 3rd generation (3G) mobile telephones, meaning that secrecy and inalterability of the vote are both impossible. There is a possibility of smartcard readers in the future for 3G phones, which might enable cryptographic potential. Current levels of penetration are insufficient to suggest whether this technology will ever be sufficiently widespread to be practical, and it appears unlikely that the voting function will be sufficient to ensure it is widespread.
The only form in which telephone voting appears acceptable is if voter identification data and the vote can be encrypted automatically prior to input into the telephone. A smartcard-like device with sound generator could do this.

Authentication
Biometric authentication may seem to allow the most reliable authentication of identity; however, the data associated with the biometric can be stolen, giving the thief identification data that the person associated with that biometric cannot repudiate as a valid identifier. Further, biometric identification may be inappropriate for some voters (for example retinal scanning cannot be used by some voters with visual impairments), meaning that another system will have to be available that does not disadvantage the voter using the other system. Moreover, the collection of biometric identification data will be expensive, probably involving door-to-door collection. It will require the state to hold data on citizens of a sort that currently would be seen as being an unacceptable invasion of privacy.
Considerations of anonymity of the voter from the regime (above) preclude any authentication that uses identifiers that are valid over time, including all of biometric authentication, the use of identity and entitlement cards, and the use of long term “elector cards” as recommended by Coleman et al (2002, p13).
The model for anonymity that we recommend would require identifiers to be generated by the computer that holds the electoral register that will be ‘marked’ when votes are received.
We would anticipate that they would then be sealed into envelopes addressed by the same computer. The receipt of such an identifier that has been accurately delivered (whether by the Royal Mail or by some other agency) will provide a level of authentication of identity for many voters not far removed from that achieved by current arrangements. The combination with some other data, such as a date of birth, may provide levels of authentication greater than current arrangements.
A significant issue with authentication is ease of use. Focus group research as part of this project suggests the input of a PIN (of sufficient length to uniquely identify the voter and prevent successful guessing) will prove too difficult for many voters. Where appropriate hardware exists on the voting system, ease of use suggests that the randomly allocated identifier should be recorded onto a CD-Rom or Smartcard, so that the introduction of that computer-readable material into the voting system would be the first part of the authentication procedure. The choice of CD-Rom or Smartcard would depend on convenience and the availability of suitable readers.
Whether a manually input PIN or an identifier on CD-Rom or Smartcard, the first stage of the voting process would be to send the (encrypted) identification data to the computer that will eventually receive the encrypted combination of identifier and vote. The identification data will then be sent on to the computer that holds the electoral register and the confidential list correlating numbers issued with names. If the identification data is in order, and no vote has been recorded for that voter, this computer will send a message back to the voting software at the voter’s end, to ask the voter to confirm (on pain of legal penalty) that they are the voter whose identification data was sent, before they proceed to the selection of the candidates of their choice. As outlined (above) in the consideration of reliability from failures, the identification data will be sent again (in encrypted form) with the vote before the register will record that the voter has voted.
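The two-stage submission described in this paragraph, together with the separate identifier list and the two levels of encryption called for in the Key Actions above, as a worked example added to this page (it is not code from the original report or from any cited system). It uses a toy encrypt-then-MAC envelope built from SHA-256 and HMAC with pre-shared keys so that it runs on the Python standard library alone; a real system would seal the outer envelope under the registrar's public key and the inner one under the tallier's. The electors, candidates and identifiers are constructed.

```python
"""Two-envelope ballot submission (example added to this page, not the report's own code):
the registrar opens only the OUTER envelope (identifier), the tallier only the INNER (vote).
A toy encrypt-then-MAC cipher (SHA-256 keystream + HMAC, pre-shared keys) stands in for the
public-key hybrid encryption a real system would use, so the example runs on the stdlib."""
import hashlib
import hmac
import secrets

def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _keystream(enc_key, nonce, length):
    blocks = (hashlib.sha256(enc_key + nonce + i.to_bytes(4, "big")).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, plaintext):
    """nonce || ciphertext || HMAC tag: only the holder of `key` can open or alter it."""
    nonce = secrets.token_bytes(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_envelope(key, blob):
    """Verify the tag before decrypting; a wrong key or any tampering raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong key or tampered envelope")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def envelope_rejected(key, blob):
    try:
        open_envelope(key, blob)
    except ValueError:
        return True
    return False

class Tallier:  # receives sealed votes only; never sees an identifier
    def __init__(self, key, candidates):
        self.key, self.counts = key, {c: 0 for c in candidates + ["spoilt"]}

    def receive(self, inner):
        vote = open_envelope(self.key, inner).decode()
        self.counts[vote if vote in self.counts else "spoilt"] += 1

class Registrar:  # separate machine: the register plus the confidential number-to-name list
    def __init__(self, key, electors):
        self.key = key
        self.number_to_name = {secrets.token_hex(8): n for n in electors}  # random, unlinkable numbers
        self.voted, self.audit = set(), []  # audit keeps event types only: no numbers, no names

    def _open(self, stage, blob):
        """Open an outer envelope and vet its identifier; returns (number, payload) or None."""
        try:
            number, _, payload = open_envelope(self.key, blob).partition(b"|")
        except ValueError:
            self.audit.append(stage + ": undecipherable envelope rejected")
            return None
        number = number.decode()
        if number not in self.number_to_name:
            self.audit.append(stage + ": unknown identifier rejected")
            return None
        if number in self.voted:
            self.audit.append(stage + ": duplicate vote attempt rejected")
            return None
        return number, payload

    def check(self, sealed_id):
        """Stage one: identifier alone, so the voter can be asked to confirm before choosing."""
        return self._open("stage1", sealed_id) is not None

    def receive(self, sealed_ballot, tallier):
        """Stage two: strip the identifier, mark the register, forward only the inner envelope."""
        opened = self._open("stage2", sealed_ballot)
        if opened is None:
            return False
        number, inner = opened
        self.voted.add(number)
        self.audit.append("stage2: ballot forwarded")
        tallier.receive(inner)  # the registrar cannot read `inner`: it is sealed under the tally key
        return True

def cast(reg_key, tally_key, number, choice, registrar, tallier):
    """Voter-side software: the report's two levels of encryption, sealed separately."""
    if not registrar.check(seal(reg_key, number.encode())):
        return False
    inner = seal(tally_key, choice.encode())  # only the tallier can open this
    return registrar.receive(seal(reg_key, number.encode() + b"|" + inner), tallier)

def run_election():
    """Constructed sample register and candidates; returns the state for inspection."""
    reg_key, tally_key = secrets.token_bytes(32), secrets.token_bytes(32)
    registrar = Registrar(reg_key, ["Ada", "Ben", "Cy"])
    tallier = Tallier(tally_key, ["Red", "Blue"])
    posted = {name: number for number, name in registrar.number_to_name.items()}  # letters to electors
    ballots = [(posted["Ada"], "Red"), (posted["Ben"], "Blue"), (posted["Ada"], "Blue"), ("0" * 16, "Red")]
    outcomes = [cast(reg_key, tally_key, n, c, registrar, tallier) for n, c in ballots]  # T, T, F, F
    return outcomes, tallier.counts, registrar.audit
```

Two caveats a practitioner would add. The registrar still sees the sealed vote next to the identifier as it passes through, so its audit log must record event types only (as here) and the tallier should open votes in shuffled batches rather than in arrival order, otherwise the two machines' records could be joined on timing. And the "not yet voted" check and the marking of the register must be one atomic step if several registrar processes run, or a voter could race two submissions through between the check and the mark.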
One particular danger, is that if internet voting was enabled, procedures to thwart automated attempts to guess identification data may well prevent real voting, especially if the attack were mounted from distributed compromised machines.
For voting in supervised polling places, individuals could identify themselves to the system using a CD ROM, a smartcard or a password/PIN combination, ideally partially moderated by the polling official, since polling officials can make use of judgements of the demeanour and appearance of the voter to judge whether to suspect personation, whereas use of automated techniques alone would inhibit that process. It should also be possible for a voter to identify themselves using name and address, as at present. To make this operationally possible, computers would need to be (securely) available to polling staff that could securely enquire of the computer that holds the electoral register and the confidential list of identification numbers for that election what the identification number was for that particular voter. To maintain the confidentiality of the list of identifiers, answers should be returned only for those who have not yet voted, and statistical techniques employed to ensure the system was not abused.

Conduits
The law on treating voters currently requires a clear separation of voting from commercial activities. Transferring this into the electronic sphere creates difficulties for a variety of conduits.
Many internet service providers provide a default page of web content. Others “also ship unsolicited advertising along with the requested Web pages” (Mercuri, 2001, p34). It is clear that any service provider that enables electronic voting (whether internet, digital TV, lottery or ATM) will need to be required to separate the voting function from their normal service. This might be done by a legal requirement that they keep content (news, commentary and advertising) well separated from any electronic voting interface, and perhaps even a requirement that such content is suspended for the polling day(s). The acceptability of this to service providers is unclear.
The Lottery Network and the ATM Network are dealt with through consideration of the lottery and ATMs as voting interfaces. Where voting takes place at supervised polling places overseas, the FCO network should be used if at all possible.

Physical Transfer
While it is anticipated that even at supervised polling places, voting should be conducted with votes transmitted at the time of casting to the counting location, supervised polling places do, uniquely, enable the physical transfer of votes at the end of polling, if communications are lost.

Cable
For voters who receive digital TV by cable there is the possibility of sending votes by the cable network; this appears to be a relatively secure first-choice network that should be used when available.

Telephone
Telephone communications will be available to internet-capable PCs and interactive digital television as well as telephone-based voting.
Unlike the internet, the telephone system has significant defences against overload. Despite these defences, in theory it might be possible for a distributed Denial of Service attack to be mounted that abuses very many compromised user systems to dial and attempt to overload the telephone system. Using different telephone numbers for different local collection and processing centres may help with this. Similarly, keeping such telephone numbers confidential for as long as possible could hamper the mounting of a distributed DoS attack, and aid detection. If telephone numbers are only distributed implicitly by software that automatically dials the relevant number, it may be that by the time attackers have obtained the numbers they cannot mount any effective attack. If a system that uses direct dial-in access to local processing centres is disrupted in this manner, and it is appropriately designed, it may be possible for it automatically to fall back to the internet as an alternative method of communication (provided the local processing centre's internet connection does not come through the disrupted part of the telephone network: locations which enable this separate routing should be chosen).
Systems based on mobile telephony could be susceptible to localised disruption through radio interference.
Mobile telephones automatically release information about their location, which could to some extent be a problem for maintaining privacy for voting by mobile telephone.

Internet based solutions
Where the internet is used as a substantial transmission route, general disruption of the internet (such as when the email ‘ILOVEYOU’ worm was propagating) could be a significant threat. At present there is no effective defence against such disruption. Until and unless such defences are introduced, the internet cannot be relied upon as a substantial transmission route for electronic voting. The most likely way of ensuring effective defence would be for there to be substantial Government regulation of internet service providers to ensure they monitor for and act against the propagation of viruses/malware of sorts that could cause this disruption. We see no sign that Government is prepared to regulate internet service providers in this way. In theory, technical means may be developed to defend against such disruption in the absence of Government regulation.
If mainstream electronic voting does not use the internet, the ‘number of eggs’ in the basket of an internet connection for the server might be sufficiently small to enable internet voting where the mainstream electronic voting option is impractical or impossible (overseas, for disabled voters who need specialised interfaces, etc.). It appears that internet voting used on a small scale to enable voting from overseas and other exceptional cases would be incomparably less problematic than large scale internet voting.
If general purpose computers are used for electronic voting away from supervised settings, it is necessary to protect them from viruses and to ensure that they are verifiably free from attacks introduced within mainstream software houses. There may be a number of possible ways of achieving this.

  1. If by the date of the relevant election a significant majority of home computers use genuinely open source operating systems(8) which have been analysed and are known to be suitable for use in elections, the election software may be able to verify the integrity of the operating system and ensure that computers are virus free.
  2. If most general purpose computers still have operating systems that are not suitable for election use, they might still be used in an election if some technique can be devised to ensure the election software communicates directly with input devices (mouse and keyboard, for example) and screen, without interference from the operating system, browser software or viruses, and if virus protection either is widespread on such computers or can be distributed by broadband connections.
  3. If most general purpose computers still have operating systems that are not suitable for election use, and no technique as described in 2) has been developed, there is no real alternative to bypassing the installed operating system, and supplying an operating system and sufficient drivers of known quality that are known to be free of viruses and are insulated from any viruses/malware that are already on the general purpose computer. At present such an operating system would have to be supplied on CD-Rom with a floppy disk to boot the computer using the special operating system rather than the normal operating system. While such installation is compatible with internet voting, for virtually all voters, at present the advantages of internet voting over voting by interactive Digital TV will be lost in the process, and the result would be identical to a system that sent votes by telephone without using the internet.

Even if other problems could be solved, “One company that audits Web sites for application-level bugs … has never found a Web site they could not hack. That’s 100 percent vulnerability.” (Schneier, 2000 p175) If websites are used as part of an internet election, the software and server configurations for such websites must be extensively tested both by Government security agencies and by at least one internationally recognised security consultancy, and also be available for testing by the political parties, and experts in their employ, to ensure that they cannot be hacked.
At present the distribution via the internet of encryption software suitable for voting is not practical for the bulk of home users without broadband access, for whom the time to download would seem unnecessary and excessive. It is possible that broadband access will become the norm for home users, and thus that this problem will disappear. If not, such software will need to be distributed by post. This need not be a barrier to internet voting, although advantages of internet voting would be lost.
A further concern with networks is that it may be possible to identify the individual who is casting a vote (presumably encrypted, and thus the precise content of the vote is not discernible, although spoilt ballots may be discernible). This is particularly a risk if individuals are voting from work, where it is not uncommon for the name of the computer to be employeename.employername.co.uk.

(8) That is, operating systems where all the elements are open source, rather than commercial versions of, say, Linux, where proprietary closed source software might modify the operation of open source elements.

Network
The internet domain name system is at present not sufficiently secure against attack to enable it to be used in the election process in any substantial way. A system that asks significant numbers of voters to access a particular web domain (for example, www.election.gov.uk), risks having that web traffic hijacked (in the short term, which is long enough to cause unacceptable problems for the election). As security consultant Bruce Schneier puts it: “there’s no security in the DNS system. So when a computer sends a query to a DNS server and gets a reply, it assumes that the reply is accurate and that the DNS server is honest. In fact, the DNS server does not have to be honest; it could have been hacked. And the reply that the computer gets from the DNS server might not have even come from the DNS server; it could have been a faked reply from somewhere else.” (Schneier, 2000, p180)
The US National Science Foundation similarly warn: “Remote voting systems will … have to contend with an attack known as spoofing—luring unwitting voters to connect to an imposter site instead of the actual election server. While technologies such as secure socket layer (SSL) and digital certificates are capable of distinguishing legitimate servers from malicious ones, it is infeasible to assume that all voters will have these protections functioning properly on their home or work computers, and, in any event, they cannot fully defend against all such attacks. Successful spoofing can result in the undetected loss of a vote should the user send his ballot to a fake voting site. … In short, this type of attack poses the same risk as a Trojan horse infiltration, and is much easier to carry out.” (Internet Policy Institute, 2001 p16).
While DNS problems could only disrupt a given election for a short time, it could well be that individual voters have no idea if they have ‘voted’ on a spoofed site rather than the real one, so that when the correct IP address is replaced on the DNS, the affected voters do not know that they need to vote again. Spreading the election over several days will not help with this problem, so much as give a longer window during which the DNS system can be disrupted.
The current DNS protocol contains many elements that can, in principle, be used to secure DNS, and these are implemented in current versions. These are in use, but not widely. The real problem with this is the resolver library that the client uses to perform a query. At present this is a barrier to the current implementation of internet voting, however it need not remain so. If 95% of home computers used to access the internet have web browsers with a library that supports secure DNS and secure DNS is at least as widely implemented by nameservers, DNS attacks need no longer be seen as a barrier to internet voting (although other barriers may remain).
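The resolver-side checks the paragraph above refers to, as an added example that is not part of the original report: a minimal Python validator for a DNS response that accepts an address only when the transaction id and question match the query that was sent and the validating resolver has set the AD (Authenticated Data) bit, which is how a client learns that DNSSEC validation succeeded. The domain www.election.gov.uk is the report's own illustration; the response bytes are constructed here, not captured traffic. The AD bit is only as trustworthy as the path to the validating resolver, which is why the residual client-end problem the section describes remains.

```python
import struct
from dataclasses import dataclass

# Header flag bits (RFC 1035, with the DNSSEC bits added by RFC 4035).
QR_BIT = 0x8000      # message is a response
AD_BIT = 0x0020      # authenticated data: validating resolver verified DNSSEC
CD_BIT = 0x0010      # checking disabled: the client asked for no validation
RCODE_MASK = 0x000F

@dataclass
class DnsAnswer:
    name: str
    addresses: list
    authenticated: bool

def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_response(txid: int, qname: str, addresses, ad: bool) -> bytes:
    """Constructed sample response (not captured traffic) carrying A records for qname."""
    flags = QR_BIT | 0x0180 | (AD_BIT if ad else 0)          # QR, RD, RA (+ AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # Owner name is a compression pointer to offset 12, the question name.
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers

def read_name(msg: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                     # compression pointer
            if not jumped:
                end = offset + 2
            offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)

def validate_response(msg: bytes, expected_txid: int, expected_qname: str) -> DnsAnswer:
    """Return the A records only if the response answers our query and was DNSSEC-validated.
    Raises ValueError naming the first check that fails."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & QR_BIT:
        raise ValueError("not a response")
    if flags & RCODE_MASK:
        raise ValueError(f"server returned rcode {flags & RCODE_MASK}")
    if flags & CD_BIT or not flags & AD_BIT:
        raise ValueError("answer not DNSSEC-validated (AD bit clear)")
    if qdcount != 1:
        raise ValueError("unexpected question count")
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    if qname.lower() != expected_qname.rstrip(".").lower() or (qtype, qclass) != (1, 1):
        raise ValueError("question does not match our query")
    addresses = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        # Only A records owned by the queried name count; ignore anything else.
        if owner.lower() == qname.lower() and (rtype, rclass, rdlen) == (1, 1, 4):
            addresses.append(".".join(str(b) for b in rdata))
    if not addresses:
        raise ValueError("no A record for the queried name")
    return DnsAnswer(qname, addresses, True)

def rejection_reason(msg: bytes, expected_txid: int, expected_qname: str):
    """None if the response is accepted, otherwise the reason it was rejected."""
    try:
        validate_response(msg, expected_txid, expected_qname)
        return None
    except ValueError as exc:
        return str(exc)

if __name__ == "__main__":
    good = build_response(0x1234, "www.election.gov.uk", ["192.0.2.10"], ad=True)
    print(validate_response(good, 0x1234, "www.election.gov.uk"))
    unauth = build_response(0x1234, "www.election.gov.uk", ["192.0.2.10"], ad=False)
    print(rejection_reason(unauth, 0x1234, "www.election.gov.uk"))
```

A resolver library that applies these checks refuses an unauthenticated or mismatched reply instead of silently trusting it, which is the behaviour the paragraph says most client libraries lacked at the time.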
There is currently a vulnerability to attacks on network traffic routers using Simple Network Management Protocol (SNMP) (Lemos, 2002b). If SNMP version 3 (or above) comes to be used by at least 90% of installed routers in the UK, and no serious vulnerabilities are discovered with SNMP version 3, SNMP attacks on routers need no longer be seen as a barrier to internet voting (although other barriers may remain).
Even if much of the network can be made in principle secure, it seems that client end problems will still be a potential problem for SOME voters for many years.

Conclusions on Internet based solutions
In the eyes of some experienced commentators, “interfacing to the Internet could be, in itself, considered to constitute a security breach, in that wide attack and monitoring opportunities are provided that would not be possible with individual DRE [voting machine] kiosks, or in a closed network setting” (Mercuri, 2001, p34).
Despite this, it is logically possible for internet voting to be made suitably secure for use as the mainstream means of voting in a UK general election. However, the cost of achieving such security (including the time costs to voters), suggests that other options are much more likely to be fruitful as the mainstream method of electronic voting for the next few general elections. It may be worthwhile continuing to investigate internet voting for the longer term future.

Collecting and Processing Centres
In order to be resilient in the face of attempted denial of service attacks (DoS), the electronic voting system needs to avoid being vulnerable to single points of failure.
Similarly, reducing the ‘number of eggs in one basket’ would reduce the attractiveness of any single target: thus the collection and processing of votes should take place at very many centres for a general election. Each of these centres will need to be defended against DoS attacks.
However, given that the number of trustworthy people with sufficient technical capabilities is limited, the need for security from internal attacks may place limits on the numbers of counting centres.
Whether connected to the internet or not, to protect against attempts to hack into servers (as well as denial of service attacks) each counting centre needs a good, well configured and well maintained firewall with effective detection and reaction capabilities in addition to the protection capabilities that are normally associated with firewalls(9). If servers that collect votes and pass them on for processing have any connection to the internet (as seems most likely), firewalls will also have to ensure that DoS attacks on the internet connection do not tie up system resources and cause a denial of service for other connections.
The number of counting centres may be limited by the availability of staff capable of competently operating such security systems and servers, however, in no circumstances should more than 10 parliamentary constituencies be dealt with at a single counting centre (and if as many as 10 are dealt with in one centre, the constituencies should be politically mixed, since the chance of the overall result of the election being affected could affect the likelihood of an attack).
A further consideration that strongly suggests that the number of counting centres should be large is the risk of physical disruption. At present to cause significant disruption to a general election would require physical disruption to many counting centres, thus the election is fairly well defended against attacks using physical disruption. The smaller the number of counting centres, the greater the defences of each would need to be.

(9) Unlike many applications of firewalls, the configuration should err on the side of false alarms, since the election period will be short, and the costs of a security breach cannot easily be offset by financial measures.

Shortlist
Thus our shortlist for further study as part of our project was:
1) Polling Location - Polling Official - PC
2) Home - CD-Rom and Floppy - PC
3) Home - Smartcard - DTV
4) Public Space - Smartcard - ATM
5) Anywhere - Smartcard with sound generator - Voice Phone
All would connect to local authority collecting and processing facilities to provide security against hacking.
1-3 would use telephone to communicate but with the potential to use the internet if that route is blocked.
3 can, for households where DTV is Digital Cable, use cable as first choice communications network, using internet as a back-up route.
4 uses the ATM network.
5 uses the phone network with no backup. The smartcard with sound generator would have to be issued to each voter and with the current state of play would be significantly expensive.

Capability Analysis
The five options are compared in this order: 1 Polling Place | 2 Home PC | 3 Home DTV | 4 ATM | 5 Phone with sound generator. Each row below gives the five assessments in that order, separated by " | ".

Individual cluster
  Safety: Adequate | Adequate | Adequate | Worst | Adequate
  Privacy: Best | Better on protecting minorities from identification; worse on workplace monitoring (esp. SME) and at protecting from pressure within the home | Worse at protecting from pressure within the home | Adequate | Adequate
  Cost: Travel cost only | Worst | Best, excluding TV licence cost | Travel cost only | Best if smartcard provided free
  Anonymity: Adequate | Adequate | Adequate | Adequate | Adequate

System cluster
  Usability: Best, because multiple interfaces available and complexity handled by official | Worst for mainstream voters (complex), but could enable multiple interfaces | Good: various interfaces available, complexity handled by software | Fairly good for mainstream voters, but little choice of interface | Worst for mainstream voters (no visible interface)
  Access: Distance; stops personation by family | May not have PC with phone access in the home | 1 Best, but may not have TV / nearby telephone socket | Distance (not as good as supervised polling location) | 2 More than adequate
  Performance: Best: can specify good enough | Worst: has to run on ageing machines | Adequate | Adequate | Poor: risk that technology may be too innovative

Outcome cluster
  Misuse: Better defence against personation | Adequate | Adequate | Adequate | Adequate
  Audit: Best | Adequate | Adequate | Good | Adequate

Data cluster
  Integrity: Back-up procedure for system failures | Adequate | Adequate | Adequate | Adequate
  Security: Best | Adequate | Adequate | Best | Adequate

Context cluster
  Environment: 1 Best | 3 Fair | 4 Adequate | 2 Good | 5 Worst
  Attitude: Issues may differ if ‘off the shelf’ solutions are used; also need to ensure adequate | Ensure adequate | Ensure adequate | Ensure adequate | Ensure adequate

Notes: Improves on current polling station in that voters can vote from any polling station and multiple interfaces are available; may be possible to have more polling stations than at present, including abroad | DTV preferred for cost, usability, access, performance | Preferred solution for voting at home | Safety concern may be sufficient to exclude | Usability of the interface and innovative technology suggest other solutions should be preferred

Conclusions
Account should be taken of the key actions outlined above.
Voting from unsupervised locations should not be introduced without a public debate informed by the gathering and dissemination of expert opinion about acceptable levels of privacy and secrecy.
It is quite plausible that whatever is done to protect the election from attacks on software distributed to voters or to prevent such attacks, the first election at which such programs are widely distributed will suffer some disruption: the best that can be hoped for is that relatively few people will be voting electronically, and thus that the problems caused will be minor.

Servers
Defending against attempts to cause biased software to be used requires the source code of programs used to be openly available. There should be a legal requirement that authoritative results cannot arise without open source code. There is an element of tension here with the desire to prevent hacking and viruses, in that openly available source code would be more vulnerable to such attacks than equally well tested bespoke source code that remained confidential. However, attempts to widely distribute programs while keeping them sufficiently confidential to prevent hacking repeatedly fail as ‘tamper-proof’ devices are tampered with and programs are reverse engineered by hackers.
Thorough testing of software by paid experts is essential, although open source software should additionally allow leveraging the expertise of the wider security community.

Openly available source code for programs run on servers would, despite advantages in other respects, be more vulnerable to hacking attacks than equally well tested bespoke source code that remained confidential (unlike voter-end software, there is a reasonable chance that server software could remain confidential). For each counting centre, there should, thus, be at least two sets of servers, one running open source code and the other running separately developed programs with confidential code. If the results differ, an investigation should be made into the origin of the difference. If there was evidence of hacking of the system with open source code, before the system with confidential code could be accepted as giving a result that overrode the result from the open source system, the source code of the previously confidential system should be opened to inspection(10).
To minimise the risk of physical attacks on counting centres, parallel systems should be in separate locations for each (logical) counting centre. There will be a need for those charged with the operation of servers to have a thorough concern for security: if they are operated by local authorities, there may be a need for a programme of security education for relevant local authority staff.

(10) With a sufficient minimum time for inspection being specified by law, so that a result could not be declared until there had been sufficient opportunity to ensure that the previously confidential code was fair and accurate.
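The reconciliation step between the open source and confidential server systems, as an added example that is not part of the original report. It assumes each system emits, per logical counting centre, a list of (anonymous ballot receipt id, recorded choice) records; the receipt ids are an assumption here, chosen so that a difference can be localised without capturing any voter profile. Comparing at ballot level rather than totals alone matters because two compensating alterations leave the totals unchanged. The sample records are constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Reconciliation:
    agreed: bool
    tally_differences: dict    # candidate -> (open-source count, confidential count)
    only_in_open: set          # receipt ids the confidential system never recorded
    only_in_confidential: set  # receipt ids the open-source system never recorded
    altered: set               # receipt ids recorded by both with different choices
    action: str

def tally(ballots) -> Counter:
    """ballots: iterable of (anonymous_receipt_id, choice). Per-candidate counts."""
    return Counter(choice for _, choice in ballots)

def reconcile(open_ballots, confidential_ballots) -> Reconciliation:
    """Compare the two independently developed systems' records for one logical
    counting centre. A result is declarable only when they agree completely."""
    open_t, conf_t = tally(open_ballots), tally(confidential_ballots)
    diffs = {c: (open_t[c], conf_t[c]) for c in sorted(set(open_t) | set(conf_t))
             if open_t[c] != conf_t[c]}
    open_map, conf_map = dict(open_ballots), dict(confidential_ballots)
    only_open = set(open_map) - set(conf_map)
    only_conf = set(conf_map) - set(open_map)
    altered = {b for b in set(open_map) & set(conf_map) if open_map[b] != conf_map[b]}
    if not (diffs or only_open or only_conf or altered):
        return Reconciliation(True, {}, set(), set(), set(),
                              "systems agree: result may be declared")
    if altered:
        # Same ballots, different contents: the strongest tampering signal.
        action = ("same ballots recorded with different contents: suspect tampering or a "
                  "tallying defect; no declaration until the confidential source has been "
                  "opened and inspected for the legally specified minimum period")
    else:
        # Ballots seen by one system only point at transport loss, not tallying.
        action = ("ballots recorded by one system only: check for dropped connections or "
                  "lost transfers before any declaration")
    return Reconciliation(False, diffs, only_open, only_conf, altered, action)

# Constructed sample records (not real election data): one altered ballot, r-0003.
OPEN_RECORDS = [("r-0001", "Candidate A"), ("r-0002", "Candidate B"),
                ("r-0003", "Candidate A"), ("r-0004", "Candidate C")]
CONFIDENTIAL_RECORDS = [("r-0001", "Candidate A"), ("r-0002", "Candidate B"),
                        ("r-0003", "Candidate B"), ("r-0004", "Candidate C")]

if __name__ == "__main__":
    print(reconcile(OPEN_RECORDS, CONFIDENTIAL_RECORDS))
```

Running the two systems in separate physical locations, as the next paragraph recommends, means this comparison is also the point at which a physical or network disruption of one site becomes visible as a set of receipts missing from only one side.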

Supply
There is also a need for substantial procedures to ensure that the programs actually run on servers and distributed to voters or polling places are unmodified instantiations of these open source programs, where “The compiler used to generate the object code must be available, and all hardware specifications must be revealed, down to the chip level” (Mercuri, 2001, p48).
There will be a need to ensure that there is adequate security within those suppliers who are charged with enabling the delivery of software and identifiers to voters (whether transmitting software to the voting point or producing physical carriers of the identifiers, and if applicable, software for delivery), and servers. There is also a need for testing to verify that no undetected changes of the software have been made: a sample of voter-side software and all server software should be tested in this way.
System design methodologies must embrace social impact: ‘off the shelf’ commercial design methodologies as implemented by major contractors can be expected to be inappropriate.
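One concrete form of the "unmodified instantiation" check described in this section, as an added example that is not part of the original report: the published source is rebuilt with the disclosed compiler into a reference build, a manifest of SHA-256 digests is produced from it, and every deployed server (and a sample of voter-side media) is compared against that manifest, reporting files that are missing, modified or not in the reference at all. The file names and contents below are constructed placeholders; a real manifest would itself be signed and published alongside the source.

```python
import hashlib

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(reference_build: dict) -> dict:
    """reference_build: path -> bytes, as produced by rebuilding the published source
    with the disclosed compiler. Returns path -> SHA-256 digest for publication."""
    return {path: sha256_hex(data) for path, data in reference_build.items()}

def verify_deployment(manifest: dict, deployed: dict) -> dict:
    """Compare an installed tree (path -> bytes) against the manifest.
    Returns findings grouped as 'missing', 'modified' and 'unexpected';
    an empty dict means the deployment is an unmodified instance of the reference."""
    findings = {}
    for path, expected_digest in manifest.items():
        if path not in deployed:
            findings.setdefault("missing", []).append(path)
        elif sha256_hex(deployed[path]) != expected_digest:
            findings.setdefault("modified", []).append(path)
    for path in deployed:
        if path not in manifest:
            # Anything not produced by the reference build must be accounted for.
            findings.setdefault("unexpected", []).append(path)
    return {kind: sorted(paths) for kind, paths in findings.items()}

def deployment_is_clean(manifest: dict, deployed: dict) -> bool:
    return verify_deployment(manifest, deployed) == {}

# Constructed reference build (placeholder paths and contents, not a real system).
REFERENCE_BUILD = {
    "bin/tally": b"\x7fELF constructed-tally-binary",
    "bin/collect": b"\x7fELF constructed-collector-binary",
    "etc/counting-centre.conf": b"centre_id=PLACEHOLDER\nmax_constituencies=10\n",
}
MANIFEST = build_manifest(REFERENCE_BUILD)

if __name__ == "__main__":
    tampered = dict(REFERENCE_BUILD)
    tampered["bin/tally"] = REFERENCE_BUILD["bin/tally"] + b"\x90"   # one byte appended
    tampered["bin/debug-hook"] = b"not in the reference build"
    print(verify_deployment(MANIFEST, REFERENCE_BUILD))   # {} when clean
    print(verify_deployment(MANIFEST, tampered))
```

The digests only carry the assurance the section asks for if the reference build is reproducible from the open source, which is why the Mercuri quotation insists on disclosing the compiler and hardware as well.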

Technologies
The two technological solutions that give the greatest promise in the timescales under consideration are

  1. Voting using PCs supervised by polling officials, probably in a wider range of polling places than current polling stations, and where voters can vote from any such polling place in the UK (or overseas, where they are set up). Such polling places would use telephones(11) to communicate but with the potential to use the internet if that route is blocked.
  2. If the public debate about privacy and secrecy in voting from unsupervised locations concludes that such a technological solution is acceptable, voting from home using digital television, with primary identification being by inserting a smartcard produced for that particular election. For households where DTV is digital cable, the cable network should be used as the first choice communications network, using the internet as a back-up route. For other DTV systems the telephone system would be the means to conduct the voting transaction, but with the potential to use the internet if that route is blocked at a point distant from the house.

In the longer term the internet may show potential, but a number of key hurdles outlined in the report need to be overcome.
Whatever technology is used to send electronic votes, they would connect to local collecting and processing facilities to provide security for the overall election.
Generally, the only way to be sure that a system is secure is that many people have tried a wide range of attacks against it, and it has withstood them. Electronic voting should thus be introduced gradually. As a further safeguard, we would recommend that electronic voting initially only be introduced in constituencies where the consent of all the parties that have stood in either of the last two general elections has been obtained.

(11) Land line where available, or mobile telephones, with handsets for alternative mobile telephone networks available as a back-up for the local connection.

References:
  • Bolton MBC, 2000 “Evaluation of Pilot Election Schemes”, online at http://www.elections.dtlr.gov.uk/pilot/pdf/evalbolt.pdf, accessed 26.02.2002.
  • Burnham, David, 1985 “Vote by Computer: Some See Problems”, New York Times, 21.08.1985, as quoted in Mercuri, 2001, p92.
  • Butler, David and Kavanagh, Dennis, 1992 The British General Election of 1992 (Basingstoke: Macmillan).
  • California Internet Voting Task Force, 2000 A Report on the Feasibility of Internet Voting (Sacramento, CA: Secretary of State, State of California), online at http://www.ss.ca.gov/executive/ivote/final_report.htm, accessed 31.01.2002.
  • Coleman, Stephen et al, 2002 Elections in the 21st Century: from paper ballot to evoting. Report of the Independent Commission on Alternative Voting Methods (London: Electoral Reform Society).
  • F-Secure, 2001 “F-Secure Virus Descriptions: BadTrans.B”, online at http://www.europe.fsecure.com/v-descs/badtrs_b.shtml, accessed 24.01.2002.
  • Graham, Paul, 2002 “Online defences”, pp8-9 in Local Government Chronicle Special Supplement on Electronic Government, January 2002.
  • Internet Policy Institute, 2001 Report of the National Workshop on Internet Voting: Issues and Research Agenda, online at http://www.netvoting.org/Resources/InternetVotingReport.pdf, accessed 31.01.2002.
  • Judge, Peter, 2002 “.Net vote rigging illustrates importance of Web services”, online at http://news.zdnet.co.uk/story/0,,t269-s2102244,00.html, accessed 01.02.2002.
  • Lemos, Robert, 2002a “Data on Internet threats still out cold”, online at http://news.com.com/2100-1001-819521.html, accessed 28.01.2002.
  • Lemos, Robert, 2002b “Flaws in common software threaten Net”, online at http://news.com.com/2100-1001-835602.html, accessed 13.02.2002.
  • Mercuri, Rebecca, 2001 Electronic Vote Tabulation: Checks and Balances, PhD thesis, University of Pennsylvania.
  • Mohen, Joe, 2000 (CEO, election.com) as quoted in Wall Street Journal, “Election.com Aims to Revolutionize The Voting Process With Online Ballots”, 08.05.2000.
  • Nu.nl, 2001 “Internetstemmen voor gemeentenaam stopt na fraude”, online at http://nu.nl/document?n=44479&___cookie2__=S1012231513707873, accessed 28.01.2002.
  • O’Neill, Tip, with Novak, William, 1987 Man of the House (Random House), as quoted in Mercuri, 2001, p91.
  • Schneider, Fred B. (ed), 1999 Trust in Cyberspace (Washington, DC: National Academy of Sciences), online at http://bob.nap.edu/html/trust/trust-4.htm, accessed 31.1.2001.
  • Schneier, Bruce, 2000 Secrets and Lies (Wiley).

Appendix - Electronic Voting Options Taxonomy: full listing

LOCATION | AUTHENTICATION | INTERFACE | CONDUIT
work | cd rom and floppy disk | pc | internet
work | cd rom and floppy disk | pc | telephone
work | password/pin | pc | internet
work | password/pin | pc | telephone
work | password/pin | wap/3G | internet
work | password/pin | voice phone | telephone
work | smartcard with sound generator | voice phone | telephone
polling station/supervised polling place | cd rom | pc | internet
polling station/supervised polling place | cd rom | pc | physical transfer
polling station/supervised polling place | cd rom | pc | telephone
polling station/supervised polling place | cd rom | pc | FCO network (from overseas)
polling station/supervised polling place | polling official | pc | internet
polling station/supervised polling place | polling official | pc | physical transfer
polling station/supervised polling place | polling official | pc | telephone
polling station/supervised polling place | polling official | pc | FCO network (from overseas)
polling station/supervised polling place | polling official | electronic voting machine | physical transfer
polling station/supervised polling place | polling official | electronic voting machine | FCO network (from overseas)
polling station/supervised polling place | biometrics | pc | internet
polling station/supervised polling place | biometrics | pc | physical transfer
polling station/supervised polling place | biometrics | pc | FCO network (from overseas)
polling station/supervised polling place | biometrics | pc | physical transfer
polling station/supervised polling place | biometrics | electronic voting machine | FCO network (from overseas)
polling station/supervised polling place | biometrics | electronic voting machine | internet
polling station/supervised polling place | password/pin | pc | physical transfer
polling station/supervised polling place | password/pin | pc | telephone
polling station/supervised polling place | password/pin | pc | FCO network (from overseas)
polling station/supervised polling place | password/pin | pc | telephone
polling station/supervised polling place | smartcard | pc | internet
polling station/supervised polling place | smartcard | pc | physical transfer
polling station/supervised polling place | smartcard | pc | telephone
polling station/supervised polling place | smartcard | pc | FCO network (from overseas)
home | cd rom and floppy disk | pc | internet
home | cd rom and floppy disk | pc | telephone
home | password/pin | pc | internet
home | password/pin | pc | telephone
home | password/pin | wap/3G | internet
home | password/pin | voice phone | telephone
home | smartcard with sound generator | voice phone | telephone
home | password/pin | digital TV | internet
home | password/pin | digital TV | telephone
home | password/pin | digital TV | cable
home | smartcard | digital TV | internet
home | smartcard | digital TV | telephone
home | smartcard | digital TV | cable
public space | biometrics | ATM | ATM network
public space | password/pin | voice phone | telephone
public space | smartcard with sound generator | voice phone | telephone
public space | password/pin | ATM | ATM network
public space | smartcard | ATM | ATM network
public space | password/pin | lottery ticket | lottery network

All could be connected to national, regional, or local, collection and processing facilities (except that physical transfer would have to be to local facilities)
This leads to 136 combinations (approx), some of which may be used by some voters in the same election as other voters use other combinations.

(c) Fairweather and Rogerson, 2002
