Security Requirements in Electronic Voting

Voting is one of the most vexing security arenas there is; be wary of anyone who claims the problem is simple. A number of issues make voting far more challenging than more traditional security domains such as the financial industry and the military. Predominant among them are the principles of ballot secrecy, vote integrity, and mutual suspicion.

Ballot Secrecy

The secret ballot is a cornerstone of democracy. Voting in secret prevents manipulation of elections by means of vote buying or voter coercion. In technology terms, it means that no information shall link the voter to the record of their ballot. This requirement makes the other security requirements harder to achieve: without it, election administrators could simply publish a list of every voter and how they voted, and each voter could check that the published vote matches the vote they cast. Such a scheme, however, permits vote buying and coercion, which are antithetical to democratic principles.

Vote Integrity

As a security term, integrity means the assurance that a data item is unchanged since it was created, that is, that it has not been tampered with or modified. If a vote is recorded without integrity protections, the final tally is suspect, since the vote could have been changed anywhere along the way.

The integrity of recorded votes can be assured through measures that fall into two broad categories. The first attempts to prevent modification of votes: physical protection of the devices that store votes, discretionary access controls, and minimizing the privilege of applications and users. The second detects when integrity has been violated, chiefly cryptographic protection of the data (a message authentication code or digital signature over each record); this cannot stop a modification, but it makes the modification evident when the records are audited.
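The following is a worked example added to this page; it is not code from the original text or from any real voting system. It shows the second category, detection: each recorded ballot carries a random ballot id rather than any voter identifier (so the store itself does not break ballot secrecy), and an HMAC-SHA256 tag computed over the previous record's tag plus the record, so that modifying, reordering or deleting a record is detected when the chain is recomputed. A seal over the final chain head, kept apart from the records, catches records appended or dropped at the end. The key, the record layout and the function names are all assumptions made for the example.

```python
import hashlib
import hmac
import json
import secrets

# Assumed integrity key. In a real system it would live in an HSM or be
# split among officials; a key held by a single administrator lets that
# administrator re-tag modified records (see Mutual Suspicion below).
INTEGRITY_KEY = b"demo-integrity-key-not-for-production"

GENESIS = b"\x00" * 32  # chain anchor before the first record


def canonical(ballot_id, choices):
    """Deterministic byte encoding of a ballot record, so the tag is computed
    over exactly the same bytes at cast time and at audit time."""
    record = {"ballot_id": ballot_id, "choices": choices}
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_tag(key, prev_tag, ballot_id, choices):
    """HMAC-SHA256 over the previous tag plus this record: changing, removing
    or reordering any earlier record changes every later tag."""
    return hmac.new(key, prev_tag + canonical(ballot_id, choices), hashlib.sha256).digest()


class BallotStore:
    """Append-only ballot store with a keyed hash chain.

    A record holds a random ballot id (not a voter id, so the store never
    links voter to ballot), the voter's choices, and the chain tag.
    """

    def __init__(self, key=INTEGRITY_KEY):
        self.key = key
        self.records = []
        self.last_tag = GENESIS

    def cast(self, choices):
        ballot_id = secrets.token_hex(8)
        tag = record_tag(self.key, self.last_tag, ballot_id, choices)
        self.records.append({"ballot_id": ballot_id, "choices": dict(choices), "tag": tag.hex()})
        self.last_tag = tag
        return ballot_id

    def seal(self):
        """Chain head at close of polls. Stored or published separately from
        the records so that appending or truncating records is detectable."""
        return self.last_tag.hex()


def verify_chain(key, records, seal_hex):
    """Recompute the chain over `records`.

    Returns (True, None) if every tag verifies and the head matches the seal;
    (False, i) where i is the index of the first record whose tag fails; or
    (False, len(records)) if all tags verify but the head differs from the
    seal, i.e. records were appended or dropped at the end."""
    prev = GENESIS
    for i, r in enumerate(records):
        expected = record_tag(key, prev, r["ballot_id"], r["choices"])
        if not hmac.compare_digest(expected.hex(), r["tag"]):
            return False, i
        prev = expected
    if not hmac.compare_digest(prev.hex(), seal_hex):
        return False, len(records)
    return True, None


def tally(records):
    """Count choices per contest; meaningful only after verify_chain passes."""
    counts = {}
    for r in records:
        for contest, choice in r["choices"].items():
            per_contest = counts.setdefault(contest, {})
            per_contest[choice] = per_contest.get(choice, 0) + 1
    return counts


if __name__ == "__main__":
    store = BallotStore()
    for choices in ({"mayor": "A"}, {"mayor": "B"}, {"mayor": "A"}):  # constructed sample ballots
        store.cast(choices)
    seal = store.seal()
    print("clean:", verify_chain(INTEGRITY_KEY, store.records, seal), tally(store.records))
    altered = [dict(r) for r in store.records]
    altered[1] = dict(altered[1], choices={"mayor": "A"})
    print("altered record 1:", verify_chain(INTEGRITY_KEY, altered, seal))
```

Note the limitation of a MAC here: anyone holding INTEGRITY_KEY can alter a record and recompute every later tag, so a single administrator with the key is not constrained by it. Under the mutual suspicion requirement the verification capability should be separated from the signing capability (a digital signature whose public key observers hold) and the seal should be handed to observers from more than one party at close of polls.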

Mutual Suspicion

In many security domains there are trusted agents who are assumed not to attempt to subvert the system. In Common Criteria protection profiles, for example, you often find an assumption labeled NO_EVIL_ADMIN, which means that to satisfy the security claims for the product you must assume its administrators are trustworthy; if they are not, the claims generally cannot be satisfied. This approach is not satisfactory in the voting arena.

Elections are administered by representatives of local governments, who are often themselves elected or appointed by elected officials. This is a conflict of interest that can undermine the public's trust in the overall system. A well-designed electronic voting system therefore applies separation of duties so that no single individual can manipulate the system, and audits all actions so that attempts to attack the system can be detected and the attackers held accountable.
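As an added example (not code from the original page or from any real election system), the console below enforces a two-person rule on privileged actions: an action runs only after approval by two distinct officials holding different roles, and every attempt, whether pending, denied or executed, is appended to an audit log. The action names, role labels and class name are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Official:
    name: str
    role: str  # assumed role labels, e.g. "clerk", "judge_party_a", "judge_party_b"


class TwoPersonConsole:
    """Privileged election actions need approval from two distinct officials
    holding different roles; every attempt, granted or not, is appended to
    an audit log. Action names and roles are assumed for illustration."""

    # Actions that no single official may carry out alone.
    PROTECTED = {"open_polls", "close_polls", "export_results", "reset_tally"}

    def __init__(self):
        self.audit = []    # append-only: one entry per attempt
        self.pending = {}  # action -> Official who gave the first approval
        self.state = {"polls_open": False, "results_exported": False}

    def _log(self, action, official, outcome, reason):
        self.audit.append({
            "seq": len(self.audit),
            "action": action,
            "by": official.name,
            "role": official.role,
            "outcome": outcome,
            "reason": reason,
        })

    def approve(self, action, official):
        """Record one official's approval. Returns True only when this
        approval completes the two-person requirement and the action runs."""
        if action not in self.PROTECTED:
            self._log(action, official, "denied", "unknown action")
            return False
        first = self.pending.get(action)
        if first is None:
            self.pending[action] = official
            self._log(action, official, "pending", "first approval recorded")
            return False
        if first.name == official.name:
            self._log(action, official, "denied", "same official cannot approve twice")
            return False
        if first.role == official.role:
            self._log(action, official, "denied", "second approver must hold a different role")
            return False
        del self.pending[action]
        self._execute(action)
        self._log(action, official, "executed", "co-approved by " + first.name)
        return True

    def _execute(self, action):
        if action == "open_polls":
            self.state["polls_open"] = True
        elif action == "close_polls":
            self.state["polls_open"] = False
        elif action == "export_results":
            self.state["results_exported"] = True
        elif action == "reset_tally":
            self.state["results_exported"] = False


if __name__ == "__main__":
    console = TwoPersonConsole()
    clerk = Official("alice", "clerk")
    judge = Official("bob", "judge_party_b")
    console.approve("open_polls", clerk)
    console.approve("open_polls", clerk)  # denied: same person
    console.approve("open_polls", judge)  # executed
    for entry in console.audit:
        print(entry)
```

The audit log only supports accountability if the officials it records cannot edit it, so in practice it must be written to append-only or write-once storage and protected with the cryptographic integrity measures described under Vote Integrity; a log that an administrator can rewrite defeats the purpose of the separation of duties it documents.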
