Voting as a security problem
Voting is one of the most vexing security arenas there is, and beware of anyone who tries to simplify the problem. A number of core issues make voting much more challenging than more traditional security domains such as the financial industry and the military. Predominant among these issues are the principles of ballot secrecy, vote integrity, and mutual suspicion.
Ballot Secrecy
The secret ballot is a cornerstone of democracy. Voting in secret prevents manipulation of elections by means of vote buying or voter coercion. In technology terms, it means that no information shall link the voter to the record of their ballot.
Vote Integrity
As a security term, integrity simply means the assurance that a data item is unchanged, and thus that it has not been tampered with or modified. If a vote is recorded without integrity protections, the final tally is suspect since it could have been changed along the way.
Mutual Suspicion
In many security domains there are trusted agents who are assumed not to attempt to subvert the system. In Common Criteria protection profiles you often find an assumption labeled “NO_EVIL_ADMIN”, which simply means that to satisfy the security claims for the product you must assume that the administrators of the product are trusted; if they are not trusted, in most cases you cannot satisfy those security claims at all. This approach is not satisfactory in the voting arena.
After the jump, a comparison to the security requirements in the financial industry, particularly ATMs.
Consider the ATM.
Doesn’t this guy look happy with his ATM?

An ATM is a holder of valuable things, so why shouldn’t an ATM manufacturer be able to build a perfect voting machine? Because an ATM has a very different security profile from a voting machine.
Trust
- You trust your bank. If you don’t trust them, why did you give them your money, hmm?
- Your bank, however, does not and should not trust you. Nothing against you in particular, but I do not want to put my money in a bank that will then give that money to just anyone who claims to be me.
Privacy
- When you interact with an ATM you have no expectation of privacy whatsoever. You have the opposite of privacy: you are authenticated via PIN and possession of a magnetic stripe card, and your picture is taken, for your convenience and protection. This reduces the possibility of fraud.
Failure
- If an ATM breaks while you are using it, you don’t lose anything. Sometimes you even get free cash (rarely do you hit this jackpot, however).
Voting
Voting, of course, shares none of the above properties.
Trust
- While the elections administration process must be well designed and trusted, the elections administrators need not be. http://www.youtube.com/watch?v=hHL_YMBolRs is a video of elections administrators acting in a very secretive manner. To be very clear, I am not implying anything about the motives of the elections administrators. However, suspicion is inevitable when questions about the chain of custody of ballots are answered so incompletely. A system that could prevent such suspicion through enforcement of separation of duties, auditing, and self-protection mechanisms would be greatly preferred.
- Similarly, manufacturers are often not trusted. This is a topic for another post.
- Accreditation labs need not be trusted either. The scenario of an accreditation lab colluding with a manufacturer is particularly worrisome, in fact.
- Aside from voters during the act of voting, nobody can be truly trusted.
Privacy
- Voters must not be authenticated at the vote capture device. They must certainly identify themselves to poll workers, and the laws for how that is done are rightly established locally and are outside the scope of technology to enforce. Voters are granted role-based authorization tokens (a token shows only that its holder is entitled to cast one ballot, not who the holder is), and their identity does not get recorded in any way by the system. This limits the accountability mechanisms that could otherwise be used to detect and prevent attempted fraud.
Failure
- If a voting machine fails, the votes stored on it must not be lost.
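The three voting properties above (secrecy, integrity, and survival of failure) pull against each other, and it helps to see them in one place. The following is an added example, not code from the original post or from any voting product: a hypothetical `PollBook` that hands out one-time random tokens without ever recording which voter got which token, a hypothetical `VoteCaptureDevice` that stores each ballot under a random record id with an HMAC tag in an append-only, fsync'd file, and a `tally` that verifies every record and cross-checks the record count against the poll book. The key handling, the on-disk line format, and the voters and choices in `run_demo` are all constructed for this illustration.

```python
import hashlib
import hmac
import os
import secrets
import tempfile
from collections import Counter

class PollBook:
    """Poll-worker side (hypothetical): checks voters in and issues one-time anonymous tokens."""
    def __init__(self):
        self.checked_in = set()   # voter identifiers already served
        self.outstanding = set()  # tokens issued but not yet spent; never paired with a voter

    def check_in(self, voter_id):
        if voter_id in self.checked_in:
            raise PermissionError(f"{voter_id} has already checked in")
        self.checked_in.add(voter_id)
        token = secrets.token_hex(16)  # random, so nothing ties it to voter_id
        self.outstanding.add(token)
        return token

    def redeem(self, token):
        """Spend a token; False if it is unknown or already spent."""
        if token not in self.outstanding:
            return False
        self.outstanding.discard(token)
        return True

class VoteCaptureDevice:
    """Vote-capture side (hypothetical): ballots go to an append-only, fsync'd file, one HMAC tag each."""
    def __init__(self, path, mac_key):
        self.path, self.mac_key = path, mac_key
        open(self.path, "a").close()  # create the store if it does not exist yet
        list(self.records())          # on (re)start, replay and verify what is on disk

    def _tag(self, rec_id, choice):
        return hmac.new(self.mac_key, rec_id + b"\0" + choice.encode(), hashlib.sha256).hexdigest()

    def cast(self, pollbook, token, choice):
        if not pollbook.redeem(token):
            raise PermissionError("token is not valid for voting")
        rec_id = secrets.token_bytes(16)  # random id: no voter, no timestamp, no sequence number
        with open(self.path, "a") as f:
            f.write(f"{rec_id.hex()} {choice} {self._tag(rec_id, choice)}\n")
            f.flush()
            os.fsync(f.fileno())  # durable before the voter is told "recorded"

    def records(self):
        """Yield (rec_id, choice) for verified records; raise on an altered, malformed or replayed one."""
        seen = set()
        with open(self.path) as f:
            for n, line in enumerate(f, 1):
                rec_hex, choice, tag = line.split()  # assumes choices contain no whitespace
                rec_id = bytes.fromhex(rec_hex)
                if not hmac.compare_digest(tag, self._tag(rec_id, choice)):
                    raise ValueError(f"record {n}: tag mismatch, record altered")
                if rec_id in seen:
                    raise ValueError(f"record {n}: duplicate record id, record replayed")
                seen.add(rec_id)
                yield rec_id, choice

def tally(device, pollbook):
    """Count verified ballots; cross-check the count against the poll book to notice deletions."""
    recs = list(device.records())
    spent = len(pollbook.checked_in) - len(pollbook.outstanding)
    if len(recs) != spent:
        raise ValueError(f"{len(recs)} ballots on device, {spent} tokens spent")
    # Only aggregate counts leave the device: file order approximates check-in order.
    return dict(Counter(choice for _, choice in recs))

def run_demo(path=None):
    """Constructed scenario: three voters, a reused token, a simulated crash, an altered record."""
    if path is None:
        fd, path = tempfile.mkstemp()
        os.close(fd)
    key = secrets.token_bytes(32)  # constructed per-run MAC key
    book, dev = PollBook(), VoteCaptureDevice(path, key)
    tok = book.check_in("alice")
    dev.cast(book, tok, "A")
    dev.cast(book, book.check_in("bob"), "B")
    dev.cast(book, book.check_in("carol"), "A")
    out = {"tally": tally(dev, book)}
    out["reuse_rejected"] = not book.redeem(tok)  # the same token presented again
    recovered = VoteCaptureDevice(path, key)  # simulated device failure: only the file survives
    out["after_crash"] = tally(recovered, book)
    with open(path) as f:
        lines = f.read().splitlines()
    rec, choice, tag = lines[0].split()
    lines[0] = f"{rec} {'B' if choice == 'A' else 'A'} {tag}"  # flip one stored choice
    with open(path, "w") as f:
        f.write("\n".join(lines) + "\n")
    try:
        tally(recovered, book)
        out["tamper_detected"] = False
    except ValueError:
        out["tamper_detected"] = True
    os.remove(path)
    return out
```

Two caveats belong next to this sketch. The device holds the HMAC key, so a subverted device can forge or rewrite records with valid tags; the tag defends against tampering in storage or transit, not against the device itself, which is exactly the mutual-suspicion point made above. And although no record carries a voter, timestamp or sequence number, the physical order of lines in the file still approximates check-in order, so the raw file must never be published alongside the poll book.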