Voting is one of the most vexing security arenas to be found; beware of those who try to simplify the problem. A number of core issues make voting much more challenging than more traditional security domains such as the financial industry and the military. Predominant among these issues are the principles of ballot secrecy, vote integrity, and mutual suspicion.
Ballot Secrecy
The secret ballot is a cornerstone of democracy. Voting in secret prevents manipulation of elections by means of vote buying or voter coercion. In technology terms, it means that no information shall link the voter to the record of their ballot.
Vote Integrity
As a security term, integrity simply means the assurance that a data item is unchanged, and thus that it has not been tampered with or modified. If a vote is recorded without integrity protections, the final tally is suspect since it could have been changed along the way.
Mutual Suspicion
In many security domains there are trusted agents who are assumed not to attempt to subvert the system. In Common Criteria protection profiles you often find an assumption labeled “NO_EVIL_ADMIN”, which simply means that to satisfy the security claims for the product you must assume that the administrators of the product are trusted; if they are not trusted, you cannot satisfy those security claims in most cases. This approach is not satisfactory in the voting arena.
After the jump, a comparison to the security requirements in the financial industry, particularly ATMs.