E-Voting Systems Security Issues

Transcription

1 E-Voting Systems Security Issues 1 Abdalla Al-Ameen, 2 Samani A. Talab 1, Deanship of the Preparatory Year,Al Jouf University, Al Jouf, Kingdom of Saudi Arabia, Abda711_su@hotmail.com *2, Department of Information Technology University of Neelain, Khartoum, Sudan, samani_talab@hotmail.com Abstract In the digital age, democratic systems increasingly resort to technology to support, compliment, or even transform political processes. The growing use of various electronic means in elections reflects the general tendency of increased digitalization, greater outreach, and enhanced mobility in our societies. However, the challenges are considerable. If not carefully planned and designed, e-voting can undermine the confidence in the whole electoral process. The main task of this paper is to introduce the idea of electronic voting systems. This paper outlines the different ways in which voters can vote. We summarize the different phases and the main actors of E-voting systems. We discuss the importance of security in E-Voting systems. We identify the reasons for the growing interest in e-voting in some countries. This paper observes the requirements and the concepts of e-voting system. The focus of this paper leans on the vulnerabilities that may affect e-voting system. We end with our opinion about technical feasibility of electronic voting systems. 1. Introduction Keywords: E-voting system, security, attack. Election is a process in which voters choose their representatives and express their preferences for the way that they will be governed. Correctness, robustness to fraudulent behaviors, coherence, consistency, security, and transparency of voting are all key requirements for the integrity of an election process. There is a wide variety of different voting systems that are based on traditional paper ballots, mechanical devices, or electronic ballots [21]. In the traditional paper ballots, voters choose or mark their favorite choices on ballots and place them in boxes, which are sealed and officially opened under special conditions to warrant transparency. The ballots are then counted manually, which is a tedious process that is subject to human error. With voting via mechanical systems, meanwhile, voters make their choices by pulling down on mechanical levers that correspond to their favorite choice of candidates. Each lever has a mechanical counter that reports the number of votes for that position. These machines are no longer manufactured [21]. On the other hand, some systems use punch cards where voters punch holes in computer readable ballot cards. These systems are not reliable because of problems in reading cards and have been replaced by optical scan device systems, which allow voters to record choices by filling in areas on the ballots. The ballots are read using a computer scanner and then the votes are counted automatically using a computer program [21]. Finally, special-purpose computers are used as voting machines where voters use touch screens or push buttons to select choices, which are stored and counted or processed by a special program on the same machine [21]. However, counting errors have been occurred in this process, and in some cases, voters find ways to vote more than once, introducing irregularities in the final count results, which could, in rare cases, require a repeat of the election process altogether! Moreover, in some countries, purposely introduced manipulation of the votes takes place to distort the results of an election in favour of certain candidates [18]. Although such mishaps can be avoided with a properly scrutinized election process, errors can still occur, especially when the number of voters is quite large. Quite often, international monitoring bodies are required to monitor elections in certain countries. International Journal of Networked Computing and Advanced Information Management(IJNCM) Volume3, Number1,April 2013 doi: /ijncm.vol3.issue1.4 25

2 Exhaustive studies have shown that electronic voting, if carefully designed, enhances polling and votes security, confidentiality, sincerity and increased cost savings on reduced manpower, logistical materials and tools, and, above all, instant analysis and reporting. Electronic voting further enhances accuracy of all valid votes and final outcome, permits voting once for only eligible voters, allows independent verification of all voters, and improves voters turnaround as it flexibly allows a voter to login and vote from any workstation [14]. Therefore, electronic-based voting technologies would expand the reach and range of potential voting population. The rest of this paper is organized as follows. Section II describes the main types of e-voting; section III summarizes the actors and phases of e-voting systems; section IV describes the elements of e-voting systems, section V describes the security issues related to e-voting systems, section VI identifies the reasons for the growing interest in e-voting in some countries. Section VII provides description of generic functionalities and attributes of an e-voting system. It also describes system specific requirements that must be taken into consideration at the design of e-voting system. Section VIII presents primary e-voting system vulnerabilities through two major points: The client-server related security issues and connection related security issues. Section XI describes the secondary e- voting system vulnerabilities through social engineering and digital divide. Finally, section VII gives our opinion about technical feasibility of e-voting. 2. E Voting Systems In the digital age democratic systems increasingly resort to technology to support, compliment, or even transform political processes. The growing use of various electronic means in elections reflects the general tendency of increased modernization, greater outreach, and enhanced mobility in our societies. Electronic voting has been attracting considerable attention during the last years. The interest in e- voting is based on one hand upon interest and attention devoted to e-government, e-democracy, e- governance, etc. On the other hand, interest in e-voting is founded as a result of problems with conventional election systems. The term e-voting is being used from casting the vote by electronic means to asking the internet community for an opinion on a political issue, as well as from tabulating the votes by electronic means to integrated electronic systems from voters and candidates registration to the publication of election results [3]. Other terms, like e-elections and i-voting, have been introduced in order to clarify the specific contents of e-voting. The term "e-voting" should encompass only political elections and referenda, not initiatives or opinion polls or selective citizens participation between elections or referenda (e-consultations) [3]. In general, two main types of e-voting can be identified: e-voting supervised by the physical presence of representatives of governmental or independent electoral authorities, e.g. electronic voting machines at poll sites popularly known as Direct Recording Electronics (DRE), and e-voting within the voter s sole influence (remote e-voting), not physically supervised by representatives of governmental authorities, e.g. voting from one s own or another person s computer via the internet, by mobile phones (including Short Message Service, SMS), or via digital television [17]. By this summary categorization, advance voting of some developed countries at postal offices, or kiosk voting at municipal offices can fall, according to specific circumstances, within both of the above cases. The main focus of this paper is remote internet voting. 3. Overview of e-voting Systems The basic process of any e-voting is almost standard although a wide variety of e-voting systems and protocols exist. Any e-voting system should include these actors [15]: Voter: A voter has the right for voting, and he votes in the election. Registration Authority: Registration authority or authorities register eligible voters before the election days. These authorities ensure that only registered voters can vote, and they vote only once on the election days. Registration authorities may be a registrar, an authenticator, an authoriser, a ballot distributor and/or a key generator. Tallying Authority: The tallying authorities collect the cast votes and tally the results of the election. Tallying authorities may be a counter, a collector and/or a tallier. 26

3 As illustrated in Figure 1, any e-voting system should also involve these four phases: Registration: Voters register themselves to registration authorities, and the list of eligible voters is compiled before the election days. Authentication and Authorisation: On the election days registered voters request ballot or voting privilege from the registration authorities. Registration authorities check the credentials of those attempting to vote and only allow those who are eligible and registered before. Voting: Voters cast their vote. Tallying: The tallying authorities count the votes and announce the election results. E-Voting System Registration Authentication Voting Tallying Figure.1 PHASES OF E-VOTING SYSTEMS 4. Elements of E-Voting System E-voting system can be divided into three main categories: hardware, software, and human factors [7].Therefore, the security-relevant elements are the following: Hardware: Mechanical, electromechanical, and electrical parts. Software: Operating system, drivers, compilers, programs, databases, rules used in the program, procedures and sequences (order of voting events, voting protocol, encryption techniques). Human factors: This category comprises usability, rules, strategies (e.g. information flow, security management), politics, and other diverse aspects such as transparency, acceptance, and trust. All parts of the system have to be considered as equally important in terms of security vulnerabilities. 5. Security problems However, the challenges are considerable. If not carefully planned and designed, e-voting can undermine the confidence in the whole electoral process. The importance of security in elections cannot be overstated. The future of countries, as well as the free world, rests on public confidence that the people have the power to elect their own government. Any process that has the potential to threaten the integrity of the system, or even the perceived integrity of the system, should be treated with the utmost caution and suspicion [12]. One reason that e-voting presents such a security challenge is that any successful attack would be very high profile, a factor that motivates much of the hacking activity to date. Even scarier is that the most serious attacks would come from someone motivated by the ability to change the outcome without anyone noticing. The adversaries to an election system are not teenagers in garages but foreign governments and powerful interests at home and abroad. Never before have the stakes been so high! Security issues of Internet voting systems can be discussed from many points of view, e.g. technology driven, political science driven, or judicial driven. We address this paper with a technology view, focusing especially on voting servers and clients, and the network infrastructure enabling the client-server-connections. 6. Benefits of e-voting Systems 27

4 A number of countries, worldwide, have started or considered starting, thinking and experimenting as well as implementing e-voting [20]. A variety of e-voting schemes is developed, tested and piloted across the world. E-voting at poll sites is practiced in some states of the USA and Brazil, progressively followed by Mexico and considered by other Central and Latin American countries, as well as in some countries of the former Soviet Union and in India [20]. The reasons for the growing interest in e-voting may not be identical in all cases but the following reasons are identified [19]: 1. Enabling voters to cast their vote from a place other than the poll site in their voting district. 2. Facilitating the casting of the vote by the voter. 3. Facilitating the participation in elections and referendums of all those who are entitled to vote, and particularly of citizens residing or staying abroad. 4. Widening access to the voting process for voters with disabilities or those having other difficulties in being physically present at a poll site and using the devices available there. 5. Increasing voter turnout by providing additional voting channels. 6. Bringing voting in line with new developments in society and the increasing use of new technologies as a medium for communication and civic engagement in pursuit of democracy. 7. Reducing, over time, the overall cost to the electoral authorities of conducting an election or referendum. 8. Delivering voting results reliably and more quickly. 9. Providing the electorate with a better service in pursuit of democracy, by offering a variety of voting channels. 7. E-Voting Systems Requirements E-voting systems requirements fulfill generic functionalities and attributes of an electronic voting system [11],[14],[3],[24],[16]. System requirements define electronic voting system functionality, and are depicted in Figure 2. These capabilities apply at three different phases of the voting processes: Before the voting process occurs, during the voting process and after the voting process. Eligibility Freedom Security Robustnes Uniquenes Accuracy Anonymity E Voting System Authenticity Practicability Fairness Verifiability Democracy Integrity Uncoercibility Figure.2 E-Voting Systems Requirements 7.1. Pre-voting Process Requirements: The pre-voting process requirements of an e-voting system are the following: Authenticity: That means that only selected voters may vote and the electronic voting system must provide proof with the use of appropriate authentication mechanisms that a selected voter is the one that casted the vote [7]. Freedom: The electronic voting system must provide the ability to all selected voters to vote whatever candidate they wish, or none for an election process [7]. Eligibility: Only eligible voters are permitted to vote [15],[8], [1],[7]. Practicability: No extra skills are required to vote and no additional equipment is required [15], [10] During Voting Processes During election processes, an electronic voting system must maintain a high standard of the following capabilities: 28

5 Robustness: Any number of parties or authorities cannot disrupt or influence the election and final tally. To have confidence in the election results, robustness should be assured. However, there are numerous ways for corruption. For example; registration authorities may cheat by allowing ineligible voters to register; ineligible voters may register under the name of someone else; ballot boxes, ballots and vote counting machines may be compromised [1], [5], [13]. Security: During an election process the electronic voting system must maintain vote s integrity, voter s anonymity at the casted vote and encrypt the vote in order to prevent eavesdropping [19]. Uniqueness: The electronic voting system must provide appropriate mechanisms that ensure that voters are uniquely identified for an election process and vote only once [15],[8],[1],[7],[14],[10],[9]. Verifiability: A system is verifiable if voters can independently verify that their votes have been counted correctly. The most verifiable systems allow all voters to verify their votes and correct any mistakes they might and without sacrificing privacy. Less verifiable systems might allow mistakes to be pointed out, but not corrected or might allow verification of the process by party representatives but not by individual voters [17]. Fairness: The electronic voting system must not provide any information for the outcome of an election process during the election process. No one can learn the voting outcome before the tally [1]. Democracy: All votes are equal and have the same weight. The principle: One voter- one vote must be sustained by the electronic voting system during an election process [17] After Voting process After an election process, there are also electronic voting systems requirements that must be fulfilled: Privacy (anonymity): When the votes are verified by the election committee, the electronic voting system must provide anonymity mechanisms so that the voter could not be traced back by his vote. There is no way to derive a link between the voter s identity and the marked ballot. The voter remains anonymous [5], [15], [8], [1], [7], [10], [9]. Accuracy: All valid votes are counted correctly. The electronic voting system must count all votes and must count them as casted. A voter s vote cannot be altered, duplicated, or removed. Of course in a real electronic voting system appropriate error thresholds must be set that will indicate the validity of an election process [5], [15],[1],[13],[10],[9]. Integrity: The electronic voting system sustains the already sustained voting process vote integrity [19]. Uncoercibility: Any coercer, even authorities, should not be able to extract the value of the vote and should not be able to coerce a voter to cast his vote in a particular way. Voters must be able to vote freely [12],[15],[7], [18]. There are also system-specific requirements that must be taken into consideration at the design of an electronic voting system. Such requirements are the following: Accessibility: The electronic voting system must be accessible to voters regardless of their geographical location or the electronic equipment they use, so as to access the electronic voting system [4]. Availability: During a voting process, the electronic voting system must maintain the same availability response for all voters. Today availability problems of Internet services are less network link related and more erroneous service design and service user sustainability related [6]. Reliability: Electronic voting system reliability is identified by a set of performance metrics. Efficiency: The computations can be performed within a reasonable amount of time [10]. Mobility: There are no restrictions on the location where voters can cast their ballots. The electronic voting system must provide methods to cache user voting sessions in case a voter faces roaming problems or interacts with the electronic voting systems over network interfaces with latency problems (satellite links, mobile phones, wearable devices [15],[10]. Multi Language Support: The electronic voting system must provide multi language support for voter registration, election process and election results display [22]. 29

6 Care for Special Needs: The electronic voting system must provide ways of interaction with the system by people with special needs [4]. 8. Primary E-Voting System Vulnerabilities The e-voting systems are vulnerable to attack at two points: the server and client, and the communications infrastructure. Penetration attacks target the client or server directly whereas denial of service (DOS) attacks target and interrupt the communications link between the two. Both the targets and the attacks are discussed explicitly in the following subsections The Client and Server Related Security Issues With today s hardware and software architectures, penetration attacks involve the use of a delivery mechanism to transport a malicious payload to the target server or host in the form of remote control program or a Trojan horse. Once executed, it can spy on ballots, prevent voters from casting ballots, or, even worse, modify the ballot according to its instructions, thus having a direct effect on the election, and bringing the integrity of the entire process into question. What makes the latter threat particularly insidious is that it can be accomplished without detection, and such security mechanisms as encryption and authentication (e.g., secure socket layer (SSL) and secure hypertext transport protocol (https)) are impotent against this kind of attack in that its target is below the level of abstraction at which those security protocols operate (e.g., the operating system or browser). Virus and intrusion detection software is also likely to be powerless against this threat because detection mechanisms generally look for known signatures of malicious programs or other signs of unauthorized activity. These stealth attacks generally emanate from unknown or modified programs, and alter system files to effectively authorize the changes made (after which they might disable further virus protection). The attacks could originate from anywhere in the world. These malicious payloads can be delivered either through some input medium (e.g., CD-ROM or Optical drive), download, or , or by exploiting existing bugs and security flaws in such programs as Internet browsers. Activation need not be intentional (e.g., double clicking an icon), but can also occur by executing compromised code that users intentionally download from the Internet (e.g., device drivers, cookies, and multimedia) or unknowingly download (e.g., ActiveX controls associated with Web pages they visit). Even the simple viewing of a message in the preview screen of an client has, in some cases, proved sufficient to trigger execution of its attachment. A Trojan horse, once delivered to its host and executed, might be activated at any time, either by remote control, by a timer mechanism, or through detecting certain events on the host (or a combination of all three). If such a program were to be widely distributed and then triggered on or about Election Day, many voters could be disenfranchised or have their votes modified. Attacks do not have to be confined to individual or random voters, but can be targeted on a particular demographic group. Remote control software introduces a similar concern in that the secrecy and integrity of the ballot may be compromised by those monitoring the host s activity. In principle, poll site voting is much less susceptible than remote voting to such attacks. The software on voting machines would be controlled and supervised by elections officials, and would be configured so as to prevent communication with any Internet host except the proper election servers. Election officials and vendors could configure voting clients so that voters and poll workers would be unable to reboot the machines or introduce any software other than the voting application. Careful monitoring of the system could reduce the risks even further. Opportunities for attack and insider fraud, however, would still exist, especially since voting jurisdictions may have difficulty getting the reliable technical support they need to administer their system properly Connection Related Security Issues The communications path refers to the path between the voting client (the devices where the voter votes) and the server (where votes are tallied). For remote voting, this path must be trusted (secure) throughout the period during which votes are transmitted. This requires both an authenticated communications link between client and server, as well as the encryption of the data being transported 30

7 to preserve confidentiality [2]. In general, current cryptographic technologies, such as public key infrastructure, are sufficient for this latter purpose, assuming the standards required to run such technologies are met. Maintaining an authenticated communications linkage, however, cannot be guaranteed. Perhaps the most significant threat in this regard is a denial of service (DOS) attack [23], which involves the use of one or more computers to interrupt communications between a client and a server by flooding the target with more requests that it can handle. This action effectively prevents the target machine from communicating until such time as the attack stops. A refinement of this technique is referred to as distributed denial of service (DDOS) in which software programs called "daemons" are installed on many computers without the knowledge or consent of their owners (through the use of any of the delivery mechanisms referenced above), and used to perpetrate an attack. In this manner, an attacker can access the bandwidth of many computers to flood and overwhelm the intended target. Currently, there is no way to prevent a determined DOS attack, or to stop one in progress without shutting down unrelated and legitimate communications, and, even then, it may take several hours of diagnosis and network administration time For poll site voting, these threats can be avoided by designing the voting clients with the capability to function even if communication between the precinct and the server is lost without warning and never re-established. Accordingly, these systems must, in effect, include the functionality of a DRE (direct recording electronic) system and be able to revert to DRE mode without losing a single vote. If the voting clients act as DRE machines, and use the Internet to transmit votes when it is available, then poll site voting systems are not vulnerable to denial of service attacks. Even if the path is totally corrupted, because the votes have been accumulated correctly in the vote clients, one can still recover after the fact from any communication problem. The philosophy is not to rely on the reliability or security of the communications link [3]. This approach is not feasible for remote voting systems because it is not practical or desirable for PCs to emulate all the characteristics of DRE systems. One does not want to store votes on remote PCs because of the possibilities it would create for vote selling or coercion. It is simply not reasonable to expect voters who were unable to connect to the server due to a DOS attack to physically carry their votes to the election office for tallying. Remote voting systems will also have to contend with an attack known as spoofing-luring unwitting voters to connect to an imposter site instead of the actual election server. While technologies such as secure socket layer (SSL) and digital certificates are capable of distinguishing legitimate servers from malicious ones, it is infeasible to assume that all voters will have these protections functioning properly on their home or work computers, and, in any event, they cannot fully defend against all such attacks. Successful spoofing can result in the undetected loss of a vote should the user send his ballot to a fake voting site. Even worse, the imposter site can act as a man-inthe-middle between a voter and the real site, and change the vote. In short, this type of attack poses the same risk as a Trojan horse infiltration, and is much easier to carry out. 9. Secondary E- voting system Vulnerabilities Secondary internet voting vulnerabilities are mainly through social engineering and digital divide 9.1. Social Engineering Social Engineering is the term used to describe attacks that involve fooling people into compromising their security. Literature survey in social sciences and humanities shows that many voters do not follow simple directions. It is surprising to learn that, for example, when instructed to circle a candidate s name, voters will often underline it. While computers would seem to offer the opportunity to provide an interface that is tightly controlled and thus less subject to error, this is counter to the typical experience most users have with computers. For non-computer scientists, computers are often intimidating and unfamiliar. User interfaces are often poor and create confusion, rather than simplifying processes [2]. A remote voting scheme will have some interface. For the system to be secure there must be some way for voters to know that they are communicating with the election server. The infrastructure does exist right now for computer security specialists, who are suspicious that they could be communicating 31

8 with an imposter, to verify that their browser is communicating with a valid election server [2]. The SSL protocol and server side certificates can be used for this. While this process has its own risks and pitfalls, even if it is assumed to be flawless, it is unreasonable to assume that average internet users who want to vote on their computers can be expected to understand the concept of a server certificate, to verify the authenticity of the certificate, and to check the active cipher suites to ensure that strong encryption is used. In fact, most users would probably not distinguish between a page from an SSL connection to the legitimate server and a non-ssl page from a malicious server that had the exact same look as the real page. There are several ways that an attacker could spoof the legitimate voting site. One way would be to send an message to a user telling that user to click on a link, which would then bring up the fake voting site. The adversary could then collect the user s credentials and in a sense, steal the vote. An attacker could also set up a connection to the legitimate server and feed the user a fake web page, and act as a man in the middle, transferring information between the user and the web server, with all of the traffic under the attacker s control. This is probably enough to change a user s vote, regardless of how the application is implemented. A more serious attack is possible by targeting the Internet s Domain Name Service (DNS). The DNS is used to maintain a mapping from IP addresses, which computers use to reference each other to domain names, which people use to reference computers. The DNS is known to be vulnerable to attacks, such as cache poisoning, which change the information available to hosts about the IP addresses of computers. The reason that this is serious is that a DNS cache poisoning attack, along with many other known attacks against DNS, could be used to direct a user to the wrong web server when the user types in the name of the election server in the browser. Thus, a user could follow the instructions for voting, and yet receive a page that looked exactly like what it is supposed to look like, but actually is entirely controlled by the adversary. Detailed instructions about checking certificate validity are not likely to be understood nor followed by a substantial number of users. Another problem along these lines is that any computer under the control of an adversary can be made to simulate a valid connection to an election server, without actually connecting to anything. So, for example, a malicious librarian or cyber café operator could set up public computers that appear to accept votes, but actually do nothing with the votes. This could even work if the computers were not connected to the Internet, since no messages need to be sent or received to fool a user into believing that their vote was cast. Setting up such machines in districts known to vote a certain way could influence the outcome of an election Digital Divides Remote Internet voting brings along the potential for a digital divide, which can occur in two ways. There is a digital divide between those who have home computers with Internet connections and those who do not. Second, there may be a digital divide between those who have faster access and those who have slower connections and hence lower quality access. People with higher incomes are more likely to be able to afford access. Furthermore, access is often less expensive and of higher quality in urban areas. Those with lower incomes and who live in rural areas are at a disadvantage. In the developed countries where tamper-resistant devices, such as smart cards are used for authentication, cryptographic keys can be generated and stored on these devices, and they can perform computations, such that proper credentials can be exchanged between a client and a voting server. However, there are some limitations to the utility of such devices. The first is that there is not a deployed base of smart card readers on peoples personal computers. Any system that involves financial investment on the part of individuals in order to vote is unacceptable. Some people are more limited in their ability to spend, and it is unfair to decrease the likelihood that such people vote. It would, in effect, be a poll tax. This issue is also referred to as digital divide. Even if everybody did have smart card readers on their computers, there are security concerns. The smart card does not interact directly with the election server. The communication goes through the computer. Malicious code installed on the computer could misuse the smart card. At the very least, the code could prevent the vote from actually being cast, while deceiving the user into believing that it was. At worst, it could change the vote. Other specialized devices, such as a cell phone with no generalpurpose processor, equipped with a smart card, offer more promise of solving the technical security problems. However, they introduce even greater digital divide issues. In addition, the user interface 32

9 issues, which are fundamental to a fair election, are much more difficult. This is due to the more limited displays and input devices. Finally, while computers offer some hope of improving the accessibility of voting for the disabled, specialized devices are even more limiting in that respect. Therefore, the extension of an electronic voting system has the potential to create divides with respect to many socio-economic variables, namely income, education, gender, geography and race and ethnicity. These potential divides could be problematic for participation and representation. 10. Conclusion Over the last years, democratic systems increasingly resort to technology to support, compliment, or even transform political processes. There has been strong interest in E-voting as a way to make voting more convenient and, it is expected, to increase participation in election process. E-voting Systems are among those being considered to replace traditional voting system. E-voting may become the quickest, cheapest, and the most efficient way to administer election and count vote since it only consists of a simple process or procedure and requires a few workers within the process. One reason that electronic voting presents such a security challenge is that any successful attack would be very high profile, a factor that motivates much of the hacking activity to date. Even scarier is that the most serious attacks would come from someone motivated by the ability to change the outcome without anyone noticing. The adversaries to an election system are not teenagers but foreign governments and powerful interests at home and abroad. Never before have the stakes been so high. This paper introduced the idea of electronic voting systems. It discussed the different ways in which voters can vote. We summarized the importance of security in e-voting. The reasons for the growing interest in e-voting in some countries were identified.this paper observed the security vulnerabilities that may affect E- voting system. In our opinion transition to e-voting method should proceed slowly by implementing it in small pilot populations first, and then widening the scope slowly. If mistakes are made along the way, they will not be catastrophic and widespread. There is no doubt that the introduction of something like remote electronic voting will, and should, come under careful scrutiny, and in fact, the system may be held up to a higher standard. Given the current state of widely deployed computers in peoples homes, the vulnerability of the Internet to denial of service attacks, and the unreliability of the Domain Name Service, we believe that the technology does not yet exist to enable electronic voting in public elections. As we see, the implementation of such a system poses many challenges and risks for system developers and governments. Therefore it is important to consider whether we are able to meet all these requirements and whether the cost to be incurred during the implementation is proportional to the expected benefits. We may find that it is better to stay with the existing paper based solution. Therefore, without appropriate security measures, electronic based elections can be a challenge. Contrary to remote internet voting methods, we suggest that solutions based on Virtual Private Networks (VPNs) and reinforced with strong security layers pose as more viable approaches to implement reliable and strongly secure e-voting systems. Lastly, when the decision is made to create an e-voting system, it is important to learn from mistakes and successes made by others. 11. References [1] A. Fujioka, T. Okamoto, and K. Ohta, A Practical Secret Voting Scheme for Large Scale Elections. In Workshop on the Theory and Application of Cryptographic Techniques: Advances in Cryptology,volume 718, 1992,pp Springer-Verlag. [2] A. Rubin, Security considerations for remote electronic voting. Communications of the ACM, 45(12):39 44, December [3] A. Rubin, Security considerations for remote electronic voting over the Internet. The Magazine of USENIX and SAGE, 2001, 1(26):pp [4] B. Bederson,, B. Lee, and R. M. Sherman, Electronic voting system usability issues. In Human Factors in Computing Systems: Proceedings of CHI, 2003,pp [5] D. Chaum, Elections with unconditionally-secret ballots and disruption equivalent to breaking RSA. In proc of Computer Science on Advances in Cryptology-EUROCRYPT, 1987, pp

10 [6] D. Gritzalis, Secure Electronic Voting: Part III, Trends and Perspectives, Capabilities and Limitations., 2003, Kluwer Academic Publishers. [7] D.Gritzalis, Principles and requirements for a secure e-voting system. Computers & Security, 2002, 21(6):pp [8] G. Dini,, A secure and available electronic voting service for a large-scale distributed system. Future Generation Comp. 2003, Syst.,19(1):PP [9] I.Lin, M. Hwang, and C. Chang, Security enhancement for anonymous secure e-voting over a network. Computer Standards & Interfaces, 2003,25(2):pp [10] J. Karro, and J. Wang, Towards a practical, secure, and very large scale online election. Computer Security Applications Conference, 1999, Annual, 0:161. [11] J. Bannet,, D. Price, A.,Rudys, J. Singer, and D. Wallach, Hack-a-vote: Security issues with electronic voting systems. In proc of the IEEE Symposium on Security and Privacy, 2004, vol 2, pp [12] J. Benaloh, and D.Tuinstra, Receipt-free secret-ballot elections (extended abstract). In STOC, 1994, pp [13] J. Jan, and C.Tai, Asecure electronic voting protocol with ic cards. Journal of Systems and Software, 1997,39(2), pp [14] J. Karlof, S. Naveen, and D. Wagner, Cryptographic Voting Protocols: A Systems perspective. Proceedings of the Fourteenth USENIX Security Symposium (USENIX Security 2005),August URL= [15] L. F. Cranor, and R. K.Cytron, Sensus: A security- conscious electronic polling system for the internet. Hawaii International Conference on System Sciences, 1997, 3:560. [16] L. H. Nestas, Building Trust in Remote Internet Voting. M. Sc Thesis, Department of Informatics,University of Bergen,2010. [17] L. Mitrou, D. Gritzalis, and S. K. Katsikas, Revisiting legal and regulatory requirements for secure e- voting. In SEC 02:Proceedings of the IFIP TC11 17th International Conference on Information Security, 2002, pp , Deventer, The Netherlands, The Netherlands. Kluwer, B.V. [18] M. Hirt, and K. Sako, Efficient receipt-free voting based on homomorphic encryption. In proc of Advances in Cryptology EUROCRYPT, 2000, pp [19] M. Buchsbaum, E-voting: International Developments and Lessons Learnt. Proceedings of Workshop on Electronic Voting in Europe Technology, Law, Politics and Society, 2004, Austria, at Proceeding.GI.47-4.pdf. [20] N.Goodman, H. Pammett, J. DeBardeleben and J. Freeland, A Comparative Assessment of Electronic Voting, Carleton University Canada-Europe Transatlantic Dialogue, UK,2010. [21] National Science Foundation. Report on the National Workshop on Internet Voting: Issues and Research Agenda, Mar [22] R.Mercuri, Humanizing voting interfaces. Proceedings of Usability Professionals Association Conference,Orlando,Florida, 2002,. [23] R.Saltman, Accuracy,integrity, and security in computerized vote-tallying. U.S.Department of Commerce, 1988, National Bureau of Standards. [24] Y. Chen, Jan, K. Jinn, Chen,L.Chin, The design of a secure anonymous internet voting system. Computers & Security,Vol. 23,No. 54, 2004,