Electronic Voting Systems: The Impact of System Actors to the Overall Security Level
C. Lambrinoudakis *, V. Tsoumas +, M. Karyda +, D. Gritzalis +, S. Katsikas *
* Dept. of Information and Communication Systems Engineering, University of the Aegean
+ Dept. of Informatics, Athens University of Economics & Business
e-vote Project, European Commission, IST Program
What is electronic voting (system)?
"An electronic voting (e-voting) system is a voting system in which the election data is recorded, stored and processed primarily as digital information." (Network Voting System Standards, VoteHere, Inc., April 2002)
[Diagram: taxonomy of voting. Labels: Voting; Paper voting; E-voting; Paper ballots...; Punch cards; Polling place voting; Internet voting; Precinct voting; Kiosk voting]
Note: Traditional electronic voting is 134 years old (T. Edison, Electrographic Vote Recorder, U.S. Patent, 1869).
Do we need electronic voting systems? *
- They could lead to increased voter turnout (USA 2001: 59%, 18-24 yrs: 39%), thus supporting the democratic process.
- They could give elections new potential (by providing ballots in multiple languages, accommodating lengthy ballots, facilitating early and absentee voting, etc.), thus enhancing the democratic process.
- They could open a new market, supporting commerce and employment.
* D. Gritzalis (Ed.), Secure Electronic Voting, Kluwer Academic Publishers, USA, January 2003.
Generic voting principles
- Only eligible persons vote.
- No person can vote more than once.
- The vote is secret.
- Each (correctly cast) vote gets counted.
- The voters trust that their vote is counted.
Source: Internet Policy Institute, Report of the National Workshop on Internet Voting, March 2001
Identifying e-voting requirements
An e-voting system may be specified:
- as a set of guidelines to be adopted for ensuring conformance to the legislation (State Authority point of view), or
- in terms of the problems associated with providing an adequate level of security (anonymity, authentication, tractability, etc.) (System Engineer point of view).
Identifying e-voting requirements
None of these approaches is complete!
- Legal requirements: abstract formulations (e.g. laws, principles, etc.)
- Functional requirements: usability properties
- Non-functional requirements: security and system properties (e.g. flexibility, efficiency, etc.)
Identifying e-voting requirements
A third approach, proposed by the e-vote project: requirements elicitation based on a Generic Voting Model, taking into account the:
- European Union legislation.
- Organisational details of the conventional voting processes.
- Opportunities offered and the constraints imposed by state-of-the-art technologies.
The aim of the developers is to express:
- The legal requirements.
- The security (non-functional) requirements.
- The functional requirements.
as a User Requirements Specification document that sets specific Design Criteria.
Voting systems design criteria
- Authentication: Only authorized voters should be able to vote.
- Uniqueness: No voter should be able to vote more than once.
- Accuracy: Voting systems should record the votes correctly.
- Integrity: Votes should not be able to be modified without detection.
- Verifiability: It should be possible to verify that votes are correctly accounted for in the final tally.
- Auditability: There should be reliable and demonstrably authentic election records.
- Reliability: Systems should work robustly, even in the face of numerous failures.
Voting systems design criteria
- Secrecy: No one should be able to determine how any individual voted.
- Non-coercibility: Voters should not be able to prove how they voted.
- Flexibility: Equipment should allow for a variety of ballot question formats.
- Convenience: Voters should be able to cast votes with minimal equipment and skills.
- Certifiability: Systems should be testable against essential criteria.
- Transparency: Voters should be able to possess a general understanding of the whole process.
- Cost-effectiveness: Systems should be affordable and efficient.
Voting Systems Functional Requirements
Support all essential services for organizing and conducting an opinion-expressing process:
- Poll
- Decision-making (e.g. Referenda)
- Internal election
- General election
Depending on the specific process, the services may include voter registration, vote casting, voter authentication, calculation of the vote tally, verification of the election result, etc.
Requirements for different types of election process
The General Election requirements are practically a superset of those regarding the other election processes:
- Polls
- Decision-making procedures (e.g. Referenda)
- Internal elections
- General elections
[Figure: e-vote System Use Cases for General Election]
Is a Secure Voting Protocol Enough?
- A lot of research effort has been spent on designing and building voting protocols that can support the voting process while fulfilling the security requirements.
- However, not much attention has been paid to the administrative part of an electronic voting system, which supports the actors of the system in setting up the election.
- Possible security gaps in the administrative workflow of the system may deteriorate the overall security level of the system.
[Figure: Workflow]
Identified System Actors
Actors and their descriptions:
- Election Organizers: People responsible for organizing the election process and ensuring that it is properly conducted.
- Election Personnel: People actually performing the system use-cases, under the supervision of Election Organizers.
- Judicial Officers: People responsible for monitoring the election process and ensuring that it is carried out in a legal way.
- Party Representatives: People appointed by parties to monitor the election process.
- Independent Third Parties: People neutral from participating parties, responsible for monitoring the election process and for providing reasonable assurance with regard to the integrity of it.
- Voters: People eligible to participate in the voting process.
Actors participation in e-voting: Authorization and Validation
- Use cases can only be performed by authorized actors ("roles").
- An additional validation phase is employed before committing the outcome of a use case.
- The validation phase is implemented through the separate use case "Validate Action".
Actors participation in e-voting
Table columns: Use Case | Validate Action Use Case activation | Participating Roles: Election Organizer, Party Representative, Election Personnel, Voter, Judicial Officer, Independent Third Party
Entries per use case, in row order (empty cells are not shown):
- Authenticate Actor: A A A A A A
- Validate Action: N/A A A A A
- Modify System State: A V V
- Manage Election Districts: V A
- Provide Election System Parameters: V A V
Actors participation in e-voting (continued)
Table columns: Use Case | Validate Action Use Case activation | Participating Roles: Election Organizer, Party Representative, Election Personnel, Voter, Judicial Officer, Independent Third Party
Entries per use case, in row order (empty cells are not shown):
- Manage Voters: V A
- Provide Authentication Means: V A
- Manage Parties: V A
- Manage Candidates: V A
- Preview Ballots: A A A
- Cast Vote: A
- Tally Votes: A V V V
- Verify Result Integrity: A V V
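The authorization-plus-validation workflow described in these slides, sketched as an added example (not code from the e-vote project): an action stays pending until every required validating role has approved it, and every decision is logged. The role assignments in POLICY, the actor names and the class names are hypothetical assumptions, not the project's matrix.

```python
from dataclasses import dataclass, field

# Hypothetical policy (assumed for illustration): role allowed to perform each
# use case, and the roles that must all validate it before it is committed.
POLICY = {
    "Manage Candidates": {"perform": {"Election Personnel"},
                          "validate": {"Election Organizer"}},
    "Tally Votes": {"perform": {"Election Organizer"},
                    "validate": {"Judicial Officer", "Party Representative"}},
}

@dataclass
class PendingAction:
    use_case: str
    performer: str                                   # actor id
    payload: object
    approvals: dict = field(default_factory=dict)    # role -> actor id

class Workflow:
    def __init__(self, actors):
        self.actors = actors   # actor id -> role, as set by "Authenticate Actor"
        self.state = {}        # committed outcomes only
        self.audit = []        # append-only trail of every decision

    def perform(self, actor, use_case, payload):
        """Authorization: only an authorized role may start the use case."""
        if self.actors.get(actor) not in POLICY[use_case]["perform"]:
            self.audit.append(("denied", actor, use_case))
            raise PermissionError(f"{actor} may not perform {use_case}")
        self.audit.append(("pending", actor, use_case))
        return PendingAction(use_case, actor, payload)

    def validate(self, actor, action):
        """Validate Action: commit only after every required role approves."""
        role, required = self.actors.get(actor), POLICY[action.use_case]["validate"]
        if role not in required or actor == action.performer:
            self.audit.append(("validation-denied", actor, action.use_case))
            raise PermissionError(f"{actor} may not validate {action.use_case}")
        action.approvals[role] = actor
        self.audit.append(("validated", actor, action.use_case))
        if set(action.approvals) != required:
            return False                             # still waiting on a role
        self.state[action.use_case] = action.payload
        self.audit.append(("committed", action.performer, action.use_case))
        return True

# Constructed sample actors for the demonstration.
ACTORS = {"olga": "Election Organizer", "pete": "Election Personnel",
          "judy": "Judicial Officer", "rex": "Party Representative"}
```

The audit list gives the Auditability criterion something concrete to check: a committed entry should always be preceded by a pending entry and by one validated entry per required role.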
(Secure) Electronic voting: (instead of) Conclusions
A description of actor roles, together with a clear indication of what each actor is allowed to do with the system, formulates an operational framework that complements the technological security features of the system.
- Rapidly emerging issue...
- Of a socio-technical nature...
- Contradicting views...
- Further experimentation is needed; in the meantime, as complementary only!
Something like a motto...
Electronic voting: Between pessimism (bureaucracy) and optimism (technology) we choose realism (democracy)!