Several countries have experimented with Internet elections. Voters in Estonia could use the Internet in the 2007 national parliamentary election,3,7 while other countries have offered the option only in local elections. The main argument for Internet voting is that it may increase voter participation, which has dropped in many countries in recent years. Another key argument is that it can increase access for people with disabilities. Furthermore, some feel that Internet elections are simply the inevitable extension of democracy into the online world, alongside shopping, banking, and many other applications.
One argument against Internet voting is that it cannot guarantee the anonymity a voting booth provides, which opens the door to coercion and to the buying and selling of votes. More serious still is the risk that someone tampers with the votes or the results, a risk aggravated by the fact that the vote may be cast from a computer on which malware is installed.
To overcome such obstacles, the Norwegian Ministry of Local Government launched a $40 million project ("e-valg 2011") in 2009 to design an electronic voting system for the 2011 local elections. The system draws on experience from other countries and is comparable to the Estonian system. Experts from academia, research institutions, and industry were engaged to develop a secure system and to review the proposed solutions. To counter coercion, the system allowed repeated voting: the Internet option closed one day before the election, voters could always cast their vote at a polling station instead, and a voter's last vote always overrides any earlier ones. To counter malware and other risks, an advanced cryptographic protocol was employed.2 An important part of it is a return-code scheme designed to let voters detect vote tampering.
The system assigns a code to each party participating in the election, and the codes differ from voter to voter.4 They are printed on the back of a "voter's card" that is mailed to everyone entitled to vote. After casting a ballot on the Internet from a home or office computer, the voter receives a confirmation text message containing a code, which the voter compares with the card to check that the vote was registered for the correct party. Since the codes exist only on the paper card and are particular to each voter, malware on the voter's computer would have to break into the central server to produce them. Tests also showed that many voters do check that the code is correct. The ministry therefore concluded that it would require a "large-scale conspiration and unreasonable amounts of money" to break the system.
As we will describe, however, there are many ways to subvert such a system. Malware can discard or change votes while still presenting the voter with the correct confirmation code. To demonstrate this, we designed a malware system of our own. We assume the server side of the e-voting system is secure; our malware instead exploits the most vulnerable part of the system: the voter. After the voter has chosen a party, the official system presents a page with the name of that party and asks the voter to confirm by clicking a send button. Our version looks the same, but it also asks for the (secret) party code: "Please confirm your selection by typing in the code for this party. You will find the code on the back of your voter's card." In a paper-based simulation of the voting process, we tested this on 158 college students, including 25 IT students. None of them found any fault with our system. In addition, over 400 high school students tested an online version, and every one of them typed in the party code when the system asked for it. This was despite the fact that all participants, both college and high school students, had first been shown an animation made by the ministry that explains the e-voting system and stresses the correct use of the party code as a final manual check. The reason is simple: in nearly every other situation, a PIN or code is something to be typed into a computer system. Even the official e-voting system has a step in which a PIN received by text message must be typed in during identification. So while our malware uses the code the way users expect, it is the official system that uses the code in an unfamiliar way, as a value to compare rather than to enter.
Once it has the code, the malware can easily display the correct confirmation to the voter and then discard or change the vote. In the latter case the voter will receive another text message, this time from the ministry, with a different code (for the party the malware chose). If malware is also present on the smartphone, this second message can be discarded. Or, more simply, the voter can be warned in advance that additional messages may arrive because of "communication problems," and asked to "please ignore these." A ministry document on security objectives itself stresses the risk of such malware: "The insecurity of browsers and operating systems on the client platform will invariably make it possible to subversively install malicious software."1
Those with malicious intent may, however, opt for more straightforward methods. A fake election site reached through a fake URL is one possibility. Many voters will find the link through other Web pages, such as community pages; these sites have been hacked before and can be hacked again. A false site also receives the voter's identification data and, at least in the Norwegian system, can change the phone number to which the confirmation message is sent. Simpler still, a villain could email voters before the election with a "vote here" URL. By targeting the recipients, for example groups the villain believes vote the wrong way, it is extremely easy to build an e-voting site that mimics the original, asks for the party code, sends the voter a confirmation message, and then discards the vote. It took us just a few hours to create such a system.
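The following model, added here as an illustration, is not the e-valg 2011 protocol, the authors' malware, or code from any real election system. It strips the return-code check down to a per-voter code table and shows why asking the voter to type the code defeats the check, whether the attacker is the in-browser malware of the preceding paragraphs or the look-alike site described just above. The real system's cryptographic code generation is replaced by a random table, and the voter, parties and four-digit codes are constructed sample data.

```python
"""Toy model of a return-code check and the code-phishing attack described
in the text. Added illustration only: this is not the e-valg 2011 protocol,
not the authors' malware, and not code from any real election system. The
real system's cryptographic code generation is replaced by a random table;
voters, parties and four-digit codes are constructed sample data."""
import secrets

PARTIES = ("Red", "Blue", "Green")
_rng = secrets.SystemRandom()


class ElectionServer:
    """Holds each voter's party codes (printed on the paper voter's card and
    never sent to the browser) and the ballot box. The last vote wins."""

    def __init__(self, voters):
        self.codes = {}
        for voter in voters:
            # distinct codes per voter, so a wrong party never shows a matching code
            picks = _rng.sample(range(10000), len(PARTIES))
            self.codes[voter] = {p: f"{c:04d}" for p, c in zip(PARTIES, picks)}
        self.ballots = {}

    def voter_card(self, voter):
        """The mailed card: party -> code for this voter."""
        return dict(self.codes[voter])

    def cast(self, voter, party):
        """Record the ballot and return the text message the server sends."""
        self.ballots[voter] = party
        return self.codes[voter][party]


def honest_session(server, voter, card, choice, phone):
    """Official flow: the browser learns only the chosen party; the voter
    later compares the server's text message with the card."""
    phone.append(server.cast(voter, choice))


def malware_session(server, voter, card, choice, phone, attacker_party,
                    phone_compromised=False):
    """Man-in-the-browser malware or a look-alike site. It asks the voter to
    type the party code 'to confirm' (the study found voters comply), casts
    a different vote, and shows the typed code back as the confirmation."""
    typed_code = card[choice]                 # leaked by the voter, not the server
    real_sms = server.cast(voter, attacker_party)
    phone.append(typed_code)                  # spoofed confirmation, shown first
    if not phone_compromised:
        phone.append(real_sms)                # the ministry's genuine message
    # a compromised phone (or a "please ignore further messages" notice)
    # removes the only message that disagrees with the card


def naive_check(card, choice, phone):
    """What the text says voters do: compare the first confirmation."""
    return card[choice] == phone[0]


def strict_check(card, choice, phone):
    """Compare every message received; the only remaining tamper signal."""
    return all(msg == card[choice] for msg in phone)


def simulate(attacked, phone_compromised=False, choice="Red", attacker_party="Blue"):
    """Run one voter through the honest or the attacked flow and report what
    was recorded and whether each check would have noticed."""
    server = ElectionServer(["voter-1"])
    card = server.voter_card("voter-1")
    phone = []
    if attacked:
        malware_session(server, "voter-1", card, choice, phone,
                        attacker_party, phone_compromised)
    else:
        honest_session(server, "voter-1", card, choice, phone)
    return {
        "recorded": server.ballots["voter-1"],
        "naive_check_passed": naive_check(card, choice, phone),
        "strict_check_passed": strict_check(card, choice, phone),
        "messages_received": len(phone),
    }


if __name__ == "__main__":
    for label, kwargs in (("honest", {"attacked": False}),
                          ("malware", {"attacked": True}),
                          ("malware + phone", {"attacked": True, "phone_compromised": True})):
        print(f"{label:16} {simulate(**kwargs)}")
```

The point to notice is that the check the voter was taught to perform passes in every run: the code the voter compares against the card is the code the voter just typed, so it always matches. The only evidence of tampering is the second, genuine text message carrying a code for the wrong party, and that evidence disappears as soon as the phone is compromised or the voter has been told to ignore extra messages. The server in this model is never broken into; the secret simply flows in the wrong direction, from card to client, because the interface asked for it.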
While a large-scale attack would certainly be noticed, a small-scale attack, perhaps confined to a single community, could go undetected. And even if it is disclosed, what should be done? Should voters be asked to vote again, or should the election be declared invalid? Creating such chaos may even be the villain's main intent, and there may be no easy "undo." Besides changing your vote, malware may also learn how you voted, information most people consider private and which could be used for blackmail or embarrassment.
In theory, the Norwegian e-voting system is safe; according to the developers, the risks involved can be expressed mathematically. But this holds only on the condition that voters do what they are supposed to do, and we have demonstrated that voters are actually victims of the user interface. We argue that voting systems are particularly vulnerable in this respect. A conscientious voter who participates in every election will, in many countries, vote once every two years. That is not frequent enough to build any practice or routine with an e-voting system, and the interface may in any case change from one election to the next. So while the methods presented here could in principle be used to obtain secret codes from Internet banking users, in practice most of us would become suspicious if the banking system broke its expected pattern, for example by asking for additional codes. Furthermore, if someone breaks into your bank account, you will at least notice that money has disappeared. A changed or discarded vote may never be discovered.
Estonia requires citizens to insert their national ID card into a card reader attached to the home computer in order to vote on the Internet, and then to enter PIN codes as further proof of identity. This strengthens authentication of the voter, but it does nothing against malware on the home computer or a false election site: the risk is the same.
Postal voting is another option offered in many countries, and some states use it as the only alternative.5 It offers the same possibility of voting from home as the Internet does. In theory it can be as vulnerable as Internet voting, but mounting an attack takes more resources. Also, while the Internet offers anonymity to the villains, this is much less the case for anyone trying to interfere with a postal voting system.
Postal voting, like any system that allows a vote to be cast outside a voting booth, still has the disadvantage that voters can be coerced or paid to vote in a certain way. Repeated voting could reduce this problem: by going to the polling place after casting an Internet or postal vote, one has the opportunity to vote again. However, the patriarch of a closely controlled family could easily restrict his daughter's movements on the final day of the election, just as he could control her Internet voting. For those buying votes it is only a small, calculated risk that the seller will turn up on Election Day.
Repeated voting on the Internet may therefore not offer any solution. Votes can still be bought, not by dictating how people vote but by taking control of their ID codes, which allows the buyer to vote on their behalf. The Estonian solution with an ID card would make it more difficult to hand this over to others, especially when the card is also used for other purposes.
In Isaac Asimov's science fiction story "Franchise" (1955), the all-encompassing supercomputer Multivac chooses Norman Muller as the "Voter of the Year." In this electronic democracy a single person is selected to represent all voters, and from Norman's answers to a set of questions Multivac determines the result of the election. Norman is proud that U.S. citizens have, through him, "exercised once again their free, untrammeled franchise." This is not exactly Internet voting, but the two systems do have something in common: non-experts cannot verify that they work correctly. The old system of paper ballots may be inefficient, but it allows any voter to understand how it works, and the same holds for postal voting. Trust in such a system is more direct than trust in any e-voting application.
In an October 2011 Communications Inside Risks column, Carsten Schürmann argued for modernizing the Danish democratic process.6 He stressed the importance of listening to scientists and other specialists when designing new systems, but, as we have seen, this did not work in Norway. While he praised the European e-voting initiatives, he was skeptical regarding Internet voting, "for which there are still more open problems than solved ones." Perhaps voting is one task that should not be moved to the Internet? Trustworthy design of an electoral system is critical for democracy; this is a place where no risks, practical or theoretical, can be tolerated. The advantage of running a computer system that is used only sparingly is also dubious and, as we have seen, creates additional risks because users have no routine. It is also reasonable to believe that electoral participation does not depend on the voting system alone. Perhaps it has something to do with politics?
1. e-Vote 2011 Security Objectives. Ministry of Local Government; http://www.regjeringen.no/upload/KRD/Kampanjer/valgportal/e-valg/tekniskdok/Security_Objectives_v2.pdf.
2. Gjøsteen, K. Analysis of an Internet voting protocol, 2011; http://eprint.iacr.org/2010/380.
3. Meagher, S. When personal computers are transformed into ballot boxes: How Internet elections in Estonia comply with the United Nations international covenant on civil and political rights. American University International Law Review 23, 2 (Feb. 2009), 349–386.
7. Trechsel, A. et al. Internet Voting in Estonia. A Comparative Analysis of Four Elections since 2005. Report for the Council of Europe, European University Institute, Robert Schuman Centre for Advanced Studies, 2010.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2012 ACM, Inc.