The opinions expressed here are those of the author alone, and do not reflect the view of the
European Commission.
Introduction
In this paper we are going to look at the security implications of electronic voting,
more specifically of electors casting an electronic vote over the Internet from a computer
- typically the computer of the elector at home or at work, but in any event a computer
which is not under the physical control of the election officers.
trustworthy, merely that there are enough checks and balances within the electoral office
that any wrongdoing would come to light.) In the second tradition, the control is carried
out by the political parties themselves, who are invited to place observers within the
electoral system.
On first appearances, the second system would seem to set the more severe
challenge in ensuring the security and confidentiality of a technological voting system;
but in fact the differences are not as great as they appear. In both cases, the mechanisms
for validating and counting the vote must ensure that no individual within the electoral
office can know the vote of an identified individual. Thus, for example, if this
requirement is rigorously applied even to systems programmers, it has consequences for
the computing architecture: it would seem to require a design which separates the
voter-identification computing system from the vote-counting computing system [1].
Threat analysis
When a new technological system is being considered, it is important to carry out
a thorough threat analysis and risk assessment, considering risks arising from accident,
error and malice, and analysing their likelihood, their consequences, and the possible
countermeasures. This paper studies only risks from malicious attacks, and so needs to be
complemented by consideration of the other sources of risk. Indeed the risk analysis
should be carried out in an integrated manner: most malicious attacks against computer
systems are made possible by an error in computer architecture, software specification, or
software implementation, and therefore prevention and detection of such errors is an
important element of protection against malicious attacks.
These are not the only risks attached to Internet voting: there are others which,
being widespread by their nature, have no need of technological amplification. It is clear,
for example, that Internet voting, just like postal voting, is more open to impersonation
from within the voter’s household than going to a polling booth. These risks have to be
evaluated, but there is no particular need for specialist advice when doing so.
Paper published as pp. 255-266 in Informatik und Recht, Staempfli, Zürich, 2003
The first of these questions can be applied collectively to many sorts of Internet
attacks, and the principal possibilities are outlined below. For the other questions, the
response is different for different technical modalities of attack, and these questions are
discussed under the various attack categories in the next chapter.
In the case of electronic voting, to these groups should be added the “hackers”,
those to whom the technical challenge of disrupting an electronic voting system is
sufficient in itself.
Moreover, given that any vote is a relatively rare and expensive operation, it also
represents a possible vulnerable point for commercial or other pressures, including
threats of strikes. See Pratchett et al. [2] for a more detailed discussion of these possibilities.
An important point to note in this context is that the political effects of a claim
that such an attack was carried out may be significant, whether or not the claim is true.
There appear to be three essential mechanisms for attacks of this type: attacking
the voter’s computer system (by installing corrupted software, whether from source or by
an Internet “Trojan horse”); attacking the communications system (a “Man in the Middle
- MITM” attack, or a “spoofing” attack in which a false voting site pretends to be the real
one); or attacking the central computing software (by hacking into it from the Internet, or
by authorised personnel installing corrupted software). These possibilities are considered
individually below.
Since the mechanisms for these attacks are essentially the same as those of the
previous section, they are not considered separately here.
Risk assessment
Having then identified the possible categories of attack, and having decided that
attacks intended to change the result - whether real attacks or claimed attacks - represent
the most serious threat to the legitimacy of the democratic process, we focus on a few of
these, trying to ask the questions outlined above, concerning ease of implementation,
preventability, detectability, recoverability, and deterrence.
In this paper, we have decided to focus on what appear the most threatening of
these attacks, that is attacks which are in some sense “internal”, in that they come
through the computer systems, either that of the voter or the central system. In a
comprehensive approach to security, the considerations brought up in this paper should
be complemented with measures to prevent attacks on the communication system, such
as MITM or spoofing attacks, starting with encryption of the voting session.
Can we trust this system? In other words, can we be sure that at no point has any
code been introduced which would corrupt the system, either by making a false count of
the votes, or by recording the result of an individual vote? If all the software is open-
source, then it can be supplied to the political parties, who can be invited to verify it -
supposing they have the technical ability to do so. They would also have to observe the
process of creating the clean CDs to boot the system, check the configuration of the
firewall, IDS and HIDS, check the pseudo-random number generator used to generate
private keys ... It’s a tall order. Even for major elections in large countries, political
parties would probably have difficulty calling on all the specialist knowledge required.
However, the possibility of checking exists: and given that modifying the software so as
to corrupt the system is not an easy task, and that the staff concerned would be liable to
criminal sanctions, it may be that this theoretical possibility of checking would be judged
sufficient, combined with the internal monitoring of the electoral office, to protect
against such an attack.
If the software is not open-source, it is much more difficult to see how such a
check could be carried out. Moreover, in the case of open-source application software
running over a proprietary operating system, there is the - admittedly remote - possibility
that the underlying operating system software has been corrupted. See the next section
for discussion of this possibility.
So the judgement here seems to be that while mounting an attack on the central
software might be only moderately difficult - given that staff with specialist knowledge
have privileged access to the systems concerned - the possibilities of prevention,
detection, and legal response can be made adequate, provided that open-source software
is used.
It is technically possible to ensure that voters’ computers are “clean”. This could
be done by sending out CDs (checked in the ways described above) to be used to boot the
voter’s computer for the purpose of voting. However, apart from the expense of such a
procedure, it is liable to encounter some resistance from voters. Many would not
understand, and many would not accept, the justification for re-booting their system; and
the extra trouble involved might discourage significant numbers.
If the voter’s computer is not rebooted off a clean CD, there would seem to be
two ways in which it could be corrupted.
Firstly, the operating system or application software could have been corrupted
on issue. This seems extremely improbable, but it is hard to say that it is completely
impossible, and is perhaps a possibility to be borne in mind for elections which are
important at a national or international level. Consider the following scenario:
Can we really be certain that that has not happened? Or that, if it has, we would
know about it? Or that, if we knew about it, it would be possible to trace and prosecute
the programmer concerned?
Against this, it is reasonable to point out that this would require considerable
preparation, and a good knowledge of how the voting software for a particular election
was likely to work. In that sense, it is an extremely difficult attack to carry off
successfully.
The second scenario, rather less improbable, concerns the wealth of worms,
viruses, and Trojan horses which circulate on the Internet. Consider:
An attack like this would not require so much preparation, and could aim at a
particular election rather than the “general” possibility mentioned above. It is possible
that such an attack would be detected by some user, and the electoral office, thus alerted,
could find the Trojan horse. However, the Trojan horse could be set to eliminate itself
after use, and then the probability of detection would seem to be quite low. And if the
attack were launched from another country, it is not clear that legal deterrence would be
available.
So this attack is not quite as difficult to mount; the possibility of prevention relies
on clean software, with the drawbacks mentioned above; detection seems difficult, and
legal deterrence quite impossible.
Verification
So far, the results of our analysis look very discouraging. Even taking all
reasonable precautions, using only open-source software and heavily protected computer
systems, we are still vulnerable to attacks on the voters’ computers - unless we go for the
armour-plated solution of voters being required to boot off a clean CD. These attacks
may not be likely, at least for small-scale elections, but they are almost impossible to
prevent, detect, or deter. The consequences for the political legitimacy of any electronic
election are serious.
If it were possible to verify the results of individual votes after an election, then
we could with very high confidence detect such an attack after the event. Finding such an
attack would have serious consequences - the election concerned would presumably have
to be re-run - but the knowledge that the verification was routinely carried out would also
represent significant deterrence, perhaps enough to prevent would-be attackers from
putting in the large amount of effort needed to organise and mount a successful attack.
We should point out that there has long been considerable scepticism in the
computing security community as to whether any Internet election system can be made
adequately robust while respecting other requirements such as auditability and
confidentiality. See, for example, Rebecca Mercuri’s Ph.D. thesis [3], in which she claims to
demonstrate that an electronic voting system cannot conform to the ISO’s Common
Criteria for Computer Security and be both confidential and secure. See also
Shamos [4] and Neumann et al. [5]. However, this should not stop us from trying new solutions to
see if they work, and it is in that spirit that the author of this paper would like tentatively
to suggest the following “voter verification system”. Even if judged positively, it will
doubtless need further development, but the concept behind it may be a valid, if limited,
contribution to improving the security of Internet voting.
A voter who wishes later to check his vote is invited to print the voting screen on
which his vote is recorded. This information is not of course proof as to how that voter
voted; it is always possible to print one vote, then change one’s mind, and enter another.
However it should be reasonable protection against failure of memory. The voter is also
invited to note down - or to print - the hash of his vote. This information is not in practice
of any use in discovering how the voter has voted without the key held in Cc. However,
during a certain period after the election, the voter can go to the election building, and
there can ask to see what his vote is as recorded in Cv. The vote is displayed on the
screen, along with the corresponding hash. If the vote is correct according to the voter’s
memory and print-out, and if the hash produced is the same, then there is no problem. If
the vote is wrong, the hash shows where the corruption occurred: if the hash the voter
printed matches the one recomputed over the recorded vote, the central system stored
exactly the vote it received and acknowledged, so the problem was in the voter’s computer;
if the hashes differ, the recorded vote is not the one originally acknowledged, which points
to the central vote-counting system.
The idea is that political parties are invited to nominate reasonable numbers of
their supporters who will check their votes. This verification system does not provide
complete protection against political parties in bad faith, in that it is still possible for
people to say “there must have been a Trojan in my computer: the hash corresponds to
the vote recorded, but it doesn’t correspond to the vote I thought I was casting”. (At that
point it would be possible to look at the voter’s computer’s log, and see if it showed any
inconsistencies.) Nor - and this is important - does it provide any protection against
attacks on the communication system aimed at recording rather than falsifying votes. But
it would provide good protection against the most worrying and delegitimising
possibility, that the election result had been fraudulently manipulated.
Various further checks and procedures would be needed. For example, one of the
terminals in the election building would be used by election officials to identify the voter,
while the other would be used by the voter, alone in a closed room, to actually see the
vote. Provisions, whether technical or procedural, would have to be made to ensure that
election office staff did not look at individual votes. And at some predetermined time,
say a fortnight after the election, if no problems had come forward, Cv would be taken out
of action in such a way that the cryptographic key it had used was lost. At the same
moment, all the storage media used for the election would be overwritten a large number
of times …
It will be seen that the essence of this verification scheme is using a verifying
indicator, the hash, which provides a “proof of vote”, but of such a nature that it cannot
be read other than within the electoral system itself.
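As an added illustration of the keyed “proof of vote” indicator described in this section, and of the separation of voter identification from vote counting argued for in the Introduction, the following Python is not code from the paper and fills in design choices the text leaves open: the indicator is assumed to be an HMAC-SHA256 tag over an anonymous ballot id, a per-ballot nonce and the vote, computed under a key held only by the central counting system; the ballot id is assumed to be issued by a separate identification component that records who has voted but never what. The class and function names (IdentificationSystem, CountingSystem, record_vote, verify, destroy_key) and the three constructed scenarios are mine.

```python
"""Keyed 'proof of vote' tags for a voter verification scheme.

Added illustration, not the paper's own code. Assumptions not in the text:
HMAC-SHA256 as the keyed hash, a per-ballot nonce, and a two-component
split between an identification system and a counting system.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class IdentificationSystem:
    """Assumed component: checks the roll and issues one anonymous ballot id
    per elector. It records WHO has voted, never WHAT they voted."""
    eligible: Set[str]
    issued: Dict[str, str] = field(default_factory=dict)  # voter name -> ballot id

    def issue_ballot_id(self, voter_name: str) -> str:
        if voter_name not in self.eligible:
            raise PermissionError("not on the electoral roll")
        if voter_name in self.issued:
            raise PermissionError("a ballot id was already issued to this voter")
        ballot_id = secrets.token_hex(16)
        self.issued[voter_name] = ballot_id
        return ballot_id


@dataclass
class CountingSystem:
    """Assumed component: stores votes against ballot ids (never names) and
    holds the only copy of the key under which the printed tag is computed."""
    key: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32))
    records: Dict[str, Tuple[str, bytes]] = field(default_factory=dict)  # ballot id -> (vote, nonce)

    def _tag(self, ballot_id: str, nonce: bytes, vote: str) -> str:
        # Keyed, because an unkeyed hash over a handful of candidate names is a
        # dictionary lookup. The nonce stops two voters for the same party
        # from receiving the same tag.
        if self.key is None:
            raise RuntimeError("verification period is over; the tag key has been destroyed")
        msg = b"\x00".join([ballot_id.encode(), nonce, vote.encode()])
        # 16 hex digits (64 bits) is short enough to copy from a screen by hand.
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def record_vote(self, ballot_id: str, vote: str) -> str:
        """Store the vote exactly as received and return the tag the voter prints."""
        if ballot_id in self.records:
            raise ValueError("a vote has already been recorded for this ballot id")
        nonce = secrets.token_bytes(16)
        self.records[ballot_id] = (vote, nonce)
        return self._tag(ballot_id, nonce, vote)

    def verify(self, ballot_id: str, printed_vote: str, printed_tag: str) -> str:
        """Post-election check at the election building. Returns one of
        'ok', 'voter_computer_suspected', 'central_system_suspected', 'no_record'."""
        if ballot_id not in self.records:
            return "no_record"
        stored_vote, nonce = self.records[ballot_id]
        tag_matches = hmac.compare_digest(self._tag(ballot_id, nonce, stored_vote), printed_tag)
        if tag_matches and stored_vote == printed_vote:
            return "ok"
        if tag_matches:
            # The centre stored exactly the vote it acknowledged, so the vote that
            # left the voter's computer was not the one shown on the screen.
            return "voter_computer_suspected"
        # The stored vote is not the one the tag was computed over: it was
        # changed after receipt, i.e. inside the central system.
        return "central_system_suspected"

    def destroy_key(self) -> None:
        """Models taking the verification system out of action so the key is lost."""
        self.key = None


def simulate() -> Dict[str, str]:
    """Constructed scenarios: an honest voter, a Trojan on the voter's computer,
    and corrupted central software. Returns the verdict for each."""
    ident = IdentificationSystem(eligible={"alice", "bob", "carol"})
    centre = CountingSystem()
    verdicts: Dict[str, str] = {}

    bid = ident.issue_ballot_id("alice")
    tag = centre.record_vote(bid, "Party A")
    verdicts["honest"] = centre.verify(bid, "Party A", tag)

    # Trojan: the screen (and printout) says Party A, but Party B was sent.
    bid = ident.issue_ballot_id("bob")
    tag = centre.record_vote(bid, "Party B")
    verdicts["trojan"] = centre.verify(bid, "Party A", tag)

    # Corrupt central software rewrites the stored record after the tag was issued.
    bid = ident.issue_ballot_id("carol")
    tag = centre.record_vote(bid, "Party A")
    _, nonce = centre.records[bid]
    centre.records[bid] = ("Party B", nonce)
    verdicts["central"] = centre.verify(bid, "Party A", tag)
    return verdicts


if __name__ == "__main__":
    for case, verdict in simulate().items():
        print(f"{case:8s} -> {verdict}")
```

The point of the design is that the tag is useless to anyone outside the counting system: without the key, a printout reveals nothing about the vote, and once destroy_key has been called (the “taken out of action” step above) even the election office can no longer recompute it. Note what the scheme does not cover, as the text itself says: a Trojan that shows one vote and sends another produces a matching tag, so the verdict “voter_computer_suspected” rests on the voter’s memory and printout, and an attacker who only records the vote in transit is never detected by this check.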
Conclusions
Attacks against Internet elections are a real possibility, and it seems reasonable to
hypothesise that the more important the election is the more likely it is that there will be
serious attacks. While some of these would “merely” disrupt an election, there is a
worrying possibility that attacks which could change the result of an election may be
undetectable. In the absence of any verification scheme, the consequence of these
vulnerabilities, at least in the view of the computer security community, is such that there
would always be a question mark attached to the legitimacy of any major election
conducted by Internet voting.
[1] Richter D., Hartmann V., “A component approach to on-line voting”, presented at E-voting and the European Parliamentary Elections, Florence, 10/11 May 2002.
[2] Pratchett L., Wingfield M., Ben Fairweather N., Roferson S., “Balancing Security and Simplicity in E-voting: is there an effective compromise?”, presented at E-voting and the European Parliamentary Elections, Florence, 10/11 May 2002.
[3] Mercuri R., “Electronic Vote Tabulation Checks & Balances”, Ph.D. thesis no. 3003665, University of Pennsylvania, available from http://www.umi.com/. A summary can be found at http://www.notablesoftware.com/Papers/thesdefabs.html
[4] Shamos M.I., “Electronic Voting - Evaluating the Threat”, available at http://www.cpsr.org/conferences/cfp93/shamos.html
[5] Neumann P., Mercuri R., Weinstein L., “Internet and Electronic Voting”, available at http://www.notablesoftware.com/Papers/Risks2114.html