1. Introduction

Voting is understood to be the form of choice. This form of expression can be performed through the ballot, or by any other electoral schemes. The electronic voting is a way in which votes cast by voters of a specific electronic medium that can be retrieved, tallied and stored electronically.

The project to be produced will be focusing on converting the current paper based elections system currently being used in Mauritius and by proposing a more secure online voting system. The current voting system being used by Mauritius is currently undergoing a poor voter turnout due to the fact that the system in place is being inconvenient for many voters for those who are disabled and abroad. The system to be created will address this issue by providing voters with the capability of casting their votes for their chosen candidates via an internet enabled computer.

The project will focus on the current voting method being used in Mauritius that is paper based ballot voting, and identify ways and which method can be modeled with the internet voting system to be implemented. The system will implement different election mechanisms used for casting votes.

Electronic voting is not just a possibility it is a reality. There are, already, numerous examples from across the world of electronic ballots taking place in both private and public elections. However, the range of potential technologies that can be used and the wide range of issues that their use gives rise to, means that implementing large scale, nation-wide, electronic voting needs careful planning. The central question in such planning is not whether electronic voting should be developed but how, and in what ways, it can be implemented. Resolving this question is the principal focus of this report.

A comparison of 2 countries will be carried out to determine their ways of conducting online voting.

The system will be built to have strict security features. These security features resumed from the point of voter login into the voting system, to casting their vote for their chosen candidate to the point of their exit from the system. The system will have secure restriction preventing the voter to vote more than once for the election candidates.

The system to be implemented needs to address the issues covering security needs of a vote being cast over the internet. Authentication and validation of the users, access rights, information encryption and vote's security need to be looked into in an in depth in order to produce a secure means of voting online.

Ballot voting in Mauritius

Electoral Management Bodies

There are two bodies which are responsible for supervision of the voter registration process in Mauritius that is the Electoral Commissioner's Office which is responsible for the overall coordination of the country's elections, and the Electoral Supervisory Commission (ESC) which is specifically responsible for and supervises the registration of electors and the conduct of elections. The ESC consists of a chairperson which is appointed by the president and 6 other members appointed after consultation between the president, the prime minister, the leader of the opposition in Parliament and other significant leaders of political parties in Parliament. Members of the ESC are not allowed to be either a member of, or candidate for election to, Parliament or any other public office.

The Registration Process

The voters roll is updated on an annual basis through a house to house enquiry which is usually carried out in January. Officers from the Electoral Commissioner's office visit every household after office hours and weekends to collect voter registration form which is dully filled. Data is collated from enquiries and made available in its provisional form in April and May of that Year. Once provisional has been made available eligible voters can at this stage register their names if their name does not appear in the register. The Electoral Commission Officer will see to it that the whole process is followed accordingly.

Mauritius Electoral Commission is an independent institution. The secrecy of ballot involves many preparations from implementing the appropriate infrastructures and equipments for casting of the ballot. The law takes into consideration the secrecy of the ballot and the Officials inspect the polling stations, voting booths, compound, fencing and the transparent ballot boxes in front of all pooling officers and political party agents before opening the pooling stations. This is to ensure that everything has been setup properly and also the police have to make sure that unauthorized persons should not be allowed within 200 meters of the polling stations except voters, police, pooling officials, candidates and their of their official agents and accredited media.

Transparent boxes are being provided to provide a sound guarantees and dispelled fears of vote stuffing in respect of secrecy of the ballot. The rooms had glass windows so that all to know what is happening inside. This will remove doubts. The voting process in Mauritius was very easy that is when a voter took the paper to the booth provided, placed a cross in the rectangle then folded the ballot paper so that the official can mark was visible. The voter would then fold up the ballot paper to drop it in the ballot box. This is to make certain that no person directly or indirectly interferes with any elector when marking his vote. The name of the candidate for or against whom he or she has voted is not made known to any other person. There were also a mechanism to assist the disabled and illiterate by blindness or other physical cause had to vote in the presence of at least two election officers. Thus marking on a ballot paper is made on behalf of the elector as directed by the elector himself. Thereafter the marked ballot paper was put into the ballot box. .

Mauritius constitution protects and enshrines the right of eligible individuals to vote without hindrance and secretly in a ballot box.

Section 72 (1)(a) Stipulates

"Every Officer, clerk, candidate and agent in attendance at a pooling station shall maintain and aid in maintaining the secrecy of the voting in the station, and shall not communicate except far a purpose authorized by law, before the poll is closed, to any person any information as to the name or number on the register of electors of any elector who has or has not applied for a ballot paper or voted at that station or as the official mark:

(4) a person who contravenes this section shall commit an offence and be liable to imprisonment." In terms of the voter assistance by other citizens,

Section 37 (1) states:

If any elector is incapacitated by blindness of other physical cause from voting, the pool clerk shall at the request of the elector, and on being so ordered by the presiding officer and in his presence and that of another election officer mark the vote of such elector on ballot paper in the manner directed by such elector."

Process of voting in Mauritius

It is important that the election counting process be open and transparent. The counting rules are clear and are sent to all election stakeholders who include political parties, the police, the candidates, agents and international observers. The ballot boxes were taken to counting center under strict police escort and left overnight under police guard. Important security measures were taken to ensure that the ballot boxes arrived safely at the counting centre and accompanied by the police, party agents, international observers.

On the counting day the police were already at the counting centre at 5:45am for the purpose of controlling access to the polling stations. People were allowed to the counting centers were candidates prominently wearing their candidate's badge, official election agents, international observers and the press clearly identified. At 8am the guarded rooms with the ballot boxes were handed over to the returning officers in the police presence.

Polling Station Staff

Polling station staff should be recruited in a non-partisan manner and should receive training well prior to an Election Day. In Mauritius, the majority of the polling station staff was recruited from the civil service, including a large number of teachers who acted as polling staff during the elections. This situation is not ideal, as there is a potential conflict of interest in using civil servants to assist in the voting process, given that civil servants are employed by government comprised of a ruling party. However, there was little evidence to suggest that polling station staff executed their duties in anything other than an impartial and professional manner. Although there was a good gender balance in the selection of polling staff and officials during the 2005 elections, men continue to constitute the majority of the Chief Presiding Officers in all districts. The issue of gender equity remains an acute challenge for Mauritius in many areas, and this is an area which can and must be addressed in subsequent elections.

The counting Process:

It start with the sorting the ballots by counting the ballot papers into 100 facing upwards and each bundle being tied together by a string. Once the process is over the ballots in their bundles are shifted again to the counting rooms. The process is very transparent as the police lead the way with the ballot boxes and all the candidates, agents are present. Then is follows by the pre-counting preparations were the process is quite lengthy so the actual count started at least two hours later. The set up for the counting of ballots, where counting agents are supposed to sit and those recording the count is clearly illustrated on a diagram on a circular that is available for all parties concerned. As counting continues an ballot paper with no voted for or unmarked or marked in any uncertainty as to the vote is considered void and not counted. Upon the completion of the counting the returning officers seals up in separate packets, the counted and the rejected ballot papers. It is important in the event of recount. As soon as the counting is complete the returning officer publicly declares the pool results.

Paper Form Voting Process:

Existing System

Regardless of any current imperfections, elections must continue to take place because they form the foundation of the democratic process. The voting system currently being used in Mauritius is a paper based system, in which the voter will have to picks up ballots sheets from electoral officials, put a cross who they would like to vote for, and then cast their votes then hand over the ballot sheet back to electoral official. The electoral officials gather all the votes being cast into a ballot box. At the end of the elections, the electoral officials converge and count the votes cast for each candidate and determine the winner of each election category.

Problems With Existing System

The current system in use today, has a number of problems which my proposed system would aim to correct. The system is highly insecure and prone to election malpractice. Due to the fact that any voters can come and fill out a ballot sheet without prior authentication to determine who he/she says they are, is a major concern. Even though they verify Identity card but still there are breach of security. The Identity card can be easily tampered as they do not have security hologram, microchip or optical stripe. The staff working on the voting system as a whole is highly inefficient, slow and time consuming, which is highly prone to human error. As most of the staffs are government employees so they there is a possibility of manipulating result in favor of the government.

Stringent control need to be carried out from the inception to the end when the process of ballot voting are generated, viewed, approved, controlled, distributed, voted, collected, tallied, recounted if needed and stored.

Law also demands that ballots must be handled by at least two elections officials or authorized poll workers and all unused ballots voting cards must be accounted for. Ballots are physically protected. Controlling the ballot is a well defined task for paper ballots which can be physically designed as the will appear to voter, physically printed, physically transported, physically counted. Ballots boxes are protected by physical tamperproof seal, should be transparent and in the presence of at least two authorized officials.

The process becomes expensive since the same process must be repeated for every election cycle. Costs are involved in creating, printing and involvement of personnel to track the election, tabulate results and provide assistance to voters. Elections is also a time consuming process that can last months, beginning with the process of accepting nominations, issuing guidelines, creating ballots, printing, collecting marked ballots and finally tallying, tabulating and publishing results.

Electoral stain can be used as a security feature to prevent double voting in elections. Ink is normally applied to the left hand index finger, especially to the cuticle where it is almost impossible to remove quickly. The ink normally remains visible for a minimum of 72 hours on skin.

The evolution from paper based voting to online voting are economic, political and social factors. Considerable cost reduction can be achieved in a client and server system with electronic data transfer, while increasing voter participation thus reducing physical transportation, physical security needs for transportation of ballot boxes and reduced time for tabulating results.

The desire for modernization

Increasingly, people use electronic means for conducting their lives, from telephone and internet banking through to on-line shopping. Even when individuals do not make use of such facilities themselves, they are likely to come across electronic transactions as a part of everyday life. Government policy often assumes that new technologies hold the solution to many social problems. Crime in urban areas is being tackled through the use of CCTV and the electronic tagging of offenders. Proposals to relieve traffic congestion in major cities depend on advanced technologies to manage new charging regimes for road use. There is an expectation, therefore, that technology should lie at the heart of all modern systems.

The Government has now made explicit commitments to implement electronic service delivery across all public services where, all key government services will be accessible electronically.

Many processes which currently depend largely on the exchange of physical documents or attendance at a specific place will be very widely increased and in many cases replaced by the application of new technology. The core processes which demonstrate government interactions with citizens and businesses giving and receiving money, giving and receiving information, regulation and procurement will be able to be carried out electronically While it is debatable whether voting should be seen simply as another Government service or, rather, as a more fundamental right within a democratic system, it is nevertheless apparent that electronic interfaces between citizen and Government are becoming more commonplace. There is, therefore, an expectation among both policy makers and the public that for democracy to appear modernised it must have an element of electronic voting. The desire for electronic voting, also reflects a broader process of modernisation and an expectation that democratic processes should mirror other political, economic and social activities.

The Interest in Internet Voting

With the explosion of the Internet culture around the world he question arise why should we not cast our ballots voting in the same manner as we order books on the web from house , work or from any country. Voters expect the government to venture into online voting since they are already providing services and information across internet. The concept of digital democracy has attracted many followers.

Internet Voting (remote e-voting)

Internet Voting also knows as remote e-voting systems is regarded as a major factor to many governments as the next step in the evolution of the electoral process because it increases the voters turnout rates, make the voting process more easy to citizens and to give somebody the right to vote in an election such as overseas voters, military voters and voters with disabilities.

An electronic voting system on-line voting, internet voting is an election system which uses electronic ballot that would allow voters to transmit their secure and secret voted ballot to election officials over the internet. With the wide spread of internet voting will surely increase more participation of public as voting is more convenient.

Internet voting offers many advantages when compared to the conventional paper-based electoral systems. Those advantages includes mobility and convenience for voters as they don't have to travel far away to cast their votes, greater speed and accuracy in the counting process, prevention of involuntary voting errors, better accessibility, lower costs, support of multiple languages, greater flexibility.

The electronic voting system is based on remote technology. Usually voters have the chance to vote by using computers at remote locations or at polling stations. They use computer and Internet networks for voting. Voters can vote out with the normal interval for voting (usually office hours). They can also vote from abroad. These constitute the most important advantages of the remote-based voting system. This idea is usually called Internet voting.

Forms of electronic voting

The term electronic voting, or e-voting, captures a whole range of innovations in voting practice, from relatively simple systems of electronic counting of manually cast ballots through to widespread remote voting by electronic means such as by the internet Electronic voting (e-voting) is a generic term that is applied here to all aspects of voting that involve some element of casting or counting of votes by electronic means.

Electronic counting (e-counting) refers to those systems that provide some form of automated count of votes that are cast using traditional methods (i.e. by physically marking a ballot paper by hand), whether in a polling station or by some other remote form such as postal ballots. While most forms of e-voting are likely to include some element of electronic counting, the term is reserved here to refer to those systems that only involve electronic systems in the counting of the votes.

3.1 Types of electronic voting systems

Nowadays there are different types of electronic voting systems which are being used across the world. With the increase of the internet usage, voting are being made much more easier for voters hence saying more time.

The types of electronic voting used currently are stated below.

3.1.1Punch Card Voting System

A punch card is a storage medium that is made of a thin cardboard stock that holds data as patterns of punched holes. Each of the 80 columns holds one character. The holes are punched by a keypunch machine and are fed into the computer by a card reader. With punch card voting, voters create holes in prepared ballot cards to indicate their choice of candidate. The system lacks verifiability because voters have difficulty matching up ballot choices with the punch-card device and cannot check their choices without the machine. Ballots are counted by a special scanning device and can be verified by hand count.

3.1.2 Direct Recording Electronic Voting System (DRE)

Direct Recording Voting machine are computerized voting machines that are used to count votes that are cast on the machine itself. These machines require the voter to use a keyboard, pointer or touch to mark their vote on a computer terminal. The DRE voting machines take the form of an ATM shaped box and the terminal consists of graphic images which will guide the voter through the voting process. Most of the machines support additional input devices and audio interfaces. The primary advantages of these machines are privacy and ease-of-use. The flexible user interface allows many voters, even those with disabilities, to cast their ballots privately and without assistance.

3.1.4 Online Voting

Online voting is whereby individuals are able to cast their votes online, through a web interface. Through the use of online voting, the voter browse through the election site using a web browser on an ordinary PC. The user then authenticates himself or herself before the system enables the voter to view the ballot displayed on the screen. The voter is then allowed to select their chosen candidate and then cast the votes which would then be sent to the election server for processing.

Different methods of Online Voting systems:

Kiosk Internet Voting:

This form of internet voting allows voters to vote from computers in kiosks set up by the voting authority in convenient locations such as post offices and shopping malls. The kiosks are not frequently monitored by poll workers all the time and voting can be carried out for several days.

Poll Site Internet Voting:

Pool Site internet voting allows voters to go to selected polling sites to cast their votes for their chosen candidates through the use of computers. The data contains the votes that are then transmitted from each polling site to a central election server via the internet.

Remote Internet Voting:

This form of voting enables the voters to cast votes for specified candidates from any location through the use of a normal computer connected to the internet. Remote voting is typically carried out at the voter's home, work place and abroad. It is the most convenient method of voting, since the voter has the choice to vote in an election from any suitable location.

Telephone Voting

Telephone voting enables people to call different telephone numbers to indicate their choice for different options, or a voter can also call the number and indicate a preference by pressing buttons in a menu system. Its main drawback is the difficulty in verifying the identity of the voter and in permitting only one vote per person. Its advantage is the ease in getting people to participate.

SMS Voting

A few pilots using among SMS voting have also been tested. This method is different from the previous ones because of being less interactive. On each poll card is written a number where to send the vote. The voter is asked to send one single message containing his credentials, the code of his ward and the code of the candidate he wants to vote for. If the message is valid then a confirmation SMS is sent to the voter.

Digital TV Voting

This voting method is fairly similar to Internet voting in the way it is applied. Voters have to navigate the menu system of their digital TV to access the eVoting service. Once it is done, the voter is asked to enter his credentials (indicated on his poll card). Being identified, he is then asked to select its favorite candidate, to vote for him and to confirm his vote.

A recent voting method is via the Internet.

The voter uses web-based applications for the voting process. The first step is choosing and editing a ballot. Then the ballot is secured by cryptophytic method (e. g. public key). The secured ballot is saved into a database. Each ballot has an individual transaction ID. Each voter receives a ticket with the transaction ID and results of their voting. This is necessary for voting control and maintaining anonymity.

Internet voting is mistrusted by many voters because of issues with voter identification, multiple voting, possible outside influences in vote tallying, and other problems. Serious security and privacy risks must be addressed and solved before the Internet can become a viable voting method. The use of a paper ballot in combination with the Internet is not possible, so no paper ballot is available as a backup audit trail for election officials if ever needed.

Criteria for Election Systems

Here is a list of the common criteria that are expected to satisfy through voting process.

  • Eligibility and Authentication—only authorized voters should be able to vote.
  • Uniqueness—no voter should be able to vote more than one time.
  • Accuracy—election systems should record the votes correctly.
  • Integrity—votes should not be able to be modified, forged, or deleted without detection.
  • Verifiability and Auditability—it should be possible to verify that all votes have been correctly accounted for in the final election tally, and there should be reliable and demonstrably authentic election records.
  • Reliability—election systems should work robustly, without loss of any votes, even in the face of numerous failures, including failures of voting machines and total loss of Internet communication.
  • Secrecy and Non-Coercibility—no one should be able to determine how any individual voted, and voters should not be able to prove how they voted (which would facilitate vote selling or coercion).
  • Flexibility—election equipment should allow for a variety of ballot question formats (e.g., write-in candidates, survey questions, multiple languages); be compatible with a variety of standard platforms and technologies; and be accessible to people with disabilities.
  • Convenience—voters should be able to cast votes quickly with minimal equipment or skills.
  • Certifiability—election systems should be testable so that election officials have confidence that they meet the necessary criteria.
  • Transparency—voters should be able to possess a general knowledge and understanding of the voting process; and
  • Cost-effectiveness-- election systems should be affordable and efficient.

Perceived advantages and disadvantages of voting in person using paper based voting

Some of the perceived advantages and disadvantages of voting in person are:

Perceived advantages

  1. Voters are familiar with the process of voting in person at their local polling stations.
  2. It is a visible act of democratic participation.
  3. The secrecy of the ballot is evidently assured with voting taking place in a screened booth and
  4. Voters place their ballot directly in the box and can be assured that their vote will be accounted for.

Perceived disadvantages

  1. The polling station may be some distance from where some people live and difficult to get to due to a number of reasons. These may include: Lack of transport to the polling station (particularly in rural areas) or lack of parking facilities.
  2. Polling station buildings being not as readily accessible as all individuals require.
  3. Lifestyles have changed significantly in the last few decades with people now more likely to be absent from their home for a range of reasons, including work and holidays.
  4. Voters can only vote at a polling station in the district in which they reside.
  5. Work commitments including commuting times may mean that a voter is unable to get to the polling station.
  6. Family or caring responsibilities may mean that a voter is unable to get to the polling station.
  7. Schools may have to close for the day to enable the facilities to be used for polling. This may have wider implications for parents/guardians who may have to take time off work to look after their children.

General description of e-voting systems

Generally, e-voting systems consist of six main phases:

  • voters registration
  • authentication
  • voting and votes saving
  • votes managing
  • votes counting
  • auditing.

The voters registration is a phase to define voters for the e-voting system and give them authentication data to log into the e-voting system.

The authentication is a phase to verify that the voters have access rights and franchise.

The voting and vote's saving is a phase where eligible voters cast votes and e-voting system saves the received votes from voters.

The votes managing is a phase in which votes are managed, sorted and prepared for counting.

The votes counting is the phase to decrypt and count the votes and to output the final tally.

The auditing is a phase to check that eligible voters were capable to vote and their votes participate in the computation of final tally. Additionally there are some other e-voting specific rules verified in this phase.

To list some of the relating phases are as follows: storing and managing the list of candidates, key generation and management, storing and managing the list of eligible voters, the installation of system initial position, taking down and archiving the system.

The e-voting system can be divided into three main components of infrastructure:

  • Voter Applications
  • Network Sever
  • Back-office

Voter Application is a web application or an application in voters' personal computers forecasting votes. Voter application connects to Network Server. Usually, encryptions and authentications methods secure the communication between these components.

Network Server is an online server that provides voters a necessary interface for casting votes. Network Server connects to Back-office server and transfers the received votes to it.

Back-office consists of servers to save and maintain votes and to count a final tally. In e-voting systems there are many Voter Applications, Network Servers and Back-office servers, but for the sake of simplicity and generalization we consider only one.

In Great Britain, there are many different electronic voting methods that have been experienced since 2002 for example polling booth, telephone, SMS, remote electronic voting via Internet and digital television. Remote electronic voting systems were used in the local election in 30 municipals in 2003. There were 27% of the voters who voted electronically (146 000 votes). The majority of all the votes are in favor of Internet voting while only a small group of the voters is against it. Many non voters are against it too. Even though many eligible voters would not use e-voting methods by themselves, there was a widespread support for making it available to others.

Estonia

Estonia has always included the development of e-government into its policy. It was the first country ever to use Internet voting in an election. The Internet is available to over 50% of the Estonian households, 40% of the households have a computer at home, and 81% of home computers are connected to the Internet. Since a large part of the Estonian population lives in urban areas, Internet access is widely available. The government continues to promote the accessibility and use of the Internet in rural areas, through many projects. The enabling factor in the whole eVoting project is the electronic ID card, which is widely spread: it allows for remote identification and signing of documents, and it plays a critical role in the Internet voting procedure.

In 2005, in the local elections, it was possible to vote over the Internet. The system was tested during a pilot in Tallinn in January 2005; a question was asked about the place of the statue of liberty, and voters could issue their vote in regular voting boots, and over the Internet. Despite a low response only 822 electronic votes were cast, and the number of eVoters was only 703, the conditions for electronic voting were met.

Costs and Benefits of the Electronic Voting System

Since the electronic voting system uses the ID card, which was already being widely distributed, the additional costs of eVoting are fairly limited. The ID card can't be seen as a cost made purely for the Internet voting system other services like e-banking make use of the ID card. Voters who wish to use the system use their home computer or a public computer, so these costs have also been avoided. The main cost of the system lies in the creation of a secure website, and the accompanying hardware setup. In comparison to countries like Ireland and the Netherlands, who use specific voting machines, the costs are quite low.

Lithuania

Lithuania has a mixed parallel electoral system consisting of both majority and the Hare quota with the largest remainder system. The Seimas, the Lithuanian Parliament, has 141 members, elected for 4 years. 71 of them are elected by 71 single-member constituencies via two round majority rules. The single-member candidates require more than 50 per cent of the vote to be elected provided that the turnout is not below 40 per cent. If the voter turnout is less than 40 per cent, a candidate that that has a majority and at least one fifth of all registered voters is considered to be elected. In case there is no winner, the top two go to a second round. In this second round, only a simple majority is needed to be elected. The other 70 MPs are elected by 1 national constituency via party list proportional representation whereby the allocation of the seats is based on the Hare quota. To have a valid election, the voter turnout should not be less than 25 per cent. The legal minimum threshold implies that a party has to win at least 5 per cent of the national vote to gain representation in the Seimas.

Logistic of voting

Lithuania has about 2.7 million voters that can cast a vote. Even though there is no compulsory voting, to be entitled to vote, one has to have Lithuanian citizenship, have reached the age of 18 years and not been disqualified from the right to vote (court declaration of incapability). The Election Day is usually a Sunday.

Electronic Voting

Lithuania has no electronic voting, but in November 2006, a law has been passed by the parliament approving Internet voting during elections and referenda. This Internet voting will be an advanced voting in the sense that it will begin 6 to 4 days before the Election Day. Lithuania will start a test project in order to introduce the Internet voting as an alternative voting channel at the Seimas election in autumn 2008. The Internet voting will be based on the on-line banking systems utilized by the Lithuanian banks and it is expected to enhance the voter turnout and lower the costs of future elections.

Electronic voting in different countries

Swiss Electronic Voting

In 1998, the Swiss federal executive has launched a governmental project aiming at making it possible for citizens to exercise all political rights, ranging from signing petitions to voting for elections and referendums, by online channels. This initiative has rapidly received a wide support. Public opinions surveys have shown that about two thirds of Swiss citizens were in favor of eVoting. Most political parties were enthusiast about the project. And cantonal authorities also quickly declared their envy to engage in the initiative (Geser, 2002).

The three cantons offer to citizens the choice between three voting methods: traditional polling stations, postal voting and Internet voting. The last two methods were allowed in the days before the official Election Day. Some weeks before the elections, voters receive a polling card with an ID and a password they can use to access an online voting website and to identify them before voting. If they do not want to vote via the Internet, they can either use the postal ballot or go to the polling station to vote on the Election Day. There is no question of making elections or referendums 100% online. The authorities want to leave the choice to voters.

What appears from the first pilots organized is that most voters prefer postal voting (approx. 70 per cent). Internet voting comes second with almost 20 per cent of voters. Finally, only a minority of voters (less than 10 per cent) still vote in a polling station on the Election Day. Interestingly, Internet voters are mainly voters that were using postal voting previously and not citizens who have always kept on voting in a polling station. Internet voting is also used mainly by occasional voters and not much by the few citizens who vote for all elections and referendums (Christin & Trechsel, 2005).

Debates about Electronic Voting

Arguments in Favor

Four main arguments are mobilized in favor of Internet voting (Auer & Trechsel, 2001). The first one is the expected positive impact of eVoting on turnout. Online voting would enhance the commodity in the act of voting and would make voting easier. Therefore, it could convince some occasional abstentionists to vote more regularly. In a country like Switzerland where turnout for elections is around 50 per cent and even below for most referendums, the issue of turnout is crucial. In that sense, the context in which eVoting has been introduced in Switzerland is fairly different from Belgium where voting is compulsory.

The second argument is that it would enhance the quality of the vote. The logic behind this line of argument is that before voting online, voters can easily access online a wide variety of information on the election or on the referendum they are going to vote for. The expectation is that citizens will first collect information on various websites before deciding how they will vote. In order to guarantee a better access to political information, Swiss governmental agencies have been considering the creation of web pages on the official online voting website that would gather relevant and neutral information but also some useful Internet links to political parties websites for example).

The third argument is that Internet voting would reduce the human and financial costs of elections. First, if most citizens prefer to vote via postal ballot or via the Internet, fewer polling stations would have to be open. The simple cost of printing paper ballots would also be suppressed. Fewer officials would be required to count votes. All these elements could lead to a significant reduction in the cost of elections and referendums. Finally, promoters of eVoting in Switzerland have also underlined that Internet voting is the natural step forward for any modern society.

Arguments against

When it comes to arguments against Internet voting heard in Switzerland, three potential problems are underlined. The first one is that Internet voting would potentially be a new form of social exclusion as only one half of Swiss citizens are familiar with the Internet (Auer& Trechsel, 2001). A digital divide could lead to the exclusion of some social groups from the democratic process. The fear is that the elderly, the less educated, women and the citizens with less economic resources - all groups with a difficult access to ICTs - would face problems if they have to vote on the Internet.

The second argument against eVoting raised in the Swiss debate is more psychological. It is actually related to the lack of trust voters may have about Internet voting. Having doubts about the security and the transparency of voting online, voters may have a problem of confidence with Internet voting (Cotti, 2002).

The lack of confidence concerns two categories of citizens.

First, citizens having a very limited knowledge of ICTs may be frightened by something they do not know. As they do not understand how it works, they may face problems to use ICTs to vote.

The second category of voters having of potential problem of confidence in Internet voting is voters that know a lot about ICTs. These citizens know how vulnerable Internet systems are for hackers and viruses. Therefore, they have difficulties to use the Internet for elections or referendums.

Finally, a critique against Internet voting that has emerged in Switzerland is that it would transform the act of voting and make it more influenced by emotions. Voting may become an act citizens spend less time and effort in. They would just need to connect on the network, (sometimes) look for information and then vote. The risk is that decisions in elections and referendums are more influenced by short term impressions and that less time is given to think quietly about the arguments in presence (Linder, 2001).

The United Kingdom

Introduction

Like in most European countries, turnout has been declining constantly in the United Kingdom. In particular, turnout for local elections and for EU elections is very low. For the local elections in 2000 it was below 30 per cent. In 2004, for the election of the European parliament, only 37.2 per cent of all voters turned out and voted. In that context, the British government has decided to develop various initiatives in order to increase electoral participation.

Firstly, in 2000, a new body, the Electoral Commission, has been created. Its role is to organize elections and to look for potential reforms that could amend positively the way elections are held in Britain. In its task, the Electoral Commission has been supported by the Department of Constitutional Affairs and its Electoral Modernization Unit. These two bodies have pushed the British government to explore new ways of voting in order to increase turnout.

Since then, several experiments of new voting methods have been tested across Britain, mainly for local elections. It ranges from postal voting to electronic voting, Internet voting and even SMS voting. Yet, no decision has been taken up to now to introduce electronic voting for all elections.

Pilots of Electronic Voting

Since 2000, the British government has authorized local authorities to test new ways of voting for local elections. When it comes to eVoting, the 2002-3 local elections were crucial. The government allocated 30 millions pounds for 17 eVoting pilots across the country for a total of about 1.5 million voters 1.426.318 having the possibility to use eVoting methods. The goal was to offer a wider range of voting methods to all citizens. It was no question of replacing paper ballots; the aim was to allow citizens deciding between various ways of voting. The main methods tested are discussed below.

Remote Internet Voting

For 14 local elections, a special electoral website was created. Each voter had received on his poll card credentials (most of the time, an ID and a password) to log on the website.

Once logged on, the voter had to choose the elections he wants to take part (parish or district) and then to vote for his favorite candidate by clicking on his name. The vote has to be confirmed before being validated.

The evaluation of eVoting pilots was also made possible by a study directed by the Electoral Commission and conducted by the MORI (Market & Opinion Research International) to evaluate the attitude of British voters towards eVoting in areas where pilots where held. First, the ease of using new eVoting methods has been investigated. The results seem to show that none of the new ways of voting are fairly difficult (see table 1). Among the five eVoting methods tested (Internet, telephone, SMS, kiosks and digital TV), telephone voting appears to be perceived as being the easiest. Interestingly, it is the device voters are most familiar with.

The MORI survey also tried to evaluate if effectively using eVoting methods changes the perception voters have about Internet, telephone and kiosk voting. This analysis has been conducted by comparing a sample of voters having effectively used one of the eVoting methods and another sample of voters that have never used eVoting methods. The two samples were questioned about easiness of use, commodity, security and secrecy (see table 2).

Costs and benefits (156330 pdf)

The costs and benefits of e-voting are difficult to quantify, although some assessment can be made:

Benefits

Providing multi-channel access to voting will make it much more convenient and accessible for many people than the current system. Modernisation of the electoral process will also provide the opportunity to make voting practices more robust and flexible, reducing further the opportunities for electoral fraud while, at the same time, improving the ease with which elections can be implemented. Consequently, the electoral process might be more easily modified in the future or used for alternative activities such as referendums. In addition, elections in which a large proportion of the votes are cast electronically will reduce the costs of vote counting and may provide opportunities for other parts of the electoral process to be automated. Consequently, in the longer term there may be significant efficiency gains to be made from e-voting.

Costs

The costs of an e-enabled election depend upon the range of channels offered and the ways in which each of the relevant technologies is implemented. Information from an e-voting pilots may suggests that the set-up costs for e-voting can be significant and are unlikely to be matched by efficiency savings in the short-term. However, once the investment has been made in appropriate infrastructures then it seems likely that greater savings can be made in the long term.

Technological penetration

One of the main constraints for e-voting is the access that various groups have to different technologies. In effect, the extent to which technologies are widely available across society or more narrowly focused within particular socio-economic or demographic groups, affects the opportunities for widespread implementation. This issue is important because first the differential access to the technologies affects the practical opportunities that individuals have to vote through these means. Somewhat obviously, implementation based upon a technology that is only available among certain socio-economic or demographic groups is likely to disproportionately benefit these groups. Second, however, as the focus groups have emphasised, access to the technology has a substantial influence on the ability of individuals to have either the confidence in or the capacity to use them. Those with no access or experience to the technologies are not able to make sense of the operational rules and, therefore, may be unintentionally disenfranchised by implementation based upon technologies that are not universally, or at least popularly, available.

This section briefly maps some of the main technological trends in order to identify the extent to which particular technologies are likely to be universally or popularly available in the near future.

Personal Computers (PCs)

Remote voting via personal computers is a possibility, either using the internet or another conduit for transferring the vote. However, the risk of virus attack will be greatest if general purpose computers are used by individual voters. Such computers will, almost universally, be vulnerable to attack by novel viruses or malware, since virtually all 'virus protection' facilities rely on a library of known viruses or malware. In the case of home computers, few currently have any 'virus protection' and even fewer have regularly updated libraries of known viruses or malware. Any virus widely distributed in the months before the election could be expected to be present on a high proportion of home computers, if such a virus did not make its presence felt to the individual user concerned in advance of the election. Viruses are already in widespread circulation that can detect anything typed on the keyboard. It would be relatively easy for a virus writer to write a virus that did nothing except propagate itself until a web browser was directed to "election.gov.uk" or a similar address, but which then was capable of changing the individual's vote, or preventing the individual from voting, or sending a copy of their vote to some other destination there-by violating the privacy of the ballot.

It might be thought that this problem could be overcome by distributing 'virus protection'. At present, with low levels of broadband penetration, if such a distribution was conducted 'down the wire' as part of the voting process, the downloading of the software onto the user's computer could be prohibitively time-consuming. A theoretical alternative might be to distribute 'virus protection' facilities on disk, however, to be successful, the library of viruses included would have to be very contemporary. Considerations elsewhere suggest that the contents of such a disk would have to be open source and open to scrutiny by experts appointed by the Parties for a specified period prior to the election. With disk production and distribution time as well, there would be a danger of viruses being propagated between when the contents of the disk were finalised and the election. This could be mitigated by including an internet address to check for updates, but such sites would equally have to be running open source code,available to scrutiny by the Parties, and even if no updates were needed, the extra time taken for the voting process to go through this extra stage would be problematic. A better solution is to bypass the software on which such viruses/malware depend, providing a specialised operating system and set of drivers of known quality and without the basic security vulnerabilities of mainstream software on the disk. This might imply that all voters are sent a special disk for PC based voting in advance of each election which loads when the computer is switched on and bypasses existing operating systems to create a secure voting environment.

Internet

Where the internet is used as a substantial transmission route, general disruption of the internet (such as when the email 'ILOVEYOU' worm was propagating) could be a significant threat. At present there is no effective defence against such disruption. Until and unless such defences are introduced, the internet cannot be relied upon as a substantial transmission route for electronic voting. However, developments in internet security over the next few years may resolve many of these problems.

The problem of internet security, particularly in relation to denial of service attacks, is only significant if a large proportion of the electorate depend upon it to cast their votes. If mainstream electronic voting does not use the internet, the 'number of eggs' in the basket of an internet connection for the webserver might be sufficiently small to enable internet voting where the mainstream e-voting option is impractical or impossible (for example, overseas). It appears that internet voting used on a small scale to enable voting from overseas and other exceptional cases would be less problematic than large scale internet voting. A further concern with networks is that it may be possible to identify the individual who is casting a vote (presumably encrypted, and thus the precise content of the vote is not discernible, although spoilt ballots may be discernible). This is particularly a risk if individuals are voting from work, where it is not uncommon for the name of the computer to be employeename@employername.co.uk.

Network

The internet domain name system is at present not sufficiently secure against attack to enable it to be used in the election process in any substantial way. A system that asks significant numbers of voters to access a particular web domain (for example, www.election.gov.uk), risks having that web traffic hijacked (in the short term, which is long enough to cause unacceptable problems for the election). As security consultant Bruce Schneier puts it: "there's no security in the DNS system. So when a computer sends a query to a DNS server and gets a reply, it assumes that the reply is accurate and that the DNS server is honest. In fact, the DNS server does not have to be honest; it could have been hacked. And the reply that the computer gets from the DNS server might not have even come from the DNS server; it could have been a faked reply from somewhere else." (Schneier, 2000, p180)

The US National Science Foundation similarly warn: "Remote voting systems will ... have to contend with an attack known as spoofing-luring unwitting voters to connect to an impostor site instead of the actual election server. While technologies such as secure socket layer (SSL) and digital certificates are capable of distinguishing legitimate servers from malicious ones, it is infeasible to assume that all voters will have these protections functioning properly on their home or work computers, and, in any event, they cannot fully defend against all such attacks. Successful spoofing can result in the undetected loss of a vote should the user send his ballot to a fake voting site. .... In short, this type of attack poses the same risk as a Trojan horse infiltration, and is much easier to carry out." (NSF, 2001 p16).

While DNS problems could only disrupt a given election for a short time, it could well be that individual voters have no idea if they have 'voted' on a spoofed site rather than the real one, so that when the correct IP address is replaced on the DNS, the affected voters do not know that they need to vote again. Spreading the election over several days will not help with this problem, as this would simply give a longer window during which the DNS system can be disrupted. The current DNS protocol contains many elements that can, in principle, be used to secure DNS, and these are implemented in current versions. These are in use, but not widely. Even if much of the network can be made in principle secure, it seems that client end problems will still be a potential problem for some voters for many years. In the eyes of some experienced commentators 'interfacing to the Internet could be, in itself, considered to constitute a security breach, in that wide attack and monitoring opportunities are provided that would not be possible with individual DRE [voting machine] kiosks, or in a closed network setting' (Mercuri, 2001, p34). Despite this, it is logically possible for internet voting to be made suitably secure for use as the mainstream means of voting in a UK general election. However, the cost of achieving such security (including the time costs to voters), suggests that other options are much more likely to be fruitful as the mainstream method of electronic voting in the near future. It may be worthwhile continuing to investigate internet voting for the longer term future. Indeed, conversations with the Office of the e-Envoy suggest that substantial work is already under way to address the security issues in order to make internet voting a practical reality by the General Election after 2006.

Collecting and processing centres

In order to be resilient in the face of attempted denial of service attacks, the electronic voting system needs to avoid being vulnerable to single points of failure. Similarly, reducing the 'number of eggs in one basket' would reduce the attractiveness of any single target: thus, the collection and processing of votes should take place at very many centres for a General Election. Each of these centres will need to be defended against denial of service attacks. Whether connected to the internet or not, to protect against attempts to hack into servers (as well as denial of service attacks) each counting centre needs a good, well configured and well maintained firewall with effective detection and reaction capabilities in addition to the protection capabilities that are normally associated with firewalls. If servers that collect votes and pass them on for processing have any connection to the internet (as seems most likely), firewalls will also have to ensure that attacks on the internet connection do not tie up system resources and cause a denial of service for other connections.

A further consideration that strongly suggests that the number of counting centres should be large is the risk of physical disruption. At present to cause significant disruption to a General Election would require physical disruption to many counting centres, thus the election is fairly well defended against attacks using physical disruption. The smaller the number of counting centres, the greater the defences of each would need to be.

Security

For the purposes of analysis, security can be divided into two principal parts:

2. security to ensure that all voters are allowed to cast their ballot - this equates to the door keeper principle and

3. security to ensure that once votes have been cast they are stored and counted correctly - this relates to the verification, tally and audit principle.

Electronic systems of voting introduce new issues of security into the voting process, because they are vulnerable to a range of new threats that traditional systems do not suffer from. At the same time, however, electronic systems create the opportunity to improve upon existing security arrangements and to reduce the risks of personation and other forms of electoral fraud. Not all security risks can be guarded against. In striking the right balance, therefore, the emphasis should be upon minimising risks while improving upon existing security arrangements.

Different technologies, of course, have the potential to highlight different security problems.

However, many are common across all technologies. Drawing upon the evidence presented in section 4 it is apparent that the most common security problems are likely to include:

Hacking - computer based systems such as the internet are particularly vulnerable to hackers who may hack into a system to corrupt or alter votes or may add or remove votes from the system. However, any electronic system that is connected to some form of telecommunication network is potentially vulnerable to this problem. While firewalls and other mechanisms can afford high levels of protection, all forms of remote electronic voting would remain vulnerable to some extent to this form of attack.

Viruses and malware - electronic systems are also vulnerable to planted disruptions. This is particularly true of all computerised voting systems, where viruses may lie dormant until triggered by a particular event or date. The problem does not relate only to home based voting but could also, potentially, apply to computerised voting within polling stations where the system has not been adequately protected. Of course, there is also the danger that someone involved in the election may deliberately introduce malware to the process. However, the risk of this form of malicious attack is not much greater than with conventional electoral systems, even if the means by which it might take place differs.

Denial of service attacks - elections are particularly time critical. Denying access to a service for a particular period of time, therefore, might disenfranchise a large number of voters. While the internet is often seen as the technology most vulnerable to this form of attack all distributed electronic systems can, potentially, suffer from these problems, although some are more vulnerable than others.

Disruption by strikes or commercial contract disputes - electronic voting introduces new vulnerabilities into the electoral process because third parties become involved in the process. Given the time critical nature of elections and their high public profile, contractual disputes between suppliers and local authorities or, indeed, others involved in the supply process, may use the threat of action against the election as a bargaining device. Of course, elections have always been subject, in principle, to such disruption. The suggestion here, however, is that electronic systems may make it easier for a few key workers or organisations to disrupt the entire election.

System failure - this may occur either where a critical component of a system fails or where a system becomes overloaded. An example of the former might include a power failure within a polling station which temporarily prevents individuals from voting electronically. This only becomes critical if the power is not restored quickly and the voter is thereby disenfranchised. An example of the latter might occur where so many people seek to vote at the same time that the system locks voters out. The concern here is whether voters would be prepared to keep trying if the system was overloaded at peak times.

The problem is not only one of making elections secure, it is also one of convincing citizens that the system is secure. Hackers may be able to undermine confidence in e-voting systems simply by claiming that they have hacked into a system or that they have altered votes. They may also undermine confidence by suggesting that they have invaded the privacy of a vote. Similarly, anecdotes of people who tried but were unable to get onto the system to cast a vote will undermine confidence in the integrity of the election. It is not sufficient, therefore, to take technical steps to protect security. It will also be necessary to demonstrate security through rigorous audit and tally mechanisms.

All technological options carry with them security risks. One way of guarding against the extremes of security risks, however, is to avoid resting too much of an election on any single technological platform. Consequently, it may be better for e-voting to take place across a range of platforms, both electronic and manual, there-by reducing the risk of total disruption to the election. This proposal also has the benefit of increasing voter choice in the way in which they vote. The downside, however, is that while the risk is spread across a number of technologies, there is also more risk associated with multiple technological solutions. The range of voting options should not be so great as to make security fragmented.

Secrecy

The technology needed to facilitate remote voting by electronic means raises serious concerns for the secrecy of the ballot. Each vote in a democracy is considered to be the means by which the individual citizen contributes to decision-making in the polity. Modern theories of democracy stress the importance of elections as a means of guaranteeing citizen autonomy. This notion is predicated on voting being a private act in which the individual makes up his or her mind alone, free from the immediate influence of others. Such influence can take a variety of forms, from actual physical intimidation and coercion through to far more subtle forms of social pressure. Although the problem of undue influence will, in all probability, never be entirely overcome, the humble polling booth goes a long way toward creating an environment in which the voter can reflect on his or her choice and make a considered decision safe in the knowledge that no-one will ever know how they voted (save by court order). In this sense, voting under the current system is both the most public act that most citizens perform - in the sense that it is their most direct contribution to the public good - and the most private - in the sense that they do it in total, rigorously enforced isolation from their fellow human beings Outside of the carefully-monitored confines of the supervised polling place, it is difficult to imagine the circumstances under which this peculiar combination of features of voting could be safeguarded. It is particularly difficult to envisage a form of home-based voting that would achieve the same standards of integrity as that obtained through voting in supervised polling places. The home is not, for many people, a private place. There are several dimensions to this:

The social dimension

Social influence can take a variety of forms, both intentional and unintentional. Outright coercion is the most obvious type of influence, but it is likely that the desire to behave in a way that is socially acceptable within the family may represent an even greater threat to vote autonomy. Survey researchers are well aware of the problem of respondents providing 'socially acceptable' answers to questions about vote behaviour that are at variance with how (and whether) they actually voted. Within the home, the sanctions for behaving in an 'acceptable' way are far greater, and if voting is not secret, many voters may feel they are under considerable pressure to alter their vote choice. Moreover, those voters who are the most vulnerable within the home, are also likely to be the most socially disadvantaged in general - women, dependent children, dependent elderly, disabled people and so on.

The technological dimension

All those familiar with domestic contests for use of television remote controls will be aware that access to technology within the home is often determined by complex sets of power relations in which family members are by no means equal. Those family members who have paid to acquire and maintain the technology, who have superior skills and confidence in using it, or who are the most habitual users of it often seek to control access by others. It is likely that this type of behaviour will spill over also into the electoral arena, regardless of legal impediments to undue influence. It is also possible that family members who are less technologically literate would seek the assistance of those more familiar with the use of keyboards and other such devices and would then seek to 'thank' their helpers by voting in way that would please the latter. For all these reasons, the argument that voters can just 'close the door' and vote in private is unlikely to reflect domestic reality. If the choice of candidate is an object of influence, then the choice of whether or not to vote will, in all probability, be subject to the same social pressures.

Moreover, many voters may choose to put what they perceive to be their family duty before their civic duty. 'Honouring' and 'obeying' spouses and parents are norms in many cultures, and within the home these norms are likely to over-ride civic norms in a way that they would not do so in a polling station. If 'closing the door' is perceived to be a violation of domestic norms of communal living and shared experience, it may not be a socially realistic option. Under these circumstances the obligation to vote in private may put many voters in an invidious position. No voter should be forced to choose between domestic and civic duties in this way, yet this is precisely the position in which many voters would find themselves were voting to be conducted via communal home appliances in shared living space. It might be argued that voters who found themselves to be under severe cross-pressures of this type could simply opt to go vote in a polling station where the secrecy of their choice was protected. But this might often not be an option for the same reason that 'closing the door' would not be an option. If the head of the family decided in advance that the entire family was to vote together, opting out of that activity would carry considerable social risk. In some cases it might not even be physically possible, as dominant family members might well exercise control over the means of locomotion.

Because vote choice does not in and of itself carry immediate consequences for the individual, the integrity of that act is fragile. There are doubtless committed partisans who would give their lives to be able to vote for their preferred candidate, but these are few and far between. The average voter can be expected to be vulnerable to a multitude of social pressures in making up his or her mind on voting day, and stringent safeguards are necessary to protect the voter from the undue influence (whether intentional or not, conscious or not) of others. It is unlikely that it would be possible for the state to erect such safeguards within the home even if it were not for the right to privacy and a family life. If that right were enforced in the voting context, safeguarding the vote of even a moderately large electorate would be impossible. The public act of voting is incompatible with private life in the family.

Malicious payload

There are literally hundreds of attack programs that we could discuss in this section. One only need to visit the web site of any number of security software vendors to see the long lists of exploits that affect hosts to various degrees. The fact of the matter is that on the platforms currently in the most widespread use, once a malicious payload reaches a host, there is virtually no limit to the damage it can cause. With today's hardware and software architectures, a malicious payload on a voting client can actually change the voter' s vote, without the voter or anyone else noticing, regardless of the kind of encryption or voter authentication in place. This is because the malicious code can do its damage before the encryption and authentication is applied to the data. The malicious module can then erase itself after doing its damage so that there is no evidence to correct, or even detect the fraud. To illustrate, we focus the discussion on two particular malicious payloads that each exemplify the level of vulnerability faced by hosts.

The first program we describe, Backorifice 2000 (BO2K) is packaged and distributed as a legitimate network administration toolkit. In fact, it is very useful as a tool for enhancing security. It is freely available, fully open source, extensible, and stealth (defined below). The package is available at http://www.bo2k.com/. BO2K contains a remote control server that when installed on a machine, enables a remote administrator (or attacker) to view and control every aspect of that machine, as though the person were actually sitting at the console. This is similar in functionality to a commercial product called PCAnywhere. The main differences are that BO2K is available in full source code form and it runs in stealth mode.

The open source nature of BO2K means that an attacker can modify the code and recompile such that the program can evade detection by security defense software (virus and intrusion detection) that look for known signatures of programs. A signature is a pattern that identifies a particular known malicious program. The current state of the art in widely deployed systems for detecting malicious code does not go much beyond comparing a program against a list of attack signatures. In fact, most personal computers in peoples' houses have no detection software on them. BO2K is said to run in stealth mode because it was carefully designed to be very difficult to detect. The program does not appear in the Task Menu of running processes, and it was designed so that even an experienced administrator would have a difficult time discovering that it was on a Computer. The program is difficult to detect even while it is running. There can be no expectation that an average Internet user participating in an online election from home could have any hope of detecting the existence of BO2K on his computer. At the same time, this program enables an attacker to watch every aspect of the voting procedure, intercept any action of the user with the potential of modifying it without the user's knowledge, and to further install any other program of the attackers desire, even ones written by the attacker, on the voting user's machine. The package also monitors every keystroke typed on the machine and has an option to remotely lock the keyboard and mouse. It is difficult, and most likely impossible, to conceive of a web application that could prevent an attacker who installs BO2K on a user's machine from being able to view and/or change a user's vote.

Delivery mechanism

The previous section gave three examples of what an attacker could do to disrupt an election if the attacker could install code of his choosing on peoples' computers. This section deals with how this installation could happen.

The first, and most obvious mechanism is physical installation. Most people do not keep their computers in a carefully controlled, locked environment. Imagine someone who develops an application to attack the voting system, such as the two described above, prepares a floppy disk with the code on it, and then installs it on as many machines as possible. This could be accomplished by breaking into houses, by accessing machines in someone's house when visiting, by installing the program on public machines in the library, etc. The bottom line is that many people can obtain physical access to many other peoples' computers at some point leading up to an election. Then, malicious code can be delivered that can trigger any action at a later date, enable future access (as in the case of BO2K), or disrupt normal operation at any time. Considering that many of the attack programs that we are seeing these days run in stealth mode, malicious code could be installed such that average computer users cannot detect its presence.

While the physical delivery of malicious code is a serious problem, it is nowhere near as effective as remote automated delivery. By now, most people have heard of the Melissa virus and the I Love You bug. These are the better-known ones, but many such attacks happen all the time. In fact, the most widespread of the e-mail viruses, Happy99, has received very little media attention. Typically, these attacks cause temporary disruption in service, and perform some annoying action. In most of the cases, the attacks spread wider and faster than their creators ever imagined. One thing that all of these attacks have in common is that they install some code on the PCs that are infected. There is a misconception by many people that users must open an attachment in order to activate them. In fact, one virus called Bubbleboy was triggered as soon as a message was previewed in the Outlook mailer, requiring no action on the part of the user. Any one of these e-mail viruses could deliver the attack code described in the previous section.

It is naïve to think that we have seen the worst of the Internet viruses, worms, and bugs. In the last several months, the incidents of new attacks have grown much faster than our ability to cope with them. This is a trend that is likely to continue. E-mail viruses are not the only way that malicious code can be delivered to hosts. The computers in most peoples' houses are running operating systems with tens of thousands of lines of code. These systems are known to be full of operational bugs as well as security flaws. On top of these platforms, users are typically running many applications with security problems. These security flaws can be exploited remotely to install malicious code on them. The most common example of such a flaw is a buffer overflow.

A buffer overflow occurs when a process assigns more data to a memory location than was expected by the programmer. The consequence is that that attacker can manipulate the computer's memory to cause arbitrary malicious code to run. There are ways to check for and prevent this in a program, and yet buffer overflows are the most common form of security flaw in deployed systems today.

The communications infrastructure

A network connection consists of two endpoints and the communication between them. The previous section dealt with one of the endpoints, the user's host. The other endpoint is the elections server. While it is in no way trivial, the technology exists to provide reasonable protection on the servers. This section deals with the communication between the two endpoints.

Cryptography can be used to protect the communication between the user's browser and the elections server. This technology is mature and can be relied upon to ensure the integrity and confidentiality of the network traffic. This section does not deal with the classic security properties of the communications infrastructure; rather, we look at the availability of the Internet service, as required by remote electronic voting over the Internet.

Most people are aware of the massive distributed denial of service (DDOS) attack that brought down many of the main portals on the Internet in February, 2000. While these attacks brought the vulnerability of the Internet to denial of service attacks to the mainstream public consciousness, the security community has long been aware of this, and in fact, this attack was nothing compared to what a dedicated and determined adversary could do. The February attack consisted of the installation and execution of publicly available attack scripts. Very little skill was required to launch the attack, and minimal skill was required to install the attack. The way DDOS works is that a program called a daemon is installed on many machines. Any of the delivery mechanisms described above can be used. One other program is installed somewhere called the master. These programs are placed anywhere on the Internet, so that there are many, unwitting accomplices to the attack, and the real attacker cannot be traced. The system lies dormant until the attacker decides that it is time to strike. At that point, the attacker sends a signal to the master, using a publicly available tool, indicating a target to attack. The master conveys this information to all of the daemons, who simultaneously flood the target with more Internet traffic than it can handle. The effect is that the target machine is completely disabled.

We experimented in the lab with one of the well known DDOS programs called Tribe Flood Network (TFN), and discovered that the attack is so potent, that even one daemon attacking a Unix workstation disabled it to the point where it had to be rebooted. The target computer was so overwhelmed that we could not even move the cursor with the mouse.

There are tools that can be easily found by anyone with access to the web that automate the process of installing daemons, masters, and the attack signal. People who attack systems with such tools are known as script kiddies, and represent a growing number of people. In an election, the adversary is more likely to be someone at least as knowledgeable as the writers of the script kiddy tools, and possibly with the resources of a foreign government.

There are many other ways to target a machine and make it unusable, and it is not too difficult to target a particular set of users, given domain name information that can easily be obtained from the online registries such as Register.com and Network Solutions, or directly from the WHOIS database. The list of examples of attacks goes on and on. A simple one is the ping of death, in which a packet can be constructed and split into two fragments. When the target computer assembles the fragments, the result is a message that is too big for the operating system to handle, and the machine crashes. This has been demonstrated in the lab and in the wild, and script kiddy tools exist to launch it. The danger to Internet voting is that it is possible that during an election, communication on the Internet will stop because attackers cause routers to crash, election servers to get flooded by DDOS, or a large set of hosts, possibly targeted demographically, to cease to function. In some close campaigns, even an untargeted attack that changes the vote by one percentage point could sway the election.

Social engineering

Social Engineering is the term used to describe attacks that involve fooling people into compromising their security. Talking with election officials, one discovers that one of the issues that they grapple with is the inability of many people to follow simple directions. It is surprising to learn that, for example, when instructed to circle a candidate's name, people will often underline it. While computers would seem to offer the opportunity to provide an interface that is tightly controlled and thus less subject to error, this is counter to the typical experience most users have with computers. For non-Computer Scientists, computers are often intimidating and unfamiliar. User interfaces are often poor and create confusion, rather than simplifying processes.

A remote voting scheme will have some interface. The actual design of that interface is not the subject of this paper, but it is clear that there will be some interface. For the system to be secure, there must be some way for voters to know that they are communicating with the election server. The infrastructure does exist right now for computer security specialists, who are suspicious that they could be communicating with an imposter, to verify that their browser is communicating with a valid election server. The SSL protocol and server side certificates can be used for this. While this process has its own risks and pitfalls, even if we assume that it is flawless, it is unreasonable to assume that average Internet users who want to vote on their computers can be expected to understand the concept of a server certificate, to verify the authenticity of the certificate, and to check the active ciphersuites to ensure that strong encryption is used. In fact, most users would probably not distinguish between a page from an SSL connection to the legitimate server and a non-SSL page from a malicious server that had the exact same look as the real page.

There are several ways that an attacker could spoof the legitimate voting site. One way would be to send an e-mail message to a user telling that user to click on a link, which would then bring up the fake voting site. The adversary could then collect the user's credentials and in a sense, steal the vote. An attacker could also set up a connection to the legitimate server and feed the user a fake web page, and act as a man in the middle, transferring information between the user and the web server, with all of the traffic under the attacker's control. This is probably enough to change a user's vote, regardless of how the application is implemented.

A more serious attack is possible by targeting the Internet's Domain Name Service (DNS). The DNS is used to maintain a mapping from IP addresses, which computers use to reference each other (e.g. 135.207.18.199) to domain names, which people use to reference computers (e.g. www.research.att.com). The DNS is known to be vulnerable to attacks, such as cache poisoning, which change the information available to hosts about the IP addresses of computers. The reason that this is serious is that a DNS cache poisoning attack, along with many other known attacks against DNS, could be used to direct a user to the wrong web server when the user types in the name of the election server in the browser. Thus, a user could follow the instructions for voting, and yet receive a page that looked exactly like what it is supposed to look like, but actually is entirely controlled by the adversary. Detailed instructions about checking certificate validity are not likely to be understood nor followed by a substantial number of users. Another problem along these lines is that any computer under the control of an adversary can be made to simulate a valid connection to an election server, without actually connecting to anything. So, for example, a malicious librarian or cyber café operator could set up public computers that appear to accept votes, but actually do nothing with the votes. This could even work if the computers were not connected to the Internet, since no messages need to be sent or received to fool a user into believing that their vote was cast. Setting up such machines in districts known to vote a certain way could influence the outcome of an election.

Election Data Security

eBallot has extensive security measures in place to protect against the loss, misuse, and alteration of data. eBallot is a SAS- 70 (Statement on Auditing Standard 70) Type I certified solution. Developed and maintained by the American Institute of Certified Public Accountants, the AICPA audited eBallot to ensure compliance with the SAS-70 Information Security Controls standards. This certification also verifies that eBallot is a neutral third-party solution, eliminating any perception of election tampering. These industry best practices, procedures and controls, coupled with industry-leading database technologies, ensure that your election information is secured.

eBallot offers a true multi-tenant architecture, meaning that individual customer "deployments" of the eBallot application occupy virtual partitions, rather than requiring separate physical stacks of hardware and software. Customers share the same physical infrastructure and identical code lines, but all customer and election data is stored separately. This ensures that one customer cannot access another customer's election results and voter lists.

Powerful databases enable high volume vote processing at any time during an election, ensuring against system slowdowns and lost votes even if large numbers of voters cast ballots simultaneously.

Database Security

Database technologies and procedures are in place to safeguard and secure your voter lists and election results,preventing unauthorized access and maintaining accuracy.

  • Databases are restricted to a very limited number of authorized technicians
  • Databases are password-protected, and passwords are changed regularly
  • Database access is logged via electronic entry logs with a time and date stamp, providing
  • a history of each login and possible irregularities Voter lists are stored securely in our protected database

Business Continuity and Disaster Recovery

Business continuity is the ability of an organization to continue to function at its normal operational levels, even after a disastrous event or during an electrical outage. A comprehensive, proven backup and recovery strategy is imperative to achieving business continuity, leading Votenet Solutions to partner with Unitrends, leading provider of backup and rapid recovery systems rated #1 by industry analyst firm Gartner.

Unitrends provides data protection, system recovery, and application recovery capabilities from a single appliance, the Data Protection Unit (DPU), ensuring that no election data is lost in the event of a disaster and enabling eBallot to fully recover from a system crash in less than half an hour.

All eBallot web and database servers are connected to the Unitrends system and all data is backed-up every hour. All backups are encrypted, and any unused, obsolete, or end-of-life media is destroyed to prevent third-party data retrieval.

Additionally, Votenet Solutions business partner SAVVIS provides state-of-the-art hosting facilities for Votenet's data and servers. Rated #1 by industry analyst firm Gartner and trusted by the U.S. Department of Defense, AOL/Time Warner, Google and many FORTUNE 500 companies, each SAVVIS datacenter is engineered to include multiple levels of data protection.

A large team of highly trained, certified on-site engineers continuously monitor Votenet's servers 24/7/365. From physical defense measures to network architecture, HVAC services, redundancy and failover, security, performance reliability, and disaster recovery has been fully accounted for in all areas.

Uninterruptible Power Supplies (UPS) - Caterpillar 1000 KW diesel generators. Multiple UPS systems eliminate fluctuations and electrical irregularities, delivering continuous power to all critical systems.

N+1 Redundancy - All systems are configured to be N+1 redundant. Electricity backup capabilities at SAVVIS datacenters are essentially unlimited. Short-notice refueling contracts for the diesel generators are maintained with multiple vendors at each datacenter location.

Environmental Controls - All SAVVIS datacenters are built on raised floors and have highvolume,zoned temperature control systems. Multiple air conditioning units are configured to ensure proper heat dissipation. SAVVIS maintains multiple (N+1) Heating, Ventilation, Air Conditioning (HVAC) units within each data center. The HVAC units are powered by both normal and emergency electrical systems, and are monitored 24x7x365 by on-site personnel.

Fire Suppression - "Sniffer" systems that detect smoke from the earliest stages of combustion. This detection system is augmented by heat detection and dry-pipe sprinkler systems.

Seismic Engineering - Design elements include seismic isolation equipment to cushion facilities against movement, as well as earthquake bracing on all equipment racks. All datacenters have racks anchored to a concrete slab below the raised floor.

Votenet Solutions Corporate Privacy Promise

We take privacy seriously and are committed to establishing and maintaining policies and procedures which protect the privacy of personal information gathered from our customers, prospective customers, and partners. Our comprehensive privacy promise means:

Your voter lists are protected and safeguarded using secure servers and a secure hosting environment.

Your membership or voter data is never sold to 3rd parties.

Voter credentials or pass codes are never provided to individuals who contact us unless authorized by thedesignated Election Administrator.

Military-grade email encryption is used when routing your voter lists to technicians for scrubbing and uploading intoyour eBallot system.

Strict Non-Disclosure Agreements signed by partner firms assisting Votenet in maintaining our hosting facility.

Your election results are never disclosed to anyone at anytime

TRUSTe Certification

We are a member of the TRUSTe Privacy Program. TRUSTe is an independent, non-profit organization whose mission is to build trust and confidence in the Internet by promoting the use of fair information practices. Because we want to demonstrate our commitment to your privacy, we have agreed to disclose our information practices and have our privacy practices reviewed for compliance by TRUSTe. For more information about the TRUSTe certification process, and what TRUSTe certification means, please look at the TRUSTe website at www.truste.com.

EU Safe Harbor Certification

We comply with the E.U. Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from the European Union. The Department of Commerce Safe Harbor certification program is a way for U.S. based companies to ensure that they comply with E.U. regulations regarding the safekeeping of private data. You can see our Department of Commerce certification at http://web.ita.doc.gov/safeharbor/shlist.nsf/webPages/safe+harbor+list

Application Security

eBallot was designed from the ground up with security in mind, using the Cold Fusion platform. Cold Fusion utilizes the Web Services Security (WS-Security) standard and World Wide Web Consortium (W3C) specifications for industry-standard authentication,encryption, authorization, XML signature, attachments, and routing with Web services.

128-Bit SSL Security

VeriSign, the world's leading provider of SSL encryption certificates, equips eBallot with the strongest commercial-grade 128-bit SSL encryption available. This ensures data and votes cannot be stolen, intercepted or manipulated while in transit from an administrator's or voter's computer to our election servers. A comprehensive encryption system ensures that only eBallot servers can decrypt data.

Administrator Security

Log-in Safeguards - Election administrators may access eBallot only with a valid username and password. Safeguards exist to ensure intruders cannot gain access simply by trying numerous different passwords.

Intrusion Detection - Administrator entry logs show a time and date stamp as well as IP address log, providing a history of each login and possible irregularities

Encrypted Election E-mail Reminders - eBallot utilizes JangoMail, leading secure e-mail service provider, to enable administrators to send election e-mail reminders via 51 powerful, encrypted servers, ensuring rapid delivery. JangoMail participates in several whitelist programs, ensuring e-mails are delivered to their recipients' in-boxes, including participation in third-party initiatives such as Return Path's Sender Score Certified program.

Ballot Security

Ballot Scanning - Before a ballot has been activated, the ballot is reviewed for logic errors and incomplete sections

Ballot Lockdown - Prevents ballots from being altered or edited once they are active, eliminating inaccurate election results

Advanced Error Checking - Ballot selections that do not adhere to ballot-level rules prompt instant notification of voter, preventing them from moving forward in the voting process until errors are resolved

Results Security

IP Tracking and Restriction - eBallot tracks the Internet Protocol (IP) address for every vote, aiding election administrators in uncovering irregularities or illegal block voting, and enabling administrators to restrict votes to specific IP addresses only

Multiple Viewing Options - Real-time election results can be viewed during the election or hidden from view until voting has closed, enabling organizations to choose a setting that complies with their bylaws

Receipts and Time and Date Stamps - Each vote has a receipt and time and date stamp, ensuring results can be audited

SAS-70 Certified Tabulation - Independent auditors have inspected eBallot to ensure each vote is counted correctly and election results are 100% accurate

Voter Security

VeriSign, the world's leading provider of SSL encryption certificates, equips eBallot with the strongest commercial-grade 128-bit SSL encryption available. This ensures data and votes cannot be stolen, intercepted or manipulated while in transit from an administrator's or voter's computer to our election servers. A comprehensive encryption system ensures that only eBallot servers can decrypt data.

Log-in Safeguards

Voters may access eBallot only with a valid username and password

Election administrators create username and password for each voter, using randomly generated codes, or existing membership information

eBallot automatically authenticates voters, for example verifying membership dues are up-to-date, ensuring only eligible voters access the election voting area, and guarding against double voting and ballot stuffing

eBallot safeguards against multiple failed attempts to log-in to the election voting area, ensuring intruders cannot gain access simply by trying numerous different passwords

Anonymous voting option - If desired, eBallot can separate voter identity from vote selection, ensuring complete privacy.

Session Limits - Limiting the length of time that a voter can view the ballot reduces the possibility that another voter could view the voter's ballot choices.

Paper Receipts - The option to print a paper receipt provides voters with proof and peace-of-mind that their vote is counted.

Network Security

Votenet Solutions maintains the most robust, secure, and reliable network infrastructure in the online election software market, with hosting partner SAVVIS guaranteeing 99.9% network uptime. SAVVIS is a SAS 70 Type II Certified hosting facility. This independent third-party technology audit ensures compliance with best practices for the security of network assets. Our multi-layer network perimeter further protects your voting application, data, and results.

OC-12, OC-3, and T-3 bandwidth.

Belden Media Twist 350 Category 6 cable

Private IP address eliminates the possibility for the outside world to establish a connection directly to a machine running eBallot

Network complies with the RFC 1918 Internet standard

Constant Trend Micro anti-virus scanning

Intrusion Detection System sensors placed through all network segments

Multiple robust, enterprise-class redundant firewalls and constant intrusion detection monitoring powered by Fortinet

Web Application Vulnerability Testing with 24/7/365 alert notifications if vulnerabilities detected

Swift issue remediation using extensive vulnerability management portal and comprehensive technical support

Load balancing server configuration evenly divides traffic, ensuring ballots and election content loads quickly and performs at optimal levels

Full Redundancy/Fail Over - All networking components, VeriSign 128-bit Secure Sockets Layer (SSL) accelerators, Coyote Pointequalizer, load balancers, Web servers and application servers operate in a mirrored, multi-redundancy configuration. If an eBallot Web server were to go down, another server would immediately handle the traffic, ensuring no downtime during an election.

24/7/365 Election Monitoring - eBallot servers are automatically monitored 24 hours/day, every day of the year by a team of election specialists

HACKER SAFE certification from ScanAlert achieved by passing rigorous daily network security audits

Dynamic Port Scanning including Port-level Network Services Vulnerability Testing

Votenet Solutions utilizes IceSECURE, a corporate email network from IceWEB with military-grade encryption and security protocols. IceWEB employs multiple firewalls and technologies, including anti-virus scanning, to protect confidential information transferred via email, such as voter lists sent from administrators to Votenet election consultants, from Internet predators, denial of service attacks, and hackers.

Step 1: Domain Footprint

Using a list of hosts, IP addresses and/or subnet blocks supplied by Votenet Solutions, Hyperion Group discovered all hosts or devices within the provided IP range(s) that had listening services. Hyperion Group also performed DNS lookups and analysis of the service oriented architecture (SOA) records of all zones to discover additional hosts, or gain additional intelligence about the domain.

Step 2: Scanning/Enumeration of Hosts

Hyperion Group performed port scans of the discovered hosts in order to reveal the type and nature of the services that are running on the hosts.

Step 3: Identification of Operating Systems and Applications

Hyperion Group determined what hosts and ports were available, then discovered the operating systems and application version information of services on the hosts. This was accomplished through "banner grabbing" and TCP/IP stack fingerprinting. Known vulnerabilities and exploits were obtained through:

Computer Emergency Response Team (CERT) advisories

U.S. Department of Energy Computer Information Advisory Capability (CIAC)

National Institute of Science and Technology (NIST)

Vendor security alerts

Hyperion Group internal exploit and tool library

Step 4: Map Vulnerabilities to Services

Based upon the results of the identification phase, Hyperion Group consultants performed vulnerability mapping to determine what known vulnerabilities existed within the network and on their hosts.

Step 5: Exploit Vulnerabilities

Once the attack methods, means, vectors, and risk levels were quantified, Hyperion Group then used variousmethods for exploiting mapped vulnerabilities, such as:

  1. Known faulty configurations or default configurations
  2. Buffer Overflows/Overruns
  3. Web-based Exploits
  4. HTML Embedding
  5. Cross-site Scripting
  6. SQL Injection
  7. File Includes
  8. Second-Order Code Injection
  9. Brute Force attacks
  10. Denial of Service (where feasible)

Certification Achieved

Upon completion of the vulnerability assessment, Hyperion Group provided a detailed breakdown of all vulnerabilities found within Votenet Solutions' external networks.

Once Votenet Solutions performed the necessary remediation, Hyperion Group then authorized Votenet Solutions to display the Hyperion Group seal on their website. Votenet Solutions may use the seal for a period of no more than one calendar year, at which time they must perform a new assessment, or remove the seal from their site.

Successful eGovernance Without Worry

Achieving this security certification enables you to conduct your elections, nominations, contests, surveys, or polls without concerns about meeting the privacy and safety commitments your organization has made to your constituents.

Physical Security

Office Security

eBallot customers are protected by world-class physical security measures normally only found at global FORTUNE 500 companies and government agencies. Ensuring that every measure is taken to guard against physical intrusion to their office locations, Votenet Solutions proactively

consulted with Interfor, Inc., an independent international investigation and security firm with over 25 years of experience in comprehensive domestic and foreign intelligence services to the legal, corporate, and financial communities. Votenet received Interfor's highly-regarded

Physical Security Certification after intense scrutiny of their security protocols, including:

  1. On-site building security guard
  2. Building visitor sign in/sign out
  3. Electronic alarm/motion detection system monitored by 3rd party
  4. 24-hour video surveillance of lobby, elevator, and suite entrances
  5. Electronic access ID badge required to enter office suite
  6. Visitor sign-in/sign-out witnessed by receptionist
  7. Extremely limited access to IT systems, encrypted password for authorized executive use only
  8. Criminal background checks conducted on each staff member and vendors at both the federal and local levels prior to hiring

On-site security guard, electronic alarm/motion detection system, 24-hour video surveillance, electronic access ID badges just a few of the state-of-the-art physical security measures protecting eBallot customer data

Hosting Security

Ensuring the highest levels of network protection, SAVVIS datacenters provide market-leading physical security measures including:

Building Exterior

  • Unmarked, anonymous buildings
  • Bullet-resistant exterior walls and embassy-grade concrete posts and planters around the perimeter
  • 24-hour video surveillance cameras with digital recorders, Pan-Tilt-Zoom capabilities
  • False entrances
  • Vehicle blockades
  • Biometric scan, including palm scan, of personnel prior to building entrance
  • Exterior entrances feature silent alarm systems that notify law enforcement in the event of suspicion or intrusion.
  • Building Interior

  • Cipher-encoded personnel ID access badges
  • On-premise uniformed guards to control access
  • Bulletproof glass/walls
  • All of Votenet Solutions' equipment, including servers, routers, switches, and storage devices are stored in locked steel Internet Data Cages (IDC) Authorized personnel must pass through five levels of biometric scanning to reach the Votenet Solutions IDC
  • Access to the IDC is monitored by time-stamped logs for historical retrieval

Continuous Security Upgrades and Monitoring

Hosting Security

eBallot is the only online voting solution that guarantees continuous security and solution improvements to every customer. Customers are not required to manually install disks or download patches, they are available instantly and delivered automatically through their existing eBallot software. Independent audits continuously arm that the eBallot security infrastructure goes to great lengths to protect customer elections and condential data. Using the latest rewall protection, encryption, and proprietary security products, eBallot gives customers the peace of mind that only a world-class security infrastructure can provide.