Problems With Electronic Voting Systems Security Computer Science Essay


This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

One of the most significant current discussions in Computer Science is the security of electronic voting systems. These systems play a decisive role in democratic organisations and are a new technology which helps electors to cast their ballots in an election using computerised systems. There are different forms of voting systems. The first type is a punched card, introduced in 1980 (Lauer, 2004), which is a sheet of paper that contains perforated holes, used to store digital information. The second type is an optical scan system which uses an optical scanner to read and count votes marked on a paper ballot by colouring a circle with a pencil (Armen and Morelli, 2005), and was introduced in the 1960s (Lauer, 2004). One of the newest types of vote-counting system is a Direct-Recording Electronic voting machine (DRE) (Armen and Morelli, 2005). It is the first computerised system which enables voters to cast their votes using a touch-screen (Lauer, 2004). The final form of electronic voting is the Internet voting system, which enables voters to cast their ballots from home or anywhere else using the web.

With the rapid development of technology, it has become more convenient to cast ballots by computer through different means such as the Internet, telephone and a private computer network. Such means offer a large number of advantages, such as precision in the voting process, quickness of implementation, accessibility for disabled voters (Bederson et al., 2003) and lack of sophistication. Despite these advantages, however, electronic voting systems have a number of limitations in terms of security. This has been a controversial issue in democratic societies, because electronic voting can lead to electoral fraud, as Lauer (2004) points out.

The purpose of this paper is to examine the main security problems in electronic voting systems, particularly security threats to DRE voting systems and security threats to the Internet voting systems. It will focus on how security problems can be addressed. The paper is divided into four parts. The first part will pinpoint the criteria of using electronic voting systems. The second part of this paper will focus on the main security problems in DRE voting systems and the Internet voting systems. The third part will discuss and evaluate the best solutions for these limitations. The last part will be the conclusion.

2 Security criteria for electronic voting systems

The objective of electronic voting is reliability and accuracy in recording electors' votes, so as to make the voting process fair and transparent. Neumann (1993) suggests that electronic voting systems should follow some vital requirements in order to achieve the integrity of the election process. The first standard is that an elector should vote only once in each election. The second is that electronic voting systems should support an audit log containing the vote records to detect errors and modifications. The third standard is that voters' preferences should be confidential. The voting system should also be operable to accomplish tasks at the same time throughout the election process. The fourth standard is that voting systems should be protected from fraud and exchange. The last criterion is that the vote results should be recorded and shown precisely.

3 Security problems

3.1 Security threats to DRE voting systems

3.1.1 The Diebold software

The DRE system is manufactured by Diebold Corporation in the United States. There are some security limitations in using DRE systems. One of the most serious weaknesses of the Diebold software is that the source code, which is a programme comprising a set of instructions written in computer programming languages, is not disclosed to the public (Garera and Rubin, 2007). The Diebold software is closed-source, which means that it is protected by copyright and nobody except the owner of the software is allowed to modify or examine it. As a result, a serious problem with the Diebold software, which is used to conduct elections, is that the software may be exposed to a wide range of modifications by its developers to influence the voting process, raising concerns about the integrity of the voting results (Penha-Lopes, 2005). Garera and Rubin (2007) note that releasing the source code to the public to detect errors or to know how the votes are counted is unacceptable to the owner of DRE systems, because they desire to retain copyright. Although the owners of the Diebold machines assert that the software is "reliable and secure" (Amurao, 2006, p. 2), there is still doubt that programmers of the Diebold code can manipulate the source code in support of a specific candidate by allowing more votes to be counted (Amurao, 2006).

3.1.2 Database of GEMS in Diebold DRE

A Global Election Management System (GEMS) is the software which runs on Diebold DRE machines (Armen and Morelli, 2005). The GEMS software uses the Microsoft Access database as a DataBase Management System (DBMS) to store the votes (ibid). Armen and Morelli (2005) point out that the Access database used in GEMS has insufficient protection and is susceptible to hacking. The deficiency of security in the database of GEMS is thus a major problem with using the Diebold DRE machines. Ordinary or professional users can access the database through Microsoft Access rather than the GEMS software and tamper with the voting outcome (ibid). Harris (2004) argues in his book 'Black Box Voting' that using the Microsoft Access database to store the electors' votes can affect the level of security of the GEMS programme and the fairness of the voting process. It seems that the security feature of the database of the GEMS programme is deficient and vulnerable to a series of attacks.
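One way to make edits that bypass the application detectable, in line with the audit-log criterion above, is to chain a keyed MAC through the vote records. This is an added example, not code from the essay or from GEMS; it assumes an in-memory SQLite table standing in for the Access database, and the key, table layout and function names are hypothetical.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key. Assumption: the real key is kept off the database host,
# otherwise anyone who can edit the table can also recompute the chain.
AUDIT_KEY = b"constructed-demo-key"
GENESIS = "0" * 64


def _mac(prev_mac, ballot_id, choice):
    """MAC over this record plus the previous record's MAC (the chain link)."""
    msg = f"{prev_mac}|{ballot_id}|{choice}".encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE votes "
               "(ballot_id INTEGER PRIMARY KEY, choice TEXT, mac TEXT)")
    return db


def record_vote(db, choice):
    """The application's write path: every insert extends the MAC chain."""
    row = db.execute("SELECT ballot_id, mac FROM votes "
                     "ORDER BY ballot_id DESC LIMIT 1").fetchone()
    last_id, prev_mac = row if row else (0, GENESIS)
    db.execute("INSERT INTO votes VALUES (?, ?, ?)",
               (last_id + 1, choice, _mac(prev_mac, last_id + 1, choice)))


def audit(db, expected_count):
    """Return a list of findings; an empty list means the table is consistent."""
    findings, prev_mac, count = [], GENESIS, 0
    rows = db.execute("SELECT ballot_id, choice, mac FROM votes ORDER BY ballot_id")
    for ballot_id, choice, mac in rows:
        count += 1
        if not hmac.compare_digest(mac, _mac(prev_mac, ballot_id, choice)):
            findings.append(f"ballot {ballot_id} altered or chain broken")
        prev_mac = mac
    # The chain cannot see rows removed from the end, so compare against a
    # total kept independently (for example the poll book count).
    if count != expected_count:
        findings.append("row count differs from independently kept total")
    return findings


def demo():
    db = open_store()
    for choice in ["A", "B", "A", "C"]:       # constructed sample votes
        record_vote(db, choice)
    clean = audit(db, 4)
    # Simulated edit made directly in the database, bypassing record_vote().
    db.execute("UPDATE votes SET choice = 'B' WHERE ballot_id = 3")
    return clean, audit(db, 4)


if __name__ == "__main__":
    print(demo())
```

The audit only detects changes; it does not prevent them, and it is only as strong as the separation between the MAC key and whoever can write to the table.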

3.1.3 Auditability and verifiability

In traditional elections, a paper ballot assures voters that their votes were counted and also prevents tampering with the voting results. According to Jefferson et al. (2004), a common criticism of Direct-Recording Electronic (DRE) voting systems is that DRE systems do not include a Voter-Verified Audit Trail (VVAT), which is a printer used to print a paper-based record of the voters' selections (Balzarotti et al., 2008). The use of Voter-Verified Audit Trails to verify and audit votes is a crucial factor in preventing an adversary from modifying and tampering with the voting outcome. Direct-Recording Electronic voting machines do not provide such a means (Amurao, 2006; Bederson et al., 2003). The lack of verification is therefore a major defect in DRE systems, because it is impossible to prove that votes have been counted, as Bederson et al. (2003) state. For this reason it might lead to a security breach and as a result may reflect negatively on the integrity of the election process. According to Bederson et al. (2003, p. 146), there is concern about the credibility of DRE systems, because they are "paperless".

3.2 Security threats to Internet voting systems

It is becoming increasingly difficult to ignore the importance of voting through the Internet. In spite of the fact that the Internet voting systems have a great number of advantages such as reducing cost, flexibility and convenience, there are several serious problems which can make democratic communities think twice before deciding to adopt Internet voting systems. This part will present effects of Denial of Service attacks, malicious software and spoofing attacks on these systems.

3.2.1 Denial of Service attacks (DoS)

A Denial of Service attack is an attempt by an attacker to make a server unavailable to its users, either temporarily or permanently (Lau et al., 2000). This type of attack aims to prevent legitimate citizens from accessing the election website by disrupting a host server in various ways, as Jefferson et al. (2004) reveal. There are four patterns of Denial of Service attacks, as Lau et al. (2000) show. The first type of attack is to flood the election web server with a series of messages to obstruct the network and prevent voters from accessing the election website. The second attack is to disconnect connections between two computers to prevent access to the election website. The third attempt is to make the election website unreachable to a particular system or a legal user. The fourth attempt is to prevent a specific person from accessing the election website.

Such DoS attacks can result in serious security problems and affect the fairness of the election, as these attacks can prevent the electors from voting by making the election web server unreachable. Internet voting systems can, therefore, be vulnerable to various malicious attacks.

3.2.2 Virus infestation and malicious software

Not only does a Denial of Service attack threaten democratic societies with electoral fraud, but malicious code, known as malware, is also one of the most serious security threats in using the Internet voting system. Malware is software designed to damage computer systems, and most malicious code is distributed through Trojan horses, viruses and worms (Jefferson et al., 2004). Some personal computers do not have sufficient security and are easily prone to virus infestation. According to Jefferson et al. (2004), there are two threats of malicious code for Internet voting systems. The first threat is that developers designing the system plant malicious software in the election web server to destroy the vote data. The second threat is the distribution of malicious software to voters' computers, thus affecting the election process. Such malicious software may be difficult to detect reliably, because some anti-virus programmes cannot detect new viruses; therefore, it can affect the voting process without the voters' knowledge. It does this by altering the electors' inputs, dropping their votes from the list of votes or preventing them from voting, as Jefferson et al. (2004) note. The absence of sufficient security in the election web server and electors' computers within the election process raises concerns about the integrity of the vote when using the Internet.

3.2.3 Spoofing attacks

Another security challenge of using Internet voting systems is Man-in-the-Middle attacks, in which an attacker attempts to obstruct communication between a client and a server (Jefferson et al., 2004). There are several methods for an adversary to become a Man-in-the-Middle; one of them is spoofing attacks, which deceive voters into believing that they are communicating with the election web server. For instance, when a voter types the name of an official election website into a web browser, an attacker would redirect the voter to a fake election web server. This attack would mislead voters into believing that they are at a real voting website, consequently exploiting electors' votes to tamper with votes in favour of a particular preferred party (Amurao, 2006). Not only does a spoofing attack alter the voting data, but it could also result in an invasion of personal privacy through mining the personal information of voters, including their date of birth, name and signature.

4 Solutions to security problems

This part suggests effective solutions to the security problems of electronic voting systems, as follows:

The use of open-source software

Using Voter Verifiable Audit Trails (VVAT)

Using the Secure Socket Layer (SSL) protocol

Using a digital signature scheme

4.1 The use of open-source software

As already mentioned above, one of the major flaws in using electronic voting systems is that the type of software used in such systems is closed-source, which has been generally criticized for inadequate security and reliability. As Penha-Lopes (2005) points out, using closed-source code in proprietary electronic voting software is "highly questionable" (p. 412). It is, however, suggested that the use of open-source software may address some security limitations of electronic voting software, as Armen and Morelli (2005) indicate. Open-source software refers to source code which is released to the public to be examined and verified, and to design software based on their needs. For example, Linux is a common operating system which is built on open-source code. The purpose of using open-source code is to build and develop security and reliability in electronic voting software, since open-source code enables developers and experts to discover errors and modifications that may manipulate the voting results. Not only does open-source software improve the security and reliability of electronic voting systems, but it also encourages the public to depend on electronic voting systems and rebuilds electors' confidence in the electoral process (Parakh and Kak, 2007).

It is tempting to think that the use of open-source software is the appropriate solution for such systems. However, there is no guarantee that the source code which has been inspected is the same source code used in electronic voting systems. It could, thus, be argued that exposing open-source code to the public may lead to further problems. For instance, when source code is disclosed, the public can recognise some shortcomings in the code as written. These may, in turn, be exploited by hackers to change and tamper with the software's source code. Rubin (2002) mentions an example illustrating that open-source code is vulnerable to attack. Back Orifice 2000 (BO2K) is computer software designed for controlling a computer from a remote location. This software is based on open-source code. Some attackers use this programme negatively, modifying the source code so that it is difficult for protection software to detect and so that they can tamper with voters' inputs (Rubin, 2002). This may be evidence that open-source code would be highly questionable.

4.2 Using Voter Verifiable Audit Trails (VVAT)

As we have said above, the lack of a Voter Verifiable Audit Trail is one of the fundamental security problems of using electronic voting systems. A practical solution for minimizing errors and tampering with the vote results is to provide a Voter Verifiable Audit Trail (VVAT), also known as a Voter Verified Paper Audit Trail (VVPAT), for electronic voting systems, as Lauer (2004) and Karlof et al. (2005) suggest. A Voter Verified Paper Audit Trail (VVPAT) refers to a type of vote receipt printed by electronic voting systems to confirm that votes have been computed as they were entered (Balzarotti et al., 2008). The objective of VVAT in the electoral process is to confirm and assure voters that their votes have been recorded correctly inside the system as they were entered (Karlof et al., 2005). Moreover, it is possible to return to the ballot box, where votes are placed, in case there is some doubt about the integrity of the electronic record (ibid). The use of VVAT can also preserve electors' votes as a backup paper system in case of exposure to attacks such as a DoS attack, or even to recover from modifications in the voting results (Karlof et al., 2005). There is a current consensus that the use of the VVAT method in electronic voting systems is the best form of verification of the voting outcome (Jefferson et al., 2004; Karlof et al., 2005; Lauer, 2004; Parakh and Kak, 2007).

Bearing this in mind, using VVAT appears to raise concerns about relying on the paper trail as proof whenever there is suspicion about the fairness of the election. This may result in a lack of trust in the ability of electronic voting systems to run the electoral process. It might, thus, shake voters' confidence in the credibility of the voting outcome.

4.3 Using the Secure Socket Layer (SSL) protocol

As already stated above, the major problem that poses a threat to electronic voting systems is a Man-in-the-Middle attack, which can impact negatively on the voting process. However, there is a possible solution which may mitigate the threat of a Man-in-the-Middle attack: using the Secure Socket Layer (SSL) protocol (Jefferson et al., 2004). The SSL protocol protects sensitive data sent between a voter and a voting server over the network through the process of encryption (Wagner and Schneier, 1996). The key feature of using the SSL protocol is that it distinguishes between an SSL election website and a non-SSL election website (Rubin, 2002). Encryption of data transmitted from a voter to a legitimate election web server is also one of the distinguishing features of using the SSL protocol (Hubbers et al., 2005). This data cannot, in turn, be disclosed by attackers; it stays between the voter and the voting server (Hubbers et al., 2005). It can be concluded that the aim of the SSL protocol is to prevent a third party from manipulating the voting outcome and to guarantee data integrity. Despite these advantages, however, it seems that the use of the SSL protocol is vulnerable to hacking through the decrypting of transmitted data, as Jefferson et al. (2004) state. For example, a Man-in-the-Middle attacker has the ability to act as an SSL gateway, which connects computers, between a voter and an election web server (Jefferson et al., 2004); hence an adversary can convince victims that they are communicating with a legal election web server. Using cryptographic methods such as the SSL encryption protocol to provide secure communication over a network is therefore an insufficient solution for creating trustworthy electronic voting systems. The voters also have the primary responsibility to know the difference between a legitimate election web server and a malicious server by noticing the web address. Most legal web servers use the Secure Hypertext Transfer Protocol (HTTPS) to encrypt and decrypt web pages in a browser. This may assist in raising the level of awareness of voters when typing a legal election web address in their browsers. As Rubin (2002) points out, most users have a lack of knowledge regarding recognising the types of web addresses.

4.4 Using a digital signature scheme

As we have said above, one security limitation of Diebold DRE is that it uses Microsoft Access as a database for its software GEMS. One can gain access to the database with ease. This may, in turn, make it susceptible to hacking and compromise data integrity in election processes. Using cryptographic techniques such as a digital signature scheme may be an appropriate solution to address the security problem, thus protecting input data in the database for the electronic voting systems (Ibrahim et al., 2003). A digital signature scheme is a type of cryptography used to authenticate that a digital document sent is digitally signed by a legal sender, to convince a recipient that this signed document was entered by the legitimate sender (Juels et al., 1997). This scheme uses two types of algorithms. The first algorithm is the private key, which decrypts digital information or documents that were encrypted by the public key. The second algorithm is the public key, which is used to encrypt and verify digital information and documents in order to be decrypted with the help of the private key (Juels et al., 1997; Ibrahim et al., 2003). The purpose of a digital signature is to verify that input data comes from an authorised voter and, as a result, to prevent unauthorised users such as attackers or illegitimate voters from accessing the election data centre and to guarantee the integrity of input data (Ibrahim et al., 2003).

On the other hand, using a cryptographic digital signature scheme may only solve the problem of voter authentication, as this scheme helps to verify that a voter is eligible, as Ibrahim et al. (2003) note. But there is increasing concern about the secrecy of votes sent over the network. One security requirement that should be available in electronic voting systems to protect voters' privacy is confidentiality, as Ibrahim et al. (2003) stress. Using a digital signature scheme is sufficient to prove that a voter is eligible, but is not adequate to keep electors' votes completely confidential. Ibrahim et al. (2003) indicate that one effective solution to protect voters' privacy is a blind signature scheme. The aim of a blind signature scheme is to conceal the content of a vote while verifying that the voter is legitimate (Ibrahim et al., 2003). Using both a digital signature scheme and a blind signature scheme may address the limitations of authentication and confidentiality in the electronic voting systems.


5 Conclusion

The purpose of the current paper was to examine the main security problems of using electronic voting systems and the best solutions for these problems. As mentioned in the introduction to this paper, using electronic voting systems may offer substantial benefits for democratic societies, although there are some security flaws in using these systems. It has been proposed that electronic voting systems should meet security requirements to make the voting process more secure, reliable and confidential. It should be noted that voting systems have inadequate protection and can be easily exposed to attack. This paper discussed different serious threats of denial of service attacks on voting systems. A Man-in-the-Middle attack may also pose a particular challenge to voting systems. It can be seen that the database used in Diebold DRE has insufficient security. However, it has been argued that using open-source software for voting systems may overcome threats from the software's developers and increase voters' confidence in relying on voting systems. It seems that cryptographic techniques such as a digital signature scheme may be immune from alteration and forgery in the voting results and may lead to significant improvements in the security of the database used in Diebold DRE machines. Using a blind signature scheme may be the best solution for confidentiality of electronic voting systems. It is suggested that a Voter Verifiable Audit Trail (VVAT) may be a fundamental element in improving the transparency and integrity of the voting outcome.