Public Evidence from Secret Ballots

Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.Comment: To appear in E-Vote-Id '1

Gaining assurance in a voter-verifiable voting system

The literature on e-voting systems has many examples of discussion of the correctness of the computer and communication algorithms of such systems, as well as discussions of their vulnerabilities. However, a gap in the literature concerns the practical need (before adoption of a specific e-voting system) for a complete case demonstrating that the system as a whole has sufficiently high probability of exhibiting the desired properties when in use in an actual election. This paper discusses the problem of producing such a case, with reference to a specific system: a version of the Prêt à Voter scheme for voter-verifiable e-voting. We show a possible organisation of a case in terms of four main requirements – accuracy, privacy, termination and ‘trustedness’– and show some of the detailed organisation that such a case should have, the diverse kinds of evidence that needs to be gathered and some of the interesting difficulties that arise

Comparing "challenge-based" and "code-based" internet voting verification implementations

Internet-enabled voting introduces an element of invisibility and unfamiliarity into the voting process, which makes it very different from traditional voting. Voters might be concerned about their vote being recorded correctly and included in the final tally. To mitigate mistrust, many Internet-enabled voting systems build verifiability into their systems. This allows voters to verify that their votes have been cast as intended, stored as cast and tallied as stored at the conclusion of the voting period. Verification implementations have not been universally successful, mostly due to voter difficulties using them. Here, we evaluate two cast as intended verification approaches in a lab study: (1) "Challenge-Based" and (2) "Code-Based". We assessed cast-as-intended vote verification efficacy, and identified usability issues related to verifying and/or vote casting. We also explored acceptance issues post-verification, to see whether our participants were willing to engage with Internet voting in a real election. Our study revealed the superiority of the code-based approach, in terms of ability to verify effectively. In terms of real-life Internet voting acceptance, convenience encourages acceptance, while security concerns and complexity might lead to rejection

Voter ID

The question of whether voters should be required to present an acceptable form of identification (ID) when casting a ballot at a federal election has persisted. Executive summary The question of whether voters should be required to present an acceptable form of identification (ID) when casting a ballot at a federal election has persisted, notwithstanding quite exhaustive debate and deliberation in numerous forums. Arguments advanced in favour of requiring voter ID included the need to: protect the integrity of the information contained on the roll deter attempts by voters to impersonate another voter discourage attempts by a voter to vote more than once. In 2001, in its report User friendly, not abuser friendly: Report of the inquiry into the integrity of the electoral roll, the Joint Standing Committee of Electoral Matters (JSCEM) concluded that that the introduction of voter identification was not warranted as a measure to deter fraud But while some consider that the level of alleged electoral fraud is minuscule, others have a much more pessimistic view. The report of the JSCEM Inquiry into the conduct of the 2001 Federal election addressed proof-of-identity requirements, but focussed on initial enrolment or re-enrolment, not the requirement to produce ID in the normal course of casting a ballot at a polling booth. The Committee recommended ‘that people making a first-time enrolment, those seeking re-enrolment, and those transferring their enrolment details, first be required to provide proof of identity and address, via a driver’s licence or similar. But evidence to that same JSCEM inquiry highlighted problems with the ready availability of ID among people who are extremely disadvantaged or living in Indigenous communities. Others argued that the alleged difficulties of producing ID are over stated, citing the numbers that attend large sports clubs or present ID to access video stores. Australians have a history of resistance to the adoption of any kind of universal ID card that can be legally required to be shown in order to access government services or to confirm one’s identity. The arguments against such a card are broadly couched in terms of personal privacy and an aversion to a ‘surveillance state’

What did I really vote for? On the usability of verifiable e-voting schemes

E-voting has been embraced by a number of countries, delivering benefits in terms of efficiency and accessibility. End-to-end verifiable e-voting schemes facilitate verification of the integrity of individual votes during the election process. In particular, methods for cast-as-intended verification enable voters to confirm that their cast votes have not been manipulated by the voting client. A well-known technique for effecting cast-as-intended verification is the Benaloh Challenge. The usability of this challenge is crucial because voters have to be actively engaged in the verification process. In this paper, we report on a usability evaluation of three different approaches of the Benaloh Challenge in the remote e-voting context. We performed a comparative user study with 95 participants. We conclude with a recommendation for which approaches should be provided to afford verification in real-world elections and suggest usability improvements

Reve\{a,i\}ling the risks: a phenomenology of information security

In information security research, perceived security usually has a negative meaning, when it is used in contrast to actual security. From a phenomenological perspective, however, perceived security is all we have. In this paper, we develop a phenomenological account of information security, where we distinguish between revealed and reveiled security instead. Linking these notions with the concepts of confidence and trust, we are able to give a phenomenological explanation of the electronic voting controversy in the Netherlands