Public Evidence from Secret Ballots

Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.Comment: To appear in E-Vote-Id '1

Gaining assurance in a voter-verifiable voting system

The literature on e-voting systems has many examples of discussion of the correctness of the computer and communication algorithms of such systems, as well as discussions of their vulnerabilities. However, a gap in the literature concerns the practical need (before adoption of a specific e-voting system) for a complete case demonstrating that the system as a whole has sufficiently high probability of exhibiting the desired properties when in use in an actual election. This paper discusses the problem of producing such a case, with reference to a specific system: a version of the Prêt à Voter scheme for voter-verifiable e-voting. We show a possible organisation of a case in terms of four main requirements – accuracy, privacy, termination and ‘trustedness’– and show some of the detailed organisation that such a case should have, the diverse kinds of evidence that needs to be gathered and some of the interesting difficulties that arise

Secret texts and cipherballots: secret suffrage and remote electronic voting

Una de les principals preocupacions sobre el vot telemàtic és com preservar el sufragi secret. La llista d’estudis que afirmen que el vot per Internet és incompatible amb el secret del vot és força extensa. Si bé estudis posteriors sobre experiències reals han tingut resultats més matisats, les preocupacions sobre el sufragi secret i el vot telemàtic es mantenen. Abordar aquestes preocupacions esdevé una obligació ineludible. En aquest context, la nostra recerca és novadora. En primer lloc, el nostre punt de partida no es basa en definicions legals preexistents que s'accepten com a donades. Partint de l'enfocament universalista del dret constitucional comparat, hem entès que el principi del sufragi secret transcendeix les opinions i convencions lligades a comunitats polítiques concretes. Aquesta concepció comú i bàsica s'ha traduït en tres estàndards: individualitat, confidencialitat i anonimat. Aquests estàndards s’han de satisfer en qualsevol canal de votació. En segon lloc, hem adoptat un enfocament més ampli en l’aplicació d’aquest principi al vot telemàtic. Hem demostrat que el sufragi secret es pot garantir mitjançant la llei, el codi informàtic, les normes i fins i tot el mercat. La normativa actual tendeix a ser limitada perquè recorre a analogies amb els canals de votació en paper i no reconeix les especificitats del vot telemàtic. Per contra, aquí hem examinat el paper que exerceixen (i les limitacions pròpies) del xifrat asimètric, l'anonimització basada en mix-nets o el recompte homomòrfic, i el vot múltiple.Una de las principales preocupaciones sobre el voto telemático es cómo garantizar el secreto del voto. La lista de autores que afirman que el voto por Internet es incompatible con el sufragio secreto es considerable. Aunque las conclusiones de estudios posteriores sobre experiencias reales hayan sido más matizadas, las preocupaciones sobre el sufragio secreto y el voto telemático se mantienen. Abordar estas preocupaciones constituye en una obligación ineludible. En este contexto, nuestra investigación es novedosa. En primer lugar, nuestro punto de partida no se basa en definiciones legales preexistentes que se aceptan como dadas. Partiendo del enfoque universalista del derecho constitucional comparado, hemos entendido que el principio del sufragio secreto trasciende las opiniones y convenciones ligadas a la cultura de comunidades políticas concretas. Esta concepción se ha traducido en tres normas: individualidad, confidencialidad y anonimato. Estas normas deberían aplicarse a cualquier canal de votación. En segundo lugar, hemos adoptado un enfoque más amplio sobre la aplicación de este principio. Hemos demostrado que el sufragio secreto puede garantizarse mediante la ley, el código, las normas e incluso el mercado. La normativa actual tiende a ser limitada porque recurre a analogías con los canales de votación en papel y no reconoce las especificidades del voto telemático.One of the key concerns about remote electronic voting is how to preserve secret suffrage. The list of authors who claim that Internet voting is incompatible with the secrecy of the vote is actually quite long. Even if later studies that analysed the actual implementation of remote electronic voting in public political elections had more nuanced findings, concerns about secret suffrage and remote electronic voting remain. Addressing these concerns becomes an inescapable obligation. In this context, our research is quite novel. First and foremost, our starting point is not based on pre-existing legal definitions that are accepted as given. Drawing from the universalist approach to comparative constitutional law, we have understood that the principle of secret suffrage exists in such a way that it transcends the culture bound opinions and conventions of particular political communities. This core understanding has been translated into three standards: individuality, confidentiality, and anonymity. These standards should apply to any voting channel. Second, we have taken a wider approach at the enforcement of this principle. We have showed that secret suffrage may be enforced through law, code, norms, and even the market. Current regulations tend to be constrained because they resort to analogies with paper-based voting channels and fail to acknowledge the specificities of remote electronic voting. In contrast, we have examined the role played by (and the limitations of) asymmetric encryption, anonymization based on mix-nets or homomorphic tallying, and of multiple voting to enforce secret suffrage

Council of Europe Recommendation CM/Rec(2017)5 and e-Voting Protocol Design

The Corona pandemic has created a push towards digitization in a number of fields, not least in the public sector including democratic processes. This of course includes an increased interest in e-voting via the Internet. The Council of Europe has a long-standing history of work in the field including two Recommendations – (2004)11 and (2017)5 – which have become the de facto yardstick against which every e-voting system is measured. Rec(2017)5 builds on a decade of experience with e-voting and particularly strengthens two concepts important in any electronic voting system: Voting secrecy and auditability/verifiability. This has distinct implications for the design of e-voting protocols. The aim of this paper is to analyse the impact on what arguably are the most popular voting protocol families, envelope and token protocols. How does the modified Recommendation impact on the viability of protocols and protocol design? The paper first presents the Council of Europe Recommendation and the technical issues it addresses. Then a model is introduced to assess a voting protocol against the Recommendation; a typical envelope and a token protocol are assessed in view of the model and finally the two assessments are compared including policy recommendations for a path to e-voting implementation

A TECHNOLOGICAL FRAMEWORK FOR TRANSPARENT E-VOTING SOLUTION IN THE NIGERIAN ELECTORAL SYSTEM

This paper presents the design of a technological framework for electronic voting (E-voting) systems in Nigeria. The traditional voting system with paper ballots used in the Nigeria electoral system is time consuming and in most cases marred with irregularities due to system and/or human errors. These irregularities usually results in inconclusive electoral decisions, violent arguments, and expensive litigations. Certain technologies and recently card readers with biometric authentication have been employed to achieve transparent polls. However, high level frauds still accompany results due to human control of these technological devices and have not generated the required trust resulting in a drastic decrease in voter participation. The framework presented here seeks to combine different e-voting technologies in a way that best suit the Nigeria electoral system in order to build trust and boost participation. The result is an automated polling system that requires minimum supervision with adequate transparency and accuracy of the voting process. The framework showcased how a cost saving real-time electoral procedure can be achieved, with the presentation of precise and accurate results at the end of any election.  http://dx.doi.org/10.4314/njt.v35i3.2

Evaluation and Improvement of Internet Voting Schemes Based on Legally-Founded Security Requirements

In recent years, several nations and private associations have introduced Internet voting as additional means to conduct elections. To date, a variety of voting schemes to conduct Internet-based elections have been constructed, both from the scientific community and industry. Because of its fundamental importance to democratic societies, Internet voting – as any other voting method – is bound to high legal standards, particularly imposing security requirements on the voting method. However, these legal standards, and resultant derived security requirements, partially oppose each other. As a consequence, Internet voting schemes cannot enforce these legally-founded security requirements to their full extent, but rather build upon specific assumptions. The criticality of these assumptions depends on the target election setting, particularly the adversary expected within that setting. Given the lack of an election-specific evaluation framework for these assumptions, or more generally Internet voting schemes, the adequacy of Internet voting schemes for specific elections cannot readily be determined. Hence, selecting the Internet voting scheme that satisfies legally-founded security requirements within a specific election setting in the most appropriate manner, is a challenging task. To support election officials in the selection process, the first goal of this dissertation is the construction of a evaluation framework for Internet voting schemes based on legally-founded security requirements. Therefore, on the foundation of previous interdisciplinary research, legally-founded security requirements for Internet voting schemes are derived. To provide election officials with improved decision alternatives, the second goal of this dissertation is the improvement of two established Internet voting schemes with regard to legally-founded security requirements, namely the Polyas Internet voting scheme and the Estonian Internet voting scheme. Our research results in five (partially opposing) security requirements for Internet voting schemes. On the basis of these security requirements, we construct a capability-based risk assessment approach for the security evaluation of Internet voting schemes in specific election settings. The evaluation of the Polyas scheme reveals the fact that compromised voting devices can alter votes undetectably. Considering surrounding circumstances, we eliminate this shortcoming by incorporating out of band codes to acknowledge voters’ votes. It turns out that in the Estonian scheme, four out of five security requirements rely on the correct behaviour of voting devices. We improve the Estonian scheme in that regard by incorporating out of band voting and acknowledgment codes. Thereby, we maintain four out of five security requirements against adversaries capable of compromising voting devices

Seventh International Joint Conference on Electronic Voting

This volume contains papers presented at E-Vote-ID 2022, the Seventh International JointConference on Electronic Voting, held during October 4–7, 2022. This was the first in-personconference following the COVID-19 pandemic, and, as such, it was a very special event forthe community since we returned to the traditional venue in Bregenz, Austria. The E-Vote-IDconference resulted from merging EVOTE and Vote-ID, and 18 years have now elapsed sincethe first EVOTE conference in Austria.Since that conference in 2004, over 1500 experts have attended the venue, including scholars,practitioners, authorities, electoral managers, vendors, and PhD students. E-Vote-ID collectsthe most relevant debates on the development of electronic voting, from aspects relating tosecurity and usability through to practical experiences and applications of voting systems, alsoincluding legal, social, or political aspects, amongst others, turning out to be an importantglobal referent on these issues