Article Preview
TopIntroduction
Voting in elections is generally regarded as a fundamental democratic right, but it can be a challenge to engage citizens and encourage them to vote. Participation in the democratic process could be improved by using remote e-voting systems, where a voter uses their own computer or mobile device to cast votes over the Internet. Examples of practical implementations of remote e-voting include elections in Estonia (Estonian National Electoral Committee, n.d.) and Switzerland (Geneva State Chancellery, n.d.).
The fundamental requirements for any voting system are that votes should be recorded as cast, counted as recorded and not linked to a specific voter. Only eligible voters should be allowed to vote, and they can only cast one vote each (Ryan, Bismark, Heather, Schneider, & Xia, 2009). Some e-voting systems are designed to address these requirements in the controlled environment of an election poll-site. Examples include fully electronic systems such as Votebox (Sandler, Derr, & Wallach, 2008), Direct Recording Electronic (DRE) machines (Appel et al., 2009; Kohno, Stubblefield, Rubin, & Wallach, 2004); and paper-based ballots such as Prêt à Voter (Xia et al., 2007) and the Scratch Card voting system (Randell & Ryan, 2006)
Remote e-voting systems, however, have to operate in unsupervised environments, leading to opportunities for denial of service and technical attacks on the voting infrastructure. For example, the voter’s equipment could be infected with malware that tampers with the vote, or a Voting Authority (VA)’s centralised web-servers could be attacked, as seen in the 2010 Washington D.C. election (Wolchok, Wustrow, Isabel, & Halderman, 2012) and the 2012 Canadian New Democratic Party Elections (Payton, 2012). These attacks can seriously undermine the credibility of an election. In the Washington D.C. case, the e-voting system was broken into within 48 hours of it becoming available, and by taking control of the election server, the attackers “changed every vote and revealed almost every secret ballot” (Wolchok et al.,2012). Coercion and vote-buying are also problems for remote e-voting. Anti-coercion measures are included in some e-voting systems e.g. Civitas (Clarkson, Chong, & Myers, 2008), but some schemes are specifically designed for use in low-coercion elections, such as Helios (Adida, 2008). Some e-voting schemes have been implemented on mobile devices: for example, SEAS (Baiardi et al., 2005) was implemented on a mobile phone and formally analysed by Campanelli et al. (2008).
Although many e-voting processes can be cryptographically protected to ensure the integrity and confidentiality of the votes cast, Rivest (2001) identified a critical problem with remote implementations, i.e. “interfacing the voter to the cryptography”. Security weaknesses in hardware, operating systems and software mean that equipment cannot be trusted. This is known as “the secure platform problem”. Several methods to address this have been proposed (Oppliger, 2002). One approach is code voting, when voting authorisation codes are sent to voters before the election, via a second channel such as the postal service: see (Helbach & Schwenk, 2007; Randell & Ryan, 2006; Ryan & Teague, 2009) for examples.