
Introduction and Background

2.4 Remote e-Voting

2.4.1 Background - Remote e-Voting

Elections are important democratic events, and traditionally, voting is performed in person at controlled physical centres i.e. poll-sites. It can be a challenge to engage citizens and encourage them to vote, especially if voters are immobile or geographically remote. Elections have fundamental security requirements that votes should be recorded as cast, counted as recorded and not linked to a specific voter. Only eligible voters should be allowed to vote, and they can only cast one vote each [81]. Electronic voting (e-voting) uses electronic processes for one or more of the following tasks in an election: voter identification, vote casting, and/or vote counting. No entities in an e-voting system are considered to be trustworthy, and the stringent and often contradictory security requirements must be met to ensure the election’s integrity remains intact.

Figure 2.2: Firefox OS User Interface

2.4. Remote e-Voting 2. Background

Some e-voting systems are designed to address voting security requirements in the controlled environment of an election poll-site. Examples include fully electronic systems such as Votebox [82], Direct Recording Electronic (DRE) machines [83, 84]; paper-based ballots such as Prêt à Voter [85] and the Scratch Card voting system [86].

Remote e-voting enables a voter to cast their vote over the Internet. Participation could be improved by using remote e-voting systems, as a voter can use their own computer or mobile device to cast their vote. Examples of practical implementations of remote e-voting include elections in Estonia [87] and Switzerland [88]. The number of potential adversaries is very much higher for remote e-voting systems compared to paper-based poll-site voting, and a successful attack could have far-reaching implications e.g. state-level actors may have a vested interest in affecting the outcome of an election.

Although many e-voting processes can be cryptographically protected to ensure the integrity and confidentiality of the votes cast, Rivest [89] identified a critical problem with remote implementations, i.e. “interfacing the voter to the cryptography”. Security weaknesses in hardware, operating systems and software mean that equipment cannot be trusted, so for example, the voter’s equipment could be infected with malware that tampers with the vote. This is known as “the secure platform problem”. Several methods to address this have been proposed [90]. These include: having a “clean” operating system and voting application; using special hardware attached to a PC; secure PC operating systems i.e. trusted computing; test ballots; and security by obscurity. Code sheet voting is also popular, when voting authorisation codes are sent to voters before the election, via a second channel such as the postal service: examples here include Pretty Good Democracy [18], the work of Helbach et al. [91, 92] and Randell and Ryan [86].

Remote e-voting systems could be attacked using Internet vulnerabilities to disrupt an election. For example, there have been a number of security concerns about the Estonian Internet voting system, both in overall design and technical implementation. For example, there are no DDoS countermeasures, it may be possible to link a voter to a vote and the procedures for cancelling re-votes may impact accuracy [93]. In the 2011 elections, there were technical web server and browser problems which hindered the voting process [94]. It was also reported that there was an application that could change the contents of the vote on the user’s PC without them knowing, although this complaint was not upheld by the voting authority [95]. The scheme is not voter-verifiable, i.e. the voter has no way of checking whether their vote has been counted as cast: however, the voter has the option to cast a paper vote at a later stage if they have any doubts about the security of the I-voting system⁵.

Technical attacks on remote e-voting infrastructures and associated sites have been reported:

• DDoS attacks against centralised voting web-servers were seen in the 2010 Washington D.C. election [96] and the 2012 Canadian New Democratic Party Elections [97]. In the Washington D.C. case, the e-voting system was broken into within 48 hours of it becoming available, and by taking control of the election server, the attackers “changed every vote and revealed almost every secret ballot” [96].

• Remote e-voting systems that have implemented anti-DDoS measures have opened up new routes for attack. The 2017 state election of Western Australia (WA) used an Internet voting system (I-Vote) from third-party vendor Scytl, in conjunction with Imperva Incapsula, a content delivery network which provides a DDoS mitigation service by operating as a TLS proxy. It was found that the I-Vote server had been misconfigured, and JavaScript performed by the DDoS protection service could be used maliciously to compromise voter credentials and modify ballots [98].

• There were also reports of Russian influence in the US elections in 2016 [99] and a possible DDoS attack on the U.K.’s Referendum voter registration site [100].

• In 2014, an online (unofficial) democracy polling site https://popvote.hk/ that was canvassing opinion on future Hong Kong elections was subjected to a large and sophisticated DDoS attack [101].

Trust in an electoral process may be low [102], and violence can occur. For example, Kenya has a history of corruption and systemic abuse of office by public officials, and every election since 1991 has resulted in violence [103]. The violence that erupted after the 2008 elections was widespread and prolonged. Also, in the Russian elections in 2011, there were several cyber-attacks, and individuals posted videos of ballot-box stuffing on social media. Rumours of election-rigging circulated on the Internet - fuelled by the fact that in some areas voter turnout appeared to exceed 140%. Protesters clashed with armed police and 300 activists were detained: on a later occasion another 2,000 protesters were dispersed by riot police [104].

⁵ The I-voting scheme was amended to include voter-verifiability after the 2015 Estonian elections [19].

Using Mobile devices in Remote e-Voting

There are currently very few examples of mobile phone based e-voting systems: one example of an e-voting scheme that has been implemented as an application on a mobile device is SEAS [105]. This was formally analysed by Campanelli et al. [106]. However, mobile voting applications are vulnerable because mobile phone operating systems/applications cannot be trusted to perform correctly (the secure platform problem).

Scytl developed a telephone voting system that uses a standard land line or mobile phone [107]. However, Scytl e-voting systems have been criticised in the past, notably their claims of end-to-end verifiability [108], to which they responded by claiming the report was inaccurate [109]. It was a Scytl system that was the victim of the DDoS attack in the 2012 NDP elections [97], and another of their systems was used in the 2017 state election of Western Australia (WA) mentioned above.

The latest version of Scytl’s e-voting software uses client-side JavaScript, which has been tested on Android and iPhone browsers as well as desktop implementations [110], therefore it can be used for mobile voting. However, a vulnerability was found in the JavaScript voting client that Scytl implemented for the State General Elections 2015 of New South Wales [111]. This occurred because third-party code⁶ was included for monitoring purposes. The third-party server that hosted the code had the FREAK [112] vulnerability present, so it would be possible to exploit this and tamper with the voting client code in the voter’s browser to modify the vote. Scytl’s view was that this vulnerability’s potential damage to vote integrity was akin to malware on the voter’s device [110] - which brings us back to the secure platform problem.
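A deployment check motivated by this incident, given as an added example that is not taken from the thesis or from Scytl: it lists every script a voting page loads from another origin and whether the browser could detect tampering with it. Subresource Integrity (the `integrity` attribute) is not discussed in the source and is used here as an assumption about how such code would be pinned; the sample page and hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample voting page; all hostnames are placeholders.
SAMPLE_PAGE = """<html><head>
<script src="/static/ballot.js"></script>
<script src="https://monitor.example.net/stats.js"></script>
<script src="https://cdn.example.org/lib.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="http://legacy.example.net/widget.js"></script>
</head><body></body></html>"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) origin tuple for a URL."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> element that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag == "script" and attributes.get("src"):
            self.scripts.append(attributes)


def audit_scripts(html, page_url):
    """Classify each script loaded from an origin other than the page's own."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for attributes in collector.scripts:
        url = urljoin(page_url, attributes["src"])
        if origin(url) == origin(page_url):
            continue  # first-party code, served with the ballot page itself
        if urlsplit(url).scheme != "https":
            status = "INSECURE_TRANSPORT"  # modifiable by any on-path party
        elif not attributes.get("integrity"):
            status = "UNPINNED"  # client trusts whatever the remote host serves
        else:
            status = "PINNED"  # browser rejects content that fails the hash
        findings.append((url, status))
    return findings
```

An `UNPINNED` entry corresponds to the situation described above: the integrity of the voting client then depends on the TLS configuration of a server outside the election operator's control.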

2.4.2 Rationale for Studying e-Voting

Remote e-voting on a mobile device is a relatively new area to research, and the systems that have been implemented have security issues. As shown above, there are two interesting security aspects that warrant further investigation, i.e. DDoS protection and methods for overcoming the secure platform problem. Processing votes in the tamper-resistant environment of the SIM in the mobile device would help with both these

⁶ Scytl does not recommend including third party code from external servers.