The security of electronic voting and counting systems is essential to ensuring public confidence and overall electoral integrity. At the same time, these technologies present a host of security challenges, including physical security of equipment, openness to review of the source code, secrecy of voting data, encryption of data stored on machines and transmitted to tabulation centers and verification of the legitimacy of the sources of data transmitted to tabulation centers. Because numerous security flaws have been detected in voting and counting machines in many countries, public debate on and scrutiny of the security of such technologies has increased. EMBs too often assume that systems are secure, while other electoral stakeholders often have greater distrust in technologies. Thus, EMBs need to take security concerns extremely seriously.
System security is a crucial feature of electronic voting and counting technologies. These technologies are inherently less transparent than the use of paper ballots, where all steps of the voting and counting process are observable. If an electronic voting or counting system is to be trusted by electoral stakeholders, it is important that the security challenges presented by the use of the technologies are understood and addressed.
Many aspects of this issue of system and data security need to be considered. One key concern is the openness to review of the source code for the electronic voting or counting machine, as well as any other software related to the machines. Whether the source code for electronic voting and counting applications should be open source (i.e., published for anyone to inspect) is a significant issue in the debate about the transparency and security of these technologies.
Traditionally the source code for these machines and supporting applications has been seen as proprietary in nature, exclusively owned by the supplier and not provided for any independent review. Proprietary source code carries two inherent risks for the EMB: that it may be locked into a long-term agreement with the solution provider; and/or that future supplemental procurement of new machines may not be compatible with the ballot or results format of the existing systems. The need for transparency in the electoral process has led to increasing demands from election management bodies for this source code to be open to inspection by external stakeholders, and increasingly, suppliers are meeting these demands.
This issue is relevant for security, in that the source code for voting and counting applications is often very long and complex. Errors and omissions, whether accidental or otherwise, may exist in the software and not be found, despite internal review. Allowing external stakeholders to inspect the code should dissuade the inclusion of deliberately malicious code by suppliers or rogue programmers. It is also expected that the more people that can check the source code, the more likely it is that errors in the code can be identified and corrected. Given the complexity of source code, political party observers and nonpartisan election observer groups will likely need to engage IT security experts to review the code and other aspects of the security mechanisms.
Maintaining secrecy of the voting data, including ensuring that votes are not linked to voters’ identification information, is a particular security challenge for electronic voting and counting machines, especially with remote voting, where identification details need to be entered into the same device on which the vote is cast (for example, a personal computer). However, this is increasingly an issue with electronic voting machines used in supervised environments, as voting machines are now being developed to identify each voter through a personal ID number or through biometrics.
The physical security of electronic voting or counting machines and the data held on the machines also needs to be protected. Access to voting or counting machines must be controlled, and any access that takes place should be recorded, reported on if it is outside of standard operating procedures and, ideally, conducted by two-person teams. Data ports on electronic voting or counting machines may be essential so that software and configuration data can be loaded onto the machines, but the data ports need to be protected so they cannot be used to manipulate the functioning of the machines or to insert different vote data. It is also important that mechanisms are in place to verify that the software loaded onto any electronic voting or counting machine is the same version that was tested and approved by the election management body and external stakeholders.
Data held on electronic voting or counting machines needs to be encrypted to ensure that, even if the data is accessed by unauthorized persons, this data cannot be read, used or manipulated. Procedures must also be in place to ensure the security of decryption keys and to establish when and how the decryption of data takes place.
The encryption of voting data needs to be maintained when it is transmitted or transported from individual electronic voting or counting machines to the tabulation system for generation of results. There also must be a way to ensure that data uploaded to the results tabulation system has come from a legitimate source. This can be achieved by digitally signing data and only allowing data with an authorized digital signature to be uploaded.
In the public debate about electronic voting and counting systems, their security has become an increasingly important issue, with systems subject to considerable scrutiny. Electronic voting and counting machines and results systems have not fared well under this additional scrutiny. Despite the denial of suppliers (and often of election administrators as well), numerous security flaws have been detected in voting and counting machines. In the Netherlands campaigners argued that it was easy to reprogram voting machines to, for example, play chess or to manipulate the election results. When the suppliers of the machines challenged this, the campaigners reprogrammed one of the voting machines to do exactly that, playing chess against a reprogrammed voting machine (see Figure 14 below for more details).32
In India, the election commission claimed that, because the instructions for their voting machine were burned into the circuit board, it was not possible to reprogram their machines. Rop Gonggrijp, a Dutch hacker who was involved in exposing the vulnerability of the Dutch voting machines, along with a number of other researchers, took on the challenge of showing whether the Indian voting machines were secure. They demonstrated that, with little effort, the Indian voting machines could be manipulated to change the results, avoiding this circuitry coding, and that this manipulation could even be activated remotely by mobile phone.33
In the U.S., the debate on electronic voting machine security has been particularly intense, with many studies demonstrating how existing voting and counting machines could be hacked in order to manipulate election results. In 2004 the source code for a commonly used electronic voting machine in the U.S. was published online. A group of four computer scientists set about analyzing the source code and discovered several problems, including the incorrect use of cryptography, vulnerabilities to network threats and poor software development processes. This analysis concluded that the voting machine system was vulnerable to both inside and external security threats and failed to meet even minimal security standards.34
Concerns about the physical security of the Irish voting machine were also identified by that country’s Commission on Electronic Voting. In its first report in 2004 on the electronic voting system chosen in Ireland, after an initial small pilot of the voting machines in 2002, the commission found security defects in both the hardware/software interface and the physical voting machine itself.35 The system did not use (then) current security mechanisms, such as cryptography, and was vulnerable to attack by an insider with short-term access to the machine, with the result that recorded votes could be significantly affected. The commission raised serious concerns about the integrity of any elections held using the machines and determined that they should not be used again before further efforts were made to resolve these issues.
The experiences of these countries has led to a tendency to put any electronic voting or counting system under intense scrutiny. All too often election management bodies seem to operate under the assumption that electronic voting and counting systems are secure until proven otherwise. At the same time, electoral stakeholders tend to start from a position of much greater distrust in such technologies. In this context, election management bodies need to take security concerns very seriously and must be seen to address both real and perceived security threats.
32 Gonggrijp, R. and Hengeveld, W-J (2006) “Nedap/Groenendaal ES3B Voting Computer: A Security Analysis.”
33 Prasad, H. K., Haldermann, J. A., Gonggrijp, R. Wolchok, S., Wustrow, E., Kankipati, A., Sakhamuri, S. K. and Yagati, V. (2010) “Security Analysis of India’s Electronic Voting Machines.”
34 Kohno, T., Stubblefield, A., Rubin, A. and Wallach, D. (2004) “Analysis of an Electronic Voting System,” IEEE Symposium on Security and Privacy. (Washington, DC: IEEE Computer Society Press) avirubin.com/vote.pdf.
35 Commission on Electronic Voting (2004) “First Report of the Commission on Electronic Voting on the Security, Accuracy and Testing of Chosen Electronic Voting System,” Appendix 2B.
Recruitment and Training of Personnel