
Challenges for Large-Scale Internet Voting Implementations

Kyle Dhillon
Princeton University Department of Computer Science
Independent Work Final Report, Spring 2015
Advisor: Professor Andrew Appel

Abstract
Several governments around the world have been experimenting with Internet voting as a means to make elections easier and more efficient. This paper explains how modern, large-scale implementations of Internet voting systems work and examines exactly why they are so difficult to secure, using two recent implementations of Internet voting systems as case studies. I then propose techniques for solving the problem of widespread public trust in Internet voting, and finally examine the potential for Internet voting systems that utilize fully end-to-end verifiable schemes.

1. Introduction
1.1. Background
Governments and citizens alike are constantly searching for ways to make voting more efficient and accessible to more people. Recently, various governments have been experimenting with Internet voting as a means to achieve these goals. In fact, multiple European countries have held binding national elections over the Internet several times in the last decade [1–3].
The security of such Internet voting systems is extremely important. In any election, there is the danger of fraud and coercion, and numerous cybersecurity experts have pointed out that Internet elections are particularly susceptible to these threats, more so than traditional voting systems [4–6]. In this paper, I explain how modern implementations of Internet voting systems work and examine exactly why they are so difficult to secure, using two large-scale implementations in Europe as case studies. I then propose techniques for solving the problem of widespread public trust in Internet voting, and finally examine other options for Internet voting systems that use end-to-end verifiable schemes.

1.2. What is Internet Voting?
In this paper, I use the term Internet voting to refer to election systems in which registered voters have the option to cast valid ballots from their personal devices (which might include computers, laptops, tablets and smartphones). These ballots are transferred over the Internet to election officials and counted normally.
Internet voting is contrasted to traditional voting, in which voters must physically be present at a polling place that is operated and monitored by election officials in order to cast their ballot. In traditional voting systems, voters may cast their ballot using a paper mechanism or by using electronic voting machines, which are generally not connected to the Internet.
When using the term modern Internet voting systems, I am referring to the large-scale Internet voting systems that have been implemented between 2005 and 2015, particularly the Estonian national e-voting system and the Norwegian pilot project voting system.

1.3. Supplementary Video: Should We Trust Internet Voting?
This research is supplemented by a related project: a video explaining to the general public why Internet voting is insecure. This video, which is four minutes long and titled "Should We Trust Internet Voting?", is meant as a high-level introduction to modern Internet voting schemes and the threats they face. A detailed look at the construction of this video can be found in section 5.
This video is currently available online at www.youtube.com/watch?v=hg34L_iMg6s.

2. Components of Modern Internet Voting Implementations
This section details the components of a typical Internet voting implementation. Because these systems must be implemented on a large scale and with usability in mind, they sacrifice several verification properties in exchange for ease of installation and use by voters.
Components of a typical modern voting implementation include:
- A master public/private key pair used to encrypt/decrypt all ballots
- An individual public/private key pair for each registered voter, used to digitally sign ballots
- Software on the voter's device that encrypts and signs a ballot and transfers it to the vote forwarding server over the Internet
- A vote forwarding server, accessible over the Internet, which receives encrypted ballots, determines whether they belong to registered voters, and forwards them to the vote collection server
- A vote collection server that stores encrypted votes until vote collection is complete
- An offline protocol for decrypting and counting ballots after all votes are collected
- A second-channel individual verification method enabling voters to verify that their encrypted ballots were received by the central server
Not all modern implementations of Internet voting contain all of these components. Rather, this list is meant to represent components that the most secure modern implementations typically contain, specifically the Norwegian (2013) and Estonian (2015) voting systems [7,8].

2.1. Master Encryption/Decryption Key Pair
Most modern cryptographic voting implementations rely on public-key cryptography for ballot encryption. Before an election, election officials generate a master public/private key pair in a secure environment, for example, by using a Hardware Security Module (HSM) [7]. The master private key, which is used to decrypt votes, is divided among a number of election officials using a cryptographic technique known as threshold encryption [9]. In threshold encryption, a certain minimum number of election officials must present their unique keys in order for the master private key to become available [7]. This technique minimizes the risk of leaking the master private key if a single key becomes public, and reduces trust requirements for each individual election official.
The master public key is embedded in the software used to encrypt voters' ballots. It is important that both public and private keys are kept secret from the public, because if the public key were to become known, attackers could encrypt and submit illegitimate ballots [6].
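As an added worked example (written for this page, not taken from the paper or from either election system), the following Python splits a hypothetical master private key among election officials with Shamir's secret sharing, the classic construction behind the threshold technique described above: any quorum of officials can reassemble the key, while fewer shares reveal nothing about it. The field prime 2^127 - 1, the seven officials and the threshold of four are constructed values.

```python
import secrets

# Prime field for the shares: 2^127 - 1 is prime, so every nonzero value has an inverse mod P.
P = (1 << 127) - 1


def split_secret(secret, threshold, n_shares):
    """Shamir's (threshold, n_shares) scheme: pick a random polynomial f of degree
    threshold-1 with f(0) = secret; official i receives the share (i, f(i))."""
    if not (0 <= secret < P and 1 <= threshold <= n_shares):
        raise ValueError("secret must lie in the field and 1 <= threshold <= n_shares")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, P) for i, c in enumerate(coeffs)) % P

    return [(i, f(i)) for i in range(1, n_shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Any `threshold` distinct shares give back f(0);
    fewer shares interpolate a different polynomial and yield an unrelated value."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def key_ceremony(master_private_key, threshold=4, officials=7):
    """Constructed election-office scenario: the HSM-generated master private key is split so
    that any `threshold` of `officials` can reassemble it when counting starts."""
    shares = split_secret(master_private_key, threshold, officials)
    quorum = shares[:threshold]          # four officials present their shares
    too_few = shares[:threshold - 1]     # three officials try on their own
    return {
        "recovered_with_quorum": recover_secret(quorum) == master_private_key,
        "recovered_without_quorum": recover_secret(too_few) == master_private_key,
    }


if __name__ == "__main__":
    demo_key = secrets.randbelow(P)      # stands in for a real master private key
    print(key_ceremony(demo_key))        # {'recovered_with_quorum': True, 'recovered_without_quorum': False}
```

Note that this sharing scheme, like the procedure the section describes, reassembles the whole private key on the counting machine at some point. Threshold decryption proper goes one step further: each official computes a partial decryption with their own share and the key is never reconstructed anywhere, which removes the counting machine as a single point where the key could be captured.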

2.2. Voter ID Key Pairs
Asymmetric cryptography is also used for ballot signing and voter identification. Modern cryptographic voting systems may issue a voter identification card to all registered voters, containing a unique private key for each voter. The list of all voters' public keys is stored at the election office and is only accessible to election officials [7].
Through the voting software, voters digitally sign their encrypted ballot with this unique private key. This act of digitally signing an encrypted ballot is analogous to vote-by-mail systems that require voters to place their marked ballots inside two envelopes: one unmarked inner envelope (represented by the encrypted ballot) contained inside an outer envelope containing voter identification information (represented by the digital signature) [7]. Digital signatures guarantee that each voter has control over the votes cast in their name, so long as their private key is kept secret.

2.3. Ballot Encryption and Transmission Software
A fundamental component of any Internet voting system is the software through which users cast their ballot. It typically features a user interface by which voters first verify their identity using their ID cards or using login information, and then select their candidates of choice and confirm submission of their ballot. At this point, the software encrypts the ballot using the master public key which is embedded in the software. Finally, the software digitally signs the encrypted ballot using the voter's supplied private key, and sends it to the vote forwarding server [7].
This software may run in a voter's browser or as a standalone downloadable application [6,7]. This software is not required to verify that users are registered voters before sending signed votes to the vote forwarding server [7].

2.4. Vote Forwarding Server
The vote forwarding server (VFS) receives incoming encrypted ballots sent by voting software. By accessing a master list of all registered voters' public keys, it verifies ballots belonging to registered voters and discards unregistered ballots. It then forwards registered voters' ballots on to the vote collection server, which is not directly connected to the Internet. The VFS is the only component of the central election system that is accessible over the Internet [7].

2.5. Vote Collection Server
The vote collection server (VCS) receives ballots from the vote forwarding server. The VCS simply stores a database of all received encrypted ballots until the election is over [7]. In older Internet voting systems, the VCS and VFS were not separated, and rather were a single multipurpose server [6]. Modern voting implementations tend to separate these servers, so the database of collected votes is not directly accessible over the Internet.
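The double-envelope flow of sections 2.2 to 2.5 (encrypt under the master public key, sign the ciphertext with the voter's key, have the vote forwarding server check the signature against the registry, and let the offline counting stage decrypt) as an added, self-contained Python example. This is illustrative code written for this page, not the Estonian or Norwegian implementation: it uses exponential ElGamal over a freshly generated 64-bit safe-prime group and Schnorr signatures, both chosen here for brevity, and the voter IDs, candidates and the two rejected submissions (an unregistered key and a ciphertext altered after signing) are constructed.

```python
import hashlib
import secrets

def is_probable_prime(n, rounds=16):
    """Miller-Rabin test; sufficient for building a demonstration group."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime_group(bits=64):
    """Return (p, q, g) with p = 2q + 1 and both prime; g = 4 generates the order-q subgroup."""
    while True:
        q = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1, q, 4

def keygen(p, q, g):
    x = secrets.randbelow(q - 1) + 1
    return x, pow(g, x, p)

def encrypt_ballot(p, q, g, master_pub, choice):
    """Inner envelope: exponential ElGamal of g^(choice+1) under the master public key."""
    r = secrets.randbelow(q - 1) + 1
    return pow(g, r, p), pow(g, choice + 1, p) * pow(master_pub, r, p) % p

def decrypt_ballot(p, q, g, master_priv, ct, n_choices):
    """Offline counting: remove the mask with the master private key, then decode the choice."""
    a, b = ct
    m = b * pow(a, q - master_priv, p) % p          # a^(-x) == a^(q-x) in the order-q subgroup
    return {pow(g, c + 1, p): c for c in range(n_choices)}[m]

def _challenge(q, *parts):
    return int.from_bytes(hashlib.sha256("|".join(map(str, parts)).encode()).digest(), "big") % q

def sign(p, q, g, priv, ct):
    """Outer envelope: Schnorr signature over the ciphertext with the voter's private key."""
    k = secrets.randbelow(q - 1) + 1
    e = _challenge(q, pow(g, k, p), *ct)
    return e, (k + priv * e) % q

def verify(p, q, g, pub, ct, sig):
    e, s = sig
    r = pow(g, s, p) * pow(pub, q - e, p) % p       # g^s * y^(-e) must reproduce g^k
    return e == _challenge(q, r, *ct)

def vote_forwarding_server(p, q, g, registry, submissions):
    """The only Internet-facing component: keeps a ballot only if its signature verifies
    under a registered voter's public key, and drops everything else."""
    accepted, rejected = [], []
    for voter_id, ct, sig in submissions:
        pub = registry.get(voter_id)
        if pub is None or not verify(p, q, g, pub, ct, sig):
            rejected.append(voter_id)
        else:
            accepted.append((voter_id, ct))
    return accepted, rejected

def run_election():
    """Constructed scenario: three registered voters, one unregistered key, one altered ciphertext."""
    p, q, g = safe_prime_group()
    master_priv, master_pub = keygen(p, q, g)
    candidates = ["Candidate A", "Candidate B"]
    voters = {vid: keygen(p, q, g) for vid in ("V1", "V2", "V3")}
    registry = {vid: pub for vid, (_, pub) in voters.items()}
    submissions = []
    for vid, choice in (("V1", 0), ("V2", 1), ("V3", 1)):
        ct = encrypt_ballot(p, q, g, master_pub, choice)
        submissions.append((vid, ct, sign(p, q, g, voters[vid][0], ct)))
    rogue_priv, _ = keygen(p, q, g)                 # key that appears in no registry
    ct = encrypt_ballot(p, q, g, master_pub, 1)
    submissions.append(("V9", ct, sign(p, q, g, rogue_priv, ct)))
    vid, (a, b), sig = submissions[0]               # V1's ciphertext altered, signature reused
    submissions.append((vid, (a, b * g % p), sig))
    accepted, rejected = vote_forwarding_server(p, q, g, registry, submissions)
    tally = [0] * len(candidates)                   # VCS stores accepted ballots; counting decrypts
    for _, ct in accepted:
        tally[decrypt_ballot(p, q, g, master_priv, ct, len(candidates))] += 1
    return tally, rejected
```

`run_election()` returns `([1, 2], ['V9', 'V1'])`: the forwarding server never needs the master private key, only the registry of public keys, and the signature covers the ciphertext, so a ballot modified after signing fails verification just like one signed with an unregistered key. The example does not model re-voting (keeping a voter's latest ballot), which the Estonian system layers on top of this check.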

2.6. Offline Vote Counting Protocol
When the election is over and vote collection has terminated, voting officials typically have an offline process by which they can tally received votes. This first involves transferring the database of encrypted votes via removable storage media (USB thumb drive or CD-ROM) to a secure, offline counting machine [6,7]. Election officials then access the master private key by pooling their individual keys using the threshold encryption technique described in section 2.1. The master private key is used to decrypt all ballots, which can then be counted by the counting machine.

2.7. Individual Ballot Verification Method
A relatively recent addition to these voting systems is the concept of individual ballot verification. Because the security of voters' own devices is difficult to guarantee, another communication channel (such as SMS or a smartphone application) can be used to verify that a ballot was properly received by the vote collection server. This is usually accomplished through a confirmation message indicating that a ballot was received from the voter, along with a coded indication of which candidates were selected [10,11]. As discussed in section 4.1, while this additional verification option does partially solve the serious problem of insecure user-end devices, it violates the fundamental principle of ballot secrecy [10].

3. Overview of Modern Internet Voting Implementations
This section describes two specific implementations of Internet voting which follow the above protocol. There are, of course, many other governments which have attempted Internet voting or that will attempt it in the coming years. However, these two systems were selected primarily because:
1) they have both been implemented for national binding elections, and
2) they have both undergone rigorous security analysis.
Because each system follows a similar protocol to the one described in the previous section of this paper, I describe each implementation by its differences from that standard protocol.

3.1. Estonian e-Voting System (2005–2015)
Estonia is currently the only country in the world that allows Internet voting in their national parliamentary elections, and has employed such a system in seven different national elections since 2005. In the 2015 European Union Parliamentary election, roughly 20% of Estonian ballots (176,491 voters) were cast online [2].
The modern (2013–2015) Estonian Internet voting system is identical to the one described in section 2, and uses a smartphone app as a means to verify that a user's vote was properly cast [7,12]. Estonia also allows repeat voting as a means to combat coercion and bribery.
In 2014, researchers at the University of Michigan conducted a thorough security analysis of the Estonian Internet voting system [5]. Their research focused on discovering vulnerabilities in the client-side voting software and central servers, as well as procedural lapses in operational security that created opportunities for attackers to either disrupt the election, submit forged ballots, modify existing ballots, or change the way ballots were tallied. The details of these specific attacks are included in the following section.

3.2. Norwegian Internet Voting Pilot Project (2011, 2013)
Norway experimented with Internet voting in certain municipalities twice, first in 2011 and again in 2013. After the 2013 elections, Norwegian officials decided not to continue trials in the future, citing a lack of broad political desire as well as distrust in the security of the system as the principal reasons for the discontinuation [13].
The Norwegian system is nearly identical to the Estonian system described above. The Norwegian pilot project used a slightly different individual verification method to the Estonian one, based on the concept of return codes. Before the election, each voter receives a list of codes for each party running in the election. This list is unique for each voter. After a voter casts her ballot, she receives an SMS message containing the return code corresponding to her vote, and can therefore verify that her vote was properly cast [10].
Finally, Norwegian officials insisted that elections feature additional components of end-to-end verifiability based on zero-knowledge proofs. These would allow verifiers to mathematically prove that all votes were properly handled at various stages of the election. The notion of end-to-end verifiability is discussed in detail in section 6 [10,14].
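How a return code of the kind described in section 2.7 and above can be produced for the voter's phone by components that never see the vote in the clear, as an added Python example written for this page. It is a simplification loosely modelled on the published Norwegian idea of applying a per-voter exponent to the ciphertext, not the pilot's own protocol or code: the election key is split between a "ballot box" and a "return-code generator", the ballot box also knows each voter's secret exponent s, the printed code card is the hash of each party's encoding raised to s, and the toy group (p = 1019) and party names are constructed values.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for illustration (real deployments use 2048-bit or larger groups).
P, Q, G = 1019, 509, 4                        # P = 2Q + 1; G = 4 generates the subgroup of prime order Q
PARTIES = ["Party A", "Party B", "Party C"]   # constructed sample ballot


def encode(party_index):
    """Exponential encoding of a party choice as a group element."""
    return pow(G, party_index + 1, P)


def split_election_key():
    """Election private key x = x1 + x2 (mod Q): the ballot box holds x1 and the
    return-code generator holds x2, so neither can decrypt a ballot alone."""
    x1 = secrets.randbelow(Q - 1) + 1
    x2 = secrets.randbelow(Q - 1) + 1
    return x1, x2, pow(G, (x1 + x2) % Q, P)


def encrypt(master_pub, m):
    """ElGamal encryption performed on the voter's device."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(master_pub, r, P) % P


def code_from(element):
    """Short human-checkable code derived from a group element."""
    return hashlib.sha256(str(element).encode()).hexdigest()[:4].upper()


def make_code_card(voter_secret):
    """Printing-service step, done before the election: party -> return code,
    computed from each party's encoding raised to the voter's secret exponent s."""
    return {party: code_from(pow(encode(i), voter_secret, P)) for i, party in enumerate(PARTIES)}


def ballot_box_transform(x1, voter_secret, ct):
    """Ballot box holds x1 and s: raises the ballot to s and strips x1. The result is
    m^s still masked under G^x2, so the box cannot read the vote."""
    a, b = ct
    a_s, b_s = pow(a, voter_secret, P), pow(b, voter_secret, P)
    return a_s, b_s * pow(a_s, Q - x1, P) % P     # a_s^(-x1) == a_s^(Q - x1)


def return_code_generator(x2, partial):
    """Holds x2 only: unmasks m^s and maps it to the code texted to the voter.
    Without s it cannot turn m^s back into the party choice m."""
    a_s, b2 = partial
    return code_from(b2 * pow(a_s, Q - x2, P) % P)


def cast_and_confirm(party_index):
    """Constructed end-to-end flow; returns the SMS code and the voter's printed card."""
    x1, x2, master_pub = split_election_key()
    voter_secret = secrets.randbelow(Q - 1) + 1   # per-voter exponent s, assigned before the election
    card = make_code_card(voter_secret)
    ct = encrypt(master_pub, encode(party_index))
    sms_code = return_code_generator(x2, ballot_box_transform(x1, voter_secret, ct))
    return sms_code, card


def voter_checks(party_index):
    """What the voter does on receiving the SMS: compare it with the card entry for her choice."""
    sms_code, card = cast_and_confirm(party_index)
    return sms_code == card[PARTIES[party_index]]
```

Two things the flow makes concrete. First, the separation of roles only helps while the parties stay separate: the printing service needs s to make the card, the ballot box needs s and x1, the generator needs x2, and any two of them colluding can link a voter to a vote (and in a 10-bit toy group anyone could brute-force m from m^s, so the "cannot read" properties hold only at real parameter sizes). Second, the card plus the SMS is exactly the receipt the paper warns about in section 4.1: whoever sees both knows how the voter voted.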

4. Security Challenges of Internet Voting
4.1. Fundamental Requirements of Voting
Several fundamental requirements of any voting system, online or offline, are as follows:
- All votes must come from registered voters, who can cast a maximum of one ballot.
- The final vote count must accurately reflect all cast ballots.
- A voter must not be able to prove how she voted to a third party. In other words, the ballot casting process must be receipt-free [15].
This requirement for receipt-freeness, which can be considered part of the principle of ballot secrecy, exists so that voters are protected against coercion and vote buying.
In modern Internet voting systems with individual ballot verification methods as described in section 2.7, voters can receive confirmation that their vote was cast as intended. However, this confirmation message allows voters to easily prove to a third party how they voted, clearly violating the principle of ballot secrecy. Internet voting systems usually address this threat by allowing re-voting, both online and in person at polling places. This means that if a voter was bribed or coerced to vote one way, they have the ability to recast their ballot as many times as they like. If a voter places an offline vote at a polling place, their online ballots may be nullified [7,10].
Although re-voting may create a solution to this problem in some situations, it does not solve the fundamental problem that ballot secrecy has been violated and that vote buying is now possible. Consider the following example: in the 2015 Estonian parliamentary elections, roughly 36% of registered voters, or 321,883 people, did not cast a ballot [2]. Suppose the majority of these people chose not to vote because they simply do not care enough about the election to waste their time voting. This group of non-voters would be highly susceptible to coercion and vote buying, as they would be unlikely to exercise their right to place a second vote, considering they did not vote in the first place. Essentially, the re-vote safety net does not create a permanent solution to the problem of sacrificed ballot secrecy.

4.2. Challenges of Remote Voting
Remote voting, that is, voting not taking place at a polling station (including Internet voting and voting by mail), presents two additional challenges for a secure election.
First, remote voting makes identification of registered voters challenging. Internet voting systems solve this problem by using unique voter ID information and digital signatures, as described in section 2.2. However, if a voter's ID information is stolen, an adversary has the ability to place a legitimate vote in that voter's name. Some voting systems address this threat by giving voters a unique PIN code that must be provided before a ballot can be submitted [5].
Second, remote voting makes guaranteeing a secret ballot virtually impossible. As described in section 4.1, the secret ballot principle is fundamental to ensuring that voters will not be subject to bribery or coercion. Again, voting systems address this by allowing re-votes, which are described more thoroughly in the previous section.
While these two facts (that anyone can steal another's identification information and place a vote in their name, and that ballot secrecy is impossible to guarantee) should be troubling, they are true of all postal voting systems, which are commonly employed in large democracies [10]. So while these challenges should be mitigated in any remote voting implementation, they cannot be seen as problems unique to Internet voting.

4.3. Client-Side Vulnerabilities
Perhaps the biggest security challenge to Internet voting implementations is the insecurity of user devices. If a user's device is compromised, it could record a voter's private key and PIN and submit unauthorized votes in the client's name [5].
In their analysis of the 2013 Estonian national election, researchers implemented a number of client-side attacks that exploited these vulnerabilities. These attacks included a malware program that could silently replace a user's vote with a different one, while still tricking the smartphone verification software into believing a legitimate vote was cast [5]. Another attack directly compromises the smartphone verification app, rendering the verification software useless if both a user's computer and device are compromised simultaneously [5]. So while individual vote verification is intended as a safeguard against this kind of attack, a clever attacker can either manipulate the verification channel or devise an attack that bypasses the verification channel altogether, perhaps by submitting a new ballot at a later time [5].

4.4. Server-Side Vulnerabilities
The public-facing vote forwarding server (VFS), the vote collection server (VCS), and the vote counting machine are the most critical components of an Internet voting system. As such, they present the most attractive targets for adversaries, and must be secure against a wide variety of attacks. This is made more difficult by the fact that the VFS must be connected to the Internet and thus exposed to attackers from all over the world [7].
In their analysis of the 2014 Estonian election, researchers discovered multiple vulnerabilities in the Internet-facing vote forwarding server. For example, they discovered that the vote forwarding server is subject to a simple denial-of-service attack that could have prevented new votes from being recorded after roughly 75 minutes. These researchers also discovered a shell injection vulnerability that could have allowed any election worker to execute shell commands with root permission on the vote collection server [5].
Although the vote collection and counting servers are not directly connected to the Internet, they are still vulnerable to attack. These same researchers implemented several attacks on the offline vote counting server of the Estonian election that could have silently changed 100% of votes during the tallying process. Before these servers are installed, for example, attackers could install malware on installation DVDs or on device firmware that could steal votes once vote counting begins. The researchers also noted additional attacks to this offline server, including during software updates and by exploiting zero-day vulnerabilities in third-party software [5].

4.5. Software Bugs
An unfortunate reality of large-scale voting implementations is the existence of bugs in software, either on the client side or server side. More formally, these bugs are mistakes in the implementations of these systems that result in unpredictable differences between the proposed theoretical system and the actual implementation. As an example, bugs in client-side software might expose voters' ballots to the public and violate the principle of ballot secrecy. In the 2013 Norwegian national elections, a bug was discovered in the encryption code that resulted in 29,000 virtually non-encrypted ballots being transferred to the central servers [14].
To minimize the presence of bugs, Internet voting systems typically publish their source code online, both so auditors can identify bugs themselves and for the sake of transparency. Unfortunately, this also makes vulnerabilities caused by minor bugs easy for attackers to find. In a 2010 Washington D.C. Internet voting pilot project, for example, researchers discovered a minor bug in the open-source client-side encryption software that ultimately gave them full control over the central vote collection server [6].
It is virtually impossible to guarantee the absence of bugs in any large software project. As a result, any Internet voting implementation suffers from the uncertainty of whether or not the implemented system exactly matches the desired one.

4.6. Undetectability of Attacks
Perhaps the most frightening aspect of these threats to an election is that they may be impossible to detect. The malware that could have forged votes in the 2013 Estonian election, for example, operated silently without alerting the voter or the central election servers, and could have changed hundreds of thousands of votes while still undetected [5]. In the 2010 attack on the Washington D.C. system, researchers had full access to the central server for several days before officials discovered their presence [6]. While steps can be taken to maximize the chances for detecting an intrusion, the nature of well-executed cyberattacks is that they tend to be completely undetectable.

4.7. Summary
The attacks mentioned above are unfortunately not an exhaustive list. Rather, they illustrate that implementing large-scale Internet elections is virtually impossible to do without creating numerous opportunities for voter-side and server-side attacks. The Estonian and Norwegian implementations in particular are two of the most advanced and thoroughly audited Internet voting systems ever implemented [3]. In the Estonian case, a small team of researchers was able to discover a variety of attacks which could have, at the very least, disrupted the voting process and created a nightmare for election officials, or in the worst case completely fabricated election results. Any realistic threat scenario for a national Internet election should consider adversaries with far more computational and financial power than these teams. The sheer number of potential vulnerabilities, as well as the impossibility of predicting additional vulnerabilities and the inability to detect attacks, are ample reasons to thoroughly distrust any modern Internet voting system.

5. Addressing Misplaced Trust in Internet Voting
Despite the insecurity of modern Internet voting systems, there exists widespread trust in these systems from the voting public as well as from public officials [1,2]. This trust has led a number of governments, such as those listed above, to rush to develop Internet voting systems that may be seriously insecure. And although cryptologists and network security experts have been expressing serious concerns about Internet voting for many years, these concerns tend to be buried near the end of technical security analysis papers [4,6].
There have been efforts to educate the general public on the dangers of Internet voting. The most notable of these efforts is the website estoniaevoting.org, created by the same team that observed the security vulnerabilities of the Estonian voting system [16]. This website focuses specifically on the Estonian system and describes its vulnerabilities in terms that non-experts can understand [17].
However, there still exists a need for non-specific explanations of the risks of Internet voting, enumerated in simple terms. In an attempt to address this, I created a short video, titled "Should We Trust Internet Voting?", that explains the topics covered in this report in terms that should be understandable by the average, Internet-savvy voter.
The case I put forward in this video differs slightly from traditional arguments against Internet voting, because the concerns of the average voter are different from the concerns of a cybersecurity expert. The most important components of this argument are outlined in this section.

5.1. Rejecting Political Motivations
When hearing a case against Internet voting, a skeptical voter may suspect that the expert has political motivations. For example, a voter might wonder: is a political party paying this expert to dissuade people from trusting Internet voting, because it would hurt this party in the next election?
The aforementioned website estoniaevoting.org addresses this concern by emphasizing that the research team is independent and has not accepted any financial support from within Estonia [18]. In my video, I attempt to neutralize this concern by explaining my own frustration with traditional voting systems, and my own desire to see Internet voting realized. I frame the video as an explanation of careful research done into this problem from a variety of politically neutral sources. Additionally, I spend time explaining end-to-end schemes that might work in the future. This implies that my concerns with Internet voting are simply with the current state of security, not with the concept itself.
Unfortunately, it is difficult to completely prove that one has no hidden political motivations. Despite the attempts of the University of Michigan research team to distance themselves from political motivations, the Prime Minister and President of Estonia have both insinuated that this team was bought off by a rival political party seeking to disparage the system [5]. Nonetheless, mitigating these concerns to the best of one's ability is critical to add credibility to any argument against Internet voting.

5.2. Use Voters' Fear
Though it sounds manipulative, capitalizing on a voter's natural fear of a stolen election is important to convince them to distrust Internet voting systems. After an Internet election takes place, there will likely be a similar fear among broad swathes of the general public, especially among those voters for the losing party. Future voters may often be too distracted by the promised convenience of Internet voting to consider the worst-case outcomes and realities of a lost election.
I play off this fear in two ways in this video. I begin by emphasizing that the stakes in these elections are extremely high. I want this audience to understand the full consequences of a failed election before I discuss specific threats in more detail later. Second, I emphasize the fact that cyberattacks on voting systems are potentially undetectable, and that even an election that appears to run smoothly may be undergoing careful attacks from adversaries. This is, in my opinion, the most frightening argument to be made against the use of Internet voting systems.
Something I do not discuss in the video, but which is important to consider, is the aftermath of a close Internet election. If the election appears to have run properly, how would a losing party react? They would likely claim that there was fraud in the voting process, and it would be near impossible for the election officials to disprove these claims. If officials detected a successful attack on a large scale, how might they operate a recount? These procedural ambiguities are extremely important to consider, but were not included in the video as a tradeoff for video length.

5.3. Level of Technicality
An additional consideration when making this case is the level of detail and vocabulary that should be used. Most Internet users are familiar only with the most basic concepts in computer security. Thanks to film, they recognize what a hacker is. From personal experience, they most likely know that personal computers are susceptible to viruses. Thanks to the 2013 NSA leaks, they're likely aware that government agencies have the resources to see and collect information about citizens' activity over the Internet.
At the same time, the average Internet user would initially be confused by the concept of public/private key encryption, which is fundamental to Internet voting schemes. They probably do not know that most Internet traffic, including email, is highly insecure. As a result, an explanation of Internet voting must strike a balance between specificity and understandability. In my video, for example, I do not refer to the vote encryption process as public-key encryption, which might seem contradictory to the average viewer, but rather simply as encryption.
The technical terms I use without explanation include cyberattack/attack, encrypt/decrypt, and server, under the assumption that the target audience is familiar with these concepts. More advanced concepts, like cryptographic voting protocol and end-to-end verifiable schemes, I explain with simple hand-drawn diagrams.

5.4. Other Considerations
In addition to the specific elements mentioned above, there are other principles I found important in explaining the dangers of Internet voting to the general public. For instance, I assume that the viewers' attention spans are fairly short. When creating this video, I aimed for a duration of 3–5 minutes, and ended up with a final product of around 4 minutes. I also use hand-drawn diagrams to explain more complicated topics in a simple way.

6. End-to-End Verifiability
A useful property for developing any Internet voting scheme is end-to-end verifiability (E2E verifiability). E2E verifiability can apply to both traditional electronic machine voting systems as well as Internet voting systems, and is used as a way to solve the problem of needing to trust the election process that collects and tallies votes. However, this term is slightly ambiguous, as some elections (including the Estonian and Norwegian examples) may be partially end-to-end verifiable without providing all of the guarantees of full E2E verifiability. For the purposes of this section, we use the definition of E2E verifiability proposed by Josh Benaloh, who pioneered the term in relation to electronic voting [9,19]. The requirements of a fully E2E verifiable system are that:
1) voters can individually check that their ballots are cast as they intend (individual verifiability), and
2) anyone can check that all of the cast ballots have been accurately tallied (universal verifiability) [20].

6.1. E2E Verifiable Internet Voting Schemes
We have already observed two methods for providing individual verifiability: the Estonian smartphone verification app and the Norwegian SMS return code system. However, we have not yet discussed how we can guarantee universal verifiability. The typical method to guarantee universal verifiability is by using zero-knowledge proofs [9,14]. These proofs can convince a verifier that the voting process proceeded correctly with high probability, without giving the verifier any knowledge about the actual content of votes used in the election.
The ability to verify proper counting by using zero-knowledge proofs is available at several stages of the Norwegian Internet voting system [14]. In that election, verifiers could ensure, for example, that the encrypted votes that entered the counting process were decrypted and counted properly. However, while election officials argued that they had created complete end-to-end verification, they did not include all of the necessary components that make for true E2E verifiability [14].
An example of a fully E2E verifiable Internet election system is Ben Adida's HELIOS, which has been called a recognized standard in Internet voting verifiability [14]. HELIOS provides all the guarantees of E2E verifiability, including the ability to view non-interactive zero-knowledge proofs verifying that each ballot was properly cast, and that the complete election tally was computed properly [21].
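An added Python example (written for this page, not HELIOS's or the Norwegian system's code) of the building block behind "the encrypted votes that entered the counting process were decrypted properly": a trustee decrypts a ciphertext and attaches a Chaum-Pedersen proof, made non-interactive with the Fiat-Shamir heuristic, that the decryption factor was computed with the same secret key as the published public key. Any observer can check the proof from public values alone, without learning the key or anything beyond the claimed plaintext. The toy group (p = 1019) and the sample ballot are constructed; HELIOS publishes proofs of this form for its tally decryption.

```python
import hashlib
import secrets

# Toy safe-prime group, constructed for illustration (production: 2048-bit p and 256-bit q at least).
P, Q, G = 1019, 509, 4          # P = 2Q + 1; G generates the subgroup of prime order Q


def hash_to_q(*parts):
    """Fiat-Shamir challenge: hash the whole transcript so the prover cannot choose it."""
    digest = hashlib.sha256("|".join(map(str, parts)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(pub, m):
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), m * pow(pub, r, P) % P


def decrypt_with_proof(x, pub, ct):
    """Trustee step: returns the plaintext plus (d, c, s), where d = a^x is the decryption
    factor and (c, s) proves log_G(pub) == log_a(d), i.e. the published key was used."""
    a, b = ct
    d = pow(a, x, P)
    m = b * pow(d, Q - 1, P) % P                 # d^(-1) == d^(Q-1) in the order-Q subgroup
    w = secrets.randbelow(Q - 1) + 1             # one-time commitment randomness
    t1, t2 = pow(G, w, P), pow(a, w, P)
    c = hash_to_q(pub, a, b, d, t1, t2)
    s = (w + c * x) % Q
    return m, (d, c, s)


def verify_decryption(pub, ct, m, proof):
    """Observer's check: uses only public values, never x."""
    a, b = ct
    d, c, s = proof
    if m * d % P != b:                           # claimed plaintext must match the factor
        return False
    t1 = pow(G, s, P) * pow(pub, Q - c, P) % P   # G^s * pub^(-c) equals G^w iff s = w + c*x
    t2 = pow(a, s, P) * pow(d, Q - c, P) % P     # a^s * d^(-c) equals a^w for the same x
    return c == hash_to_q(pub, a, b, d, t1, t2)


def audit_example():
    """Constructed tally audit: an honest decryption verifies, a mis-stated plaintext is caught."""
    x, pub = keygen()
    ballot = pow(G, 2, P)                        # exponential encoding of "candidate 2"
    ct = encrypt(pub, ballot)
    m, proof = decrypt_with_proof(x, pub, ct)
    return {
        "plaintext_correct": m == ballot,
        "honest_proof_accepted": verify_decryption(pub, ct, m, proof),
        "wrong_plaintext_rejected": not verify_decryption(pub, ct, pow(G, 3, P), proof),
    }
```

The soundness of the proof rests on the challenge space: with this toy Q = 509 a trustee who used the wrong key still gets a passing proof with probability about 1/Q, which is why deployed systems use a q of at least 256 bits. Universal verifiability also needs a second family of proofs, not shown here, that each submitted ciphertext encrypts one of the allowed choices; HELIOS publishes both kinds on its bulletin board so that anyone can recompute the tally check.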

6.2. E2E Schemes and the Future of Internet Voting
These fully E2E verifiable systems create the same violations of ballot secrecy as the individual verification systems of the Estonian and Norwegian systems. As a result, the creators of HELIOS warn against using HELIOS for public office elections in which fraud and coercion is expected [22].
However, the additional guarantees provided by E2E schemes remove the need for voters to trust either their own devices or the servers and officials managing the vote forwarding, vote collection and vote counting processes. This is extremely appealing for Internet voting systems, as we have seen that these central components are sources of major vulnerabilities. As a result, E2E schemes are currently being researched by a team of scientists with the Overseas Vote Foundation as a possible solution to secure Internet voting online [20].

7. Conclusion
In summary, modern implementations of Internet voting systems have been shown to be highly insecure. Despite this, there is still worldwide trust in Internet elections and movement towards the development of new systems. As a result, cybersecurity experts should focus on explaining the dangers of Internet voting in terms that everyday Internet users can understand, in order to reduce these risks until serious improvements in Internet election security can be guaranteed.
The addition of individual verifiability through code return systems does remove some trust requirements from these systems, but sacrifices the property of ballot secrecy. This observation suggests a fundamental tradeoff in any Internet voting system between election security and ballot secrecy. There may be potential in fully end-to-end verifiable voting systems that use zero-knowledge proofs to show both that ballots have been received and that they have been properly tallied without revealing any information about those ballots to the verifiers. If these systems succeed, they may offer a solution that eliminates the need to trust most components in a typical Internet voting system while also protecting ballot secrecy. For now, the biggest challenge to Internet voting remains educating the voting public about its dangers, reducing the risk of major fraud in an insecure Internet election.

Works Cited
1. Norway Ministry of Local Government and Modernisation (n.d.) What do the voters do and think? English Summary.
2. Statistics – Internet Voting – Voting methods in Estonia – Estonian National Electoral Committee (n.d.). Available: http://www.vvk.ee/votingmethodsinestonia/engindex/statistics. Accessed 27 April 2015.
3. U.S. Election Assistance Commission (2011) A Survey of Internet Voting. EAC.
4. Appel AW (2006) Ceci n'est pas une urne: On the Internet vote for the Assemblée des Français de l'étranger.
5. Springall D, Finkenauer T, Durumeric Z, Kitcat J, Hursti H, et al. (2014) Security Analysis of the Estonian Internet Voting System. Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security. ACM. pp. 703–715.
6. Wolchok S, Wustrow E, Isabel D, Halderman JA (2012) Attacking the Washington, D.C. Internet Voting System. Financial Cryptography and Data Security. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 114–128.
7. Estonian National Electoral Committee (2010) E-Voting System: General Overview.
8. Cortier V, Wiedling C (2012) A Formal Analysis of the Norwegian E-voting Protocol. Principles of Security and Trust. Lecture Notes in Computer Science. Springer Berlin Heidelberg. pp. 109–128.
9. Benaloh J (2006) Simple Verifiable Elections. Microsoft Research.
10. Barrat J, Chevallier M, Goldsmith B, Jandura D, Turner J, et al. (n.d.) Internet Voting and Individual Verifiability: The Norwegian Return Codes.
11. Estonian National Electoral Committee (2013) What is Verification of I-votes.
12. Estonian National Electoral Committee (n.d.) Internet Voting – Voting methods in Estonia. Vabariigi Valimiskomisjon. Available: http://www.vvk.ee/votingmethodsinestonia/. Accessed 23 April 2015.
13. Norwegian Ministry of Local Government and Modernisation (2014) Internet voting pilot to be discontinued. Government.no. Available: https://www.regjeringen.no/en/aktuelt/Internetvotingpilottobediscontinued/id764300/. Accessed 23 April 2015.
14. Report ESM (2014) Internet Voting Pilot: Norway's 2013 Parliamentary Elections. The Carter Center.
15. Karlof C, Sastry N, Wagner D (2005) Cryptographic Voting Protocols: A Systems Perspective. 14th USENIX Security Symposium.
16. Independent Report on E-voting in Estonia | A security analysis of Estonia's Internet voting system by international e-voting experts (n.d.). Available: https://estoniaevoting.org/. Accessed 27 April 2015.
17. Independent Report on E-voting in Estonia | A security analysis of Estonia's Internet voting system by international e-voting experts (n.d.). Available: https://estoniaevoting.org/. Accessed 27 April 2015.
18. The Team | Independent Report on E-voting in Estonia (n.d.). Available: https://estoniaevoting.org/team/. Accessed 27 April 2015.
19. Smyth B, Frink S, Clarkson MR (2015) Computational Election Verifiability: Definitions and an Analysis of Helios and JCJ.
20. E2E VIV Project – End-to-End Verifiable Internet Voting: Feasibility and Assessment Study | Overseas Vote Foundation (n.d.). Available: https://www.overseasvotefoundation.org/E2EVerifiableInternetVotingProject/News. Accessed 27 April 2015.
21. Helios v4 – Helios (n.d.). Available: http://documentation.heliosvoting.org/verificationspecs/heliosv4. Accessed 28 April 2015.
22. Helios Voting (n.d.). Available: https://vote.heliosvoting.org/faq. Accessed 30 April 2015.
