\documentclass[a4paper, 11pt]{article} \usepackage{amssymb} \usepackage{eurosym} \usepackage{times} \usepackage{graphicx} \usepackage{paralist} \topmargin=1cm \textheight=200mm \begin{document} \begin{center} \LARGE{} Electronic Voting in Ireland \normalsize{} \vspace{10pt} \\ Margaret McGaley \\ Computer Science Department \\ NUI Maynooth \\ Maynooth \\ Co. Kildare \\ Ireland \\ mmcgaley@cs.may.ie \\ \today{} \end{center} \vspace{20pt} \section{Why is e-voting an important issue?} \subsection*{E-voting, if badly implemented, threatens our democracy} This may sound extremist, but it is actually a legitimate statement. If an electronic voting system were compromised, individuals or groups could gain power without the support of the people. This is exactly the situation that representative democracy is designed to avoid. Recent incidents in the UK \cite{UK05} have provided ample evidence, if any was needed, that where illegitimate means of gaining power exist, there will be those who seek to exploit them, even in the most modern and stable of democracies. \section{What are the major concerns?} \subsection*{How realistic is the threat to e-voting, and is it more serious than the threat to paper voting systems?} Paper voting is, naturally, potentially subject to certain kinds of ``attack'' \footnote{The word ``attack'' is used here in the sense commonly used in computer security; an attack is an attempt to compromise or gain control of a computer system.} but there are two important differences between it and electronic voting. \begin{compactitem} \item Scope and scale \item Conflict between security and privacy \end{compactitem} \subsection*{Scope and scale} Paper voting is, by nature, distributed. Votes are separate physical objects, which means that an attack must be launched on every constituency that the attackers wish to affect. It must also be repeated for every poll the attackers wish to affect. E-voting, on the other hand, is centralised. It offers a single point of attack. A successful attacker could affect every constituency, every time the system was used. If someone could alter the behaviour either of the vote collection machines, or the vote tabulation machines, they might gain control over all Irish polls. Such an attack could be surprisingly easy to implement, and surprisingly difficult to detect. Please see the submission made by {\em Irish Citizens for Trustworthy Evoting} (ICTE) to the Commission on Electronic Voting \cite{ICTE04} for more details on this point. \subsection*{Conflict between security and privacy} Secret-ballot voting systems possess an unusual conflict in their requirements. Voter identities must not be associated with their vote (requirement for privacy), but only eligible voters must be allowed to vote, and only once (requirement for security). Security in this sense would usually be implemented through auditing. For example, financial records are inspected to ensure that they have not been completed fraudulently. Unfortunately, the requirement for privacy prevents us from retaining records about who owns which vote. The solution to this conflict that is used in modern paper voting systems is called the Australian Ballot. Under this system, the only valid votes are those recorded on ballot papers provided by the state, and the only way to get one of these ballot papers is to prove your identity - showing that you are registered to vote at that polling station and that you have not yet voted in the current poll. Once the voter puts the ballot in the ballot box, it is no longer associated with their identity, but the ballot box should only contain papers marked by authenticated voters. A voter knows that their vote will be counted and an official knows that the votes they are counting are legitimate because they both know that: \vspace{3pt} \begin{compactitem} \item the vote was put into a sealed ballot box in public view, \item paper doesn't spontaneously change inside a sealed box, \item the vote was taken out of the ballot box in (semi-)public view. \end{compactitem} \vspace{3pt} \noindent{}It is true that this ``knowledge'' involves trust: trust that the ballot boxes are not the victims of large-scale collusion, probably involving members of the Garda\'{i}. This trust is bolstered by the fact that such collusion, even if it were successful, would have limited scope and scale, as noted above. E-voting systems without paper trails cannot offer this reassurance to voter and official. The vote counted by the e-voting system is an electronic record. It is not equivalent to the paper ballot in the system above because it is not a tangible piece of evidence of how an individual voter voted. Both voter and official know that a piece of paper doesn't change inside a ballot box, but they cannot say the same about an electronic record inside a computer. The voter cannot be sure that the vote recorded by the polling station machine is the vote they intended to make (they cannot see the microscopic internal workings of the machine). Officials cannot be sure that the vote is correctly copied from voting machine to counting machine (for the same reason). Such differences (between intended vote and recorded vote, and between recorded vote and counted vote) need not even be deliberate or malicious. ``Bugs'' are a fact of life in software development, even in the most rigorous processes \cite{Fish96}. Again, please see the ICTE submission to the Commission on Electronic Voting \cite{ICTE04} for more details on the kind of accidental errors that might affect an election outcome. \section{What should the Irish Government do now?} A simple and effective solution to the conflict described in the previous section is the introduction of what is known as a Voter Verified Audit Trail (VVAT), or Voter Verified Paper Ballots. This reintroduces the paper ballot that reassures both voter and official because: \vspace{3pt} \begin{compactitem} \item the vote was put into a sealed ballot box in public view, \item paper doesn't spontaneously change inside a sealed box, \item the vote was taken out of the ballot box in (semi-)public view. \end{compactitem} \vspace{3pt} \noindent{}It is very important that these paper ballots are the official record of votes cast, and are checked in a statistically significant number of constituencies for every poll, whether or not there is any suspicion of error. In those constituencies where there {\em is} any question over the electronic results, the paper ballots must be counted. Whenever there is a discrepancy between the electronic and paper results, the paper results must stand. If these three conditions were not met, there would be no point in the VVAT and we would be back to an unsecure e-voting system. VVAT is considered a basic requirement for secure e-voting by many experts in the field \cite{Mercuri, Schneier, VVRes}, and is becoming a legal requirement in many states of the U.S. \cite{VV.org}. The Irish Computer Society (ICS) - the national body for Information and Communication Technology (ICT) Professionals in Ireland - called for the introduction of a ``paper-based voter verified audit trail'' in a press release in March 2004 \footnote{The text of the press release is available on the website of Irish Citizens for Trustworthy Evoting at http://www.evoting.cs.may.ie/ics.press\_release.html}. There are several different ways of implementing VVAT. Unfortunately, the Nedap/Powervote system purchased by the Irish Government does not currently make use of any of them. Though the addition of printers to the voting machines would make it possible to implement what is known as the Mercuri method (whereby the vote is printed by the machine in front of the voter for verification and depositing in a normal ballot box). \subsection*{Three options: modify, replace, or wait} The Irish Government has committed significant funds to the purchase of the \newline{}Nedap/Powervote system. It appears that the contract does not allow the Government to retrieve any of those funds in the event that the system is not used here. It is understandable that the Government does not want to see that money go to waste, however the economic position is not straightforward. As outlined above, it is not acceptable that this system should be used as-is in Irish elections. It does not include a VVAT, and therefore cannot be trusted by citizens and officials to correctly record and count votes. This leaves three options open to the Government: \begin{compactitem} \item add a VVAT to the Nedap/Powervote system, \item buy a new e-voting sytem which already includes VVAT, or \item wait until voting technology becomes more mature. \end{compactitem} \vspace{6pt} When examining the economic viability of modifying the Nedap/Powervote system, it would be worth comparing it to the price of other systems. It may be that a simpler system - based on optical scan character recognition - would actually be cheaper than the modification of the proposed system. The third option, which would be unattractive to those with a political investment in this system, is to postpone the introduction of e-voting in the Republic of Ireland indefinitely. This is an immature technology which offers attackers potentially massive gains at very small risk, while posing massive risk to our very democracy. While it is suitable that this nation should aim to be at the forefront of technological innovation, our voting system is far too precious to be put at risk for the sake of that aim. \raggedright \bibliographystyle{unsrt} \bibliography{pds} \end{document}