Date post: 19-Jan-2016
Upload: doreen-patterson
BY: CHRIS GROVES Privacy in the Voting Booth
Page 1: BY: CHRIS GROVES Privacy in the Voting Booth. Reason for Privacy Voters worry that their vote may be held against them in the future  People shouldn’t.

BY: CHRIS GROVES

Privacy in the Voting Booth

Reason for Privacy

Voters worry that their vote may be held against them in the future

People shouldn’t be rewarded or punished for who they voted for

Voters don’t want to feel socially pressured to vote a particular way

Voters shouldn’t feel peer pressure at the voting booth

Issues

The system needs to have a physical paper trail in case the results come into question

Trail can be used to keep track of the order of votes

Must be sure that there is no record of the order that people voted, i.e. video or paper

Non-Technical Measures

The physical paper trail has to have the records randomized before any person is able to physically touch it

No cameras may be permitted in the location or at entrance/exit to prevent any tracing back to database logs (if the person has video to link the time of the vote to the person then that’s a privacy issue)

Technical Issues

Recorded data needs to be heavily encrypted in the event that the physical storage medium is lost or stolen

Where do electronic votes get stored? Local or Remote

Local Storage

Must be stored on physical storage

Need to collect all of the results to get the final tallies.

After the election all of the physical media must be collected to be stored securely so that nobody can access them

Central Server

Each voting terminal will transfer its votes to the central server via the Internet

Central server then maintains the totals

Still need physical paper trail created at the voting terminal

Privacy/Security Concerns

System sends messages over the internet and so they can be intercepted and read along the way

Both the voting machines and the central server have to be exposed to the internet during the voting period to allow for traffic to be sent

IP Addresses

System would use static IP addresses

Server would filter traffic so that it only accepts traffic that it knows is from the network of voting machines

Must be kept a closely guarded secret

IP Addresses Cont’d

If IP addresses became known traffic could be intercepted between voting machine and central server

Attacker could spoof the IP of a voting machine and send false votes

Would also leave the system open to DoS attacks

Trusted Connection

In this case we could use a public key system to ensure traffic is between voting terminal and the server.

Better option is to use a confidential key

All machines are known ahead of time so all can be given the key beforehand

Saves the overhead of exchanging keys

Must be kept strictly confidential
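
An added example, not part of the original slides: the server-side acceptance check implied by the "IP Addresses" and "Trusted Connection" slides, showing that the address filter alone does not stop a sender who forges a terminal address, while a tag computed with the pre-shared key does. The address range, key, field names and the choice of HMAC-SHA-256 are assumptions made for illustration; the tag authenticates the message and does not encrypt it.

```python
import hashlib
import hmac
import ipaddress
import json

# Constructed values: a documentation address range and a placeholder key.
TERMINAL_NET = ipaddress.ip_network("192.0.2.0/28")
SHARED_KEY = bytes(range(32))


def seal(key, vote):
    """Terminal side: serialise the vote and compute an HMAC-SHA-256 tag."""
    body = json.dumps(vote, sort_keys=True).encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


class Server:
    """Central server holding the same pre-shared key as every terminal."""

    def __init__(self, key, allowed_net):
        self.key = key
        self.allowed_net = allowed_net
        self.accepted = []

    def accept(self, src_ip, body, tag):
        """Return (accepted, reason) for one incoming message."""
        # Coarse filter from the "IP Addresses" slide: known terminals only.
        if ipaddress.ip_address(src_ip) not in self.allowed_net:
            return False, "source not in terminal network"
        # A source address can be forged, so possession of the key is what
        # proves origin; compare_digest avoids a timing side channel.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad tag"
        self.accepted.append(json.loads(body))
        return True, "ok"
```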

Encryption

Even with these precautions packets need to be encrypted because they can be intercepted en route

Must be very high levels of encryption because the government has a great deal of computing power

Data to Store

• Stored information should be kept to a bare minimum to minimize possibility of linking vote to voter

• For this system 3 parts shall be stored

– Date – Needed in the case of a discrepancy and an audit of the results

– Candidate

– Identifier – Confirms that the vote came from a legitimate source

Identifier

Must be unique to each voter but cannot identify the voter from the ID

In Canada everyone has a Social Insurance Number to uniquely identify them. Can use that to generate our identifier

Can keep a database of generated IDs so that only people that have actually shown up to vote have IDs.

Generating the ID

We need a one-way function

Could use a one-way hash function

This would be computationally infeasible to get the voter’s Social Insurance Number from the ID

Use a hash function on the person’s Social Insurance Number
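
An added example, not part of the original slides: the identifier scheme from the "Identifier" and "Generating the ID" slides, with the check a reviewer would run on it. A Social Insurance Number is only nine digits, so the one-way property holds only if the mapping cannot be recomputed over that small input space; the keyed variant (HMAC-SHA-256 under a secret key) is an assumption added here, and all numbers and keys below are constructed.

```python
import hashlib
import hmac


def plain_id(sin):
    """Identifier as the slide describes it: a one-way hash of the SIN."""
    return hashlib.sha256(sin.encode()).hexdigest()


def keyed_id(key, sin):
    """Assumed variant: HMAC-SHA-256, so the ID depends on a secret key too."""
    return hmac.new(key, sin.encode(), hashlib.sha256).hexdigest()


def matches_by_enumeration(target, candidates, id_fn):
    """Audit check: can the ID be matched by walking a list of possible inputs?"""
    for candidate in candidates:
        if id_fn(candidate) == target:
            return candidate
    return None


class IssuedIds:
    """Database of generated IDs: each voter who shows up gets exactly one."""

    def __init__(self):
        self._seen = set()

    def issue(self, voter_id):
        """Return True the first time an ID is issued, False on a repeat."""
        if voter_id in self._seen:
            return False
        self._seen.add(voter_id)
        return True


# Constructed toy input space: the first 1000 nine-digit strings.
TOY_SPACE = [f"{n:09d}" for n in range(1000)]
```

With the unkeyed hash the audit check finds the input again from the ID alone; with the keyed form it finds nothing unless the caller also holds the key, which is why the key has to be protected as strictly as the slides require for the confidential key.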

Conclusion

For this system to work effectively it’s important that all parts work together

It’s particularly important that the Confidential Key and the list of IP Addresses be kept private

If they are confidential the technologies can ensure that the data is secure and that it can’t be linked back to an individual voter

