Archives

Anonymity in Voting & Surveying

Anonymity is especially important in the voting and surveying contexts. The voting process requires that voters can vote honestly, which necessitates a secret ballot. The process has evolved from stone and pottery shards, to paper ballots, to mechanical voting booths and punch cards, to today’s computerized voting machines and remote voting options. This article takes a look at privacy and security options in voting systems.

Voting Technology Criteria

According to security experts, an ideal voting technology requires four attributes:

  1. Anonymity
  2. Scalability
  3. Speed
  4. Accuracy

Unfortunately, in the move to develop the first three attributes, it appears that the accuracy of voting technology has fallen by the wayside. All voting technologies must translate the voter’s intent in some way and many of them must do so a number of times. Each translation step presents another opportunity for errors to accumulate.

Within the context of voting, accuracy is determined by how well the process translates voter intent into properly tallied votes, rather than how well the ballots are counted. Many issues with voting result from translation errors. Consider the punch-card system of voting, which has a number of translation steps: from voter to ballot to punch card to card reader to vote tabulator to centralized total. Errors can occur at each step!

Simpler is Better

The best way to prevent these errors is designing a voting system that focuses on simplicity! The fewer the number of translation steps, the fewer the number of errors. While it’s inconvenient to deal with, handwritten ballots are actually more accurate than computerized systems, since it involves much fewer translation steps. A number of European countries continue to use paper ballots. Although paper methods are much more accurate, they don’t consider the elements of scalability or speed.

One idea, suggested by security expert Bruce Schneier, is:

“… a computer voting machine that prints out an ATM-style paper ballot. The voter checks the paper ballot for accuracy and then drops it into a sealed ballot box. The paper ballots are the “official” votes and can be used for recounts, while the computer provides a quick initial tally. E-voting machines must have the ability to verify some of the translation steps; voters can then verify that the machine correctly recorded their votes, and election officials can, if there is a recount, verify the votes were correctly tabulated. We can’t eliminate translation steps, but we can add redundancy.”

E-Voting Options

While the traditional method of voting in a polling booth offers some real advantages, it’s sometimes essential to make remote voting, or e-voting, an option to increase accessibility and participation. While Schneier’s ATM-style solution might be great for those who have physical access to an election station, what about voters who live abroad, or those who, for whatever reason, are unable to get to the election station?

There are a number of basic requirements to consider when creating a secure e-voting or remote voting system. These properties include:

  1. Ballot Anonymity – This means that each voter’s decision is a secret.
  2. Integrity – This means that each voter’s decision is counted, unmodified, in the final tally.
  3. Trustworthy Platform – Voter’s ballots should be both reliable and accurately transmitted from their personal computer.
  4. Coercion Resistance – Voters should be able to cast the ballot of their choice, even if they are voting in an unsupervised and potentially insecure environment.
  5. Denial of Service (DOS) Prevention – The e-voting system should effectively prevent small- and large-scale DOS attacks.

Of course, ballot anonymity and integrity are properties we’d like of any form of voting system, whether in-person or remotely. These e-voting criteria are further discussed in a later article.

India’s E-Voting Machines

In 2010, Hari Prasad, an Indian security researcher, exposed significant flaws in the electronic voting machines (EVMs) used in Indian elections. Elections in the country are done almost entirely through electronic voting machines, which have been developed over the last twenty years by a couple of government-owned companies. Prasad’s research was triggered by widespread reports of election irregularities, and as such, he and his colleagues conducted a rigorous, independent security analysis of the EVMs.

Prasad’s study revealed that the machines were vulnerable to serious attacks, which could alter election results and violate the secrecy of the ballot. Even an attacker with brief access to EVMs would be able to tamper with votes and possibly change the outcome of an election. The research team demonstrated two attacks that involved physical tampering with the EVM’s hardware. They also pointed out that any safeguards against these attacks are absent or inadequate.

Summary

This article takes a look at privacy and security issues in the contexts of polls and voting. There are four main criteria for a secure voting system: 1) Anonymity; 2) Scalability; 3) Speed; 4) Accuracy. The most effective way of preventing errors in tallying is by designing simple systems that reduce the number of times a voter’s ballot must be translated. The article briefly examines criteria for e-voting (electronic voting) systems, which include: 1) Ballot anonymity; 2) Integrity; 3) Trustworthy platforms; 4) Coercion Resistance; 5) DOS prevention. Finally, the article discusses an example in which security flaws and vulnerabilities were discovered in e-voting machines in India.

CIPP Exam Preparation

In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:

  • Applications of anonymity tools – voting and surveying (III.E.c.iii.3.)
Share

Leave a Reply

 

 

 

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>