Vulnerability analysis of three remote voting methods


Authors: Chantal Enguehard (Université de Nantes, Laboratoire d'Informatique Nantes Atlantique), Rémi Lehn (Université de Nantes, Laboratoire d'Informatique Nantes Atlantique)

Enguehard, C., Lehn R. Vulnerability analysis of three remote voting methods. XXI IPSA World Congress of Political Science, RC10 Electronic Democracy - Dilemmas of Change? Santiago, Chile, July 13, 2009.

Chantal Enguehard & Rémi Lehn
Université de Nantes, Laboratoire d'Informatique Nantes Atlantique
2, rue de la Houssinière, BP 92208, 44322 Nantes Cedex 03, France
With the support of the European Computer and Communication Security Institute, Brussels, Belgium

Abstract

This article analyses three methods of remote voting in an uncontrolled environment: postal voting, internet voting and hybrid voting. It breaks down the voting process into stages and compares their vulnerabilities against criteria that any democratic vote must respect: confidentiality, anonymity, transparency, vote unicity and authenticity. Whether a vulnerability concerns safety or reliability, it is quantified by three parameters: magnitude, visibility and difficulty of exploitation. The study concludes that the automation of processing, combined with the dematerialisation of the objects used during an election, tends to replace visible vulnerabilities of lesser magnitude with invisible and widespread ones.

Keywords: Internet voting, remote voting, postal remote voting, hybrid remote voting, democracy, transparency, fraud, anonymity, authenticity, unicity, visibility, virus, worms.

Introduction

Remote voting procedures have recently been renewed, either by introducing optical scanners that read the ballots automatically or by completely dematerialising the objects used to vote in an Internet voting process. This article studies three methods of remote voting (postal voting, hybrid voting and Internet voting) and describes their phases. The technical vulnerabilities of Internet voting are set out in part three, and the fourth part compares the vulnerabilities of each type of vote.
I. Remote voting

I.1 - Definition

Depending on the country, remote voting may cover two distinct concepts:
— voting is supervised but takes place outside the normal location (e.g. in an embassy);
— voting takes place in an uncontrolled environment, in the absence of any electoral officer.

We are interested here in remote voting outside the control of an electoral officer, in three forms: Internet voting, postal voting and hybrid voting.

A study of elections may cover everything from the preparation of voter lists and the candidates' campaign up to the announcement of results. We focus only on the ballots, which we follow from their delivery to the voters until the counting of the votes. We do not address questions relating to the paper voting procedure that have already been studied (see [7] and [15]), nor the digital divide and accessibility (see [3], [14]).

I.2 - Three ways to vote remotely in an uncontrolled environment

For each mode of remote voting we define a model, represented by a real, widely used application that we consider representative of practice:
— Internet voting: the Internet voting procedure used in the canton of Geneva in 2007 [10];
— Postal voting: as used in the canton of Geneva in 2007 [31];
— Hybrid voting: the hybrid voting procedure used in the 2008 elections of the Comité National de la Recherche Scientifique (CNRS) in France.

Internet voting

Internet voting (i-voting) is part of a broader category called electronic voting (e-voting), which groups all forms of voting that involve an electronic device to cast or count votes.
There are draft standards and international norms, but they lack precision in defining the necessary organisational, legal and technological models, so there are many different Internet voting procedures. It is nevertheless possible to set out a general pattern that the usual procedures described as secure follow more or less closely. Authentication information is provided to voters by mail. Voters log on to an official web site to vote, from any computer connected to the Internet and equipped with a browser compatible with the application running on that site. Each voter uses the information she received earlier to be identified (login and password), then expresses her choice. The choice is encrypted and sent to the server hosting the official web site, which collects the votes, stores them until the close of the poll and then produces the results. Because not every voter has a computer with an Internet connection, this method of voting is always offered in addition to a postal voting procedure (note 1).

Postal voting

Each voter receives the voting material by mail: a "voting card" (note 2) bearing the voter's identity, a correspondence envelope and an anonymous envelope. To vote, the voter puts the ballot of her choice in the anonymous envelope and seals it. She then slips this envelope, together with the voting card that she has dated and signed, into the correspondence envelope, which is sent by post to the election office. The election office collects the envelopes as they arrive. Counting takes place in two phases. First, the names of the voters are ticked off on the signature register. Then the correspondence envelopes are opened to collect the anonymous envelopes, which are shuffled to break any link between them and the correspondence envelopes.
Finally the anonymous envelopes are opened, the ballots are extracted and the votes are counted to determine the outcome.

Note 1: With the notable exception of France, where decree no. 2007-554 of 13 April 2007 on the detailed rules for the electronic election of the Order of Nurses specifies that "Electronic voting precludes any other method of voting."
Note 2: The term "voting card" is polysemic. Here it is a paper card bearing the name and address of the voter.

Hybrid voting

The hybrid voting procedure is a modification of postal voting that allows automated counting. Voters receive the electoral material by mail: a "voting card" and a single envelope. Each card carries a voting mark (barcode and/or number) that identifies the voter, and a series of boxes placed in front of the proposed alternatives. The voter blackens the boxes of her choice. The election office collects the envelopes as they arrive. Counting is automated: the voting cards are extracted from the envelopes and scanned, and a computer updates both the signature register and the number of votes obtained by each candidate.

figure 1: Voting card for hybrid voting

I.3 - Phases of remote voting in an uncontrolled environment

Remote voting in an uncontrolled environment follows a path that can be split into several abstract phases. These phases are common to the three methods we observe but are implemented differently depending on the method (see figure 2): the organisers of the vote prepare the electoral material (B1) and its dispatch (B2). The electoral material travels through the transmission channel (C1) and is received by the voter (E1). The voter expresses her choice (E2) and then prepares to send her vote (E3).
The ballot is transmitted (C2). The polling station receives the ballots (B3) and then performs the necessary counts (B4). This presentation does not include all communications; for example, Internet voting involves several exchanges between the voter and the voting system during the expression-of-choice phase (E2).

[Figure 1, sample voting card ("CARTE DE VOTE"): identification of the elector by number and barcode; identification of the election by barcode and number; collège and section; one box to blacken in front of each candidate.]
Phase | Internet voting | Postal voting | Hybrid voting
B1* Preparation of electoral material | Drawing up lists of identifiers and passwords | Printing of electoral material | Printing of electoral material
B2* Preparation for the dispatch of electoral material | Folding up and transfer to the post office | Folding up and transfer to the post office | Folding up and transfer to the post office
C1* Transmission of electoral material | Login and password are sent by post | The two envelopes and the ballots are sent by post | The envelope and the voting card are sent by post
E1 Receipt of electoral material | The electoral material is received by the elector | The electoral material is received by the elector | The electoral material is received by the elector
E2 Expression of choice | The voter connects to the electoral web site, registers, authenticates, makes her choice and confirms | The voter expresses her choice on the ballot paper | The voter expresses her choice on the voting card
E3 Preparation for sending | The virtual ballot is encrypted | The voter puts her ballot paper in the anonymous envelope, then in the correspondence envelope | The voter puts her voting card in the envelope
C2 Transmission of the ballot | The ballot travels to the official server through the Internet | The post transports the envelopes containing the ballots to the polling office | The post transports the envelopes containing the voting cards to the polling office
B3 Reception | The official web site stores the received (virtual) envelopes, updates the signature list and returns receipts to the voters | The polling station receives and stores the envelopes containing the ballots | The polling station receives and stores the envelopes containing the voting cards
B4 Counts | The software decrypts and counts the votes | The signature register is updated, the anonymous envelopes are opened and the votes are counted | The envelopes are opened, the scanner reads the cards, the software updates the signature register and counts the votes

* This step may not exist when voters connect with an electronic identity card, as in Estonia.

figure 2: Phases of remote voting in an uncontrolled environment

II. Methodological choices

II.1 - Comparative approach

All voting systems have vulnerabilities; there is no perfect voting system that ensures strict compliance with the principles of democratic elections and gives entirely fair results. Our analysis compares three models of remote voting according to criteria expressed by various international organisations: the Universal Declaration of Human Rights (Article 21) [23], the Code of Good Practice in Electoral Matters of the Venice Commission [8], and the Election Observation Handbook of the Organization for Security and Co-operation in Europe (OSCE) [27]. These criteria may be characteristic of any democratic vote or specific to remote voting [9].

We quantify the consequences of major weaknesses through three parameters: vote magnitude, visibility and difficulty.
— The vote magnitude depends on the number of votes potentially affected by a fraud or a malfunction. It may be small (a few votes), average (enough votes to change the outcome of the election) or large (potentially nearly all votes).
— The difficulty is a fuzzy estimate of the likelihood that the conditions required to exploit a vulnerability occur. For a problem of technical reliability, it estimates whether the failure is common or rare. For a fraud, it measures the complexity of carrying it out successfully (number of people involved, technical knowledge, cost, discretion, etc.). It can take three values: small, medium and large.
— The visibility measures whether the consequences of a vulnerability are evident or not.
It can take three values: zero (the consequences are invisible), medium (the consequences are visible but cannot be proved to a court) or large (the consequences are visible enough to render the election null and void). The worst case occurs when the vote magnitude is large, the visibility zero and the difficulty small. The three parameters are not independent: difficulty and visibility are estimated for a large or medium magnitude.

II.2 - Democratic remote voting

Democratic elections

Remote voting is part of the governance processes on which democracies are based. The criteria set out by international agencies seek compliance with the essential qualities of democratic elections:
— Unicity: the "one elector, one vote" principle (note 3);
— Confidentiality: each voter expresses her choice alone;
— Anonymity: it is impossible to link a ballot to the voter who cast it (note 4);
— Sincerity: the results of the election faithfully reflect the will of the voters;
— Transparency: "the system's transparency must be guaranteed in the sense that it must be possible to check that it is functioning properly" (Venice Commission) [9].

Remote voting

These generic criteria are supplemented by criteria specific to remote voting:
— Safety: the system can withstand prospective attacks;
— Reliability: the system works in spite of hardware or software deficiencies.
The main difficulty is to ensure that votes are neither distorted nor lost between their casting by the voters and the counting of the ballots.

III - Technical vulnerabilities of Internet voting

Voting by Internet is a new procedure characterised by the dematerialisation of all objects relating to the voting procedure (ballots, ballot box, signature sheet). We describe some technical flaws that may change and distort the virtual entities representing these objects. These vulnerabilities concern either safety or reliability.

Note 3: It is uniqueness that makes an election universal.
Every person of voting age (and not deprived of her civil rights) can vote once; there is no other criterion limiting the right to vote, as there was in France with the "censitaire" suffrage (a minimum income was required) or with the denial of voting rights to women, still current in some countries.
Note 4: Confidentiality and anonymity are two aspects of the secrecy of the vote.

III.1 - Safety

Worms (note 5) and viruses

The computer used by the voter is likely to host worms and viruses that can trigger attacks modifying the choice expressed by the voter. Most antivirus software can only detect worms and viruses that are already known; a new virus cannot be identified before it acts. In addition, attackers have the advantage of being able to test their creations against the same commonly distributed antivirus software that their potential victims use. The latest viruses are able to pass firewalls and other defences and are difficult to detect [22] [30]. Attackers can create new viruses, or viruses that modify existing ones (kits for building viruses exist on the Internet). A virus can easily infect a large number of computers without being detected and remain dormant until voting day. Viruses could carry out many undesirable operations unbeknownst to the voter, such as capturing the server connection details, changing the elector's vote before encryption, spying on the electors' votes and disclosing all these details to a third party.

Pharming

The voter is the victim of a diverted session: she typed the official web site's address in the URL (note 6) bar and navigates using the SSL (note 7) protocol for securing communications.
She believes she is voting on the official web site when in fact she is interacting with a web site that imitates it, down to sending a confirmation of receipt of the vote. The fraud can be unmasked if the voter verifies that the security certificate is known and valid. But a falsified security certificate may already have been accepted on the same computer during an earlier connection to a web site believed to be secure, which produced a warning (see figure 3). Many users then choose to continue, without being aware that they are allowing a potentially falsified certificate to join the certificates duly approved by certification authorities. When the user later connects to the fake voting web site, there is no security alert.

figure 3: Security alert window

Man-in-the-middle

A man-in-the-middle attack consists of impersonating the server from the point of view of the voter's computer, and impersonating the voter's computer from the point of view of the server. The fraudster can change the cast vote. Encrypting the vote offers good protection against this attack, provided the public encryption key sent to the voter has not been intercepted by the fraudster; it is therefore necessary to send this key by secure mail. However, it is not necessary to know the encryption key to capture and destroy ballots and to return confirmation messages to the voters, making them believe that their votes have been registered. Voters are then deprived of their right to vote without knowing it, unless they check the signature register.

Note 5: A worm is a virus that can spread by itself over the network.
Note 6: URL: Uniform Resource Locator.
Note 7: SSL: Secure Sockets Layer.
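The two man-in-the-middle outcomes described above (key substitution by a relay, and ballot dropping with a forged receipt) can be played out in a few lines. The block below is an added example, not the paper's code or any real voting system's: the key pairs, the voter id "voter-42", the fingerprint format and the receipt format are all constructed here, and textbook RSA with tiny primes stands in for the real encryption only so that the exchange runs offline.

```python
"""Added example, not the paper's code: a toy run of the man-in-the-middle
attacks described above. A relay between voter and server substitutes its own
public key (and so reads or alters the vote), or simply drops the ballot and
forges a receipt. Textbook RSA with tiny primes is used only so the exchange
runs offline; it is not a cipher to use for real ballots."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class KeyPair:
    pub: PublicKey
    d: int


def make_keypair(p: int, q: int, e: int = 17) -> KeyPair:
    phi = (p - 1) * (q - 1)
    return KeyPair(PublicKey(p * q, e), pow(e, -1, phi))


def encrypt(pub: PublicKey, m: int) -> int:
    return pow(m, pub.e, pub.n)


def decrypt(key: KeyPair, c: int) -> int:
    return pow(c, key.d, key.pub.n)


def fingerprint(pub: PublicKey) -> str:
    """What the electoral office would print in the letter sent by secure mail."""
    return hashlib.sha256(f"{pub.n}:{pub.e}".encode()).hexdigest()[:16]


SERVER = make_keypair(61, 53)      # official voting server (constructed key)
ATTACKER = make_keypair(101, 113)  # the relay's own key (constructed key)


class VoteServer:
    """Decrypts received ballots, counts them and ticks the signature register."""

    def __init__(self, key: KeyPair) -> None:
        self.key = key
        self.register: Dict[str, bool] = {}
        self.tally: Dict[int, int] = {}

    def receive(self, voter_id: str, ciphertext: int) -> str:
        choice = decrypt(self.key, ciphertext)
        self.tally[choice] = self.tally.get(choice, 0) + 1
        self.register[voter_id] = True
        return "receipt:" + voter_id


def voter_cast(choice: int, key_from_channel: PublicKey,
               pinned_fp: Optional[str]) -> Optional[int]:
    """The voter encrypts with whatever key the connection delivered, unless a
    fingerprint received out of band contradicts it."""
    if pinned_fp is not None and fingerprint(key_from_channel) != pinned_fp:
        return None  # the key was substituted in transit: refuse to vote
    return encrypt(key_from_channel, choice)


def run_without_pinning(choice: int = 3) -> dict:
    """The relay hands the voter ATTACKER's key, reads the vote and re-encrypts
    it (unchanged here, but it could be any value) under SERVER's key."""
    server = VoteServer(SERVER)
    c = voter_cast(choice, ATTACKER.pub, pinned_fp=None)
    learned = decrypt(ATTACKER, c)
    receipt = server.receive("voter-42", encrypt(SERVER.pub, learned))
    return {"attacker_learned": learned, "receipt": receipt,
            "registered": server.register.get("voter-42", False),
            "tally": server.tally}


def run_with_pinning(choice: int = 3) -> bool:
    """Same relay, but the voter compares the key against the posted fingerprint."""
    c = voter_cast(choice, ATTACKER.pub, pinned_fp=fingerprint(SERVER.pub))
    return c is None


def run_ballot_drop(choice: int = 3) -> dict:
    """No key is needed for this one: the relay discards the ballot and returns
    a forged receipt. Only the signature register shows that nothing arrived."""
    server = VoteServer(SERVER)
    c = voter_cast(choice, SERVER.pub, pinned_fp=fingerprint(SERVER.pub))
    forged_receipt = "receipt:voter-42" if c is not None else None
    return {"voter_saw_receipt": forged_receipt,
            "registered": server.register.get("voter-42", False)}
```

The fingerprint comparison is the programmatic form of "verifying that the certificate is known and valid": it only helps if the reference value reaches the voter through a channel the relay does not control, which is why the paper insists on secure mail for the key. The third run shows the limit of encryption alone: a receipt forged by the relay is indistinguishable from a real one, and the signature register on the server is the only place where the missing ballot shows.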
Denial of service

A denial of service occurs when the vote server is bombarded with connections to prevent legitimate voters from voting. The server, saturated with requests, cannot respond to all the connection demands and is likely to crash.

III.2 - Reliability

1a - Hardware errors

A computer may experience failures or malfunctions. There may be defects in equipment, including electronic boards (faulty solder joints) or even microprocessors. Computers must therefore incorporate mechanisms for error detection, which is not routinely done on personal computers.

1b - Software errors

There may be errors in the programs that run on a computer. These errors can occur at every level: operating system, applications, compilers, security vulnerabilities, etc. That is why the National Institute of Standards and Technology (NIST) recommends that the results of an electronic voting system should not be checked by a software application that may itself malfunction [24]. These findings have been confirmed by numerous academic studies on dematerialised voting [12] [18] [21] [33], by the Irish independent commission on electronic voting [4] [5] and by international institutions [26]. Several ways of detecting and eliminating errors in Internet voting have been explored: testing, formal development, expert review, monitoring of elections and cryptographic verification of results.

Tests

Successfully testing an application cannot predict with certainty the behaviour of the same application in future uses, or even during past operation. It is not possible to simulate or reproduce the course of a real election involving thousands of people, with all the hazards that may occur. Testing is inadequate to prove the correctness of a computer program. It is therefore not suitable for an electronic voting application, where malfunctions may go unnoticed because of the anonymity inherent in the system.
Formal development

In scientific terms, to be certain that a program has no errors one should at least require the use of formal development methods. These methods are very expensive and limited to software components; beyond a certain level of complexity, there is still no sure development method (note 8).

Expert review

Certification authorities may exist, but they lack the means to verify programs with sufficient resources and attention to detect every error and security vulnerability. Finally, even if such an examination were made, and even if we had development methods that avoided human error, an unsolved problem would remain: ensuring that the programs in use are exactly those that were certified, and that they run without modification forced by the environment (execution altered by a malicious piece of code introduced by some peripheral software or device). In every case the server uses an operating system, and possibly a compiler or a code interpreter, which should also be considered, and so on. This approach quickly becomes daunting and therefore impracticable (note 9).

Note 8: "We don't have a theory that can guarantee system reliability, that can tell us how to build systems that are correct by construction. We only have some recipes about how to write good programs and how to design good hardware. We're learning by a trial-and-error process." J. Sifakis [32].

Monitoring of elections

To trace the operation of a computer application, its progress must be observed step by step. But introducing probes into software programs to monitor their behaviour raises the question of the objectivity and neutrality of these probes and of the programs that analyse the observed data.
In a voting system, such monitoring involves keeping a logbook in which all events are recorded and time-stamped: arrival of a ballot, signing of the signature register, counting, etc. The problem is that reading this logbook would allow everyone's vote to be determined, which violates the secrecy of the vote. If the information in the logbook is incomplete (to protect the secrecy of the vote), the process becomes useless, since it is no longer possible to fully monitor the processing of the information received and to detect malfunctions (or fraud). We note here that a measure which is effective in the usual uses of the Internet (such as bank transactions) cannot be successfully implemented because of the very special features of anonymous democratic elections.

Verification of the results a posteriori

Voting by Internet is the subject of intense research in cryptography to provide models that allow any voter to verify that her vote is taken into account and that the total of all votes is correct. The elector must also be able to provide evidence for her findings. Some experimental systems have been implemented, such as RIES [16] or VoteBox [29]. These systems exhibit a high degree of complexity, which is itself a factor of vulnerability: a well-designed cryptographic protocol may still suffer from configuration or implementation errors and be vulnerable to fraud [17], [28]. Moreover, with these systems, even if a voter sees that her vote has been distorted she cannot prove it. In addition, to respect confidentiality it is indispensable to destroy the intermediate files (note 10).

IV. Evaluation

Different approaches are possible to structure this evaluation, because the analysis must take into account several dimensions: compliance with the criteria that characterise a democratic election, the technical characteristics of each mode of voting, or the spatio-temporal sequence of attacks on an election.
We will follow this last thread, first addressing issues common to the three methods of voting and then treating them individually.

IV.1 Common issues

Preparation, dispatch and transmission of the electoral material

An incident or misconduct can lead to a failure in printing (B1) or dispatching (B2) the electoral material to a portion of the electorate. Postal mail containing electoral material can be lost, delayed or diverted during transmission (C1). The voters concerned are thus deprived of their right to vote. These interferences with the principles of unicity and authenticity may be of average magnitude, and their difficulty is small for a person involved in the organisation. Their visibility is medium: the letters are not sent by registered post for reasons of cost, there is no control of their issue, and inattentive voters are unlikely to notice the non-delivery and report it officially. A strict control of the number of letters actually sent is essential.

Note 9: "les experts ne contrôlent que ce qu'ils veulent, ou ce qu'ils peuvent." (Experts only check what they want to, or what they are able to.) A. Auer [2].
Note 10: It is difficult to destroy files so that their reconstruction is impossible.

Receipt of electoral material (E1)

When postal mail is received, it can be intercepted by one of the people sharing the voter's home. This fraud may thus be committed by someone close to the voter, who is likely to know the additional information required to be allowed to vote (usually the date of birth). It has a small magnitude: a fraudster can only divert a few votes. Biometric processes are often considered to prevent identification fraud in Internet voting, but this approach meets several obstacles.
First, it contradicts several security principles: a password should be stored in a single, encrypted file, it should be possible to change it if necessary, and the stages of identification and authentication should be separate. Where biometric procedures are implemented, we observe that the same data is used both to identify and to authenticate; this data is not secret and cannot be changed. In addition, it has been repeatedly demonstrated that biometric systems are easy to fool [20] (note 11). Finally, generalising this approach involves identifying and centralising the biometric data of all voters, which poses technical, organisational and ethical problems.

Non-receipt of electoral material (E1)

The envelopes carrying electoral material that did not reach their addressee are returned to the sender, i.e. the polling station. It may be tempting to use them to vote. The magnitude of this fraud is limited by the number of envelopes returned to the polling station. It is important that these envelopes are counted and that the number is recorded in the official minutes, as a measure to identify a large-scale diversion of electoral material.

Expression of choice (E2)

Respecting confidentiality means that voters vote alone and without coercion. None of the remote voting modes in an uncontrolled environment that we examine can guarantee that the elector expresses her choice alone and free from coercion. To address coercion, and thus increase respect for confidentiality, some Internet voting systems offer the possibility of voting several times, the last vote being the one finally counted (note 12). In addition, voters may vote in person at a polling station (a controlled environment) during a few days before the official election day, cancelling any vote they cast by Internet.
Such attempts have the disadvantage of weakening the principle of anonymity: to allow cancellation, the votes must be stored on the server together with the link between each vote and the identifier of the person who sent it. Introducing multiple voting eliminates coercion, a visible weakness (at least to the elector concerned) of small magnitude, but introduces a hidden vulnerability of large magnitude: collecting and analysing the server's internal files can reveal the identity of all voters and the choices they have made.

Note 11: In France, these weaknesses led the service in charge of state protection and security (Secrétariat Général de la Défense Nationale, SGDN) to advise against the use of biometrics for securing the state's computer systems [36].
Note 12: Curiously, some studies suggest giving the voter the opportunity to mark a vote as final, although this possibility would destroy the benefit of multiple voting: in case of coercion, the victim will obviously be forced to mark her coerced vote as final [35].

IV.2 Postal voting

The weak point of postal voting is the transmission of the ballots (C2). The envelopes containing the ballots can be diverted (they are easily recognisable), or may simply not arrive in time to be counted. Although postal services are expected to respect the secrecy of correspondence, envelopes can be opened and the votes disclosed, in violation of the principle of confidentiality. There are also techniques to determine the contents of envelopes without opening them.
It would theoretically be possible to use a registered delivery service and only secure envelopes, but the enormous cost of such measures makes them unrealistic at scale, and there are countries where the concept of a secure postal service does not exist (note 13). Envelopes may be destroyed or replaced after receipt at the central polling station (B3). These attacks on the principles of authenticity and confidentiality have a medium visibility that increases with the number of letters. The difficulty of implementation also depends on the scale: it is easy to remove one or two envelopes, but repeating the operation for several hundred or thousand envelopes requires the involvement of many people, which increases its visibility. In France, postal voting has been banned for political elections by Law No. 75-1329 of 31 December 1975 [19], after many cases of proven fraud.

IV.3 Hybrid voting

Hybrid voting has the same vulnerabilities as postal voting regarding the transmission of ballots (C2). Similarly, envelopes containing voting cards can be stolen and destroyed after receipt (B3). Replacing envelopes containing voting cards is more complex than in postal voting because each voting card is unique; the magnitude of this fraud is thus limited, provided the manufacturing of voting cards is beyond the reach of the central polling station. The counting stage (B4) is automated: the voting cards, which bear the identifier and the choice of each voter, are scanned by a single application that manages both the updating of the signature sheet and the counting of the votes. The separation between votes, identifiers and identities of voters is not clear. People with access to the software that performs the counting can disclose the identities and choices of voters. This infringement of vote secrecy can be committed by a single person, could affect all the votes and would remain undetected.
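The three server-side linkage problems raised so far (the logbook that is either complete and secrecy-breaking or redacted and useless for monitoring, in III.2; the vote store that must keep the voter-to-ballot link once re-voting is allowed, in IV.1; and the single application that sees identifier and choice together, in IV.3) come from the same data model. The block below is an added example, not code from the paper or from any voting system: voter names, choices, event names and the dropped-ballot malfunction are all constructed for the illustration.

```python
"""Added example (not the paper's code): how the records an Internet voting
server keeps, once re-voting requires a link between ballot and voter, let an
insider recover every voter's choice, and why a logbook complete enough to
name the voter whose ballot was lost also breaks vote secrecy. Voter ids and
choices below are constructed for the illustration."""
from collections import Counter
from typing import Dict, List, Optional, Tuple


class RevoteServer:
    """Stores the latest ballot per voter (so an earlier vote can be cancelled)
    and keeps a time-stamped logbook of every event."""

    def __init__(self) -> None:
        self.clock = 0
        self.seq = 0
        self.ballots: Dict[str, Tuple[int, int]] = {}  # voter -> (ballot no, choice)
        self.log: List[dict] = []

    def _event(self, kind: str, **fields) -> None:
        self.clock += 1
        self.log.append({"t": self.clock, "kind": kind, **fields})

    def cast(self, voter: str, choice: int, lost: bool = False) -> None:
        """lost=True simulates a malfunction: the register is ticked but the
        ballot never reaches the store."""
        self._event("register_marked", voter=voter)
        if lost:
            return
        self.seq += 1
        self._event("ballot_stored", ballot=self.seq)  # event carries no voter id
        self.ballots[voter] = (self.seq, choice)        # but the store must keep the link

    def tally(self) -> Dict[int, int]:
        return dict(Counter(choice for _, choice in self.ballots.values()))


def insider_dump(server: RevoteServer) -> Dict[str, int]:
    """Anyone who can read the server's files gets every voter's final choice:
    large magnitude, zero visibility."""
    return {voter: choice for voter, (_, choice) in server.ballots.items()}


def link_from_log(log: List[dict]) -> Dict[str, int]:
    """Even if the ballot store were unreadable, the complete logbook pairs each
    register_marked event with the ballot_stored event that follows it."""
    links: Dict[str, int] = {}
    pending: Optional[str] = None
    for ev in log:
        if ev["kind"] == "register_marked":
            pending = ev.get("voter")
        elif ev["kind"] == "ballot_stored" and pending is not None:
            links[pending] = ev["ballot"]
            pending = None
    return links


def redact(log: List[dict]) -> List[dict]:
    """Strip voter identities from the logbook to protect secrecy."""
    return [{k: v for k, v in ev.items() if k != "voter"} for ev in log]


def lost_ballots(log: List[dict]) -> List[Optional[str]]:
    """Register marks with no ballot stored afterwards. On the full log the
    voter can be named (and re-contacted); on the redacted log only the count
    survives, which is the trade-off described under Monitoring of elections."""
    missing: List[Optional[str]] = []
    pending: Optional[str] = None
    armed = False
    for ev in log:
        if ev["kind"] == "register_marked":
            if armed:
                missing.append(pending)
            pending, armed = ev.get("voter"), True
        elif ev["kind"] == "ballot_stored":
            armed = False
    if armed:
        missing.append(pending)
    return missing


def demo() -> dict:
    """Constructed election: three voters, one re-vote, one dropped ballot."""
    s = RevoteServer()
    s.cast("alice", 1)
    s.cast("bob", 2, lost=True)   # bob's ballot is dropped by a malfunction
    s.cast("carol", 2)
    s.cast("alice", 3)            # re-vote: cancels alice's first ballot
    return {
        "tally": s.tally(),
        "dump": insider_dump(s),
        "links": link_from_log(s.log),
        "lost_full": lost_ballots(s.log),
        "lost_redacted": lost_ballots(redact(s.log)),
        "links_redacted": link_from_log(redact(s.log)),
    }
```

The hybrid scan record (identifier plus blackened boxes on one card) is the paper form of the same `(voter, choice)` tuple, read by the one application that updates the register and counts. The postal procedure avoids the link by construction: the correspondence envelope is discarded once the register is ticked and the anonymous envelopes are shuffled before opening, so no stored record pairs a name with a ballot.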
IV.4 Internet vot ing Preparati on and transmission of electoral materi al With Internet voting, there is no ballot paper and no voting card. A piece of information in enough to vote. Electronic forms that contains identifiers and passwords may be copied after their generation, or at the office which prints the electoral material (B1). This operation may involve the entire electorate and not does not present great difficulties, while remaining invisible. However, to s trengthen the security , information such as the date or the town of birth, are often required. The collection of this information for many people may b e an insurmountable task, which limits the s ize of this attack. To remove this step, and therefore the vulnerabilities that accompany it, it is possible to equip each 13 Case of abroad voters. 10 Enguehard, C., Lehn R. Vulnerability analysis of three re mote voting meth ods. XXI IPSA World Congress of Politica l Science, RC10 Electronic Democracy - Dilemmas of Chan ge? Santiago, Ch ile, July 13, 2009. voter with an electronic card used as an identifier. In this case one risk replaces another: the use of a single identity card 14 to perform different actions (voting, paying taxes, etc..) makes people particularly vulnerable to abusive actions of the state that might be tempted to make use of such data for undesirable purposes. This risk should not be overlooked, especially as any state that w ould be tempted by such practices w ould almost certainly not be the most willing to inform the population of the danger s[11]. Between the expression of choice (E2) and th e reception of votes (B3) These steps give rise to interacti ons between the voter and the server of the of ficial vote web site. A virus present on the voter computer can intercept the vote between its validation (E2) and its encry ption (E3) and communicate it to others. It can also implement a diversion (pharming) to capture the session information entered by the voter. 
This information can then be used to vote at the place of the legitimate voter. These viral actions might affect a large nu mber of votes and stay almost invisible. Their achievement does not display an y particul ar diffic ulty for a motivated hacker. Denial of service, that disrupts access to the official we b site, is immediately visible. Many people might be tempted to vote from a computer in their workplace, especially if it is a professional election, without ever realizing that companies exercise control on the use of the internet [6] and therefore might be able to spy on their employ ees' votes. Reception (B3) et counts (B4) During its transmission via the Internet , information about the identity of the voter and information about the choice made by the voter stay together and arrive together on the offical web s ite server. This point is particularly sensitive and has been the s ubject of nu merous publications showing how to encry pt the votes in order to decode the identity of the voter independently of her choice ([13] for example). B ut it is still possible to reconstruct the votes from intermediate files storing the information received by the server, even if they ar e encry pted (having enough data and time to study facilitate this type of fra ud). There is no technical measures which would make impossible to breach the secrecy of voting by a person with malicious intent and with access to the serve rs. There are conventional process of fraud such as the introduction of a Trojan Horse or a Back Door. These frauds are s ummarized in the introduction of a few lines of program that can easily go unnoticed in the middle of programs includ ing several thousands of lines [34]. These malpractices can be implemented by a single person. It may be a programmer, a technician responsible for maintenance and updates, or any person with a phy sical or logical access to the servers. The magnitude of such fraud is larg e. 
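The following is an added, deliberately simplified model (not the paper's own code; all names are constructed) of the point made above and taken up again in the conclusion: a re-votable internet server must keep every received vote linked to its sender, so an insider with file access can re-link each voter to a final choice even when identities and votes are kept in "separate" files or the identities file is later purged, whereas the postal mixing of anonymous envelopes leaves no join key behind.

```python
from collections import Counter
from dataclasses import dataclass, field
import random

@dataclass
class InternetBallotServer:
    """Re-votable server: the last cast per identifier counts, so every
    received vote stays linked to the identifier that sent it."""
    reception_log: list = field(default_factory=list)  # (seq, voter_id, choice)
    identities: dict = field(default_factory=dict)     # seq -> voter_id
    votes: dict = field(default_factory=dict)          # seq -> choice

    def cast(self, voter_id, choice):
        seq = len(self.reception_log)
        self.reception_log.append((seq, voter_id, choice))  # intermediate file
        self.identities[seq] = voter_id  # "separate management": two files ...
        self.votes[seq] = choice         # ... that share one reception number

    def tally(self):
        last = {}
        for _, voter_id, choice in self.reception_log:
            last[voter_id] = choice      # a later cast cancels the earlier one
        return Counter(last.values())

    def purge_identities(self):
        self.identities = {}             # identities file destroyed after the count

def recoverable_links(server):
    """Insider with file access: join the two 'separated' files on their common
    sequence number, or fall back to the reception log kept for re-voting."""
    if server.identities:
        pairs = ((server.identities[s], c) for s, c in sorted(server.votes.items()))
    else:
        pairs = ((v, c) for _, v, c in server.reception_log)
    return dict(pairs)                   # later pairs override: final choice per voter

class MixedPostalBox:
    """Postal model: the identity on the outer envelope is checked against the
    register, the anonymous inner envelope goes into the urn, and the urn is
    mixed before opening, so no join key survives."""
    def __init__(self, rng=None):
        self.register = set()            # signing sheet: who has voted
        self.urn = []                    # inner envelopes: choices only
        self.rng = rng or random.Random()

    def receive(self, voter_id, choice):
        if voter_id in self.register:
            return False                 # unicity: a second envelope is rejected
        self.register.add(voter_id)
        self.urn.append(choice)
        return True

    def open(self):
        self.rng.shuffle(self.urn)       # mixing breaks the reception order
        return Counter(self.urn)

def postal_exposure(box):
    """Share of voters whose choice the retained postal data determines: after
    mixing, only a unanimous urn reveals anything."""
    return 1.0 if box.register and len(set(box.urn)) == 1 else 0.0
```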
Finally, the combination of automated updating of signing registers and the dematerialisation of ballots facilitates ballot stuffing on a large scale: in the final moments of the voting period a fraudulent program can generate many votes in the name of voters who abstained. This risk cannot be controlled by monitoring the rate of participation, because it has been observed that voting sites experience peak attendance in the last moments during which the vote is open. It cannot be stopped by checking with the voters either: even if voters discover that a vote has been registered in their name when they did not vote, it will be impossible to prove.

(Footnote 14, on the electronic identity card used as an identifier) Effective in Estonia.

V. Assessment

V.1 - Synthesis

None of the remote voting systems can be classified as safe, but the consequences of the vulnerabilities are heterogeneous.

Postal voting

Postal voting is vulnerable to fraud and heavily dependent on postal services, but attacks on the fairness of elections cannot go unnoticed when they are large.

Hybrid voting

Hybrid voting delegates the counting of votes and the updating of the signing registry to automatic procedures and disallows any outside intervention in this crucial stage of an election. The counting procedure may hide malfunctions or major frauds that keep the total number of counted votes intact but undermine its sincerity.
Establishing such a fraud would require that all received voting cards be counted again by physical persons, which is impossible if there are several thousand ballots, for practical reasons (one must keep the ballots sealed, find enough people to make the counts and, above all, be able to justify the need for such an operation) and legal ones (if the recount is not completed, there is no evidence to present to the election judge qualified to allow the recount). In addition, the software may disclose to third parties how each voter voted, and this violation of the secrecy of the vote may be difficult to prove. This procedure has implicit vulnerabilities of large magnitude that could stay invisible and present little difficulty.

Internet voting

Internet voting presents vulnerabilities of the worst kind: they are invisible, can affect a large number of votes, may be committed by a small number of people (from anywhere in the world) and do not require expensive equipment. These vulnerabilities are present at different stages of the voting process: at the voter's computer, during the delivery of votes, or when the count is processed.

V.2 - Analysis

The remote voting vulnerabilities that we examined can take place at different stages of the vote and remain undetected by officials, delegates and candidates' representatives. These stages can be corrupted without anyone knowing. With postal voting, the areas of opacity are limited to the choice by the elector and to the transmission of letters. The automatic vote counting in hybrid voting procedures extends the areas of opacity by preventing the public counting of the votes. Internet voting radicalises the automation process by handling dematerialised objects. The voting process is displaced from the real world to a virtual world where the observations made directly through our perceptions (sight, touch, etc.) do not apply and which is beyond the reach of the majority of citizens.
It is impossible to directly control the voting process and to evaluate whether it works correctly. It is only possible to observe processes that are supposed to reflect the activity of the voting system, but which can also give a distorted view. The votes can be affected by events that may remain invisible: criminal acts (even easier to commit when close to the team responsible for organizing the elections) or simple malfunctions. Lastly, it appears that science is powerless against this problem. Writing a large program that hides no errors can be considered a great achievement. However, ensuring that no program hosts deliberate "errors" is a far more complex task. Neither tests (note 15) nor the expertise of the programs are sufficient, as Ken Thompson, co-designer of the UNIX system, recalls:

« You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. (...) As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect. » [34]

Conclusion

This study presented technical and democratic vulnerabilities of three ways of remote voting. It showed that the use of computerized tools leads, by nature, to more complex procedures, making some massive attacks against authenticity or confidentiality potentially invisible. It appears that the dematerialisation and the transformation of information that lie in any computerized processing put the voting process in a new world where the ordinary rules of physics no longer apply.
The impossible becomes possible (thousands of votes may be altered in a moment) and the apparent banality of electronic voting systems can become a deceptive illusion. For example, in the real world the simple mixing of anonymous envelopes definitively breaks the relationship between votes and voters. In the virtual universe, there is still no way to do this: files can be copied, information can be recovered after being erased, etc. In France, the Commission Nationale Informatique et Libertés (CNIL) requires separate management of votes and identities but seems unaware that this separation is not likely to prevent violations of the secrecy of the vote. Similarly, the European Commission defines transparency as the ability to verify that the voting system is functioning properly, which remains an impossible task, as we have previously demonstrated. It recommends that the voter be able to confirm his vote and correct it (note 16), while this operation requires that a link between voter and vote be maintained, thus weakening the principle of anonymity. These attempts to reconcile anonymity, protection of authenticity and dematerialisation show that the transition to electronic elections conceals fundamental problems and reveals contradictions and unexpected difficulties.

« The clear consensus of computer-science experts around the world who have studied these issues is that Internet elections cannot be trusted, for all the reasons that I have explained: the voters and political parties cannot audit the operation of the software and hardware that serves as the real bureau de vote. Therefore it is not clear to me how the assesseurs can sign anything but a surrealist image of a true procès-verbal. » [1]

(Footnote 15) « There is, moreover, a fundamental theorem of computer science according to which there can be no general test to decide whether a system and its software host malicious code or not. » (translated from the French) R. Oppliger [25]

(Footnote 16) « Furthermore, the elector must be able to obtain confirmation of his or her vote and, if necessary, correct it without the secrecy of the ballot being in any way violated. » [9]

Bibliography

[1] APPEL (A.W.) Ceci n'est pas une urne: On the Internet vote for the Assemblée des Français de l'étranger, (June 2006).
[2] AUER (A.), VON ARX (N.) La légitimité des procédures de vote : les défis du e-voting, Faculté de droit de l'Université de Genève, Suisse, (December 2001).
[3] BIRDSALL (S.) The democratic divide, First Monday, peer-reviewed journal on the internet, (2005).
[4] CEV. Commission on Electronic Voting, Secrecy, Accuracy and Testing of the Chosen Electronic System. First report, (December 2004).
[5] CEV. Commission on Electronic Voting. Secrecy, Accuracy and Testing of the Chosen Electronic Voting System. Second report, (July 2006).
[6] CNIL. La cybersurveillance des salariés. Rapport de la Commission Nationale Informatique et Libertés, (2003).
[7] COLEMAN (S.) Internet voting and democratic politics in an age of crisis. In Trechsel A. (ed.) The European Union and E-Voting: Addressing The European Parliament's Internet Voting Challenge, London: Routledge, p.223-237, (2005).
[8] European Commission for Democracy through Law (Venice Commission). Code of Good Practice in Electoral Matters, (July 2002).
[9] European Commission for Democracy through Law (Venice Commission), Report on the compatibility of remote voting and electronic voting with the standards of the Council of Europe, adopted by the Venice Commission at its 58th Plenary Session (Venice, 12-13 March 2004), CDL-AD(2004)012.
[10] ETAT DE GENEVE. E-Voting - Cahier des charges. www.ge.ch/evoting/cahier_charges.asp
[11] DESWARTE (Y.), MELCHOR (C. A.) Current and future privacy enhancing technologies for the Internet. Ann. Télécommun., 61, n°3-4, p.399-417, (2005).
[12] DILL (D.), DOHERTY (W.) Electronic Voting Systems. Report for the National Research Council, (November 22, 2004).
[13] GOMEZ OLIVA (A.), SANCHEZ GARCIA (S.), PEREZ BELLEBONI (E.) Contributions to traditional electronic systems in order to reinforce citizen confidence. Electronic Voting 2006, 2nd International Workshop, GI-Edition, Lecture Notes in Informatics, Robert Krimmer (Ed.), p.39-49, Bregenz, Austria, (August 2nd-4th 2006).
[14] HERRNSON (P. S.), NIEMI (R. G.), HANMER (M. J.), BEDERSON (B. B.), CONRAD (F. G.), TRAUGOTT (M.) The Importance of Usability Testing of Voting Systems. Electronic Voting Technology Workshop, Vancouver B.C., Canada, August 1, 2006.
[15] HOFF (J.) Towards a theory of Democracy for the information age. Discussion paper for the Democracy Platform UK-Nordic Meeting, (16-17 September 1999).
[16] HUBBERS (E.), JACOBS (B.), PIETERS (W.) RIES - Internet Voting in Action. In R. Bilof, Proceedings of the 29th Annual International Computer Software and Applications Conference, COMPSAC'05, pages 417-424. IEEE Computer Society, (July 26-28, 2005).
[17] JANVIER (R.) Lien entre modèles symboliques et computationnels pour les protocoles cryptographiques utilisant des hachages. Thèse de doctorat de l'Université Joseph Fourier, Grenoble, (2006).
[18] JEFFERSON (D.R.), RUBIN (A.D.), SIMON (B.), WAGNER (D.) Analyzing Internet Voting Security. Communications of the ACM, vol.47, n°10, p.59-64, (October 2004).
[19] LOI n°75-1329 du 31 décembre 1975, codifiée sous l'article L72-1 du code électoral, (1975).
[20] MATSUMOTO (T.), MATSUMOTO (H.), YAMADA (K.), HOSHINO (S.) Impact of artificial "gummy" fingers on fingerprint systems, Proceedings of SPIE, Optical Security and Counterfeit Deterrence Techniques IV, vol.4677, (2002).
[21] MERCURI (R.) A Better Ballot Box? IEEE Spectrum Online, (October 2002).
[22] MOORE (D.), PAXSON (V.), SAVAGE (S.), SHANNON (C.), STANIFORD (S.), WEAVER (N.) Inside the Slammer worm. IEEE Security and Privacy, (2003).
[23] NATIONS UNIES. Déclaration universelle des droits de l'homme, (1948).
[24] NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY. Requiring Software Independence in VVSG 2007: STS Recommendations for the TGDC, (November 2006); Voluntary Voting System Guidelines Recommendations to the Election Assistance Commission, (August 31, 2007).
[25] OPPLIGER (R.) Traitement du problème de la sécurité des plates-formes pour le vote par Internet à Genève, (3 May 2002).
[26] OSCE/ODIHR. USA 2 November 2004 Elections - OSCE/ODIHR Needs Assessment Mission Report, 7-10 September 2004, Warsaw, (28 September 2004).
[27] OSCE. Election Observation Handbook, Fifth edition, ISBN 83-60190-00-3, (2005).
[28] RYAN (P.Y.A.), PEACOCK (T.) Prêt à Voter: Systems Perspective, (September 20, 2005).
[29] SANDLER (D.), DERR (K.), WALLACH (D. S.) VoteBox: a tamper-evident, verifiable electronic voting system. Proceedings of the 17th USENIX Security Symposium (USENIX Security '08), (2008).
[30] SCHNEIER (B.) The Trojan Horse Race. Inside Risks 111, Communications of the ACM, vol.42, n°9, (September 1999).
[31] SERVICE CANTONAL DES VOTATIONS ET ELECTIONS. Je vote ! - élections communales, Election du Conseil municipal du 25 mars 2007. Canton de Genève, (2007).
[32] SIFAKIS (J.) cited in "In Search of Dependable Design" by Leah Hoffman. Communications of the ACM, vol.51, n°7, p.14-16, (July 2008).
[33] SIMONS (B.) Electronic Voting Systems: the Good, the Bad, and the Stupid. ACM Queue vol.2, n°7, (October 2004).
[34] THOMPSON (K.) Reflections on Trusting Trust. Communications of the ACM, vol.27, n°8, p.761-763, (August 1984).
[35] VOLKAMER (M.), GRIMM (R.) Multiple Casts in Online Voting: Analyzing Chances. Electronic Voting 2006, 2nd International Workshop, GI-Edition, Lecture Notes in Informatics, Robert Krimmer (Ed.), p.97-106, Bregenz, Austria, (August 2nd-4th, 2006).
[36] WOLF (P.) "De l'authentification biométrique", Sécurité Informatique, n°46, p.1-6, (October 2003).
