
Analysis

Most elections are held in a somewhat dated fashion: eligible voters enter a designated premise (usually a large room with a number of secluded, phone-booth-sized cubicles dispersed in the middle of the room) and, upon presenting some token of authorization such as a card made for the occasion, a personal ID card or other means of authorization, are handed a ballot and directed to one of the cubicles. There, they cast their vote by marking the ballot in identified areas with a pen, their thumb or some other device. Finally they resurface from the cubicle and insert the ballot into a securely sealed ballot box. This box is emptied by election-appointed personnel, and the results are then wired to wherever the consolidated results are being collected.

Pros

  • The physical area is easily secured and monitored
  • Voters are (depending on the kind of authorization chosen) easily authorized
  • Votes are easily counted (and recounted)

Cons

  • The cost of renting voting areas and entertaining (or paying an hourly fee to) election-appointed personnel limits the number of elections deployable for populations exceeding just a few thousand
  • Logistics likewise limit the number of elections
  • Voters are more easily deterred, knowing that they will have to run a gauntlet of possible opponents
  • Voters are more easily kept from voting (by limiting the number of ballot boxes/voting areas and/or narrowing the window of opportunity)

Utopia

In a perfect dream any person of any age would be able to share his/her view on any issue in a kind of consolidated 'state of opinion'. If the individual would have a rational, homogeneous view morally, ethically, socially, and religiously perhaps elections could be narrowed to one person voicing his opinion. That is the Utopia. Still with a consolidated 'state of opinion' - a population would collectively be able to decide on the issue according to the majority.

i-lection Ballot

an online voting service

TL;DR: the i-lection Ballot System (iBS) provides a secure voting platform for elections. All you bring is a fixed IP address (Internet service provision) and a secure location for installing the ballot server.

Target customers: any population with a demand for secure, cost-effective voting, from a small organization to global NGOs, corporate enterprises and governments.

Services provided: you may ask for the browser URL only, for the voting area box(es) to be dispersed at geographical positions of your choice, or for the entire system to be implemented at premises of your choice.

Creative Commons license
i-lection ballot system by Walther H Diechmann is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Based on a work at http://www.alco.dk/i-lection.

Design

Designing a system to handle (essentially an unlimited number of) elections in a secure way confronts one with a number of issues:

  • keeping votes in escrow
  • avoiding any 'peeking' at votes cast
  • securing lines of communication all the way from the voter to the ballot box
  • making sure no device will be able to collect data on the choices made by the individual voter
  • evading hackers and other ill-doers
  • offering the best chances of fighting off forced-hand scenarios
  • building trust in the system
  • designing for a lean structure (first and foremost in developing countries, elections should be implementable in a very cost-effective way)
  • designing for minimal risk of system overload
  • and the killer of all services: downtime

Meeting expectations

Let's start ticking off a few of the issues!

ESCROW

Keeping votes in escrow is not that big an issue. We have to make sure that the ballot box does not provide any means of access except for the ones we cater for, and that those catered for are logged down to the individual keystroke.

That requires a secure room with monitored access only and a *NIX box with no way to attach a keyboard/display and no remote access enabled. If the ballot box does in fact die on us, well, there goes that election! Happily we are able to start another once the box is back up. This way no one need fear data being monitored and/or tampered with on the ballot box during election time.

PEEKING

The previous paragraphs pretty much cover this issue too, and the paragraphs to come will fully cover what might be left of the 'peeking' issue.

SECURE LINES

This issue is one of the corner-stones to online elections!

Our design incorporates 3 tiers: the client, a voting area (box) and the ballot box. Using the Internet all the way around introduces at least 2 lines of communication.

Securing the line between the ballot box and the voting area is the easier of the two. Setting every voting area box up with a known IP address and allowing only traffic from known hosts is one part of the scheme; using SSL is another; and finally all dialogues between the ballot box and the voting area are timed, and each 'packet' is signed with an agreed-upon 2048-bit key that is substituted every N minutes (with N being a number agreed upon by the voting area box and the ballot box by randomizing until both boxes hit a "close enough" number).

That way data-channel break-ins are possible, but given that this technology allows any election to be 'executed' in hours, not days, the window of opportunity for any black hat to get his hands on enough traffic to invalidate more than 1-2 votes at the most is smaller than the probability of a manual count of votes being wrong.
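As an added illustration (not the i-lection project's own code) of the timed, signed packets between the voting area box and the ballot box described above: an HMAC-SHA256 key derived per epoch stands in for the page's agreed-upon 2048-bit key, and the epoch length and timing window are assumed values. A packet is accepted only if its MAC verifies under the current or previous epoch key and its timestamp lies within the window, so stale, replayed or tampered packets are dropped.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the demo. The page's design swaps the key
# every N minutes; here each epoch's key is derived from the long-term secret
# and the epoch number (an assumption, not the project's scheme).
SHARED_SECRET = b"constructed-shared-secret-for-demo"
EPOCH_SECONDS = 300          # N minutes of key validity (assumed 5 minutes)
MAX_SKEW = 30                # seconds a packet may be late and still count


def epoch_key(epoch: int) -> bytes:
    """Per-epoch signing key derived from the shared secret."""
    return hmac.new(SHARED_SECRET, b"epoch:%d" % epoch, hashlib.sha256).digest()


def sign_packet(payload: dict, now: float) -> dict:
    """Sender side: timestamp the payload and sign it with the current epoch key."""
    epoch = int(now // EPOCH_SECONDS)
    body = json.dumps({"payload": payload, "ts": now, "epoch": epoch}, sort_keys=True)
    mac = hmac.new(epoch_key(epoch), body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "mac": mac}


def verify_packet(packet: dict, now: float) -> Optional[dict]:
    """Receiver side: return the payload if the MAC is valid under the current
    or previous epoch key and the timestamp is fresh; otherwise None."""
    try:
        parsed = json.loads(packet["body"])
        epoch, ts = int(parsed["epoch"]), float(parsed["ts"])
    except (KeyError, TypeError, ValueError):
        return None
    current = int(now // EPOCH_SECONDS)
    if epoch not in (current, current - 1):
        return None              # key already rotated out: stale packet
    if abs(now - ts) > MAX_SKEW:
        return None              # outside the timing window: possible replay
    expected = hmac.new(epoch_key(epoch), packet["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, packet.get("mac", "")):
        return None              # tampered body or wrong key
    return parsed["payload"]
```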

Securing the line between the voting area box and the client is a somewhat trickier endeavour, as the client could prove to be a 'black hat'. We expect the line to be compromised, and as such no traffic going either way can exhibit common denominators, i.e. what was a '1' one way will be a '2' the other way. The key to obfuscating all data is an out-of-channel key, forwarded by SMS. That would require a black hat to sit with you during the voting session, and in that scenario we would have to look at another issue instead: force of hand!

NO SPILL OF DATA

Transmission of voting issues is encrypted within ordinary images and thus will only mean anything to the client holding the encryption key, and returning the image will not give away what any voter did in fact choose. Handling the presentation of images in JavaScript allows us to display any given image somewhere else for any user hitting the Back key.

A voter will present his/her token of authentication and receive an out-of-band key with which he/she will be able to see a number of checkboxes or squares to tick off or touch, and each square will have a description explaining to the voter what consequences ticking off this square will have (like voting for a bill, a new member of a board, and what-not).

This workflow is irreversible, meaning that the browser (or actually the JavaScript) clears any data on each POST, and on window.history(-1) a new set of images would be requested (and not granted, as the token has been 'used up').

In the unlikely event that a black hat were able to recreate the session complete with images and tokens, he would still have to guess at which image the voter actually did tick off/touch.
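An added example (not the project's code) of the one-time token and opaque image workflow from the preceding paragraphs: the voting area hands out a token, maps each ballot option to a fresh random image id, accepts the id back exactly once, and refuses both a second request for images and a second POST with the same token. The option texts and the in-memory session store are assumptions.

```python
import secrets
from typing import Optional

# Constructed ballot text for the demo (assumption; the page gives none).
BALLOT_OPTIONS = ["Approve the bill", "Reject the bill", "Abstain"]


class VotingAreaSession:
    """Hypothetical voting-area logic: hand out a one-time token, map each
    option to an opaque image id, accept the id back once, then burn the token."""

    def __init__(self) -> None:
        # token -> {"image_to_option": {image_id: option}, "used": bool}
        self.sessions = {}

    def issue_ballot(self) -> str:
        """Return a fresh token; the option-to-image mapping is created here."""
        token = secrets.token_urlsafe(16)
        # Fresh random ids per session: the same option gets a different id
        # every time, so a captured id says nothing about the choice made.
        image_to_option = {secrets.token_hex(8): opt for opt in BALLOT_OPTIONS}
        self.sessions[token] = {"image_to_option": image_to_option, "used": False}
        return token

    def images_for(self, token: str) -> Optional[list]:
        """Image ids to show for a token, or None once the token is used up
        (the Back-button case: a new set of images is requested, not granted)."""
        session = self.sessions.get(token)
        if session is None or session["used"]:
            return None
        ids = list(session["image_to_option"])
        secrets.SystemRandom().shuffle(ids)   # no positional clue to the option
        return ids

    def cast(self, token: str, image_id: str) -> Optional[str]:
        """Resolve the returned image id to the option chosen; only the voting
        area holds the mapping, and only the first POST with a token counts."""
        session = self.sessions.get(token)
        if session is None or session["used"]:
            return None
        session["used"] = True                 # burn the token on every POST
        return session["image_to_option"].get(image_id)
```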

EVADE HACKERS & ILL-DO'ERS

An online election system would prove to be the ultimate system for hackers and ill-doers to "own", i.e. to have access to and be able to manipulate and alter to their hearts' content!

Evading this minority of 'users' is no easy task, and one is right to argue that open-sourcing the design in no way helps to that end.

We like to think that an open-sourced system will help improve the system more than it will help hackers bring it down.

Brute-force attacks are expected, but implementing "three strikes" (or even a looser "five strikes") lockout strategies will offset the majority of brute-force attacks.

Denial-of-service attacks will always be an issue, but using "tripwires" and other IP-address reconnaissance systems fights DoS attacks effectively, albeit at the cost of rejecting IP-address space available to voters! DoS attacks may, however, saturate the bandwidth of voting areas, which may require cooperation with network providers.

Man-in-the-middle attacks would be possible if the algorithms used to encode voting issues as images are

  • not strong enough
  • open source

But MITM attacks would have to attack two connections simultaneously to be effective: the connection between the voter and a voting area, and the SSL connection between the voting area and the ballot machine.

Impersonations will occur, but implementing this voting system as a "vote collection, transportation and aggregation system" and requiring the voter to vote by appearance will render impersonation issues negligible.

Data tampering: the single greatest risk of the voting system being compromised lies with the ballot machine. Denying access to this machine during the election time window entirely, except from voting areas, will minimize the risk of data tampering.

FORCE OF HAND

Recent tests in Norway stress the importance of allowing voters to vote multiple times (in fact any number of times) within a preset time frame (a month).

The current design does not allow for voters to vote multiple times but this is something to be refactored into the design for sure!

BUILDING TRUST IN THE SYSTEM

Small-scale tests in rural Denmark are not in any way going to build trust in the i-lection Ballot System. This will require a series of large-scale tests with thousands of voters. We are excited to receive inquiries!

DESIGN FOR LEAN STRUCTURE

With a smartphone/web browser, a small number of voting area boxes (web servers) and a few ballot boxes (again a somewhat modified web server), we believe that structure is quite lean!

DESIGN FOR MINIMAL RISK OF SYSTEM OVERLOAD

The infrastructure is testable, and with a test workbench capable of throwing 1,000s of requests per second at the voting area boxes, we believe we can demonstrate the capabilities of the system prior to launching any election!

DOWNTIME = ZERO

Oh, we'd wish for that, but the reality is that any system of scale has too many moving parts to be 100% free of downtime.

There are utility companies providing the electricity. There are telecoms providing the backbone (telephone, cellphone and IP) infrastructure. There are hosting providers providing the 'metal'.

It really comes down to probabilities, with overall availability being the product: power x backbone x metal x software x user

How does the system really work?

It works by splitting the job into 3.

One job is to 'talk' to the voter. That job is managed by the browser.

Another job is to welcome the voter, hand-out the ballot, receive it and bid the voter farewell. That job is managed by the voting area box.

The third job is to 'print' ballots to eligible voters and collect them for safe-keeping until the election is over. That job is managed by the ballot box.

Copyright © ALCO Company 27-03-2017

