Most elections are still held in a rather old-fashioned way: eligible voters enter a designated premise (usually a large room with a number of secluded, phone-booth-sized cubicles spread across the middle of the room), present some token of authorization (a card made for the occasion, a personal ID card or another form of identification), are handed a ballot and are directed to one of the cubicles. There they cast their vote by marking the ballot in designated areas with a pen, a thumbprint or some other device. Finally they emerge from the cubicle and insert the ballot into a securely sealed ballot box. This box is emptied by election officials, and the results are then wired to wherever the consolidated results are being collected.
- The physical area is easily secured and monitored
- Voters are (depending on the kind of authorization chosen) easily authorized
- Votes are easily counted (and recounted)
- The cost of renting voting areas and feeding (or paying an hourly fee to) election officials limits the number of elections that can be held once the population exceeds just a few thousand
- Logistics likewise limit the number of elections
- Voters are more easily deterred, knowing that they may have to run a gauntlet of opponents on the way in
- Voters are more easily kept from voting (by limiting the number of ballot boxes/voting areas and/or narrowing the window of opportunity)
In a perfect world any person of any age would be able to share his or her view on any issue in a kind of consolidated 'state of opinion'. If every individual held a rational, homogeneous view morally, ethically, socially and religiously, elections could perhaps be narrowed to one person voicing an opinion. That is Utopia. Still, with a consolidated 'state of opinion' a population would collectively be able to decide an issue according to its majority.
TL;DR: the i-lection Ballot System (iBS) provides a secure voting platform for elections. All you bring is a fixed IP address (from your Internet service provider) and a secure location for installing the ballot server.
Target customers: any population with a demand for secure, cost-effective voting, from a small organization to global NGOs, corporate enterprises and governments.
Services provided: you may ask for the browser URL only, for the voting area box(es) to be placed at geographical positions of your choice, or for the entire system to be installed at premises of your choice.
The i-lection ballot system by Walther H Diechmann is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.
Based on a work at http://www.alco.dk/i-lection.
Designing a system that handles an essentially unlimited number of elections securely confronts one with a number of issues.
Let's start by ticking off a few of them.
Keeping votes in escrow is not that big an issue. We have to make sure that the ballot box offers no means of access except those we cater for, and that every access we do cater for is logged down to the individual keystroke.
That requires a secure room with monitored access only and a *NIX box with no way to attach a keyboard or display and no remote access enabled. If the ballot box does in fact die on us, well, there goes that election; happily we are able to start another once the box is back up. This way no one need fear data being monitored and/or tampered with on the ballot box during election time.
The previous paragraphs pretty much cover this issue too, and the paragraphs to come will cover what might be left of the 'peeking' issues.
This issue is one of the cornerstones of online elections!
Our design incorporates three tiers: the client, a voting area (box) and the ballot box. Using the Internet all the way around introduces at least two lines of communication.
Securing the line between the ballot box and the voting area is the easier of the two. Setting every voting area box up with a known IP address and allowing only traffic from known hosts is one part of the scheme; using SSL/TLS is another; and finally all dialogues between the ballot box and the voting area are timestamped and each 'packet' is signed with an agreed-upon 2048-bit key that is replaced every N minutes (with N being a number the voting area box and the ballot box agree on by randomizing until both hit a 'close enough' value). Note that TLS with client certificates on both boxes already authenticates the channel itself; the per-packet signature and timestamp are an additional application-level check on top of it.
That way break-ins on the data channel remain possible, but given that this technology lets any election be executed in hours rather than days, the window of opportunity for a black hat to get hold of enough traffic to invalidate more than one or two votes is smaller than the probability of a manual count being wrong.
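As an added example (not i-lection's own code), here is one way to realise the timestamped, signed packets between a voting area box and the ballot box described above. Two underspecified pieces of the description are replaced with standard choices and named as such: the per-interval key is derived from a long-term secret shared by the two boxes and from the clock interval with HMAC-SHA256, so no "randomize until close enough" negotiation is needed, and packets are authenticated with an HMAC tag under that 256-bit key rather than the 2048-bit key mentioned on the page. The shared secret, the host allowlist, the ten-minute rotation, the 30-second freshness limit and the sample packets are all constructed for this example.

```python
import hashlib
import hmac
import json
import time

ROTATION_SECONDS = 10 * 60    # "N minutes" between key changes (assumed: 10)
MAX_AGE_SECONDS = 30          # a packet older than this is refused as stale

# Assumed: a long-term secret installed on both boxes when the voting area
# box is set up. A constant here; in practice it lives in a file that only
# the service account can read.
SHARED_SECRET = b"example-long-term-secret-installed-on-both-boxes"


def interval_key(shared_secret, timestamp):
    """Key for the rotation interval that contains `timestamp`.
    Both boxes derive it from the clock, so nothing has to be negotiated."""
    interval = int(timestamp // ROTATION_SECONDS)
    return hmac.new(shared_secret, b"iBS-interval|%d" % interval, hashlib.sha256).digest()


def canonical(body):
    """Stable byte encoding of the packet body, so both sides tag the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_packet(shared_secret, sender, seq, payload, now=None):
    """Voting area side: wrap a payload with sender, sequence number and
    timestamp, and tag it with the key of the current interval."""
    now = time.time() if now is None else now
    body = {"from": sender, "seq": seq, "ts": int(now), "payload": payload}
    tag = hmac.new(interval_key(shared_secret, body["ts"]), canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class BallotBox:
    """Ballot box side: accepts packets only from allow-listed hosts and only
    when fresh, correctly tagged and not replayed."""

    def __init__(self, shared_secret, allowed_hosts):
        self.secret = shared_secret
        self.allowed = set(allowed_hosts)
        self.last_seq = {}      # sender -> highest sequence number accepted

    def verify(self, packet, source_ip, now=None):
        now = time.time() if now is None else now
        if source_ip not in self.allowed:
            return False, "unknown host"
        body, tag = packet["body"], packet["tag"]
        if abs(now - body["ts"]) > MAX_AGE_SECONDS:
            return False, "stale"
        expected = hmac.new(interval_key(self.secret, body["ts"]), canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad signature"
        sender = body["from"]
        if body["seq"] <= self.last_seq.get(sender, -1):
            return False, "replay"
        self.last_seq[sender] = body["seq"]
        return True, "ok"


def run_demo():
    """Constructed exchange: one good packet, then a replay, a tampered copy,
    a stale packet and one from an unknown host. Returns the verdicts."""
    box = BallotBox(SHARED_SECRET, allowed_hosts={"198.51.100.10"})
    t0 = 1_700_000_000
    good = sign_packet(SHARED_SECRET, "area-1", 1, {"ballot": "b7", "choice": "x3"}, now=t0)
    verdicts = {"good": box.verify(good, "198.51.100.10", now=t0 + 5)}
    verdicts["replay"] = box.verify(good, "198.51.100.10", now=t0 + 6)
    tampered = {"body": dict(good["body"], payload={"ballot": "b7", "choice": "x1"}, seq=2),
                "tag": good["tag"]}
    verdicts["tampered"] = box.verify(tampered, "198.51.100.10", now=t0 + 6)
    late = sign_packet(SHARED_SECRET, "area-1", 2, {"ballot": "b8"}, now=t0)
    verdicts["stale"] = box.verify(late, "198.51.100.10", now=t0 + 600)
    verdicts["unknown host"] = box.verify(good, "203.0.113.7", now=t0 + 5)
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print("%-13s -> %s" % (name, verdict))
```

The freshness limit is what bounds the "window of opportunity" argued above: a captured packet is worthless once it is older than MAX_AGE_SECONDS, and the per-sender sequence number stops a replay inside that window. The clocks of the two boxes must agree to within the freshness limit, which is a reasonable demand for two fixed-IP machines that can use NTP.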
Securing the line between the voting area box and the client is a somewhat trickier endeavour, as the client could itself prove to be a 'black hat'. We expect the line to be compromised, and so traffic in the two directions must not exhibit common denominators: what was a '1' one way will be a '2' the other way. The key used to obfuscate all data is an out-of-band key, forwarded by SMS. That would require a black hat to sit with you during the voting session, and in that scenario we would have to look at another issue instead: force of hand (coercion).
A voter presents his or her token of authentication and receives an out-of-band key, with which he or she is able to see a number of checkboxes or squares to tick off or touch. Each square carries a description explaining to the voter what consequences ticking off that square will have (such as voting for a bill, for a new member of a board, and so on).
In the unlikely event that a black hat were able to recreate the session complete with images and tokens, he would still have to guess which image the voter actually ticked off or touched.
An online election system would be the ultimate system for hackers and ill-doers to 'own', i.e. to have access to and be able to manipulate and alter to their hearts' content!
Fending off this minority of 'users' is no easy task, and one is right to argue that open-sourcing the design in itself offers no help to that end.
We like to think that an open-sourced system will help improve the system more than it will help hackers bring it down.
Brute-force attacks are expected, but implementing 'strike-three' (or even a looser strike-five) lockout strategies will fend off the majority of them. A lockout must be bound to the voter's token and be time-limited, or it becomes a way to lock legitimate voters out.
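The following is an added example, not i-lection's own code, covering two passages at once: the voter-facing session described earlier (token, out-of-band key, squares to touch, and the point that an observer of the web connection alone still has to guess which square was touched) and the strike-three rule in the paragraph above. It assumes a 6-digit out-of-band key that would leave by SMS (here it is simply returned, since the example runs offline), a browser that sends the touched square back as a code keyed by that key rather than as its bare position, and a 15-minute lockout after three wrong keys. The class and function names (VotingArea, encode_choice, run_demo), the constants and the sample ballot are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import time

MAX_STRIKES = 3             # "strike-three"; set to 5 for the looser variant
LOCKOUT_SECONDS = 15 * 60   # assumed: how long a token stays locked


def encode_choice(oob_key, session_id, position):
    """Browser side: the touched square's position becomes a code keyed by the
    out-of-band key, so the web connection never carries the bare position.
    The same position yields a different code in another session."""
    msg = "%s|%d" % (session_id, position)
    return hmac.new(oob_key.encode(), msg.encode(), hashlib.sha256).hexdigest()[:16]


class VotingArea:
    """One voting area box serving a single-issue ballot."""

    def __init__(self, squares):
        self.squares = list(squares)    # descriptions shown beside each square
        self.sessions = {}              # token -> session state

    def start_session(self, token, now=None):
        """Voter presents a token (assumed already approved by the ballot box).
        Returns (session_id, oob_key); the key must reach the voter by another
        channel, e.g. SMS, never over the web connection itself."""
        now = time.time() if now is None else now
        previous = self.sessions.get(token)
        if previous and previous["locked_until"] > now:
            raise PermissionError("token locked after repeated wrong keys")
        state = {
            "session_id": secrets.token_hex(8),
            "oob_key": "%06d" % secrets.randbelow(10 ** 6),
            # strikes survive a restarted session unless a lockout has run its course
            "strikes": previous["strikes"] if previous and not previous["locked_until"] else 0,
            "locked_until": 0.0,
        }
        self.sessions[token] = state
        return state["session_id"], state["oob_key"]

    def present_ballot(self, token, oob_key, now=None):
        """Check the key the voter typed in; a wrong key is a strike and the
        third strike locks the token. A right key returns the squares."""
        now = time.time() if now is None else now
        state = self.sessions[token]
        if state["locked_until"] > now:
            raise PermissionError("token locked")
        if not hmac.compare_digest(oob_key, state["oob_key"]):
            state["strikes"] += 1
            if state["strikes"] >= MAX_STRIKES:
                state["locked_until"] = now + LOCKOUT_SECONDS
            raise PermissionError("wrong key, strike %d" % state["strikes"])
        state["strikes"] = 0
        return list(enumerate(self.squares))   # (position, description) pairs

    def receive_ballot(self, token, choice_code):
        """Recover the square by recomputing the code for every position. The
        session is consumed on success, so a captured code is useless later."""
        state = self.sessions[token]
        for position in range(len(self.squares)):
            expected = encode_choice(state["oob_key"], state["session_id"], position)
            if hmac.compare_digest(expected, choice_code):
                del self.sessions[token]
                return self.squares[position]
        raise ValueError("code matches no square")


def run_demo():
    """Constructed session: three wrong keys lock the token, the lock expires,
    the right key shows the ballot, a bogus code is rejected and the keyed
    code for position 1 maps back to 'No'."""
    area = VotingArea(["Yes", "No", "Abstain"])
    t0 = 1000.0
    session_id, key = area.start_session("token-42", now=t0)
    wrong = "000000" if key != "000000" else "999999"
    strikes = 0
    for _ in range(MAX_STRIKES):
        try:
            area.present_ballot("token-42", wrong, now=t0)
        except PermissionError:
            strikes += 1
    try:
        area.present_ballot("token-42", key, now=t0 + 1)   # right key, but locked
        locked = False
    except PermissionError:
        locked = True
    squares = area.present_ballot("token-42", key, now=t0 + LOCKOUT_SECONDS + 1)
    try:
        area.receive_ballot("token-42", "0" * 16)          # not a code for any square
        bogus_rejected = False
    except ValueError:
        bogus_rejected = True
    code = encode_choice(key, session_id, 1)               # the browser sends this, not "1"
    vote = area.receive_ballot("token-42", code)
    return {"strikes": strikes, "locked": locked, "squares": len(squares),
            "bogus_rejected": bogus_rejected, "vote": vote,
            "session_gone": "token-42" not in area.sessions}


if __name__ == "__main__":
    print(run_demo())
```

With three squares an observer of the web connection who lacks the out-of-band key is left with exactly the one-in-three guess the page describes; the session id in the code is what stops a code captured in one session from being meaningful in another.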
Denial-of-service attacks will always be an issue, but 'tripwires' and other IP-address reconnaissance systems do fight DoS attacks effectively, albeit at the cost of rejecting IP-address space that legitimate voters may also be using! DoS attacks may, however, saturate the bandwidth of voting areas, which may require cooperation with network providers.
Man In The Middle attacks would be possible if the algorithms used to encode voting issues as images are
But MITM attacks would have to hit two connections simultaneously to be effective: the connection between the voter and a voting area, and the SSL connection between the voting area and the ballot machine.
Impersonation will occur, but implementing this voting system as a 'vote collection, transportation and aggregation system' and requiring the voter to vote in person, by appearance at a voting area, renders impersonation issues negligible.
Data tampering
The single greatest risk of the voting system being compromised lies with the ballot machine. Denying all access to this machine during the election time window, except from the voting areas, minimizes the risk of data tampering.
Recent tests in Norway stress the importance of allowing voters to vote multiple times (in fact any number of times) within a preset time frame (a month).
The current design does not allow voters to vote multiple times, but this is something to be refactored into the design for sure!
Small-scale tests in rural Denmark are not in any way going to build trust in the i-lection Ballot System. That will require a series of large-scale tests with thousands of voters. We are excited to receive inquiries!
With a smartphone/web browser, a small number of voting area boxes (web servers) and a few ballot boxes (again somewhat modified web servers), we believe the structure is quite lean!
The infrastructure is testable, and with a test workbench capable of throwing thousands of requests per second at the voting area boxes, we believe we can demonstrate the capabilities of the system prior to launching any election!
Oh, we would wish for that, but the reality is that any system of scale has too many moving parts to be 100% free of downtime.
There are utility companies providing the electricity. There are telecoms providing the backbone (telephone, cellphone and IP) infrastructure. There are hosting providers providing the 'metal'.
It really comes down to probabilities: the availability of the whole is the product of the availabilities of its parts, power x backbone x metal x software x user, so every additional part can only lower it.
It works by splitting the job into three.
One job is to 'talk' to the voter. That job is handled by the browser.
Another job is to welcome the voter, hand out the ballot, receive it back and bid the voter farewell. That job is handled by the voting area box.
The third job is to 'print' ballots for eligible voters and collect them for safe-keeping until the election is over. That job is handled by the ballot box.