Disclaimer: These notes are taken for the CS577 Data Privacy course offered by Dr. Erman Ayday in the 2021/2022 Fall Semester at Bilkent University.
Electronic voting, or e-voting for short, is one of the most controversial topics in privacy. While it offers voters convenience and will increase turnout, especially among younger voters who are more comfortable with technology, it also raises questions about the anonymity and security of ballots. A combination of the different factors described in Table 1 could be used when building a complete e-voting system [1]. The properties of e-voting protocols are the following [2]:
- Eligibility: only legitimate voters can vote, and only once.
- Fairness: no early results can be obtained which could influence the remaining voters.
- Individual verifiability: a voter can verify that her vote was really counted.
- Universal verifiability: the published outcome really is the sum of all the votes.
- Vote-privacy: the fact that a particular voter voted in a particular way is not revealed to anyone.
- Receipt-freeness: a voter does not gain any information (a receipt) which can be used to prove to a coercer that she voted in a certain way.
- Coercion-resistance: a voter cannot cooperate with a coercer to prove to him that she voted in a certain way.
Receipt-freeness is the property of voting protocols that a voter cannot create a receipt that proves how she voted.
Advantages & Disadvantages
Enfranchisement: By definition, enfranchisement means the giving of a right or privilege, especially the right to vote. One of the motivations of e-voting is to increase voter participation.
Over/Undervote Detection: Voters unintentionally skipping contests on a ballot (under-votes) or voting for too many candidates for a contest (overvotes) have been a historic problem. Dedicated or supervised systems for ballot return can provide undervote and overvote detection and provide warning either as part of software running in the voting device, in the server that receives the ballot, or both.
Cost and Staffing: Reducing the staffing levels through automation is an attractive option to localities, as is reducing the cost per voter of conducting the election.
Coordination: If the tasks involved in voting supervision include determining voter eligibility (even including eligibility for a provisional ballot), the election official must be able to make decisions for each of the localities that can be serviced through the voting system. Because states have radically different laws (frequently including that an election official is a resident of the state or even locality of the voter), there may be legal impediments to such consolidation. For dedicated voting systems, localities (or states) must agree on the requirements for the voting equipment.
Software Compatibility: Dedicated voting systems can be specified for hardware compatibility, while non-dedicated voting systems must be able to run correctly on a wide variety of voter computer systems. Both options require more development time than traditional paper ballots, which do not require any voter technology.
Privacy and Accuracy When Casting Ballots: The voter must rely on the software to mark the ballot as instructed. Software bugs or malicious software in the voter’s computer could modify the candidates selected before the ballot is returned, even if the voter examines the ballot on the computer screen.
Privacy of Returned Ballots: Blank ballot systems are equivalent to other absentee ballots, and hence the mechanisms should require minimal changes. Supervised ballot returning systems may not have any voter-specific information associated with the electronic ballot, if the election supervisor prevents access to the voting system except by authorized voters, although correlations may be possible through records kept by local election supervisors. Unsupervised ballot returning systems, whether dedicated or not, require that the voter sends some form of identifying information along with her ballot so that the vote can be adjudicated by the election official upon receipt.
Vulnerabilities: Vulnerabilities in Internet voting systems can occur in three places: the client (the computer used by the voter for casting the ballot), the network (which transmits the blank and/or marked ballots), and the server (where the blank and/or marked ballots are stored).
Fraud/Coercion: Any form of unsupervised voting is subject to fraud and coercion.
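The check described under Over/Undervote Detection above, as an added example that is not part of the original notes: one function that the voting device can run to warn the voter and that the receiving server can run again on the returned ballot. The contest definitions, finding labels and the adjudication policy are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Contest:
    name: str
    candidates: frozenset
    max_selections: int  # "vote for at most N"

def check_ballot(contests, selections):
    """Map each contest name to a list of findings (empty list = clean).

    selections: contest name -> list of chosen candidate names.
    """
    report = {}
    for contest in contests:
        chosen = selections.get(contest.name, [])
        distinct = set(chosen)
        findings = []
        if len(distinct) != len(chosen):
            findings.append("duplicate")
        if distinct - contest.candidates:
            findings.append("unknown-candidate")
        valid = len(distinct & contest.candidates)
        if valid > contest.max_selections:
            findings.append("overvote")
        elif valid < contest.max_selections:
            findings.append("undervote")  # includes a skipped contest
        report[contest.name] = findings
    known = {contest.name for contest in contests}
    for name in sorted(set(selections) - known):
        report[name] = ["unknown-contest"]
    return report

def needs_adjudication(report):
    """Assumed policy: an undervote only warrants a warning; anything else is flagged."""
    return sorted(n for n, f in report.items() if set(f) - {"undervote"})

# Constructed sample data, not from any real election.
CONTESTS = [
    Contest("Mayor", frozenset({"Alice", "Bob"}), 1),
    Contest("Council", frozenset({"Carol", "Dana", "Eve"}), 2),
    Contest("Measure A", frozenset({"Yes", "No"}), 1),
]
SAMPLE_BALLOT = {"Mayor": ["Alice", "Bob"], "Council": ["Dana"]}

if __name__ == "__main__":
    report = check_ballot(CONTESTS, SAMPLE_BALLOT)
    for name, findings in report.items():
        print(name, findings or "ok")
    print("flagged:", needs_adjudication(report))
```

Repeating the check on the server matters because, as noted under Privacy and Accuracy When Casting Ballots, software on the voter's computer could change the selections before the ballot is returned.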
[1] J. Epstein, “Internet voting, security, and privacy,” Wm. & Mary Bill Rts. J., vol. 19, p. 885, 2010.
[2] S. Delaune, S. Kremer, and M. Ryan, “Verifying privacy-type properties of electronic voting protocols: A taster,” in Towards trustworthy elections, Springer, 2010, pp. 289–309.
Further Reading:
Delaune, Stéphanie, Steve Kremer, and Mark Ryan. "Coercion-resistance and receipt-freeness in electronic voting." 19th IEEE Computer Security Foundations Workshop (CSFW'06). IEEE, 2006.