Friday, June 19, 2015

Learning about the Du-Vote internet voting system

Proponents of Internet-based voting systems for official government elections continue to gain support in countries all around the world. Considering that so much of our daily lives is conducted online, including online banking and secure business transactions, it only makes sense that many voters would want to have the same level of convenience and security when exercising their democratic right to vote.

When voting in person at an official polling station, voters are typically asked to authenticate their identity in some form. They are also checked against the official electoral roll of registered voters. Since this involves some necessary interaction with an election official, the public perception is that this kind of voter identification is more safe and secure. By contrast, a person who uses Internet voting can cast his or her ballot from the privacy and convenience of the home, workplace, or even from a mobile device. Who is there to verify the identity of the voter?

While the I-voting system of Estonia continues to lead the way with its infrastructure of validated citizen identification cards, a different system is being developed by researchers from the University of Birmingham in the United Kingdom. This system, dubbed Du-Vote, borrows much of its inspiration from the secure infrastructure and controls used by online banking.

One of the major concerns cited by critics and detractors of Internet voting is that election officials have no real way of validating the hardware on which the voter casts his or her ballot. This is stark contrast to the level of control an electoral commission would have over the development, deployment and use of electronic voting machines at traditional polling places. The machines belong to (or are being rented by) the electoral officials. With Internet voting, the citizen casts his or her ballot from a personal device, like a computer, tablet or possibly even a smartphone.

The Du-Vote system overcomes this concern by using independent hardware devices that are then connected to the end user's computer. Lead researcher Professor Mark Ryan explains that the system uses a “credit card-sized device similar to those used in online banking... you receive a code on the device and type it back into the computer.”

How is this advantageous? The credit card-sized device is fully controlled and vetted by election officials. It is made to be as secure, private and confidential as possible, just like with online banking. The security device is independent, so even if the home or work computer of the voter has been compromised with viruses and other security threats, the legitimacy and integrity of the security device is maintained. And because the security device is so much more specific in its purpose, it is far less susceptible to being compromised.

Many people may be concerned about the security of Internet-based voting and these issues are clearly worthy of debate. Even so, online voting could have the somewhat paradoxical effect of better securing elections than their more traditional paradigms and, at the same time, it could help to encourage greater voter turnout too.

The Du-Vote system has only been under development for two-and-a-half years and the researchers say they need further testing before the system can be suitably deployed. Current estimates are that it may be ready in time for the 2025 general election in the United Kingdom. That's in line with the more optimistic view of SRI International senior computer scientist Jeremy Epstein. He states that secure e-voting is at least 10 years away, but his more conservative estimate is more like 20 to 30 years. He calls for two-factor authentication, for instance, among other concerns.

More on the Du-Vote system will be presented next month at the 28th IEEE Computer Security Foundations Symposium in Verona, Italy.