The potential extent of a DoS attack can be seen in the DNS, which is known to be vulnerable to many attacks. The Internet's root zone is served by only thirteen root server identities. In 2002, a DoS attack successfully targeted the root servers and caused downtime and degraded service on some of them. On the other hand, operators can mirror (replicate) their DNS servers, so that even if one server is down, users can still resolve the website's name through a mirror.

The effect of such an attack is that voters would be unable to reach the voting website by its domain name, so only those voters who knew the IP address of the voting server could still vote. Another type of attack is DNS spoofing, in which a forged response replaces the real IP address with a fake one; this is regarded as a difficult attack to mount. Using DNSSEC (RFC 2535 and 2931; RFC 2535 has since been superseded by RFCs 4033 to 4035) could overcome this problem, and the use of digital certificates could also distinguish real websites from fake ones.

C. Router attacks

Internet routers are vulnerable to several attacks while forwarding IP packets across the Internet to the voting server. A DoS attack on IP routers could prevent a whole region from reaching the voting server; however, this would have low impact in most cases, since the routing protocols (such as BGP) would re-route packets along an alternative path to the voting server.

D. No post-auditing

In paper-based voting, the secrecy of the vote is guaranteed by physical protection, whereas in I-voting secrecy is susceptible to being broken by hackers. Therefore, in I-voting, secrecy should be ensured during the whole election process: no party should be able to observe individual votes or manipulate them. Furthermore, the registration and authentication process should be defined clearly so that only eligible people can vote, and can vote only once; for secrecy, voters should not be able to prove to anyone else how they voted (Soder, 2002, pp.67-128). However, voters should be able to verify that their vote was cast, for example through a printout carrying a unique, randomly generated serial number. Kohono et al. (2004) describe a receipt that shows the chosen candidate together with the voter's unique signature; this assists in auditing the ballot results and in preventing insider attacks, but a receipt that reveals the choice is in tension with the secrecy requirement above. Some argue that such verification could reduce the risk of intimidation and vote selling. However, vote selling is a common abuse that is difficult to control in any voting system (Anttiroiko, 2003).

Although electoral provisions should ensure the secrecy of the vote, it is difficult to ensure that there is no external influence on it (Notton et al., 2008, pp.581-584). This risk is also high in I-voting systems. Therefore secrecy has to be grounded in a democratic philosophy for the election. To reduce the threat, the encryption and authentication processes should allow only authorised persons to cast a vote, which is then encrypted; subsequently, when gathering the ballot results, only authorised persons should be allowed to obtain them in decrypted form, and only after the voting period ends (which implies that partial results must not be observable during the election). Hence, in order to ensure secrecy in I-voting, the technology used to control the votes must be practicable (Lazou and Papatsoris, 2000).

Chapter 3: Literature Review and Current Systems Review

3.4.3.1.5 Insider attacks

This threat is considered low risk if the election committee uses best-practice methods to protect the servers from insiders. Possible measures are: (1) sealed servers, so that no unauthorised physical backup of, or access to, the equipment is possible; (2) physical access control to prevent unauthorised entry; (3) allowing a trusted third party to observe the election; and (4) hardening access to the server with threshold encryption. Threshold encryption strengthens the I-voting process by reducing the chance that a single unauthorised person can gain access to confidential information, since the private key is split among several parties and can only be reconstructed when a quorum of them cooperate, rather than being held by one person (Boneh et al., 2005).
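The key-splitting step behind measure (4), as an added example that is not code from the thesis or from Boneh et al. (2005). It implements Shamir (t, n) secret sharing: the election decryption key is the constant term of a random polynomial over a prime field, each trustee holds one point on the curve, and any t points reconstruct the key by Lagrange interpolation. Assumptions made here: the key is an integer below 2**256, the field modulus is P = 2**256 - 189 (a known prime), and trustees are numbered 1..n. A full threshold decryption scheme would let t trustees decrypt without ever rebuilding the key; this example shows the simpler step the text describes, reconstructing the key from a quorum of shares.

```python
"""(t, n) threshold custody of an election decryption key via Shamir
secret sharing.

Added example; not code from the thesis or from Boneh et al.  Assumptions:
the tally key is an integer below 2**256, shares are computed in the prime
field GF(P) with P = 2**256 - 189 (a known prime larger than any such key),
and trustees are numbered 1..n.
"""
import secrets

P = 2**256 - 189  # prime modulus; assumption for this example


def _eval_poly(coeffs, x):
    """Evaluate c0 + c1*x + c2*x^2 + ... mod P using Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, t, n):
    """Return n shares (x, y); any t of them reconstruct `secret`.

    The secret is the constant term of a random polynomial of degree t-1,
    so t-1 shares reveal nothing: every candidate secret is equally
    consistent with them.
    """
    if not 1 <= t <= n:
        raise ValueError("need 1 <= t <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must lie in [0, P)")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def reconstruct_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares.

    With fewer than t shares the result is an unrelated field element and
    the caller cannot tell, so the quorum size must be enforced by policy
    (e.g. the tally ceremony refuses to start with fewer than t trustees).
    """
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P          # product of (0 - xj)
                den = den * (xi - xj) % P      # product of (xi - xj)
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


def demo():
    """Split a sample tally key 3-of-5; rebuild from a quorum and from below it.

    Returns (quorum_recovers_key, two_shares_recover_key): expected (True, False).
    """
    tally_key = secrets.randbelow(P)
    shares = split_secret(tally_key, t=3, n=5)
    quorum = [shares[0], shares[2], shares[4]]      # trustees 1, 3 and 5
    return (reconstruct_secret(quorum) == tally_key,
            reconstruct_secret(shares[:2]) == tally_key)


if __name__ == "__main__":
    print(demo())
```

Each trustee's share should be generated and delivered inside the sealed environment of measures (1) and (2), and the interpolation should be run only on an air-gapped tally machine after the voting period closes; the code above does nothing to authenticate shares, so a trustee who submits a corrupted share silently corrupts the recovered key, which is one reason production schemes add verifiable secret sharing on top.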

In conclusion, this section indicates that the greatest threat is a DoS attack on the voting server that cuts it off from the Internet; no fully effective protection mechanism against this is known, although good practice can reduce the likelihood of such an attack. Also, the use of a vote receipt that does not reveal the voter's choice would help in preventing some of the attacks described above. The client machine could act as a DRE (Direct Recording Electronic) device to limit the impact of the voting server being down during a DoS attack, although this is not likely to be effective because the client machine itself is unreliable (Internet Policy Institute, 2001).

According to Xianju et al. (2000), some of the good-practice measures against DoS attacks are as follows:

1. Filter all packets entering and leaving the network to prevent attacks from neighbouring networks: “This measure requires installing ingress and egress packet filters on all routers” (Xianju et al., 2000). Ingress filters drop incoming packets whose source address is evidently forged (for example, one claiming to come from inside the network itself), and egress filters drop outgoing packets whose source address does not belong to the network.

2. Keep the machines, above all the voting server, up to date with the latest security patches and techniques to resist, for example, a SYN flood attack: increase the size of the connection queue, decrease the time-out for the three-way handshake, and employ vendor software patches (such as SYN cookies) to detect and circumvent the problem.

3. Disable IP directed broadcast so that the network cannot be used as an amplifier in ICMP flood and Smurf attacks. To prevent this attack fully, all neighbouring networks also need to disable IP broadcasting.

4. Disable unused network services to reduce the attack surface and prevent tampering.

5. Monitor traffic patterns on the network so that it is clear when the system is under attack, enabling protective measures to be taken.

The above points help to reduce the impact of a DoS attack on the I-voting process. It would, therefore, be important to follow this best-practice advice in any proposed I-voting system.
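Points 1 and 5 above in working form, as an added example that is not code from the thesis or from Xianju et al. (2000). The first function is the ingress/egress (anti-spoofing) decision a border router would apply; the second counts half-open connection attempts per destination port over a set of packet records and raises an alert when they exceed a threshold, which is the traffic pattern a SYN flood leaves behind. Assumptions: the election site owns the prefix 203.0.113.0/24, the voting server is 203.0.113.10 on port 443, and packets are represented as simple dictionaries; all traffic in `sample_packets()` is constructed for the example, not captured.

```python
"""Ingress/egress source filtering and SYN-flood monitoring over constructed
packet records.

Added example; not code from the thesis or from Xianju et al.  Assumptions:
the election site owns 203.0.113.0/24 (a documentation range), the voting
server is 203.0.113.10:443, and a packet is a dict with direction, src,
dst, dport and TCP flags.  All traffic below is constructed, not captured.
"""
import ipaddress
from collections import Counter, defaultdict

SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")   # assumption
SERVER = "203.0.113.10"                                 # assumption
# Source addresses that never legitimately arrive from the Internet.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def filter_decision(direction, src):
    """Anti-spoofing rule for one packet (point 1).

    ingress: drop if the source claims to be inside our own prefix or is a
             bogon; both are forged and typical of flood traffic.
    egress:  drop unless the source is inside our prefix, so a compromised
             internal host cannot emit spoofed floods or act as a reflector.
    """
    ip = ipaddress.ip_address(src)
    if direction == "ingress":
        forged = ip in SITE_PREFIX or any(ip in b for b in BOGON_PREFIXES)
        return "drop" if forged else "accept"
    if direction == "egress":
        return "accept" if ip in SITE_PREFIX else "drop"
    raise ValueError(f"unknown direction {direction!r}")


def apply_filters(packets):
    """Split packets into (accepted, dropped) lists using filter_decision."""
    accepted, dropped = [], []
    for pkt in packets:
        target = accepted if filter_decision(pkt["direction"], pkt["src"]) == "accept" else dropped
        target.append(pkt)
    return accepted, dropped


def detect_syn_flood(packets, threshold=50):
    """Flag (dst, dport) pairs with many half-open connection attempts (point 5).

    A SYN with no later ACK towards the same port is counted as half-open;
    a burst of these against one port is the signature of a SYN flood.
    Returns {(dst, dport): {"half_open": n, "distinct_sources": m}}.
    """
    syns, acks = Counter(), Counter()
    sources = defaultdict(set)
    for pkt in packets:
        if pkt["direction"] != "ingress":
            continue
        key = (pkt["dst"], pkt["dport"])
        if pkt["flags"] == "S":
            syns[key] += 1
            sources[key].add(pkt["src"])
        elif pkt["flags"] == "A":
            acks[key] += 1
    alerts = {}
    for key, n_syn in syns.items():
        half_open = max(0, n_syn - acks[key])
        if half_open >= threshold:
            alerts[key] = {"half_open": half_open,
                           "distinct_sources": len(sources[key])}
    return alerts


def sample_packets():
    """Constructed traffic: 5 honest clients, 80 spoofed-but-routable SYNs,
    and 15 SYNs forged with addresses the ingress filter must drop."""
    def pkt(src, flags):
        return {"direction": "ingress", "src": src, "dst": SERVER,
                "dport": 443, "flags": flags}
    pkts = []
    for i in range(1, 6):                      # handshakes that complete
        pkts += [pkt(f"198.51.100.{i}", "S"), pkt(f"198.51.100.{i}", "A")]
    for i in range(1, 81):                     # flood: SYN only, never an ACK
        pkts.append(pkt(f"192.0.2.{i}", "S"))
    for i in range(100, 110):                  # forged with our own prefix
        pkts.append(pkt(f"203.0.113.{i}", "S"))
    for i in range(5):                         # forged with RFC 1918 space
        pkts.append(pkt(f"10.0.{i}.7", "S"))
    return pkts


if __name__ == "__main__":
    accepted, dropped = apply_filters(sample_packets())
    print(f"dropped at the border: {len(dropped)}")
    print(detect_syn_flood(accepted))
```

Note what the filter does and does not achieve: the 15 packets forged with internal or private source addresses are dropped at the border, but the 80 SYNs with random public source addresses pass, because nothing in the packet proves them forged. Ingress filtering therefore limits the attack rather than stopping it, which is why point 2 (a larger backlog, shorter handshake time-outs, SYN cookies) and the monitoring in point 5 are needed alongside it.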


3.4.4 Other implications

There are many other implications of the I-voting system, other than the risks associated with client, Internet and server-side. The following are other issues which might arise in I-voting.

3.4.4.1 Legal issues

Since I-voting was first considered, several writers have contributed views on the legal viability of the idea. According to Carley (2008), election issues are in every way legal issues, and any breach of electoral law, however slight, renders the election null. This claim is, however, challenged by the fact that there have been cases of breaches of electoral law without nullification of the results (Carley, 2008). In other words, it may be possible, in some cases, to manipulate results regardless of the existence of electoral laws and get away with it. According to Strassman (1999), the traditional way of doing things, including voting and elections, has been greatly challenged by the advent of the Internet. He further says that the delays in implementing technological change in the area of voting are actually due to the legal issues surrounding it. Thornburgh and Celeste (2006), Rubin (2006) and Niemi (2008) seem to agree that four main areas present the greatest concern: privacy, security, availability and authentication. Additionally, policy and logistics have been identified as needing to be addressed before I-voting can be considered a success (Schaffer, 2008). Some legal experts (Strassman, 1999; Friel, 2006; Gritzalis, 2006) have advanced the view that these two are actually more difficult to handle than the other four combined. In some parts of the world, large steps have already been made towards an Internet-based voting system. A classic example is the first trial held in New Zealand, where over 21,000 people participated in voting for shadow representatives over the Internet (Niemi, 2008). Notably, because of the security concerns surrounding this activity, hackers were invited to try to break into the system in order to help identify the possible threats.

As indicated, the laws of every country across the world set a particular standard within which voting can and must be done. The four areas discussed form the basis of any voting system and constitute the major barriers that must be overcome before I-voting in any part of the world can actually be realised (Alkhelaifi et al., 2009).

Generally, the legal requirement is that privacy be accorded to every citizen during the voting process, so that voters have the opportunity to exercise their conscience ‘behind the curtain’, so to speak (Mehdi, 2001). The aim in this case is to eliminate any possibility of manipulation or coercion from interested quarters and this is done through maintenance of voter anonymity. For Metz (1996), the legal determination of privacy is that no-one should be in a position to identify a vote with a particular person and that the voters themselves should be unable to prove that their vote was cast in a particular way. However, it seems that this can only be possible in countries with a mature democracy. The challenge in this case is that anything that is done through the Internet, including voting, cannot be fully guaranteed to be free of interference (Metz, 1996). This can however be addressed by an automatic authentication and validation system which allows for automatic encryption of information to ensure that no interference is possible (Mehdi, 2001).

The security of an electoral system seeks to ensure that only voters who are eligible can actually participate. However, the Internet does not always accord the highest level of security needed (Metz, 1996). According to Gritzalis (2006), there are, therefore, possibilities of threats such as sabotage, for instance through Trojan horse software that is highly sophisticated to the point that it could actually divert the votes or change them, while viruses can be created to cause crashes of the computerised voting systems, creating a possible legal crisis, even acting as serious challenges to democracies around the world. According to Thornburgh and Celeste (2006), for a vote cast through the Internet to be valid, it must necessarily satisfy three criteria. First, it should be free from any possible alteration. Secondly, it should be impossible for anyone to eliminate a validated vote from the final tally. Finally, invalidated votes should be automatically excluded from that final tally.

For an I-voting system to be generally accepted, people's uncertainties regarding the authentication of votes cast through the Internet must be addressed. It should be possible to identify a vote as being a real one (Glass, 1999). However, this is not an easy task, considering that computer systems are designed by human beings and as such are open to manipulation (Rubin, 2006).

Another major barrier that makes I-voting a challenging affair is availability. The technological infrastructure needed for this undertaking is still largely unavailable, yet everyone should have reasonable access to Internet services in order to vote (Thornburgh and Celeste, 2006).

Californian laws on I-voting offer a classic example of what can be considered a model I-voting system. There are a number of legal requirements that must be fulfilled before any individual can be allowed to vote through the Internet. For instance, voters are required to make a request in writing every time they wish to vote, and it is illegal to request both an I-vote and an absentee vote (Mehdi, 2001). The system of voter authorisation must be designed so that it is possible to link the vote cast to the voters' register for verification. Each voter must be issued with an authentication code combined with his or her PIN in order to authenticate. Additionally, any form of advertising is disallowed on the I-voting system screens. The system should allow easy navigation while preventing any case of over-voting (Mehdi, 2001). Generally speaking, the features of the I-voting system borrow heavily from the absentee ballot system, which makes voters' trust in the system possible. The Internet voting laws of the State of California can therefore be considered a model not only for California, but for other countries as well (Mehdi, 2001).

The current electoral law, namely the absentee ballot system, has gained acceptance over time, perhaps because of its features that guarantee free and fair voting (Gritzalis, 2006). In other words, the issues discussed here as constituting the challenges of I-voting have already been addressed by the current legal system. The new system must therefore take an approach that is evolutionary rather than revolutionary. This will enable it to learn from the existing laws and avoid creating vacuums in the voting process. Therefore, if the shift is to be successful, it ought to be gradual, but all the principles of the absentee ballot system must be applied, and perhaps improved, in the new system (Gritzalis, 2006).

Bringing e-transaction laws into force in Qatar was meant to open up previously unexploited possibilities. The structure and principles of these new laws have a lot to offer to the debate on the possibility of an I-voting system (Alkhelaifi et al., 2009). It is important to understand what these laws require in order to assess whether they can actually address the challenges of I-voting. These laws can be applied successfully to I-voting, because they address most of the challenges discussed earlier. For instance, the integrity of transmitted and stored data, digital signatures and their certification, consumer protection and, more importantly, the offences and penalties applicable to defaulters can all be addressed (Alkhelaifi et al., 2009). These provisions are of great significance for the prospects of I-voting and, if used, can make it possible to vote through the Internet without raising the current challenging questions (Alkhelaifi et al., 2009).

It is concluded, therefore, that although the age of I-voting is here, it faces many challenges which must be addressed before the process can be considered to be up to the expected standard. Some of the challenges are actually not technical. Most of the already existing electoral laws need to be amended so as to accept electronic aids to the process. This can be a valuable start but the entire process must at all times be guided by integrity. The example of Qatar is a good one for setting up the technological as well as the legal infrastructure for a successful implementation of such a process.


3.4.4.2 Transparency

Although I-voting provides faster, less costly and more accurate results, people still do not trust the system. Furthermore, since the inner workings of the process are not visible to voters, people have to rely on experts' evaluation of the source code.

An I-voting system should provide a high level of security, usability and a trusted infrastructure, and its software should be open source (Ata et al., 2004; Kitcat, 2004). The process should allow monitoring of the vote by trusted, authorised parties and by experts who carry out inspections, to ensure voters' trust in the system and that votes are not interfered with or manipulated (Muselli, Notton and Louche, 1999; Trechsel, 2005). However, existing I-voting systems hardly ever release their source code (Kohono et al., 2004).

In I-voting, a successful fraud could be perpetrated remotely by a single person and might have a large-scale effect, whereas in paper-based voting it is hard to commit an attack on a large scale (Jefferson et al., 2004). Since there is a high chance of fraud in I-voting, and since the voting process is anonymous, it is harder to investigate cases of crime; in e-commerce, by contrast, the proceeds of e-crimes can often be recovered by legal action (Marconi, n.d.). The most threatening attacks are malicious programs, since they can cause considerable damage on client machines: they can alter votes without being detected, despite the system's encryption and authentication, because they act before encryption and authentication are applied to the data, and so leave no proof of the fraud (Rubin, 2002). Between the client and the legitimate website, attackers can act as a man-in-the-middle (Phillips and von Spakovsky, 2001), but this risk can be reduced by the use of the secure socket layer (SSL, now TLS) and the digital certificates presented by the website.

The absence of detected incidents does not necessarily mean that no successful attack has occurred, since most attackers will have carefully hidden their attacks (Rubin, 2002; Jefferson et al., 2004). They are good at tricking people and usually exploit vulnerabilities in their victims in order to mount an attack; once this is achieved, the secrecy of voters could be infringed, votes could be manipulated, and even the integrity of the election itself could be destroyed (Statements about Internet Voting from Experts, 2008).

The principles of I-voting must be categorised. Phillips and von Spakovsky (2001) state that there should be a paradigm, in terms of infrastructure, communication protocols, software and hardware platform, for I-voting that guarantees people's right to vote freely and fairly, with guidelines for all entities to follow when implementing the I-voting system (Bouras, 2003), since there is currently a lack of understandable guidelines (Joe and Glidden et al., 2001).

According to the California Secretary of State (2000), research states that it is currently hard to replace the existing traditional voting with I-voting system since it is yet not legal or practical to develop it due to many issues associated with such a system, for example, secrecy, trust, culture, usability, etc.

Other research (US NTIA, 2000) suggests that I-voting in its first launch should be implemented along with the existing traditional voting and the use of supervised I-voting in polling stations would provide an idea of people’s acceptance of such technology and the experience of it. However, supervised I-voting would reduce voters’ convenience to vote remotely since it only allows voting in a supervised environment in specific polling stations (US National Telecommunications and Information Administration, 2000).

According to Trechsel (2005), open source applications are not welcomed by some, since they provide attackers with detailed information about the system design which they can use to find its weaknesses. The Netherlands reported that their I-voting system had been hacked within 24 hours, and experts claimed that the open source code had assisted the attack. However, Larman (2008) argues that an open source system should be secure enough that no one can abuse it even though its code is publicly available (Phillips and von Spakovsky, 2001); in other words, its security should not depend on the design being kept secret. Open source can be considered good practice because security experts and the wider community can help to detect and correct errors, and all actions can be recorded in log files for review (Gordi and Gosep, n.d.; Marconi, n.d.). Jan et al. (2001) noted that I-voting source code should be made available on the Internet for evaluation by experts.

Transparency can be achieved not just by technical solutions but also by enhancing government trust (Leontine, 2008).

3.4.4.3 Freedom

Voters should have full freedom to vote without stress, interference or manipulation (Okamoto, 2007, pp. 25-35). I-voting creates significant problems regarding fraud and vote selling, which might limit the freedom and integrity of voters, whereas in postal voting they are at least required to sign a declaration.

Freedom of voter decision could be ensured by providing privacy for voters to vote remotely from any place, using the Internet (International for Data Protection and Telecommunication, 2001, p.86).

3.4.4.4 Equality

Since voting is a practice of democracy, equality is important, where all candidates are