Abstract — With significant U.S. federal funds now available to replace outdated punch-card and mechanical voting systems, municipalities and states throughout the U.S. are adopting paperless electronic voting systems from a number of different vendors. We present a security analysis of the source code to one such machine used in a significant share of the market. Our analysis shows that this voting system is far below even the most minimal security standards applicable in other contexts. We identify several problems including unauthorized privilege escalation, incorrect use of cryptography, vulnerabilities to network threats, and poor software development processes. We show that voters, without any insider privileges, can cast unlimited votes without being detected by any mechanisms within the voting terminal software. Furthermore, we show that even the most serious of our outsider attacks could have been discovered and executed without access to the source code. In the face of such attacks, the usual worries about insider threats are not the only concerns; outsiders can do the damage. That said, we demonstrate that the insider threat is also quite considerable, showing that not only can an insider, such as a poll worker, modify the votes, but that insiders can also violate voter privacy and match votes with the voters who cast them. We conclude that this voting system is unsuitable for use in a general election. Any paperless electronic voting system might suffer similar flaws, despite any “certification ” it could have otherwise received. We suggest that the best solutions are voting systems having a “voter-verifiable audit trail, ” where a computerized voting system might print a paper ballot that can be read and verified by the voter. I.

This paper presents a fully independent security study of a Diebold AccuVote-TS voting machine, including its hardware and software. We obtained the machine from a private party. Analysis of the machine, in light of real election procedures, shows that it is vulnerable to extremely serious attacks. For example, an attacker who gets physical access to a machine or its removable memory card for as little as one minute could install malicious code; malicious code on a machine could steal votes undetectably, modifying all records, logs, and counters to be consistent with the fraudulent vote count it creates. An attacker could also create malicious code that spreads automatically and silently from machine to machine during normal election activities—a voting-machine virus. We have constructed working demonstrations of these attacks in our lab. Mitigating these threats will require changes to the voting machine’s hardware and software and the adoption of more rigorous election procedures. 1

We provide techniques to help vendors, independent testing agencies, and others verify critical security properties in direct recording electronic (DRE) voting machines. We rely on specific hardware functionality, isolation, and architectural decision to allow one to easily verify these critical security properties; we believe our techniques will help us verify other properties as well. Verification of these security properties is one step towards a fully verified voting machine, and helps the public gain confidence in a critical tool for democracy. We present a voting system design and discuss our experience building a prototype implementation based on the design in Java and C.

Abstract not found

Remote electronic voting is currently being piloted in the UK as a means of increasing the convenience of casting a ballot, which it is hoped will be reflected in an increased participa-tion in elections. Most proposed electronic voting schemes envisage the use of cryptography in order to model the features of democratic elections, which, informally, include notions such as the secret ballot and a verifiable tallying system. This approach requires the use of a software artifact, or polster, which casts a ballot on the elector’s behalf. A consequence of this approach requires the elector to trust software supplied by the election authority, as well as limiting the range of devices on which the ballot may be cast. An alternative to the use of cryptography employs a polsterless electronic voting system. Here, a proposed polsterless system for UK elections is considered and the flaws identified. A revised scheme is then proposed that provides verifiability and improved resistance to abuse, without requiring too much additional participation from the elector.

But it appears to me indispensable that the signature of the elector should be affixed to the paper at a public polling-place, or if there be no such place conveniently accessible, at some office open to all the world, and in the presence of a responsible public officer. The proposal which has been thrown out of allowing the voting papers to be filled up at the voter’s own residence, and sent by the post, or called for by a public officer, I should regard as fatal. The act would be done in the absence of the salutary and the presence of all the pernicious influences. The briber might, in the shelter of privacy, behold with his own eyes his bargain fulfilled, and the intimidator could see the extorted obedience rendered irrevocably on the spot.

Elections in India are conducted almost exclusively using electronic voting machines developed over the past two decades by a pair of government-owned companies. These devices, known in India as EVMs, have been praised for their simple design, ease of use, and reliability, but recently they have also been criticized following widespread reports of election irregularities. Despite this criticism, many details of the machines’ design have never been publicly disclosed, and they have not been subjected to a rigorous, independent security evaluation. In this paper, we present a security analysis of a real Indian EVM obtained from an anonymous source. We describe the machine’s design and operation in detail, and we evaluate its security in light of relevant election procedures. We conclude that in spite of the machines ’ simplicity and minimal software trusted computing base, they are vulnerable to serious attacks that can alter election results and violate the secrecy of the ballot. We demonstrate two attacks, implemented using custom hardware, which could be carried out by dishonest election insiders or other criminals with only brief physical access to the machines. This case study carries important lessons for Indian elections and for electronic voting security more generally.

Abstract: This paper focuses on the feasibility of electronic voting. At first, a brief introduction of what electronic voting is; how it works and what its requirements are given. Then the popular implementation models in today’s electronic voting solutions are discussed. All the models are not perfect yet; experts are debating for the direction of electronic voting. Analyses of this paper go deep into the view of technology and non-technology. More detailed analysis on technology difficulty and different experts ’ opinions are listed. We also pictured the voters ’ opinions and experiences in electronic voting exp eriments. At last, the conclusion is given that it’s hard and a long way to realize perfect electronic voting. What should be done today is to try out approving solutions for voters. *.Key words: electronic voting; feasibility; requirement 1.

In September 2004, the Council of Europe's Committee of Ministers officially adopted a set of standards recommended by the Multidisciplinary Ad Hoc Group of Specialists on legal, operational and technical standards for e-enabled voting [7].

End-to-end verifiable voting systems allow voters to verify that their votes are cast as intended, collected as cast, and counted as collected. Essentially, end-to-end voting systems provide voters assurance that each step of the election worked correctly. At the same time, voting systems must protect voter privacy and prevent the possibility of improper voter influence and voter coercion. Several end-to-end voting systems have been proposed, varying in usability and practicality. In this thesis we describe and analyze Scantegrity II, a novel end-to-end verification mechanism for optical scan voting which uses confirmation codes printed on the ballot in invisible ink. The confirmation codes allow voters to create privacy-preserving receipts which voters can check against the bulletin board after the close of the election to ensure that their votes have been collected as cast. Anyone can check that votes have been counted as collected and that the tally is correct. We describe the Scantegrity II system and