Electronic (Internet) Voting in IFIP
IFIP General Assembly September 2001 (Natal/Brazil)

The issue:

 IFIP work forces (WGs, SIGs and TCs) use the Internet for efficient and fast information exchange. This helps to significantly improve cooperation, efficiency, timeliness and results esp. as IFIP work forces are locally – and timely – distributed. There is NO RULE which excludes adequate usage of the Internet – even though it is unsafe and insecure – for such work.

BUT: from such Internet-based work, it may also seem "naturally" to use Internet to support essential FORMAL procedures as prescribed in IFIP Standing Orders, e.g. managing confidential information and discussions about personnel and elections which require physical presence of voters including proxies. The idea: an involvement of members from related IFIP working bodies might be significantly enlarged when the request for physically personal presence would be reduced to some specified form of "virtual presence", e.g. through electronic conferencing or electronic voting support.

This document is only concerned with the question whether and under what circumstances FORMAL procedures, esp. election of officers such as TC chairs can be handled via the Internet.

The question:

Is it acceptable to enhance, even if for a feasibility experiment, IFIP rules to permit IFIP Technical Committees to handle formal procedures, esp. elections of TC officers, via Internet?

The problem:

Apart from the rules (which require physical presence of a voter), several requirements (legal and technical) must be fulfilled to handle elections, NONE of which can presently be fulfilled (see appended "Risk and Feasibility Analysis"), at least in general. Only in specially constructed cases, some (though not all) requirements may be met.

General solution:

with the contemporary state-of-art of Information and Communication Technologies, essential requirements for Electronic Voting cannot be fulfilled. IFIP rules shall NOT be changed to permit Electronic Voting.

Examples: it would NOT be permissible to handle elections of TC and WG chairs over Internet. If discussions concerning personnel involve confidential information, this is possible but with proper protection.

Solution in special cases:

in special cases with very specific constraints (e.g. very small constituency, management of election done by an independent IFIP body, special procedures using multiple media to assure authenticity, secrecy, reliability and availability), an experiment may be admissible under strict control, in order to evaluate circumstances under which technical solutions may, in some future, permit IFIP working bodies to improve distributed participation also in essential managerial decisions by usage of contemporary communication technologies when they are adequately safe and secure.

Attachment: Electronic Voting in IFIP Working Groups and Technical Committees: A Risk and Feasibility Analysis (Klaus Brunnstein, August 2001)

Electronic Voting in IFIP Working Groups and Technical Committees:
A Risk and Feasibility Analysis

Klaus Brunnstein (August 25, 2001)

Foreword: IFIP as a technical and scientific society is – understandably – interested to explore whether Information & Communication Technologies (ICTs) may also be used in "new" application areas. It seems esp. reasonable to ask whether and to which degree the work of its essential working forces, esp. Technical Committees (TCs), Working Groups (WGs) and Special Interest Groups (SIGs) can be supported by emerging technologies.

One special question starts from the assumption that Internet may be regarded as model of a global marketplace, somewhat in the sense of the Athenian "AGORA" (=market) where political discussions and decisions took place. Consequently, one question is whether "traditional" voting (esp. about assignments of offices) can be dealt-with using contemporary systems and networks.

Following some discussions in IFIP Executive Board about whether and how methods of Electronic Voting could and should be introduced to help organizing the regular reproduction of duties in decentralized bodies such as IFIP Technical Committes (TCs), Working Groups (WGs) and Special Interest Groups (SIGs), the author was charged to prepare a position paper. This paper (v.1.00) is based on initial discussions as well as an analysis of the related literature. The author wishes to thank Peter G. Neumann (SRI), chair of ACMs Public Affairs Committee and renown expert on social implications and risks of digital systems, and Rebecca Mercuri (U-Pennsylvania) who both published significant contributions in areas of Electronic Voting (including Rebecca´s doctor thesis) and who testified before related committees of US Congress and several federal states. The work of Peter G. Neumann and Rebecca Mercuri as well as several reports about failures in Electronic Voting applications published in ACMs Risk Forum have helped to develop a cautious view which does not primarily look at opportunities but takes related risks from beginning into account.

General Requirement:

Voting is the basic mechanism with which a democratically organized scientific society such as IFIP reproduces the ability of its working bodies to advance their work in changing environments and with established or newly incoming personnel on the basis of expertise and knowledge as well as trustworthiness and fair practice of its official representatives.

Consequently, voting must be organized such that

Requirements for Electronic Voting:

Projecting the general requirements on electronic voting procedures, the following goals must be achieved:

  1. Non-technical goals:

A.1) Proper information: it must be guaranteed that each voter has sufficient unbiased information about all aspects of the voting process, esp. including schedules and candidates

A.2) Ability to participate: each person eligible for voting must have a guaranteed opportunity to submit her/his vote

A.3) Guaranteed receipt of vote: it must be guaranteed that any vote which is sent within the given voting period is indeed received by the counting institution

A.4) Authenticity of the voter: it must be guaranteed that the person which sent a vote is authenticated as the resp. voter but this authentication must NOT be used to disclose the vote itself

A.5) Anonymity of the vote: it must be guaranteed that no relation can be established between a voter and her/his vote

A.6) Trustworthiness of counting and tabulating: the counting procedure must be "fair", and it must be esp. guaranteed that counting is supervised by persons which are qualified to assure a correct representation of the votes, and are trustworthy and which have no interest whatsoever in the voting result.

  1. Technical requirements for Electronic Voting processes:

B.1) System integrity: the computer and network systems must behave at least tamper-resistant according to state-of-technology

B.2) System availability, reliability and accountability: computer and networks must be available when needed, must work reliably and must guarantee proper auditing to assure a defined level of assurance of these requirements

B.3) Data integrity, reliability, confidentiality: in all processes related to voting, data (esp. including pre- and post-processing, storage and distribution), it must be assured that data are reliably handled, and that their integrity and confidentiality as representing the voters intent is assured

B.4) Interface Usability: the interfaces for voters must be constructed in such a way that it is guaranteed that the electronic vote represents the true intent of the voter

B.5) Operator authentication and accountability: the personnel which is responsible for administrating any part of the election process must be strongly authenticated, and related activities must be properly logged in a way to prevent any kind of tampering

B.6) Personnel integrity: "people involved in developing, operating and administering electronic voting systems must be of unquestioned integrity" (P. G. Neumann: Security Criteria for Electronic Voting)

Fulfilment of Reqirements:

As many examples demonstrate, NONE of the requirements can presently be taken for granted. Even far from applying established criteria of Security and Quality (e.g. of software and services), Internet is full of examples both for insecure technologies as well as inadequate use.

It is well know that contemporary systems are unsafe and insecure, either by design and implementation, or by administration or usage. Recent experiences (viruses, worms, hacker attacks) demonstrate that related computer and network weaknesses may adversely influence, even unknown to users, anticipated results of IT work.

Even when ubiquitous risks such as spoofing, sniffing and hijacking are cured with additional methods (e.g. cryptographic measures such as digital signatures, encryption and check-summing), several basic requirements such as availability and reliability of the network can NOT be guaranteed (and indeed it is easy to undermine any known protection against related attacks and misuse). Moreover, essential risks which may adversely influence the proper expression of the voters intent and its adequate representation in the counting and tabulating processes are located both in the clients of voters (too often equipped with insecure systems such as Intel/MS-Windows or LINUX) and servers where voting administration is localized.

 

Conclusion:

First: In the present state-of-technologies, electronic voting can NOT fulfill the requirements. IFIP as world-leading society with high technical and ethical standards shall therefore refrain from using electronic voting under contemporary constraints.

Second: Application of contemporary technologies and methods is advisable ONLY in circumstances where essential aspects may be handled in a way to overcome technology-inherent risks.

Example: Open Electronic Voting in an unsafe technical environment:

WHEN some community organizes itself in an open electronic forum (mailing list) where everybody accepts that neither anonymity nor availability nor reliability can be guaranteed, and WHERE additional methods of establishing trust and authenticity (e.g. by signatures personally cosigned in face-to-face meetings) have been established, THEN this community may decide to accept the risk of not completely representative and safe elections on matters of lower importance. BUT such a risk-aware community should NEVER base its constitutive decisions (esp. upon officers duties) upon electronic voting.

Suggestion:

  1. IFIP opposes any attempt to change the present voting scheme (which assume personal presence and secret ballots for elections of officers in Technical Committees) in favor of opening the possibility for the application of electronic voting procedures in this present state-of-technology.
  2. IFIP asks its related expert groups, esp. including Technical Committees and Working Groups to investigate aspects of Security, Social Implications and Legal aspects and to contribute to the development of methods which some day may permit to hold IFIP-related elections with the usage of electronic means, provided that the essential requirements are fulfilled.