
What are the security flaws of this voting system?

Let's say one month before the elections an offline machine auto-generates sealed envelopes for each voter which contain 3 unique GUID codes. The envelopes are sent by mail to voters.

If a voter signs for receipt of the envelope, he can participate only in online voting. If he doesn't, he can only participate in offline voting.

The machine drops the codes for the people who did not sign and releases their voter identities for the offline vote. At this point the machine deletes the voter identity to ensure vote secrecy. The only place which still associates voter identity with the codes is the envelope found in the possession of the voter.

On voting day the user provides code 1 and the site answers with code 2, proving that it is not hacked. Then the user provides code 3, which proves to the site that the user is legit. Then the user can vote. The vote is associated with code 3, NOT the voter's identity, which does not even exist on the server.

The user can at any time check his vote to see that it's correct. If it's not (for whatever reason) he can go with the envelope (which has hard-to-reproduce security marks, like money) to a regular voting place, where his electronic codes are canceled and he can do a normal vote.

When the voting is done the machine publishes the full list of codes (the 3rd ones) and also the full list of all the codes that have voted. That way anyone with a bit of Excel/data analysis knowledge can check that there are no extra codes, and count the results, acting like an observer.

PS. Of course all other security measures still apply: a VPN room for every town, voters receive a CD/DVD with a dedicated secured virtual machine with the VPN preconfigured, etc.

cmu111
  • If not all people vote, how do you prevent the central server from inventing number sets for some part of the abstainees, and inflating votes with them, claiming voter turnout was higher than it was? – J.A.K. Jun 01 '19 at 15:23
  • But perhaps more importantly, the site is a single point of failure; anyone with access to all of the codes could dictate the outcome of the election. How do you get the codes to people without them being centrally stored or even generated? That point has all the trust. – J.A.K. Jun 01 '19 at 15:26
  • Your questions fully apply to paper voting too. I am only interested in the security of the online aspects. – cmu111 Jun 01 '19 at 15:29
  • FWIW Microsoft announced a few weeks ago that they were open sourcing an online voting solution which, insofar as I could tell, was excellent and basically addressed every theoretical objection that one might have on online voting. Remains practical objections, such as compromised devices. – Denis de Bernardy Jun 01 '19 at 16:34
  • @DenisdeBernardy Microsoft's ElectionGuard has the same problem as this one. It allows individual verification of votes and therefore supports vote selling. – Brythan Jun 02 '19 at 15:49
  • @Brythan: That's incorrect. When you verify your vote, your vote gets cancelled and you must revote. The purpose of being able to verify your vote in ElectionGuard is to give voters the opportunity to verify that the system can be trusted to tally their vote correctly. – Denis de Bernardy Jun 02 '19 at 16:32

1 Answer

This system allows people to sell their votes.

  1. Take the envelope and show it to the vote buyer, who now knows the voter's three numbers.
  2. Vote.
  3. The vote buyer can now check how you voted by checking each of the three numbers.
  4. If you voted as the buyer wants, you get paid.

The flaw here is that it assumes that the voter wants to keep the voter's identity private. But in a vote selling situation, that is not true. The voter wants to let the buyer see the voter's vote.

The typical approach to avoid this with online verification is to arrange things so that the voter can change from the original plan and vote with different numbers. However, that is still subject to the problem that the vote buyer can usually detect the different numbers, because when the buyer checks the agreed combination, there's no vote there with the desired ballot. But with your system, it's not even that difficult. Each number is unique and only one of the three would count. So a buyer can easily check all three.

Brythan
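To make the two posts concrete, here is an added example (not code from the question or the answer, and not any real election software) that simulates the three-code scheme as the question describes it: envelopes generated offline, codes dropped for voters who did not sign, the identity table deleted, the code-1/code-2 site proof, voting under code 3, cancellation for a paper vote, the published lists and the observer's re-count. It then runs the vote-buyer check from the answer: whoever has seen the envelope can look up the ballot under each of the three codes. The voter names, the choices "A"/"B" and the function names are all constructed for this illustration.

```python
"""Toy simulation of the three-code online voting scheme from the question,
plus the observer audit and the vote-buyer check from the answer.
Added example; all names and data are constructed."""
import uuid
from collections import Counter


def make_envelopes(voters):
    """Offline stage: one sealed envelope per voter with three random GUIDs.
    Returns {voter_id: (code1, code2, code3)}; only the paper copy should keep
    the voter-to-codes association once the server has been loaded."""
    return {v: tuple(str(uuid.uuid4()) for _ in range(3)) for v in voters}


class VotingServer:
    def __init__(self, envelopes, signed_for):
        # Keep codes only for voters who signed for the envelope; the rest vote on paper.
        kept = {v: c for v, c in envelopes.items() if v in signed_for}
        self.offline_voters = sorted(set(envelopes) - set(signed_for))
        # Identity is dropped here: every table below is indexed by code only.
        self.challenge = {c1: c2 for (c1, c2, _c3) in kept.values()}
        self.valid_code3 = {c3 for (_c1, _c2, c3) in kept.values()}
        self.cancelled = set()
        self.ballots = {}  # code3 -> choice

    def prove_site(self, code1):
        """Site proves itself by answering code 1 with code 2 (None if unknown)."""
        return self.challenge.get(code1)

    def cast(self, code3, choice):
        """Accept a ballot only for a known, non-cancelled code 3."""
        if code3 not in self.valid_code3 or code3 in self.cancelled:
            return False
        self.ballots[code3] = choice
        return True

    def lookup(self, code3):
        """Voter-side check: what ballot is stored under this code 3?"""
        return self.ballots.get(code3)

    def cancel(self, code3):
        """Polling place cancels the electronic codes before a paper vote."""
        self.cancelled.add(code3)
        self.ballots.pop(code3, None)

    def publish(self):
        """After the election: all code-3 values, and the ballots that were cast."""
        return sorted(self.valid_code3), dict(self.ballots)


def observer_audit(published_code3s, published_ballots):
    """Anyone with the two published lists can re-count and spot extra codes."""
    allowed = set(published_code3s)
    extras = [c for c in published_ballots if c not in allowed]
    tally = Counter(published_ballots.values())
    return extras, tally


def voter_session(server, envelope, choice):
    """Voting-day exchange from the voter's side."""
    c1, c2, c3 = envelope
    if server.prove_site(c1) != c2:
        return False  # site failed to prove it holds this voter's codes
    return server.cast(c3, choice)


def vote_buyer_check(published_ballots, envelope, wanted):
    """Buyer who saw the envelope: each code is unique, so just try all three."""
    return any(published_ballots.get(c) == wanted for c in envelope)


def run_scenario():
    """Constructed scenario: four voters, three of whom signed for their envelopes."""
    envelopes = make_envelopes(["alice", "bob", "carol", "dave"])
    server = VotingServer(envelopes, signed_for={"alice", "bob", "carol"})
    results = {
        "alice": voter_session(server, envelopes["alice"], "A"),
        "bob": voter_session(server, envelopes["bob"], "B"),
        "dave": voter_session(server, envelopes["dave"], "A"),  # never signed: rejected
    }
    # Carol checks her ballot, disputes it, and has her codes cancelled for a paper vote.
    voter_session(server, envelopes["carol"], "A")
    server.cancel(envelopes["carol"][2])
    results["carol_after_cancel"] = server.cast(envelopes["carol"][2], "A")
    code3s, ballots = server.publish()
    extras, tally = observer_audit(code3s, ballots)
    results["extras"] = extras
    results["tally"] = dict(tally)
    # Vote buying: anyone who saw Alice's envelope can confirm how she voted.
    results["buyer_sees_alice_A"] = vote_buyer_check(ballots, envelopes["alice"], "A")
    results["buyer_sees_alice_B"] = vote_buyer_check(ballots, envelopes["alice"], "B")
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The observer audit really does catch a server that appends ballots under invented codes (they show up in `extras`), which is the property the question claims. The last two results show the answer's point: the published ballot list is keyed by a value the voter can hand to anyone, so the same lookup that lets the voter verify the ballot lets a buyer verify it too.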
  • That isn't a new problem. Consider this: you take your vote-by-mail/absentee ballot to the vote buyer, fill it out in front of him, sign and seal the envelope in his presence, then give it to him to mail. – user71659 Jun 01 '19 at 17:13
  • Pointing out a flaw in another voting system does not make this one secure, though... – Geir Emblemsvag Jun 02 '19 at 07:42