Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience

Post on 01-Jul-2015


DESCRIPTION

Slides about e-voting. They describe the recent voting system in Iraq and show some privacy issues in the system. They also contain some recommendations to mitigate these issues.

TRANSCRIPT

Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience

Ali Fawzi Najm Al-Shammari (1, 2) & Adolfo Villafiorita (1)

INFORMATIK 2014 - eVoting Workshop - Stuttgart

1. Fondazione Bruno Kessler - Italy
2. University of Kerbala - Iraq

25th September 2014

Tuesday 7 October 14

Outline

• Historical overview.
• Current voting system in Iraq.
• Stakeholders.
• Components.
• Procedures.
• Security issues.
• Recommendations.
• Conclusion.

Historical Overview

• Democracy was not a common practice in Iraq before 2003.
• In 2005, the new Iraqi constitution allows citizens to elect the parliament and the provincial councils every four years.
• The Independent High Electoral Commission (IHEC) was introduced to manage and run elections.

Seven country-wide elections were conducted:

• January 2005: National Assembly + Provincial Councils
• October 2005: Constitution
• December 2005: Parliamentary
• January 2009: Provincial Councils
• March 2010: Parliamentary
• April 2013: Provincial Councils
• April 2014: Parliamentary


(Observer) (Observer)

(Station Manager)


Iraqi Voting System

• Before 2014, paper based voting.
• Simple.
• Usable.
• There were some concerns raised:
  • Vote stuffing!
  • Vote manipulation!
• Some verification mechanisms, but they are manual, and time consuming.

Voting System Improvement

• In 2014, an electronic component was involved in the polling place.
• The motivation is to improve the system against the current concerns, i.e.:
  • Vote stuffing and manipulation.
  • Improve the voter’s authorization process in the poll.

Approach

• Automates vote traceability.
  • Mechanism of tracing the vote cast serial number.
• Automates voter authorization.
  • Smart Identification Card (SID) for each voter.
  • Biometric Identification.

Smart Card Reader System (SCRS)

[Figure: the SCRS, with labelled parts]
• Thermal Printer & Smart Card Reader: DATECS DPP-250
• Fingerprint Scanner: Futronic FS80
• Tablet: BQ Maxwell Plus 2
• Camera
• Plastic Seal

• The new tool was implemented by Indra (a Spanish company).
• Offline database in the component.

Polling Station Experience

• Stakeholders.
• Components.
• Procedures.

Polling Station - Stakeholders

• Station Manager (SM)
• Authorization Officer (AO)
• Ballot Issuer (BI)
• Ballot Box Observer (BBO)
• Election Observers
• Queue Observer
• Polling Place Manager (PPM)
• Voters

Polling Station - Components

• SCRS
• Supervisor Smart Card (SSC)
• Ballots Pack (ballot figure labels: Party Contest, Candidates Contest, Serial Number)
• Ballot Stamp
• Voters’ List
• Voting Cabins
• Ballot Box
• Security Seal
• Voting Ink
• Station Forms
• Secure Plastic Bag
• Smart ID (SID)

Election Procedures

Starting the Election Day

1. SM:
   - receives the sensitive materials from the Polling Place Manager (PPM).
   - records the ballot packs’ serial number in the station forms.
   - seals the ballot box using plastic seals, and records their numbers in the station forms.
2. AO:
   - turns on the SCRS using the SSC.

Identifying a Voter

1. Voter:
   - walks to the authorization desk.
2. AO:
   - inserts the voter’s SID in the SCRS.
   - scans the voter’s fingerprint with the SCRS.
3. SCRS:
   - verifies the voter’s data.
   - if the voter is eligible:
     - saves the voter’s access time.
     - blocks the voter’s SID.
     - updates the voter’s status in the database.

Issuing Ballot

1. AO:
   - passes the voter’s ID to the BI.
2. BI:
   - checks the voter’s name in the voters’ list.
   - issues and stamps the ballot, and passes it to the AO.
3. AO:
   - scans the QR code of the issued ballot using the SCRS.
4. SCRS:
   - stores the scanned code of the ballot.
5. Voter:
   - takes the issued ballot, and walks to the voting cabin.

Casting Vote

1. Voter:
   - fills in the ballot anonymously in the voting cabin.
   - folds the filled-in ballot, and walks to the ballot box.
   - marks her index finger in the voting ink.
   - casts her vote by putting the filled-in ballot in the ballot box.
2. BBO:
   - checks that a voter marks her finger with voting ink before casting the vote.

Special Case...

• If the SCRS fails in reading the SID of a voter.
  • e.g., SID failure, or Database failure.
• Voter’s name exists in the voters’ list.

The voter has the right to vote!

Special Case Voting Procedure

1. SM:
   - takes the voter’s SID and puts it in a secure envelope.
   - writes on the envelope (voter’s name, card’s serial number, and the reason for collection).
2. BI:
   - asks the voter to sign in the voters’ list.
   - releases a ballot for the voter.
3. AO:
   - signs the back of the ballot with “Smart card was not readable”.
   - does not scan the QR code of the ballot.

Closing the Polling Station

1. SCRS:
   - stops accepting any card.
2. SM:
   - secures the ballot box.
3. AO:
   - stores the SCRS data in the SSC.
   - prints the SCRS report:
     • polling station name.
     • total number of eligible voters in the station.
     • number of voters who accessed the polling station.
     • total number of scanned fingerprints.
     • the total number of scanned QR codes.
     • the time of opening and closing the poll.
     • the list of scanned codes of ballots.
4. SM:
   - secures the SSC and the SCRS report in a plastic bag.
   - records the number of the secure bag in the station forms.

Tallying Process

1. SM:
   - verifies the serial numbers of the ballot box seals through a comparison with the records in the station forms.
   - opens the box.
2. Polling Place Employees:
   - start the tallying process publicly.
3. EO:
   - observes the tallying process.
   - records the tallying results in the station forms.
4. SM:
   - secures the ballots and station forms.
   - provides the secured sensitive materials to the Polling Place Manager.
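One way the serial-number trace from the closing report could be reconciled against the ballot box at tallying, as an added example that is not part of the original slides or of the deployed system. The record layout, the `reconcile` function, the assumption that a scanned QR code equals the ballot serial number, and all sample values are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ballot:
    serial: int
    special_case_note: bool = False  # back signed "Smart card was not readable"

@dataclass(frozen=True)
class StationRecord:
    pack_serials: range    # ballot pack serials recorded in the station forms (assumed contiguous)
    voters_accessed: int   # "number of voters who accessed the polling station"
    scanned_codes: tuple   # "the list of scanned codes of ballots" (assumed = serials)
    sid_envelopes: int     # SIDs collected in envelopes for special-case voters

def reconcile(rec, box):
    """Return the discrepancies between the station record and the opened box."""
    findings = []
    scanned = set(rec.scanned_codes)
    if len(scanned) != len(rec.scanned_codes):
        findings.append("SCRS report lists a code more than once")
    if len(rec.scanned_codes) > rec.voters_accessed:
        findings.append("more scanned codes than voters who accessed the station")
    seen = set()
    for b in box:
        if b.serial in seen:
            findings.append(f"serial {b.serial} appears twice in the box")
        seen.add(b.serial)
        if b.serial not in rec.pack_serials:
            findings.append(f"serial {b.serial} is not from this station's packs")
        elif not b.special_case_note and b.serial not in scanned:
            findings.append(f"serial {b.serial} was never scanned and has no special-case note")
    noted = sum(b.special_case_note for b in box)
    if noted > rec.sid_envelopes:
        findings.append(f"{noted} special-case ballots but only {rec.sid_envelopes} SID envelopes")
    return findings

# Constructed sample data for one station: four scanned ballots, one special case.
RECORD = StationRecord(range(1000, 1050), 4, (1000, 1001, 1002, 1004), 1)
CLEAN_BOX = [Ballot(1000), Ballot(1001), Ballot(1002), Ballot(1004), Ballot(1003, True)]
# Three extra ballots: unscanned, foreign serial, and an unbacked special-case note.
STUFFED_BOX = CLEAN_BOX + [Ballot(1007), Ballot(2001), Ballot(1008, True)]

if __name__ == "__main__":
    print(reconcile(RECORD, CLEAN_BOX) or "no discrepancies")
    for finding in reconcile(RECORD, STUFFED_BOX):
        print("DISCREPANCY:", finding)
```

The special-case check follows the 2014 procedure as described in these slides; the Recommendations slide proposes not marking special-case ballots, in which case that check would have to rely on the envelope count alone.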

Privacy Evaluation

• Stakeholders’ access.
• Attack scenarios.

Stakeholders’ Access

Stakeholder | Pre-election | During Election | During Tallying | After Election Day
Voter | - | Ballot Serial Number | - | -
AO, BI | - | Voter’s Name, Ballot Serial Number | Votes Cast (Station) | -
SM | - | Voter’s Name (Special Case) | Votes Cast (Station) | -
Election Officials | SCRS, Voters’ List | - | Votes Cast (Precinct) | SCRS Data, Voters’ List, Special Case Voters

Attack Scenarios

General Assumption

• A malicious election official could compromise privacy IF:
  • the ballot serial number is linked with the voter’s name.

Voter Attack

• Assumption: malicious voter.
• The malicious voter collects the ballot serial number and provides it to a third party.
  • Forced.
  • Attempt to sell vote.

Note that, even if there is no malicious election official, a voter could be coerced by a malicious third party, just by being asked to provide the vote cast serial number as evidence of the way she/he voted.

Station Employee Attack 1

• Assumption: malicious AO/BI.
• The malicious AO/BI memorizes the voter’s name and ballot serial number.
• The malicious AO/BI links voter and vote while tallying the votes.

We don’t need to assume that a malicious election official exists.

Station Employee Attack 2

• Assumption: malicious Polling Place Employee.
• The malicious employee reveals the vote of the special case voter in the tallying phase.

We don’t need to assume that a malicious election official exists.

Malicious Component Attack 1

• Assumption: malicious SCRS, malicious election official.
• The malicious SCRS saves information that links the voter with the ballot serial number.
• The malicious election official accesses the malicious SCRS data.

Malicious Component Attack 2

• Assumption: malicious SCRS, malicious person near the polling place.
• The malicious SCRS broadcasts information that links the voter and her ballot serial number using its Wi-Fi or Bluetooth.
• The malicious person nearby receives this information using a malicious application installed on a device (e.g., smart phone).

Main Failures

• The ballot serial number is not protected.
• Voter identification and ballot issuing processes are performed together.

Recommendations

1. Protecting the ballot serial number.
   • E.g., scratch to reveal, or invisible ink marking pen.
   • Using random codes for the ballots.
2. Modifying the procedures.
   • Ballot QR code scanning must be done after closing the poll.
   • Do not mark the issued ballot of the special case.

Conclusions

• The IHEC effort was to improve traceability and election fairness.
• The current system has vulnerabilities that could compromise privacy, caused by:
  • Two critical processes performed by the same component.
  • Ballot serial number is readable.
• Our goal is to improve the system with minimal changes, which include:
  • Improving the ballot.
  • Modifying procedures.
  • Modifying SCRS software.

Thank You For Your Attention

Thank you for listening

alshammari@fbk.eu
