Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience
DESCRIPTION
Slides about e-voting. They describe the recent voting system in Iraq and show some privacy issues in the system. They also contain some recommendations to mitigate these issues.
TRANSCRIPT
Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience
Ali Fawzi Najm Al-Shammari (1, 2) & Adolfo Villafiorita (1)
INFORMATIK 2014 - eVoting Workshop - Stuttgart
1. Fondazione Bruno Kessler - Italy
2. University of Kerbala - Iraq
25th September 2014
Tuesday 7 October 14
Outline
• Historical overview.
• Current voting system in Iraq.
• Stakeholders.
• Components.
• Procedures.
• Security Issues.
• Recommendations.
• Conclusion.
Historical Overview
• Democracy was not a common practice in Iraq before 2003.
• In 2005, the new Iraqi constitution allowed citizens to elect the parliament and the provincial councils every four years.
• The Independent High Electoral Commission (IHEC) was introduced to manage and run elections.
Historical Overview
Seven country-wide elections were conducted:
• January 2005: National Assembly + Provincial Councils
• October 2005: Constitution
• December 2005: Parliamentary
• January 2009: Provincial Councils
• March 2010: Parliamentary
• April 2013: Provincial Councils
• April 2014: Parliamentary
(Observer) (Observer) (Station Manager)
Iraqi Voting System
• Before 2014, paper-based voting.
  • Simple.
  • Usable.
• There were some concerns raised:
  • Vote stuffing!
  • Vote manipulation!
• Some verification mechanisms, but they are manual and time-consuming.
Voting System Improvement
• In 2014, an electronic component was introduced in the polling place.
• The motivation is to improve the system against the current concerns, i.e.:
  • Vote stuffing and manipulation.
  • Improve the voter authorization process in the poll.
Approach
• Automates vote traceability.
  • Mechanism of tracing the vote cast serial number.
• Automates voter authorization.
  • Smart Identification Card (SID) for each voter.
  • Biometric Identification.
Smart Card Reader System (SCRS)
• Plastic Seal
• Thermal Printer & Smart Card Reader: DATECS DPP-250
• Fingerprint Scanner: Futronic FS80
• Tablet: BQ Maxwell Plus 2
• Camera
• The new tool was implemented by Indra (Spanish company).
• Offline database in the component.
Polling Station Experience
Stakeholders.
Components.
Procedures.
Polling Station - Stakeholders
• Station Manager (SM)
• Authorization Officer (AO)
• Ballot Issuer (BI)
• Ballot Box Observer (BBO)
• Queue Observer
• Election Observers
• Voters
• Polling Place Manager (PPM)
Polling Station - Components
• SCRS
• Supervisor Smart Card (SSC)
• Ballots Pack
  • Ballot figure labels: 1010100, Party Contest, Candidates Contest, Serial Number
• Ballot Stamp
• Voters’ List
• Voting Cabins
• Ballot Box
• Security Seal
• Voting Ink
• Station Forms
• Secure Plastic Bag
• Smart ID (SID)
Election Procedures
Starting the Election Day
1. SM:
   - receives the sensitive materials from the Polling Place Manager (PPM).
   - records the ballot packs’ serial numbers in the station forms.
   - seals the ballot box using plastic seals, and records their numbers in the station forms.
2. AO:
   - turns on the SCRS using the SSC.
Identifying a Voter
1. Voter:
   - walks to the authorization desk.
2. AO:
   - inserts the voter’s SID in the SCRS.
   - scans the voter’s fingerprint with the SCRS.
3. SCRS:
   - verifies the voter’s data.
   - if the voter is eligible:
     - saves the voter’s access time.
     - blocks the voter’s SID.
     - updates the voter’s status in the database.
Issuing Ballot
1. AO:
   - passes the voter’s ID to the BI.
2. BI:
   - checks the voter’s name in the voters’ list.
   - issues and stamps the ballot, and passes it to the AO.
3. AO:
   - scans the QR code of the issued ballot using the SCRS.
4. SCRS:
   - stores the scanned code of the ballot.
5. Voter:
   - takes the issued ballot, and walks to the voting cabin.
Casting Vote
1. Voter:
   - fills in the ballot anonymously in the voting cabin.
   - folds the filled-in ballot, and walks to the ballot box.
   - marks her index finger in the voting ink.
   - casts her vote by putting the filled-in ballot in the ballot box.
2. BBO:
   - checks that a voter marks her finger with voting ink before casting the vote.
Special Case...
• If the SCRS fails to read the SID of a voter.
  • e.g., SID failure, or database failure.
• The voter’s name exists in the voters’ list.
The voter has the right to vote!
Special Case Voting Procedure
1. SM:
   - takes the voter’s SID and puts it in a secure envelope.
   - writes on the envelope (voter’s name, card’s serial number, and the reason for collection).
2. BI:
   - asks the voter to sign in the voters’ list.
   - releases a ballot for the voter.
3. AO:
   - signs the back of the ballot with “Smart card was not readable”.
   - does not scan the QR code of the ballot.
Closing the Polling Station
1. SCRS:
   - stops accepting any card.
2. SM:
   - secures the ballot box.
3. AO:
   - stores the SCRS data in the SSC.
   - prints the SCRS report:
     • polling station name.
     • total number of eligible voters in the station.
     • number of voters who accessed the polling station.
     • total number of scanned fingerprints.
     • the total number of scanned QR codes.
     • the time of opening and closing the poll.
     • the list of scanned codes of ballots.
4. SM:
   - secures the SSC and the SCRS report in a plastic bag.
   - records the number of the secure bag in the station forms.
Tallying Process
1. SM:
   - verifies the serial numbers of the ballot box seals through a comparison with the records in the station forms.
   - opens the box.
2. Polling Place Employees:
   - start the tallying process publicly.
3. EO:
   - observes the tallying process.
   - records the tallying results in the station forms.
4. SM:
   - secures the ballots and station forms.
   - provides the secured sensitive materials to the Polling Place Manager.
Privacy Evaluation
Stakeholders’ access.
Attack scenarios.
Stakeholders’ Access
Stakeholder | Pre-election | During Election | During Tallying | After Election Day
Election Officials | SCRS, Voters’ List | - | Votes Cast (Precinct) | SCRS Data, Voters’ List, Special Case Voters
AO, BI | - | Voter’s Name, Ballot Serial Number | Votes Cast (Station) | -
SM | - | Voter’s Name (Special Case) | Votes Cast (Station) | -
Voter | - | Ballot Serial Number | - | -
Attack Scenarios
General Assumption
• A malicious election official could compromise privacy IF:
  • the ballot serial number is linked with the voter’s name.
Voter Attack
• Assumption: malicious voter.
• The malicious voter collects the ballot serial number and provides it to a third party.
  • Forced.
  • Attempt to sell vote.
Note that, even if there is no malicious election official, some voter could be coerced by a malicious third party, just by asking him/her to provide the vote cast serial number as evidence of the way she/he voted.
Station Employee Attack 1
• Assumption: malicious AO/BI.
• The malicious AO/BI memorizes the voter’s name and ballot serial number.
• The malicious AO/BI links voter and vote while tallying the votes.
We don’t need to assume that a malicious election official exists.
Station Employee Attack 2
• Assumption: malicious Polling Place Employee.
• The malicious employee reveals the vote of the special case voter in the tallying phase.
We don’t need to assume that a malicious election official exists.
Malicious Component Attack 1
• Assumption: malicious SCRS, malicious election official.
• The malicious SCRS saves information that links the voter with the ballot serial number.
• The malicious election official accesses the malicious data on the SCRS.
Malicious Component Attack 2
• Assumption: malicious SCRS, malicious person near the polling place.
• The malicious SCRS broadcasts information that links the voter and her ballot serial number using its Wi-Fi or Bluetooth.
• The malicious person nearby receives this information using a malicious application installed on a device (e.g., smart phone).
Main Failures
• The ballot serial number is not protected.
• Voter identification and ballot issuing processes are performed together.
Recommendations
1. Protect the ballot serial number.
  • E.g., scratch to reveal, or invisible ink marking pen.
  • Use random codes for the ballots.
2. Modify the procedures.
  • Ballot QR code scanning must be done after closing the poll.
  • Do not mark the issued ballot of the special case.
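The second main failure and the QR-scanning recommendation above can be checked on a device log. The Python code below is an added example, not part of the slides and not SCRS code; the event schema, function names and sample data are assumptions constructed for illustration. It reports which ballot serial numbers the order of log entries ties to exactly one voter, first for scanning at issue time and then for scanning after the poll closes.

```python
from collections import namedtuple
import random

# Hypothetical log record (assumed schema): seq = position in the device log,
# kind = "ID" (voter identified) or "SCAN" (ballot QR code stored).
Event = namedtuple("Event", "seq kind value")

def linked_by_order(events):
    """Map ballot serial -> voter wherever log order leaves one candidate.

    For each SCAN, the candidates are the voters identified earlier in the
    log that are not already tied to another ballot.
    """
    identified, linked = [], {}
    for ev in sorted(events, key=lambda e: e.seq):
        if ev.kind == "ID":
            identified.append(ev.value)
        else:
            candidates = [v for v in identified if v not in linked.values()]
            if len(candidates) == 1:
                linked[ev.value] = candidates[0]
    return linked

def scan_at_issue(voters, serials):
    """Procedure on the slides: each ballot is scanned right after identification."""
    log = []
    for voter, serial in zip(voters, serials):
        log.append(Event(len(log), "ID", voter))
        log.append(Event(len(log), "SCAN", serial))
    return log

def scan_after_close(voters, serials, rng):
    """Recommended procedure: QR codes are scanned only after the poll closes,
    in the order ballots leave the box (modelled here as a shuffle)."""
    log = [Event(i, "ID", v) for i, v in enumerate(voters)]
    box = list(serials)
    rng.shuffle(box)
    log += [Event(len(voters) + i, "SCAN", s) for i, s in enumerate(box)]
    return log

# Constructed sample data, not taken from any real election.
VOTERS = ["voter-A", "voter-B", "voter-C", "voter-D"]
SERIALS = ["S-1001", "S-1002", "S-1003", "S-1004"]

if __name__ == "__main__":
    print(linked_by_order(scan_at_issue(VOTERS, SERIALS)))
    print(linked_by_order(scan_after_close(VOTERS, SERIALS, random.Random(7))))
```

With interleaved identification and scanning every serial is tied to a voter; with scanning deferred until after closing, log order alone ties none, so any remaining link would have to come from data the device stores on purpose.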
Conclusions
• The IHEC effort was to improve traceability and election fairness.
• The current system has vulnerabilities that could compromise privacy, caused by:
  • Two critical processes performed by the same component.
  • The ballot serial number is readable.
• Our goal is to improve the system with minimal changes, which include:
  • Improving the ballot.
  • Modifying procedures.
  • Modifying the SCRS software.
Thank You For Your Attention