iraqi elections in 2014: a privacy requirement evaluation based on a polling place experience

Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience

Ali Fawzi Najm Al-Shammari & Adolfo Villafiorita

INFORMATIK 2014 - eVoting Workshop - Stuttgart

1,2 1

1. Fondazione Bruno Kessler - Italy2. University of Kerbala - Iraq

25th September 2014

Tuesday 7 October 14

• Historical overview.

• Current voting System in Iraq.

• Stakeholders.

• Components.

• Procedures.

• Security Issues.

• Recommendations.

• Conclusion.

Outline



• Democracy was not a common practice in Iraq before 2003.

• In 2005, the new Iraqi constitution allows citizens to elect the parliament, and the provincial councils every four years.

• Independent High Electoral Commission (IHEC) introduced to manage and run elections.

Historical Overview



Seven country wide elections were conducted:

• January 2005: National Assembly + Provincial Councils

• October 2005: Constitution

• December 2005: Parliamentary

• January 2009: Provincial Councils

• Mars 2010: Parliamentary

• April 2013: Provincial Councils

• April 2014: Parliamentary

Historical Overview



Seven country wide elections were conducted:

• January 2005: National Assembly + Provincial Councils

• October 2005: Constitution

• December 2005: Parliamentary

• January 2009: Provincial Councils

• Mars 2010: Parliamentary

• April 2013: Provincial Councils

• April 2014: Parliamentary

(Observer) (Observer)

(Station Manager)

Historical Overview



• Before 2014, paper based voting.

• Simple.

• Usable.

• There were some concerns raised:

• Vote stuffing!

• Vote manipulation!

• Some verification mechanisms, but they are manual, and time consuming.

Iraqi Voting System



• In 2014, electronic component involved in the polling place.

• Motivation is to improve the system against the current concerns, i.e.:

• Votes stuffing and manipulation.

• Improve voter’s authorization process in the poll.

Voting System Improvement



• Automates vote traceability.

• Mechanism of tracing the vote cast serial number.

• Automates voter authorization.

• Smart Identification Card (SID) for each voter.

• Biometric Identification.

Approach



Smart Card Reader System (SCRS)

Plastic SealSmart Card Reader System

(SCRS)

Thermal Printer & Smart Card ReaderDATECS DPP-250

Fingerprint ScannerFutronic FS80

Tablet BQ Maxwell Plus 2

Camera

The new tool implemented by Indra (Spanish Company).

• Offline database in the component.



Stakeholders.

Components.

Procedures.

Polling Station Experience



Polling Station - Stakeholders




Station Manager (SM)





Authorization Officer (AO)






Ballot Issuer (BI)






Ballot Issuer (BI)

Ballot Box Observer (BBO)






Ballot Issuer (BI)

Ballot Box Observer (BBO)

Queue Observer






Ballot Issuer (BI)

Ballot Box Observer (BBO) Election Observers

Queue Observer






Ballot Issuer (BI)


Queue Observer


Voters Voter





Ballot Issuer (BI)


Queue Observer


Polling Place Manager (PPM)

Voters Voter


Polling Station - Components




SCRS




SCRS

Supervisor Smart Card (SSC)




SCRSBallots Pack





SCRSBallots Pack



1010100

Party Contest

Candidates Contest

Serial Number



SCRSBallots Pack





SCRSBallots Pack

Ballot Stamp Supervisor Smart Card (SSC)




SCRSBallots Pack

Ballot Stamp

Voters’ ListSupervisor Smart Card (SSC)




SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins





SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins

Ballot Box





SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins

Ballot Box


Security Seal




SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins

Ballot Box

Voting Ink


Security Seal




SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins

Ballot Box Station Forms

Voting Ink


Security Seal




SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins


Voting Ink


Secure Plastic BagSecurity Seal




SCRSBallots Pack

Ballot Stamp

Voters’ List

Voting Cabins


Voting Ink


Secure Plastic BagSecurity Seal


Smart ID (SID)


Starting the Election Day

1. SM : - receives the sensitive materials from Polling Place Manager (PPM). - records the ballots packs’ serial number in station forms. - seals the ballot box using plastic seals, and records its numbers in station forms.

2. AO : - turns on the SCRS using the SSC.

Identifying a Voter

1. Voter : - walks to authorization desk.

2. AO : - inserts voter’s SID in the SCRS. - scans voter’s fingerprint by the SCRS.

3. SCRS : - verifies voter’s data. - if the voter is eligible: - saves voter’s access time. - blocks voter’s SID. - updates voter’s status in the database.

Election Procedures



Issuing Ballot

1. AO : - passes voter’s ID to the BI.

2. BI : - checks voter’s name in the voters’ list. - issues and stamps the ballot, and passes it to AO.

3. AO : - scans the QR code of the issued ballot using the SCRS.

4. SCRS : - stores the scanned code of the ballot.

5. Voter : - takes the issued ballot, and walks to the voting cabin.

Election Procedures



Casting Vote

1. Voter : - fills in the ballot anonymously in voting cabin. - folds the filled-in ballot, and walks to the ballot box. - marks her indicator finger in the voting ink. - casts her vote by putting the filled-in ballot in the ballot box.

2. BBO: - controls that a voter marks her finger with voting ink before casting the vote.

Election Procedures



Special Case...

• If the SCRS fails in reading the SID of a voter.

• e.g., SID failure, or Database failure.

• Voter’s name exists in the voters’ list.

Election Procedures



Special Case...

• If the SCRS fails in reading the SID of a voter.

• e.g., SID failure, or Database failure.

• Voter’s name exists in the voters’ list.

Election Procedures


The voter has the right to vote!


Special Case Voting Procedure

1. SM : - takes voter’s SID and puts it in a secure envelope. - writes on the envelope (voter’s name, card’s serial number, and the reason of collection).

2. BI : - asks the voter to sign in the voters’ list. - releases Ballot for the voter.

3. AO : - signs the back of the ballot with “Smart card was not readable”. - Does not scan the QR code of the ballot.

Election Procedures



Closing the Polling Station1. SCRS : - stops accepting any card.

2. SM : - secures ballot box.

3. AO : - stores the SCRS data in the SSC. - prints the SCRS report.

• polling station name.

• total number of eligible voters in the station.

• number of voters who accessed the polling station.

• total number of scanned fingerprints.

• the total number of scanned QR codes.

• the time of opening and closing the poll.

• the list of scanned codes of ballots.

4. SM : - secures the SSC and the SCRS report in a plastic bag. - records the number of the secure bag in the station forms.

Election Procedures



Tallying Process

1. SM : - verifies the serial numbers of the ballot box seals through a comparison with the records in the station forms. - open the box.

2. Polling Place Employees : - starts the tallying process publicly.

3. EO: - observes the tallying process. - records the tallying results in the station forms.

4. SM : - secures the ballots, and stations forms. - provides the secured sensitive materials to the Polling Place Manager.

Election Procedures



Stakeholders’ access.

Attack scenarios.

Privacy Evaluation



Stakeholders’ Access


Voter Ballot Serial Number

Stakeholder Pre-election During Election During Tallying After Election Day

- --




AO , BI Voter’s NameBallot Serial Number

Votes Cast (Station)

--



- --






--

SM Voter’s Name (Special Case)

Votes Cast(Station)

--



- --




ElectionOfficials

SCRSVoters’ list

- Votes Cast (Precinct) SCRS DataVoters’ ListSpecial Case Voters

-



--

SM Voter’s Name (Special Case)

Votes Cast(Station)

--



- --


General Assumption

• Malicious election official could compromise the privacy IF:

• the ballot serial number is linked with voter’s name.

Attack Scenarios



Voter Attack

• Assumption: malicious voter.

• The malicious voter collects ballot serial number and provides it to a third party.

• Forced.

• Attempt to sell vote.

Attack Scenarios



Voter Attack

• Assumption: malicious voter.

• The malicious voter collects ballot serial number and provides it to a third party.

• Forced.

• Attempt to sell vote.

Attack Scenarios


Note that, even if there is no malicious election official, some voter could be coerced by a malicious third party!

Just by asking him/her to provide the vote cast serial number as an evidence to the way she/he voted.


Attack Scenarios


Station Employee Attack 1

• Assumption: malicious AO/BI.

• The malicious AO/BI memorize voter’s name, and ballot serial number.

• The malicious AO/BI links between voter and vote while tallying the votes.


Attack Scenarios



• Assumption: malicious AO/BI.

• The malicious AO/BI memorize voter’s name, and ballot serial number.

• The malicious AO/BI links between voter and vote while tallying the votes.

We don’t need to assume that a malicious election official exists.



• Assumption: malicious Polling Place Employee.

• The malicious employee reveals the vote of the special case voter in the tallying phase.

Attack Scenarios




• Assumption: malicious Polling Place Employee.

• The malicious employee reveals the vote of the special case voter in the tallying phase.

Attack Scenarios


We don’t need to assume that a malicious election official exists.


Malicious Component Attack1

• Assumption: malicious SCRS, malicious election official.

• The malicious SCRS saves information that links voter with ballot serial number.

• The malicious election official accesses the SCRS malicious data.

Attack Scenarios



Attack Scenarios


Malicious Component Attack 2

• Assumption: malicious SCRS, malicious person nearby the polling place.

• The malicious SCRS broadcasts information that links the voter and her ballot serial number using its Wifi, or bluetooth.

• The malicious person nearby, receives this information using a malicious application installed in a device (e.g., smart phone).


• The ballot serial number is not protected.

• Voter identification and ballot issuing processes are performed together.

Main Failures



1.Protecting the Ballot Serial Number.

• Eg., scratch to reveal, or invisible ink marking pen.

• Using random codes for the ballots.

2.Modifies the procedures.

• Ballot QR codes scanning must be done after closing the poll.

• Does not marks the issued ballot of the special case.

Recommendations



• The IHEC effort was to improve traceability, and election fairness.

• Current system has vulnerabilities that could compromise privacy, caused by:

• Two critical processes performed by the same component.

• Ballot serial number is readable.

• Our goal is to improve the system with consideration of minimal changes, which includes:

• Improving the ballot.

• Modifying procedures.

• Modifying SCRS software.

Conclusions



Thank You For Your Attention

شكراً إلصغائكم

[email protected]



iraqi elections in 2014: a privacy requirement evaluation based on a polling place experience

Engineering