Page 94 - Towards Trustworthy Elections: New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida
J.A. Goler and E.J. Selker
3 Adversary Model
3.1 Unintentional Bugs and Physical Failures
On a systemwide basis, the largest likely contributor to failure in an electronic
voting system is the unintentional failure of one of the components in the system.
A monolithic system with one operating system, set of COTS (Common Off
The Shelf) hardware, communication mode and voting software will suffer a
catastrophic failure if a single component has a bug. While such failures may
not be common, a common failure mode may cascade and could render
the entire system compromised. An example of such a large cascading failure is
the 2003 northeast power failure [1], which started at a single failure point and
affected the Eastern Seaboard, Midwest and Eastern Canada. In software, the
Blaster worm [4] caused serious outages throughout the world. Having diversity
in the code of the voting system would help mitigate common failures and ensure
that the vote can be properly counted even if some modules are compromised.

One concern about the Internet is that electronic transmissions can be held up
or slowed down for one reason or another. A system that communicates
electronically can batch the communication for later transmission, use land
telephone lines to communicate the information, or use cell phones or satellite
phones as alternate communications modes to make communication reliable. SAVE
modules utilize both encryption and cached data so that disruption or compromise
of the communication.

Additional hazards to the voting process include simple access to electrical
power, and problems in transmitting votes from the polling stations. The dangers
of power outages have successfully been addressed in Brazil, where the
computer-based voting system relies on batteries that last 14 hours. The question
of messages being intercepted is one of simple encryption; the issue of changed
messages would be dealt with using redundancy, cryptography and message
authentication codes (MACs) to ensure integrity.
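
The integrity checks named above (MACs and redundancy applied to cached, batched transmissions), as an added example that is not from the chapter or from SAVE itself: a polling station seals each cached record with HMAC-SHA256 and a sequence number, and the receiver flags altered, replayed and missing records. The record layout, field names, sample key and the `expected` count are assumptions made for illustration.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # constructed sample key, assumed shared per station

def _canonical(body: dict) -> bytes:
    # Deterministic encoding so both ends compute the MAC over identical bytes.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def _tag(key: bytes, body: dict) -> str:
    return hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()

def seal(key: bytes, station: str, seq: int, payload: dict) -> dict:
    """Station side: build a cached record carrying an HMAC-SHA256 tag."""
    body = {"station": station, "seq": seq, "payload": payload}
    return {**body, "mac": _tag(key, body)}

def verify_batch(key: bytes, station: str, batch: list, expected: int):
    """Receiver side: return (accepted, problems) for one station's batch.

    `expected` is the number of records the station reports having cached.
    """
    authentic, problems = {}, []
    for rec in batch:
        body = {k: rec.get(k) for k in ("station", "seq", "payload")}
        sent = str(rec.get("mac", "")).encode()
        if not hmac.compare_digest(_tag(key, body).encode(), sent):
            problems.append(("bad_mac", rec.get("seq")))      # altered or forged
        elif body["station"] != station:
            problems.append(("wrong_station", body["seq"]))   # valid tag, wrong source
        elif body["seq"] in authentic:
            problems.append(("duplicate", body["seq"]))       # replayed or resent
        else:
            authentic[body["seq"]] = body
    # A sequence number with no authentic record was dropped or corrupted in transit.
    problems += [("missing", s) for s in range(expected) if s not in authentic]
    return [authentic[s] for s in sorted(authentic)], problems

def demo():
    """Constructed batch: one record altered, one dropped, one replayed."""
    batch = [seal(KEY, "station-7", i, {"ballot": f"b{i}", "choice": c})
             for i, c in enumerate(["A", "B", "A", "B"])]
    batch[1]["payload"]["choice"] = "A"   # altered after sealing
    del batch[2]                          # dropped
    batch.append(dict(batch[0]))          # replayed copy of record 0
    return verify_batch(KEY, "station-7", batch, expected=4)

if __name__ == "__main__":
    accepted, problems = demo()
    print([r["seq"] for r in accepted], problems)
```

The tag covers integrity only; keeping the cached records confidential in transit still needs the encryption the text mentions.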
3.2 Intentional Manipulations
There are four groups of actors that we surmise would be interested in
compromising the voting process.
The Evil Development Company. The danger of losing contracts due to
faulty equipment has been a constant concern of election technology
companies. They have small close-knit development organizations and review
their work together. These are all safeguards for their systems. Still, there is
concern that either as an individual or organization, the author of a voting
system might insert malicious code. This code could change votes, delay or
drop votes, or produce intentionally incorrect tallies. In addition, the code
could flood the rest of the system with invalid messages, damaging the
performance of the system. Finally, compromising elements such as specially
designed cryptographic code might be inserted to leak information about

