Privacy in the Voting Booth
By: Chris Groves
Reason for Privacy
• Voters worry that their vote may be held against them in the future
• People shouldn’t be rewarded or punished for who they voted for
• Voters don’t want to feel socially pressured to vote a particular way
• Voters shouldn’t feel peer pressure at the voting booth
Issues
• The system needs to have a physical paper trail in case the results come into question
• The trail can be used to keep track of the order of votes
• Must be sure that there is no record of the order in which people voted, e.g. video or paper
Non-Technical Measures
• The physical paper trail has to have its records randomized before any person is able to physically touch it
• No cameras may be permitted in the location or at the entrance/exit, to prevent any tracing back to database logs (if someone has video linking the time of a vote to a person, that is a privacy issue)
Technical Issues
• Recorded data needs to be heavily encrypted in case the physical storage medium is lost or stolen
• Where do electronic votes get stored? Local or remote?
Local Storage
• Must be stored on physical storage
• Need to collect all of the results to get the final tallies
• After the election all of the physical media must be collected and stored securely so that nobody can access them
Central Server
• Each voting terminal will transfer its votes to the central server via the Internet
• The central server then maintains the totals
• Still need the physical paper trail created at the voting terminal
Privacy/Security Concerns
• The system sends messages over the Internet, so they can be intercepted and read along the way
• Both the voting machines and the central server have to be exposed to the Internet during the voting period to allow traffic to be sent
IP Addresses
• The system would use static IP addresses
• The server would filter traffic so that it only accepts traffic it knows comes from the network of voting machines
• The addresses must be kept a closely guarded secret
IP Addresses Cont’d
• If the IP addresses became known, traffic could be intercepted between a voting machine and the central server
• An attacker could spoof the IP of a voting machine and send false votes
• It would also leave the system open to DoS attacks
Trusted Connection
• In this case we could use a public key system to ensure traffic is between the voting terminal and the server
• The better option is to use a confidential (shared) key
• All machines are known ahead of time, so all can be given the key beforehand
• This saves the overhead of exchanging keys
• The key must be kept strictly confidential
Encryption
• Even with these precautions, packets need to be encrypted because they can be intercepted en route
• Very high levels of encryption are needed, because the government has a great deal of computing power
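The Trusted Connection, IP Addresses and Encryption slides describe a server that accepts vote messages only from known terminals that hold the confidential key. The block below is an added example, not code from the presentation or its author, showing how that pre-shared key lets the server reject spoofed, tampered and replayed messages. Assumptions that are mine and not the slides’: the key is a 32-byte secret distributed to every terminal in advance; each message carries a terminal name (standing in for the source-IP filter), a random nonce, and the three fields the Data to Store slide lists (date, candidate, identifier); the terminal names and vote records are constructed test values. The confidentiality layer the Encryption slide calls for needs an AEAD cipher such as AES-GCM from a library (for example the `cryptography` package); this example stays within the Python standard library and shows only the authentication the shared key provides.

```python
"""Authenticated vote messages with a pre-shared key (added example; stdlib only).

Assumed design (not from the slides): HMAC-SHA256 over a canonical JSON body,
a per-message random nonce against replay, and a server-side allow-list of
terminal names that plays the role of the slides' source-IP filter.
"""
import hashlib
import hmac
import json
import secrets

# Constructed allow-list of terminal names; the slides filter by IP instead.
KNOWN_TERMINALS = {"poll-01", "poll-02"}

# Only these three fields may be stored, as the Data to Store slide requires.
ALLOWED_FIELDS = {"date", "candidate", "identifier"}


def _canonical(body: dict) -> bytes:
    """Serialize deterministically so terminal and server compute the same tag."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, terminal: str, record: dict) -> dict:
    """Terminal side: wrap a vote record with a fresh nonce and an HMAC tag."""
    body = {"terminal": terminal, "nonce": secrets.token_hex(16), "record": record}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class VoteServer:
    """Central server: verifies source, tag, freshness and shape before tallying."""

    def __init__(self, key: bytes, known_terminals):
        self._key = key
        self._known = set(known_terminals)
        self._seen_nonces = set()
        self.tallies = {}

    def receive(self, message: dict):
        """Return (accepted, reason); a rejected message never touches the tallies."""
        body = message.get("body", {})
        if body.get("terminal") not in self._known:
            return False, "unknown terminal"          # the allow-list filter
        expected = hmac.new(self._key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, message.get("tag", "")):
            return False, "bad tag"                   # forged or tampered in transit
        nonce = body.get("nonce")
        if nonce in self._seen_nonces:
            return False, "replay"                    # same message sent twice
        self._seen_nonces.add(nonce)
        record = body.get("record", {})
        if set(record) != ALLOWED_FIELDS:
            return False, "unexpected fields"         # refuse to store anything extra
        candidate = record["candidate"]
        self.tallies[candidate] = self.tallies.get(candidate, 0) + 1
        return True, "accepted"


if __name__ == "__main__":
    shared_key = secrets.token_bytes(32)              # distributed beforehand in the slides' design
    server = VoteServer(shared_key, KNOWN_TERMINALS)
    vote = {"date": "2024-10-21", "candidate": "A", "identifier": "constructed-id-1"}
    print(server.receive(seal(shared_key, "poll-01", vote)))   # accepted
    print(server.receive(seal(b"\x00" * 32, "poll-01", vote)))  # bad tag: wrong key
    print(server.tallies)
```

A message from a sender that spoofs a known terminal name but lacks the key fails the tag check, which is the property the slides rely on the confidential key for; the nonce set is the part that the allow-list and the key do not cover on their own.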
Data to Store
• Stored information should be kept to a bare minimum to minimize the possibility of linking a vote to a voter
• For this system 3 parts shall be stored:
 – Date – needed in the case of a discrepancy and an audit of the results
 – Candidate
 – Identifier – confirms that the vote came from a legitimate source
Identifier
• Must be unique to each voter, but the voter cannot be identified from the ID
• In Canada everyone has a Social Insurance Number that uniquely identifies them; we can use that to generate our identifier
• We can keep a database of generated IDs so that only people who have actually shown up to vote have IDs
Generating the ID
• We need a one-way function
• Could use a one-way hash function
• This would make it computationally infeasible to get the voter’s Social Insurance Number from the ID
• Use a hash function on the person’s Social Insurance Number
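The Identifier and Generating the ID slides derive the identifier by hashing the Social Insurance Number, and the previous slide keeps a database of issued IDs. The block below is an added example, not code from the presentation or its author. It makes one change a practitioner would want: a plain hash over a nine-digit number is not one-way in practice, because every possible input can be hashed and compared against a stored ID, so the example keys the hash with the confidential key from the Trusted Connection slide (HMAC-SHA256). An ID then cannot be recomputed without the key, and whoever holds the key can link IDs back to SINs, which is why the slides insist it stay confidential. Assumptions that are mine: the key is a 32-byte secret available at the poll, the SIN is accepted with or without the usual spaces or dashes, and the SINs used in the usage section are constructed test values.

```python
"""Keyed voter identifier with a registry of issued IDs (added example; stdlib only).

Assumed design (not from the slides): HMAC-SHA256 keyed with the confidential
key instead of a bare hash, so the nine-digit input space cannot simply be
enumerated against a stored identifier by anyone without the key.
"""
import hashlib
import hmac
import secrets

SIN_DIGITS = 9


def normalise_sin(sin: str) -> str:
    """Accept '123-456-789', '123 456 789' or '123456789'; reject anything else."""
    digits = sin.replace(" ", "").replace("-", "")
    if len(digits) != SIN_DIGITS or not digits.isdigit():
        raise ValueError("SIN must be exactly nine digits")
    return digits


def voter_id(sin: str, key: bytes) -> str:
    """Keyed one-way identifier: HMAC-SHA256 over the normalised SIN, hex encoded."""
    return hmac.new(key, normalise_sin(sin).encode("ascii"), hashlib.sha256).hexdigest()


class IdRegistry:
    """The slides' database of generated IDs: stores identifiers only, never SINs."""

    def __init__(self, key: bytes):
        self._key = key
        self._issued = set()

    def issue(self, sin: str) -> str:
        """Issue an ID to a voter who has shown up; a second attempt is refused."""
        vid = voter_id(sin, self._key)
        if vid in self._issued:
            raise ValueError("an identifier was already issued for this voter")
        self._issued.add(vid)
        return vid

    def is_known(self, vid: str) -> bool:
        """The central server asks this when a vote's identifier must be legitimate."""
        return vid in self._issued

    def count(self) -> int:
        return len(self._issued)


if __name__ == "__main__":
    poll_key = secrets.token_bytes(32)       # the confidential key, distributed beforehand
    registry = IdRegistry(poll_key)
    first = registry.issue("123-456-789")    # constructed test SIN
    print(first, registry.is_known(first))
    try:
        registry.issue("123 456 789")        # same voter, different formatting
    except ValueError as err:
        print("refused:", err)
```

Because the registry holds only identifiers, losing the database alone does not reveal who voted; the key is the single secret that would make the link, matching the slides' conclusion that the confidential key is what keeps the data unlinkable.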
Conclusion
• For this system to work effectively, it’s important that all parts work together
• It’s particularly important that the confidential key and the list of IP addresses be kept private
• If they remain confidential, the technologies can ensure that the data is secure and that it can’t be linked back to an individual voter