1 Introduction

Voting is a tenet of democracy and a fundamental right afforded to every American citizen. While every voter expects that their vote will be counted, there are instances when this expectation is not met. Because many members of the armed services are away from their local polling place during election cycles, they are unable to cast their ballot in person. As a result, the Uniformed and Overseas Citizens Absentee Voting Act (UOCAVA) was passed, allowing qualified service members to vote by mail. This process allows a state to mail a blank ballot to the UOCAVA voter. After the voter makes selections on the ballot, it can be mailed back to his or her home state to be counted. Although UOCAVA is the law, many service members and overseas voters still do not have their ballots counted due to various circumstances. According to a 2010 survey conducted by the United States Election Assistance Commission, only about 35% of the ballots sent to UOCAVA voters were returned to the states [1]. Of those returned ballots, almost seven percent were not counted. The reasons for ballot rejection include lack of a postmark, missed deadlines and irregularities with voter signatures. Because their ballots are often not received, or are received and not counted, military and overseas voters are essentially being disenfranchised. While many have considered Internet voting to be the solution to this problem, there are those who worry about its security.

Dr. Barbara Simons, a member of the Board of Advisors of the U.S. Election Assistance Commission, has stated that Internet and electronic voting are much less secure and reliable than traditional paper ballots, like those currently used by UOCAVA voters. She argues that Internet and electronic voting systems are not secure because many do not print a paper ballot that can be hand counted [2]. Additionally, she explains that these systems are susceptible to both simple and sophisticated attacks, including viruses and denial of service [3]. The first structured analysis of Internet voting in the US was presented by the California Internet Voting Task Force (IVTF) [4]. The idea of Internet voting has been around for well over a decade. Although many issues remain, such as security and Internet availability to the general public, a structured, well-thought-out Internet voting system could provide a solution to the issues of military overseas absentee voting. Along with security, scalability is often a concern for voting systems with client-server architecture. Evidence of ways to address this has been shown in previous work [5]. In the past, the adoption of Internet voting systems was based on the potential benefits they offered over current implementations [6, 7]. This research suggests the development of a process called Televoting that could give military and overseas voters the ability to cast a private ballot that is counted on Election Day. With the Televoting process, UOCAVA voters will not need to sign and mail their ballots. This eliminates the possibility of any ballot being rejected due to signature irregularities or problems with the mail. Televoting also addresses security issues raised by Dr. Simons and others. This process is presented as a secure alternative to the problem of mailed ballots and Internet voting in general for uniformed and overseas citizen communities.

2 Related Works

There have been many Internet-based voting systems developed worldwide. Many of these systems rely heavily on cryptography to make sure votes are not hacked or altered. The Estonian voting system is one of the first Internet voting systems implemented [8]. Currently it has the longest history of development, usage and evaluation. With this system, voters can vote on their computers/smart-card based systems or mobile phones. In the event that voters want to change their selections, they also have the option of voting at a polling place later. Although the option of overriding votes is very useful, this system suffers from a vulnerability to malware hijacking the GUI. In this case voters may submit an incorrect vote without knowing. Another Internet-based voting system is Helios [9]. Helios was developed mainly for low-coercion elections. Helios allows users to check whether their vote has been counted using a web interface. It also enables users to check whether their ballot was changed on the server. Helios takes an interesting approach to Internet voting but is still vulnerable to malware injections during the ballot-casting phase. If votes are tampered with prior to being sent to the server, voters will not be able to detect whether their initial selection was changed. Remotegrity is another Internet voting solution that was initially developed as an absentee voting system [10]. Remotegrity is an end-to-end voting system that claims to offer voters ballot privacy. Unlike Helios, with Remotegrity ballot manipulation can be detected. After voting, users are able to verify their vote by visiting a website. Although this implementation provides advantages, it still requires users to visit polling stations. The Rijnland Internet Election System (RIES) is another implementation that utilizes the Internet [11]. RIES is among the largest Internet voting systems in the world. With RIES, voters are able to check whether their vote has been counted after an election is closed. The RIES system also gives users the ability to vote by regular mail. Despite some benefits, this system allows connections from all computers and assumes each connected client can be trusted.

Although these previous voting systems have made progress in recent years, many issues for Internet voting still exist. Many previous systems rely on cryptography alone. Previous research has shown that even with the advancements of modern-day cryptography these systems could still be vulnerable to ballot manipulation. This paper presents Televoting, which builds on the videoconference technology advancements used in Telemedicine. Televoting gives overseas voters the ability to vote securely and verify their vote without the need to keep it on a server.

3 Approach

The following sections discuss the Televoting voting process and the system design. Further, current limitations will be discussed along with ways Televoting addresses current issues present in previous E-Voting systems.

3.1 The Voting Process

Televoting is an in-browser voting system that allows voters to vote and communicate with election officials via a video stream. Voters begin the Televoting process by filling out their ballot online using Prime III from their web browser [12]. Once the voter is done filling out the ballot, the voter is placed in a queue and the system notifies all connected election officials back in the voter’s home precinct. Once an election official is done assisting other voters, they can service the next voter in the queue. Once connected, the voter will see and hear the election official assigned to him/her. The election official will verify the voter’s identity and vice versa.

When the voter confirms that they are ready to cast their ballot, the election official clicks the print button. This causes the voter’s ballot to print in the same room as the poll worker, back in the voter’s home precinct. As the ballot prints, the voter can hear and see the ballot being printed in real time via a camera that sits under the printer. As an additional security measure, the poll worker shows a number that is shared between them and the voter. Figures 6 and 7 show this secret ID number (‘83’ in this case). The number is shown first in the face camera view and then in the printer view. This approach allows voters to verify that their ballot made it to the correct poll worker. As an additional security method, the clock shown in Fig. 6 provides a liveness test.

A camera connected to the printer provides visual feedback to the voter, allowing them to visually verify that the ballot is correct. If the ballot is incorrect and has been manipulated, the voter will notice and notify the poll worker. At that point the poll worker will be able to report the incident and the issue can be addressed. Once the voter confirms the contest selections on the printed ballot, s/he tells the poll worker that the correct ballot was printed, and the poll worker presses a button that releases the ballot from the printer into the ballot box. The session then ends.

3.2 Client

The client-side interface was built using HTML, JavaScript, and ActionScript. The current version of Televoting uses web pages for the voter and poll worker interfaces. Prior to being connected to the poll worker, voters are able to view the poll workers working at the polling station they will be connected to. Figure 1 shows a user waiting to be connected and browsing through the poll workers that are assisting overseas voters. Voters also have the ability to view the polling station from a bird’s eye view via an IP camera, as shown in Fig. 2. This feed is sent from the IP cameras through a server to the voter, as shown in Fig. 8. This feature was added so that voters could get a view of the poll workers they will be connected to within the polling station. Other citizens who would like to audit the polling station can also use this same view. In this way Televoting not only presents a way to submit votes but also enables citizens to detect when suspicious activity is happening at a polling station. Seeing the poll worker within their home precinct could also build voter trust in the system. These factors greatly influenced the addition of IP cameras to the Televoting design. Prior to being connected to the voting official, voters complete their ballot as shown in Fig. 4. When the voter is done, no data is sent over until the poll worker is connected. Figure 3 depicts an overseas military voter and a domestic poll worker waiting to be connected. When the poll worker is connected, data is sent over and the poll worker has the ability to print the ballot. The voter page includes three video feeds, as shown in Fig. 5. One feed shows a video stream of the connected election official and another feed shows the printer that prints the voter’s ballot. An additional feed shows the voter a view of both the poll worker and printer. When the voter views the stream with the poll worker’s face, they will be able to confirm that it matches the listed poll workers’ pictures. This feature was also aimed at increasing trust and making it easier for voters to detect when the system has been compromised. In the rare case that hackers are able to intercept the video stream and stage a fake polling precinct, it would also be necessary to find a poll worker who looks extremely similar to the real voting official. Keeping the human in the loop as much as possible with this system results in multiple security concerns being addressed. This also makes Televoting less likely to be vulnerable to votes being changed undetectably. The poll worker’s client view consists of a view of the current voter (if any), a list of voters in the queue and a print button. A session between a poll worker and voter can end after the poll worker clicks print and the voter verifies the printed ballot. When a poll worker finishes with one voter, the ‘next voter’ button is enabled. This button is disabled prior to finishing with the current voter. This was done to prevent poll workers from skipping voters, which could have raised issues. This button allows poll workers to inform the system that they are ready for the next voter in the queue. When it is clicked, the next voter in the queue will be connected.

Fig. 1. Voter waiting to be connected to poll worker

Fig. 2. Polling station view

Fig. 3. Voter and poll worker

Fig. 4. Voter using Prime III

Fig. 5. Voter view of printer and poll worker

Fig. 6. Poll worker using liveness test on face camera

Fig. 7. Poll worker using liveness test on printer camera

Fig. 8. Televoting system design

3.3 Server

The server consists of a third-party media server that handles the video streams and messages between the poll workers and voters. The logic of the poll worker and voter connections is handled on the server. A connection is triggered when a poll worker selects the next voter button. This causes the server to connect the poll worker with the next voter in the queue. When connected, the server sends the video streams from the printer camera and poll worker camera to the connected client. A video stream from the voter’s web camera is also sent to the poll worker. The ballot is sent to the server temporarily. Once the poll worker clicks the print ballot button, the ballot is printed and the vote is deleted from the server. Deleting the ballot from the server does not influence the ability to perform a recount: Televoting relies on the printed ballot in the case that a recount is needed. The server also handles the transmission of video streams from IP cameras connected at the polling stations. These cameras use a connection that can be accessed by the public but would not interfere with the private connections between poll workers and voters. A third-party media server handles the transmission and encryption of the video streams and ballots. Security concerns that may affect the server-side implementation are addressed in the following section.
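The connection and ballot-handling rules described in this section, written as a small in-memory state machine. This is an added example, not Televoting's code: the class, method and state names are hypothetical, the printer is a callback supplied by the caller, and ending the session after a reported incident is an assumption.

```javascript
// Hypothetical session broker; names and states are assumptions, not Televoting's API.
class SessionBroker {
  constructor(printFn) {
    this.printFn = printFn;     // sends a ballot to the precinct printer
    this.queue = [];            // voter ids in arrival order, never ballot data
    this.sessions = new Map();  // workerId -> { voterId, state, ballot }
  }

  // A voter who has finished marking the ballot joins the queue.
  // The ballot stays in the browser until a poll worker is connected.
  enqueue(voterId) {
    this.queue.push(voterId);
    return this.queue.length;   // position in line
  }

  // "Next voter" button: refused while the worker's current session is open (no skipping).
  nextVoter(workerId) {
    const cur = this.sessions.get(workerId);
    if (cur && cur.state !== 'ended') throw new Error('current session not finished');
    if (this.queue.length === 0) return null;
    const voterId = this.queue.shift();
    this.sessions.set(workerId, { voterId, state: 'connected', ballot: null });
    return voterId;
  }

  // The ballot is accepted only from the voter paired with this worker.
  submitBallot(workerId, voterId, ballot) {
    const s = this.#inState(workerId, 'connected');
    if (s.voterId !== voterId) throw new Error('voter is not paired with this worker');
    s.ballot = ballot;
    s.state = 'ballot-held';
  }

  // "Print" button: print, then delete the server copy; the paper is the record.
  print(workerId) {
    const s = this.#inState(workerId, 'ballot-held');
    this.printFn(s.ballot);
    s.ballot = null;
    s.state = 'printed';
  }

  // Voter's verdict after watching the printer camera. Ending the session
  // on a reported incident is an assumption made for this example.
  finish(workerId, voterConfirmed) {
    this.#inState(workerId, 'printed').state = 'ended';
    return voterConfirmed ? 'released-to-ballot-box' : 'incident-reported';
  }

  #inState(workerId, expected) {
    const s = this.sessions.get(workerId);
    if (!s || s.state !== expected) throw new Error(`session is not in state ${expected}`);
    return s;
  }
}
```

The server holds ballot data only between `submitBallot` and `print`, so a compromise of the server at any other moment finds queue entries and session states but no votes.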

3.4 Security Concerns

All Internet-based systems are susceptible to cyber attacks. Televoting was developed with security in mind first. To develop an effective Internet-based voting system that achieves societal acceptance, security concerns must be a primary focus. One concern with many systems that include client-server architecture is Secure Shell (SSH) vulnerability. One way attackers may try to attack the server is through scripts that spawn remote commands via SSH variables. If an attacker succeeds in gaining root access, the system could be compromised and ballots could be sniffed while they are temporarily held on the server. Even though this would not affect voter privacy, since ballots are not uniquely connected with voters, it could allow attackers to stop processes running on the server. This could result in video streams or ballots not being transmitted between voters and poll workers. Another major concern is that attackers may be able to change votes on the server if the attack is successful. Although this is technically possible, voters would be able to detect this change once the ballot is printed. In this case, even if an attacker gains access to the server, it would be nearly impossible to change the ballot without being detected. To achieve this, attackers would have to set up an extremely sophisticated system that consists of staging a fake poll station and recruiting multiple poll workers who resemble those listed on an official government-regulated website. One example of a client-side vulnerability for Internet voting systems is cross-site scripting (XSS). XSS allows attackers to execute JavaScript by entering it into elements such as input boxes. Not addressing this issue could enable attackers to retrieve information about the election (vote cast, etc.). To address this issue, all input boxes within Televoting are sanitized before their contents are passed between pages. This involves making sure no JavaScript was included in the input box. Even though this vulnerability doesn’t pose a major risk to Televoting due to how data is handled, it was still addressed as a precautionary measure. Man-in-the-middle attacks are another security concern for Internet-based voting systems. These attacks allow hackers to view transmitted data with network sniffers such as Wireshark. Successful man-in-the-middle attacks can also tamper with data as it is being transmitted. As mentioned before, manipulated ballots can be detected with Televoting via the video stream of the printed ballot. Televoting takes an approach that utilizes multiple types of security measures. Along with the liveness test, made possible by the video conferencing technology, standard security procedures are applied. To address the issue of man-in-the-middle attacks, HTTPS connections are used. As an additional measure, multiple certificates are installed on client and server machines. There are two types of clients in Televoting: voter and poll worker. The poll worker and voter have two separate keys. The first key is a public key on the client side. The second key is a private key on the server side. Without a key, other computers will not be able to connect to the server. A second certificate is required for the poll worker computers. This certificate would help ensure attackers cannot attempt to stage fake polling stations.
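One way to handle the input-box concern above is to validate ballot data against the ballot definition and encode on output, rather than searching the input for JavaScript. This is an added example, not Televoting's code: the ballot definition, the write-in rule and all function names are assumptions, and the sample values are constructed.

```javascript
// Constructed ballot definition; contest and candidate names are placeholders.
const BALLOT_DEF = {
  president: { choices: ['Candidate 1', 'Candidate 2'], writeIn: true },
  measure_1: { choices: ['Yes', 'No'], writeIn: false },
};

// Output encoding for values placed into HTML text or a quoted attribute.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Accept a selection only if it is a listed choice or, where the contest
// allows it, a write-in made of letters, spaces, periods, apostrophes and
// hyphens (assumed rule). Error strings never echo attacker-supplied text.
function validateSelections(def, submitted) {
  const errors = [];
  const selections = {};
  for (const [contest, value] of Object.entries(submitted)) {
    const known = Object.prototype.hasOwnProperty.call(def, contest);
    if (!known) { errors.push('unknown contest'); continue; }
    const rule = def[contest];
    const isChoice = typeof value === 'string' && rule.choices.includes(value);
    const isWriteIn = typeof value === 'string' && rule.writeIn &&
      /^[\p{L} .'-]{1,40}$/u.test(value);
    if (isChoice || isWriteIn) selections[contest] = value;
    else errors.push(`${contest}: value not allowed`);
  }
  return { ok: errors.length === 0, errors, selections };
}

// Build the review list shown on the next page. Every value is encoded here,
// even though it already passed validation.
function renderReview(selections) {
  return Object.entries(selections)
    .map(([contest, value]) => `<li>${escapeHtml(contest)}: ${escapeHtml(value)}</li>`)
    .join('');
}
```

A write-in such as `O'Brien` passes validation and is rendered with the apostrophe encoded, while any value containing markup is rejected before it reaches another page.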

4 Conclusion

Internet voting has gained popularity in many regions but has yet to gain much popularity in the US. This is mainly due to low societal acceptance and security vulnerabilities that have been exposed in previous implementations. To develop an Internet system that achieves societal acceptance, it must first resemble the process that is currently in place. Televoting combines the benefits of the traditional ways of voting with the benefits offered by modern-day technology. More work must be done before Televoting can be offered to the general public, but it functions as a feasible option to serve overseas soldiers. Although some limitations still exist, such as cost and manpower, this system offers our soldiers a fundamental right that they deserve while they are serving their country.

5 Future Work

To further test Televoting, pilot studies are being scheduled on a regional level. Security is a major concern with any Internet voting system. With this in mind, input from security experts from around the country is currently being collected. After the first round of testing is complete, work will be done on Televoting’s scalability and on addressing security concerns such as denial-of-service. It is also important that all users (voters, poll workers) have a good experience with Televoting. To ensure this, user studies will be done to investigate Televoting User Experience (UX). Based on these findings, the system will be modified to better address expressed user needs and concerns.