How Could Snowden Attack an Election?

  • Conference paper
Electronic Voting (E-Vote-ID 2017)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 10615)

Abstract

We discuss a new type of attack on voting systems that, in contrast to attacks described in the literature, does not disrupt the expected behavior of the voting system itself. Instead, the attack abuses the normal functionality to link the tallying of the election to the disclosure of sensitive information assumed to be held by the adversary. Thus the attack forces election officials to choose between two undesirable options: not to publish the election result, or to play into the adversary’s hand and publicize sensitive information. We stress that the attack is different from extortion and not restricted to electronic voting systems.

We use “Snowden” as a placeholder for somebody in possession of sensitive information and do not in any way suggest that he has any intention to attack any elections. The 2016 presidential election in the USA shows that there may be other parties in possession of similar information with the intent to disrupt elections.

R. Krimmer—Work supported in part by the Estonian Research Council project PUT1361.

References

  1. Swedish Election Authority: Election results 2014. http://www.val.se

  2. Benaloh, J., Moran, T., Naish, L., Ramchen, K., Teague, V.: Shuffle-sum: coercion-resistant verifiable tallying for STV voting. IEEE Trans. Inf. Forensics Secur. 4(4), 685–698 (2009)

  3. Halderman, J.A., Pereira, O. (eds.): 2012 Electronic Voting Technology Workshop/Workshop on Trustworthy Elections (EVT/WOTE 2012), Bellevue, WA, USA, 6–7 August 2012. USENIX Association (2012)

  4. Halderman, J.A., Teague, V.: The New South Wales iVote system: security failures and verification flaws in a live online election. In: Haenni, R., Koenig, R.E., Wikström, D. (eds.) VOTELID 2015. LNCS, vol. 9269, pp. 35–53. Springer, Cham (2015). doi:10.1007/978-3-319-22270-7_3

  5. Heiberg, S., Laud, P., Willemson, J.: The application of i-voting for Estonian parliamentary elections of 2011. In: Kiayias, A., Lipmaa, H. (eds.) Vote-ID 2011. LNCS, vol. 7187, pp. 208–223. Springer, Heidelberg (2012). doi:10.1007/978-3-642-32747-6_13

  6. Khazaei, S., Terelius, B., Wikström, D.: Cryptanalysis of a universally verifiable efficient re-encryption mixnet. In: Halderman and Pereira [3]

Acknowledgments

We thank a number of researchers that took part in our early discussions. We also thank civil servants and politicians in government organizations in several countries for their valuable feedback.

Corresponding author

Correspondence to Douglas Wikström.

A Situation in Selected Countries

To make things more concrete we briefly discuss how serious the attack is in a handful of countries.

A.1 Australia

Many Australian elections allow each voter to rank many candidates, so each ballot may have about 100! different possibilities. Furthermore, tallying by Single Transferable Vote (STV) generally needs knowledge of most of each permutation—there is no easy way to split up the vote when tallying. Many Australian electoral authorities make complete voting data available on the web, for the very good reason that third parties may independently redo the count.

These sorts of voting systems are also vulnerable to a coercion attack sometimes called the “Italian attack”, in which voters are coerced into casting a particular voting pattern. The attack presented in this paper uses a similar feature, namely the large number of possible votes, but in a different way. Hence there is already some literature on how to compute a verifiable STV tally using cryptographic methods without revealing individual votes [2]. These mechanisms would also address the attack described in this paper, though they remain computationally intensive and not integrated into the Australian electoral process.

A.2 Estonia

A discussion related to the attack took place in Estonia in 2011, when an invalid i-vote was encountered for the first time in the history of the Estonian i-voting system. The discussion is presented in [5], Sect. 3.1, “Case: Invalid I-vote”; an executive summary follows. One of the i-votes was registered as invalid by the system during the tabulation phase of the Parliamentary Elections on March 6th, 2011.

The analysis of the system error logs showed that the invalid i-vote appeared to be correctly encrypted with the election public key. The reason behind the invalid i-vote could have been a bug in some of the components of the i-voting system, a human mistake in the system setup, or an invalid i-vote cast intentionally (by implementing one's own voting client or interfering with the existing one).

Only a human mistake in the setup procedures could be excluded without decrypting the i-vote, so the National Electoral Committee (NEC) decided to decrypt the invalid i-vote and examine its contents in the hope of finding the root cause of the problem. The time window between the decision and the planned action gave an opportunity to consider the invalid i-vote as a possible attack. If the attacker was aiming for publicity, then the attacker could use the simple scenario allowing manipulation to lure the election officials into showing whether the NEC, contrary to their claims, can find out who cast the vote from the contents of the ballot.

If some more sophisticated technique to invalidate the ballot had been applied, then the contents of the ballot could have been anything from the personal identification of the attacker, or of someone not involved at all, to a well-formed ballot with an invalid candidate number.

After considering the matter of ballot secrecy and the possibility of an attack against i-voting as such, the NEC reached the conclusion that it would be better not to create a precedent of decrypting one i-vote separately from others. The decision from April 1st was reverted on April 8th.

A.3 Sweden

In Sweden the elections for parliament, county councils, and municipalities all take place at the same time, but using three distinct ballots and envelopes. Thus, it is not a bundled election. A voter picks a ballot paper with a pre-printed party name and a list of persons. He may make a single mark in front of one of the persons to increase her chances of getting a seat. This is called a “personröst” (person vote).

Votes are then counted and sieved for invalid votes at several levels and all counting is open for the public. The ballot papers are first taken out of their envelopes in the polling station by the election workers. Ballots that are deemed invalid are put back into their envelopes and put in a separate stack. There are exceptions, but broadly speaking a ballot is invalid if it is not formed as described above. The votes are then recounted by another authority before the final result is announced. During the first counting only party votes are counted and the person votes are ignored.

The voting system in Sweden has been reformed in several ways in preparation for the 2018 elections. Fortunately, a side effect of these changes is that the attack presented in this paper is harder to execute. Before the reform a voter could cast a write-in vote for a party or person. As of 2018 all parties and persons must be registered and acknowledge that they are willing to serve if they are elected.

We remark that parties such as “Kalleankapartiet” (Donald Duck party) would always receive a couple of votes and the results from the 2014 election are available at [1]. Although there are no longer any write-in votes (of Type II as defined in Sect. 4.1), an attacker can demand to see invalid votes and she could use post-it notes of multiple colors, corrupt a handful of voters and execute the attack in this way. There is also a fair number of fringe parties that only get a handful of votes and even more individuals listed for the parties that get even fewer votes. Thus, there is plenty of room to encode a key.

The system could be substantially hardened by replacing the public counting with counting in the presence of a randomly selected set of citizens and by not reporting results for parties that receive a small number of votes, or reporting them in aggregated form at a national level if the number of votes increases notably by doing this. Furthermore, a threshold could be introduced to register a party whereby it must be made plausible that it will receive, e.g., a few thousand votes. Such thresholds are already in place in several countries. A similar approach could be used for person votes.
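The reporting rule proposed above can be made concrete with a short sketch. This is an added example, not code from the paper or from any election authority; the threshold of 50 votes, the `(other)` bucket label, the function names and the sample tallies are all assumptions made for illustration.

```python
from collections import Counter

OTHER = "(other)"  # hypothetical label for the aggregated bucket


def collapse_small(tally, min_votes):
    """Keep counts >= min_votes; merge every smaller count into OTHER.

    The merged bucket still reveals one number per report, but no longer
    one number per fringe party or person.
    """
    report = {party: v for party, v in tally.items() if v >= min_votes}
    hidden = sum(v for v in tally.values() if v < min_votes)
    if hidden:
        report[OTHER] = hidden
    return report


def publish_results(district_tallies, min_votes=50):
    """Return (per-district reports, national report).

    A party below the threshold in every district is still reported by
    name nationally if its national total reaches the threshold, which is
    the "aggregated form at a national level" option in the text.
    min_votes is an assumed value, not a figure from the paper.
    """
    national = Counter()
    for tally in district_tallies.values():
        national.update(tally)
    districts = {
        name: collapse_small(tally, min_votes)
        for name, tally in district_tallies.items()
    }
    return districts, collapse_small(national, min_votes)


# Constructed sample tallies (not real election data).
SAMPLE = {
    "District 1": {"Party A": 4120, "Party B": 3875, "Fringe X": 31, "Fringe Y": 2},
    "District 2": {"Party A": 2990, "Party B": 3310, "Fringe X": 27, "Fringe Z": 1},
}

if __name__ == "__main__":
    districts, national = publish_results(SAMPLE)
    for name, report in districts.items():
        print(name, report)
    print("National", national)
```

With the sample data, "Fringe X" disappears from both district reports but is listed nationally with 58 votes, while the two single-digit parties appear only inside the national `(other)` bucket. Vote totals are preserved at every level, so the seat allocation can still be checked.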

Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Wikström, D., Barrat, J., Heiberg, S., Krimmer, R., Schürmann, C. (2017). How Could Snowden Attack an Election? In: Krimmer, R., Volkamer, M., Braun Binder, N., Kersting, N., Pereira, O., Schürmann, C. (eds) Electronic Voting. E-Vote-ID 2017. Lecture Notes in Computer Science, vol 10615. Springer, Cham. https://doi.org/10.1007/978-3-319-68687-5_17

  • DOI: https://doi.org/10.1007/978-3-319-68687-5_17

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-68686-8

  • Online ISBN: 978-3-319-68687-5

  • eBook Packages: Computer Science, Computer Science (R0)
