Thursday, January 26, 2017

Failure Modes of Internet-based Elections

Many companies and organizations depend upon online voting to elect people to leadership positions. It is difficult to ensure that the system used cannot be subverted. It is like ensuring that a rambling big house is safe against entry by burglars. The house might have strong walls and doors, but a single point of weakness can endanger the whole thing. For instance, can one remove a set of roof tiles and enter the house? Or can someone inside the house be fooled into opening a door for the intruder? Good technology is valuable in making elements of the system strong, but envisaging all possible modes of failure requires healthy skepticism and a systems point of view.

A service provider usually makes available the software and related infrastructure for running an election to the entity holding the election over the Internet. The service provider is selected to be a trusted partner, and is beyond suspicion.

However, the client organization needs to ensure that everything else is well thought out and free of risks. Some service providers create a password file starting from a list of the email IDs of all voters, provided by the client entity, and link a machine-generated password to each ID. Each voter needs the password linked to his/her email ID in the password file in order to cast a vote. The service provider's system sends an email to each voter for this purpose, giving the password to be used and describing the procedure to be followed.

The password file is sent to an officer nominated by the client entity, to inform them of the list of all voters contacted. This also allows the voters to be offered any necessary help in case of a missed email, etc. The officer nominated to handle the password file could be a paid employee or an elected person (let us call this officer Y). Some of the possible risks to the election arise from how safely this file is handled: whoever holds it holds every voter's credential.

Another possible risk arises from the fact that the list of eligible voters may not be accurate enough. Some of them might have left their companies and their email accounts might have been deleted, unknown to the party conducting the election. Hundreds of orphaned emails inviting members to vote and giving the necessary password could bounce, and the election software might direct them to Y. How these emails are handled, and who can access them, will again decide how reliable the election is going to be.

One would have to consider the specifics of any system used and the supervisory mechanisms that oversee the election to find possible modes of failure such as the two described above.

In many cases, there may be simple ways of reducing risks from any anticipated failure mode. For instance, the service provider who makes the IT infrastructure available for elections could withhold the password file until the election is over and only then make it available to Y. Similarly, there is no need to make any bounced emails available to Y until after the election is over. This means that Y cannot help any voter who does not receive an email from the service provider; however, if the list of voter email addresses given to the service provider is reliable, Y's intervention would be unnecessary.
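The time-gated release described above can be enforced on the service provider's side rather than left to procedure. The following is an added illustration, not code from the post or from any real election provider: a credential escrow that issues one password per voter email, accepts each voter's ballot once while the election is open, and refuses to hand the password file or the bounced invitations to officer Y until the election has been closed. The class name, the email addresses and the invitation wording are all constructed for the example.

```python
import secrets
from typing import Callable, Dict, List, Set


class ElectionNotClosed(Exception):
    """Raised when the password file or bounce list is requested before the election closes."""


class CredentialEscrow:
    """Service-provider side (hypothetical): holds the password file and the bounced
    invitations, and releases them to officer Y only after the election is closed."""

    def __init__(self, voter_emails: List[str],
                 gen: Callable[[], str] = lambda: secrets.token_urlsafe(12)):
        # the "password file": one machine-generated password per voter email
        self._passwords: Dict[str, str] = {e: gen() for e in voter_emails}
        self._bounced: List[str] = []      # invitations that could not be delivered
        self._voted: Set[str] = set()      # voters who have already cast a ballot
        self.closed = False

    def invitation(self, email: str) -> str:
        """Text the provider mails to a voter (constructed wording)."""
        return f"To: {email}\nYour voting password is {self._passwords[email]}"

    def record_bounce(self, email: str) -> None:
        """Keep an undeliverable invitation inside the escrow instead of forwarding it to Y."""
        self._bounced.append(email)

    def cast_vote(self, email: str, password: str) -> bool:
        """Accept a ballot only while open, with the right password, once per voter."""
        if self.closed or email not in self._passwords or email in self._voted:
            return False
        if not secrets.compare_digest(self._passwords[email], password):
            return False
        self._voted.add(email)
        return True

    def close(self) -> None:
        self.closed = True

    def password_file(self) -> Dict[str, str]:
        """Released to Y only after close, so the file can no longer be used to cast votes."""
        if not self.closed:
            raise ElectionNotClosed("password file is withheld until the election closes")
        return dict(self._passwords)

    def bounced_invitations(self) -> List[str]:
        """Likewise withheld until close; Y then gets them for follow-up, not for voting."""
        if not self.closed:
            raise ElectionNotClosed("bounced invitations are withheld until the election closes")
        return list(self._bounced)
```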

The mode of operation described above is only one of many possible modes; but the concern for integrity of the election will be there in any case!

The aim of this blog post is to sensitize all those concerned with the integrity of online elections to some of the obvious risks in one mode of operation.