
Issues of electronic commerce and a simple demonstrator Vassilios Yannimaras BSc Information Systems 2002

Summary
This project report concentrates on the issues that surround present and future e-voting systems. The most important aspects of e-voting systems, such as system requirements, deployment options, user authentication, security risks and countermeasures, and the present state in the EU, are presented and examined. The final chapter covers issues concerning the simple on-line demonstrator that I have constructed to show what the voting process might look like.

Acknowledgements
I would like to thank my family, friends and teachers for helping and supporting me throughout the duration of my project.

Table of Contents
1. Introduction
1.1 Importance and purpose of project
1.2 Chapter Importance
1.3 Key success factors and evaluation criteria
1.4 Minimum requirements
1.5 Problem-solution approach
2. Project Management
2.1 Initial plan
2.2 Milestones
3. EU Sponsored Projects
3.1 Projects Presentation
3.2 Their Advantages
4. System Requirements
5. Deployment Options
5.1 Poll site and kiosk Internet voting
5.2 Classification based on software/hardware approach
5.3 Remote Internet voting
6. Security Issues
6.1 Security Risks
6.2 Countermeasures
7. User Authentication
7.1 Poll site and kiosk user authentication
7.2 Remote Internet voting user authentication
8. EML (Election Markup Language)
9. Simple Demonstrator
9.1 Voting process
9.2 Screenshots
9.3 Implementation and possible improvements
9.4 User testing
10. Conclusion
11. Evaluation
Appendix A Bibliography/References
Appendix B Project Experiences
Appendix C Gantt Charts

1 Introduction
Over the last two or three years we have all witnessed the rapid growth of e-commerce activities over the Internet. Furthermore, more and more countries are starting to use the Internet to provide services for the public sector. Their purpose is to improve the services they provide to their citizens, by improving convenience and lessening the cost, in both money and time. In this project report I shall present the most important aspects of e-voting (electronic voting). Electronic voting is a step further in the services that governments provide for their citizens, as it allows them to vote in general elections by using electronic means and Internet technologies. To do that, e-voting systems borrow, and are to a great extent based on, technologies and techniques from the context of e-commerce.

Additionally I shall build an on-line demonstrator to highlight what the voting process might look like.

1.1 Importance and purpose of project

As anyone could understand, general elections lie at the heart of each democratic state, as they give citizens the ability to elect their governors. So the proposed system must protect the process through all its stages. A breach of the security, integrity and reliability of the system could cause the whole process to collapse. All the above highlight the importance of an e-voting system and the great care that has to be taken while building and implementing it. On the other hand, I am looking forward to understanding how projects of this magnitude are implemented, with a lot of different teams all over the world trying to come up with end products, sometimes by working with each other, exchanging and publishing ideas and findings, and sometimes by competing with each other. In addition, I am looking forward to expanding my technical knowledge (i.e. security issues) through my final year project. As far as the demonstrator is concerned, my goal is to provide an example of what the voting process looks like and to further expand my web site building skills. The purpose of the demonstrator is not to build a fully functional system, as that would not be possible or applicable.

1.2 Chapter Importance

Following my research on the subject, I have decided to include the following chapters, as after reading the appropriate references I concluded that they cover the most important aspects of e-voting. I have decided to include a chapter on the E.U. sponsored projects and the advantages they have. If these projects are successful they will be of great benefit to citizens and will help towards a united and democratic Europe that will function as one state. In the requirements chapter I shall present the attributes that a solid and reliable e-voting system should have. In the deployment options chapter I shall present the different options that are under consideration for any future e-voting system, and highlight the advantages and disadvantages that have to be taken into consideration before proceeding with the implementation. User authentication is a very important aspect of e-voting, as it will be different from traditional systems. In the corresponding chapter I shall talk about the related issues. In the security issues chapter I shall talk about the security risks that e-voting systems may face, which are probably their Achilles heel, and ways to overcome them. I have also decided to include a chapter on EML (Election Markup Language), as its aim is to provide a standard framework for transferring data (i.e. ballots), which is a very important part. Finally, in my chapter on the web site that I have constructed, I shall explain the process and talk about its functionality.

1.3 Key success factors and evaluation criteria

For my final year project the key success factors consist of conducting a comprehensive study of e-voting, identifying the key issues of this subject, constructing a simple demonstrator to illustrate what e-voting may look like and testing it on users, and finally gaining extra experience in web design and its related technologies. The criteria for measuring them are respectively: a) the use of a list of references that are going to be characterized by their quality and diversity, b) the production of a limited list of issues with clear and significant importance in the e-voting context, c) by determining the features (of a proper e-voting system) that the demonstrator can and cannot show and by testing methodically how acceptable it is to users, d) by assessing the demonstrator's style, functionality and limitations.

1.4 Minimum requirements

Conduct a survey on issues of electronic voting
Produce a simple demonstrator

1.5 Problem-solution approach

To sum up, I would like to comment on the problem/solution perspective of my project. In this case we do not have a specific problem for which I am supposed to produce a piece of software that will constitute the solution. Instead, the problem in this case can be defined as pinpointing the most important issues (the security issues, for example) that surround e-voting. A solution, in turn, may be the presentation of the factors (the right deployment options, the requirements etc.) that will make an e-voting system successful. By knowing and understanding the important issues that surround e-voting it will be easier to make the right choices when we actually come to the design and construction stage.

2 Project Management
2.1 Initial Plan

[Gantt chart of the initial plan. Tasks: Identify projects; Present them thoroughly; Identify security problems; Analyze security problems; Design demonstrator; Produce first version; Improve first version; Project evaluation. Time axis: October to April.]

As I realize now, my initial time plan had quite a few flaws. First of all, the identification and presentation of the E.U. projects finished before the Christmas break, as it only took one chapter of the final report. Furthermore, the identification/presentation of the security problems was meant to be identification/presentation of technical issues in general. Lastly, the demonstrator was implemented between the 15th of March and the 15th of April, due to the fact that it took longer than expected to finish the technical issues.

At this point I would like to state that the project proved to be an ongoing process. By that I mean that I kept doing my research and writing the chapters at the same time. Furthermore, a lot of the time I did more than one thing at once (e.g. writing the report and implementing the web site, or writing more than one chapter concurrently). So the limits between different things are sometimes blurred. In the appendices I offer a few Gantt diagrams that explain the time scale of my whole project.

2.2 Milestones

25/3/02: Finish my on-line research and finalize the projects chapters
10/4/02: Finish the chapters on technical issues of e-voting
15/4/02: Finish the demonstrator
27/4/02: Finish the secondary chapters (e.g. conclusion, evaluation etc.)

3 EU Projects
The rapid growth of the Internet and the World Wide Web that we witnessed after the middle of the past decade has been followed by an extraordinary increase in e-commerce activities over the last two or three years. By the term e-commerce we mean the acquisition of products and services by using electronic means. Furthermore, the use of the Internet is becoming more and more common in personal communication and in the services that governments and states provide for their citizens. Naturally, the thought of general elections over the Internet (e-voting) has already arisen. General elections could be the single most important part of a democratic country. This fact, in combination with all the design, implementation and testing issues and problems of an e-voting system, makes its construction a very important yet extremely difficult task.

3.1 Projects Presentation

At the present moment there are three main projects, funded and run under the shield of the European Community (EU), which are trying to address the problem. These are E-VOTE, E-POLL and CYBERVOTE. There are a further two (WEBOCRACY, EURO-CITI) for which e-voting is part of their curriculum, or part of whose findings could be used in a successful implementation of an e-voting system. All of them have a cost between three and three and a half million euros (except WEBOCRACY, whose cost is 1.7 million euros), and at this point are in their execution stage, with contractors and vendor companies all over Europe. The latter could be a potential problem during the project, as none of them started before 2000 or has a completion date before 2003. So by the present day they have not proceeded deep into the implementation process, and that could be a problem in finding resources and information, as a lot of the issues will not have been addressed yet. In the following section I shall provide details and information for each of the projects individually.

The objectives of E-VOTE are to design, implement and test an Internet-based electronic voting system that will provide all the required services for organizing and running a general election process. The E-VOTE system will support the following main functions: a) ballot generation, b) specification of voting precincts, c) voter registration and credential validation, d) computation of the vote tally, e) communication of candidate parties with the public. Conventional Web browsers and WAP-enabled mobile phones would be used for access to the system. Furthermore, it will exhibit a Voting Protocol that will act as a shield against fraud or compromise of the voters' privacy, by implementing a wide set of security. E-VOTE's acceptability shall be tested by employing personnel specializing in voting procedures, legal aspects, as well as the sociological and behavioral aspects of such processes and systems. (Main contractors: Quality & Reliability International S.A).

The E-POLL project introduces innovative systems to support any voting process based on cutting edge technologies, as well as introducing new technologies. The goal of E-POLL is to bridge the gap between the availability of leading edge technologies and the existing issues related to their application to the voting process (e.g. legislation, confidentiality, security and reliability, roles in the election process, costs). The main obstacle to the introduction of electronic voting is the lack of clear guidelines on how to implement an electronic voting system; lack of standards has previously led to lack of interoperability between the developed solutions. It has also led to reduced confidence from voters and legislators. The E-POLL project will cope with these problems by defining an abstract framework (the European Virtual Ballot Network), by defining the components of the electronic vote process (voting lists, virtual polling stations, vote collection systems, voter identification devices, etc.) and lastly by defining and ensuring the information flow between the actors involved. This framework shall also address the vote preparation, the voter identification/anonymity, the voter authorization, and the vote transmission/security/count. (Main contractors: Siemens Informatica S.p.a.).

The CYBERVOTE project aims to contribute to the progress of European democracy by giving all its citizens the ability to use a state of the art electronic voting system. The main goal is to increase the total participation of European citizens in all kinds of elections, and especially to increase the participation of the following groups: a) young people, b) physically challenged people, c) immigrant minorities, d) socially excluded people. The objective of the CYBERVOTE project is to enable European citizens to vote through their mobile phones and PCs connected to the Internet, by taking advantage of the first completely secure cyber voting system based on WAP, WML, XML, HTML and Java technologies. While designing CYBERVOTE the following issues will be taken into account in the proposed solutions: a) allowing user authentication while guaranteeing ballot secrecy, b) sanctity and integrity but also the freedom of expression of the voter, c) the user-friendliness and the acceptability of the system. Also, trial applications will be conducted with disabled, ill and traveling people on different pilot elections. (Main contractors: Matra Systemes & Information).

The goal of WEBOCRACY is to provide citizens with innovative communication and access to voting systems that support and benefit increased participation of citizens in general elections, and to increase the transparency and accessibility of Public Administration. The objectives of the WEBOCRACY project can be summarized in two main parts: a) the organizational objectives: they aim at a new type and new quality of services provided for citizens, b) the scientific objectives: the design of a generic modular architecture of a Web-based system (referred to as the Webocrat system), and the development of modules of the Webocrat system and their implementation in an integrated fashion. (Main contractors: Technical University of Kosice).

The EURO-CITI project aims to specify, develop and validate a common architecture (and related services) that targets the public sector. The proposed services include the following features: a) e-voting, b) electronic submission of forms, c) e-consulting. E-voting will be used for opinion polls and petitions, which could be initiated by both the local authorities and citizens, and which aim to reinforce the concept of direct democracy. The proposed architecture will integrate, and where applicable enhance, key technologies that solve the issues of security, voter authentication/authorization, data description, user-centred interfaces, etc. The resulting EURO-CITI platform will be dynamically re-configurable to allow the performance of different tasks, like simultaneous voting on the same problem at geographically distributed areas. The testing will be supported by a generic methodology that allows process re-engineering and will be held in three different major European cities. (Main contractors: University of Athens).

3.2 Their Advantages

As I have already mentioned in the introductory section of this report, I shall not investigate the disadvantages of e-voting systems and their negative impact on society and democracy, as I believe these are closely related to a more social approach to the whole matter, which is outside the sphere of concerns of this report. On the other hand, at this point I would like to present some of the benefits and advantages, as they will help us realize the importance of the above projects. The main argument that supporters of e-voting systems put forward is that it will increase the turnout in general elections. But we have to remain skeptical, as for example only 35% of the UK population has home Internet access. There is no doubt that convenience shall increase through the use of a user-friendly system with no time and place restrictions, and hopefully it may appeal to younger and IT-friendly people. Such systems will also offer advantages over traditional voting systems, like the ability to notify voters of any mistakes they make while voting. Furthermore, the infrastructure (of the systems) can reduce the gap between the traditional European Union member countries and young democratic countries wishing to join the EU, by providing a European network specialized in electronic voting to apply common standards to electronic voting processes [1]. And last but not least, it could reduce the costs involved in setting up and staffing poll sites. However, new voting arrangements would, at least at first, be in addition to existing systems. This would entail large additional costs and several years of investment [2].

[1] E-poll web site
[2] Houses of Parliament Home Page, Online Voting Report

4 System Requirements

As we saw in the previous chapters there are quite a few serious attempts to build an on-line electronic voting system or to develop related technologies. In this chapter I shall concentrate on the specific requirements which this kind of system should meet. As with any other computer system, the requirements of an e-voting system depend on the purpose that the system will be used for, and the functions it will perform. An e-voting system must satisfy all the requirements of a traditional voting system, and more besides, as different and new technologies will be implemented. We have all participated in some form of election process and it is not hard to spot a lot of common features and elements. In a nutshell we could say that the main goal of any voting system is to protect two things: a) the integrity of the whole election process, and b) the privacy of all voters participating in the elections. To be more specific, we have to consider things like determining who is eligible to vote, asking for credentials when they attempt to vote and keeping track so that no one will be able to vote more than once, collecting the ballots and counting them to produce a result. Based on the above facts, in this chapter I shall present a collection of requirements, which may not be exhaustive (and the order is of no particular importance), but as we shall see from the importance of each requirement, each and every one of the following requirements must be satisfied.

Eligibility and Uniqueness: the system should only allow authorized voters to cast their vote and prevent everyone from voting more than once. This way the democratic nature of both the system and the process can be assured.

Verifiability: the system should give any proper independent authority the ability to actually verify that all votes have been counted correctly and that the correct result has been computed and announced (universally verifiable). Here we also have the term individually verifiable, which means that the voters themselves have the ability to verify the votes they have cast, and correct any mistakes.

100% Accuracy: every vote must be correctly counted, with zero tolerance for mistakes. What this means is that no validated vote may be excluded from the final count and no incorrect or invalid votes may be added to the final count. Furthermore, the system must make it possible for any problems in the form of inaccuracies to be detected and corrected.

Flexibility: election equipment should allow a variety of ballot question formats (e.g. open ended questions, write-in candidates, survey questions etc.). The single bit (yes/no) votes that some voting and cryptography protocols allow are a sign of inflexibility. In addition, room must be made for multi-lingual support and also special features for people with disabilities.

Convenience and Mobility: a system would be considered convenient if it allows voters to cast their votes in a short amount of time with the use of minimal equipment and without the need for any specialized skills. As far as mobility is concerned, there must be no restrictions (except logistical ones) on the location where a citizen can exercise his or her voting rights.

Efficiency and Cost-effectiveness: we should be able to administer and monitor the whole process with the use of a minimal amount of resources, both human and material. In addition, the total cost of building and implementing the e-voting system should lie within some pre-defined economic margins. If the total cost exceeds those boundaries by a lot, there is the fear of canceling out all its other benefits and advantages.

Reliability and System Robustness: the system should be able to work robustly (without the loss of any votes) on numerous occasions, including the possibility of an external hacker attack, the loss of the communication link, voting machine hardware failure etc.

Documentation: the whole of the design and implementation process, as well as all the operational and testing procedures, must be consistently and unambiguously documented. The documentation should be focused towards the acceptance of the system as well as helping with future maintenance, improvement or expansion of the e-voting system.

System and Data Integrity: the distributed computer system (both hardware and software) that will be implemented must be tamperproof. In an ideal situation, system changes must be forbidden and avoided throughout every one of the active stages of the election process. What this means is that, once certified, the core code, configuration information and initial parameters must remain static, otherwise the system will be vulnerable to attacks. Furthermore, all data involved should be tamperproof (i.e. no one should be able to forge or modify votes without being detected).

Privacy and Non-coercibility: by this we mean two things: a) absolutely no one, not even an election official, should be able to link a particular ballot to the person who cast it, b) no voter should be able to prove, in any way, that she or he voted in a particular way. The latter is of great importance in the context of vote buying/selling, coercion and extortion. People will not be able to sell their votes (and no one will be able to extort them) if they cannot prove beyond any reasonable doubt, to a buyer, that they voted for a particular party or candidate. The above must be preserved even in a case where the whole system or part of the system fails, and also after the elections for an unlimited period of time.

Transparency: voters, beyond the specific HCI issues, should be able to possess a general knowledge and understanding, up to a certain point, of the voting process. This should help towards increasing the public's degree of acceptance of the e-voting system.

Reliable Vote Transport and Storage: votes must be safely transported to the electronic ballot box and subsequently stored in such a way that there is no chance for them to be lost or altered. Furthermore, in a poll site system, we must provide the means for the votes to be stored on both the poll site computers and the central ballot box, for security and redundancy reasons.

In the above list I decided not to go into details about any technical aspects (especially the security issues), as they will be examined in the next chapters. But the importance of all the requirements still remains and they must all be taken into account in any present or future implementation of an e-voting system.
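As an added illustration (not code from the original report or from any of the projects it describes), the following Python example shows how three of the requirements above can be kept apart in a data model: eligibility and uniqueness are enforced by an electoral roll that never sees the ballot, privacy is kept by a ballot box that never sees the voter, and data integrity is checked with a hash chain whose head digest is held by an independent party. The class names, voter IDs and party names are constructed for the example; voter authentication and ballot encryption are assumed to be handled elsewhere.

```python
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # constructed starting value for the hash chain


class ElectoralRoll:
    """Eligibility and uniqueness: records WHO has voted, never WHAT."""

    def __init__(self, eligible_ids):
        self._eligible = set(eligible_ids)
        self._voted = set()  # a set keeps no check-in order to match against ballots

    def mark_voted(self, voter_id):
        if voter_id not in self._eligible:
            raise PermissionError("voter is not on the electoral roll")
        if voter_id in self._voted:
            raise PermissionError("voter has already cast a ballot")
        self._voted.add(voter_id)


class BallotBox:
    """Data integrity: hash-chained ballots that carry no voter identity."""

    def __init__(self, options):
        self._options = frozenset(options)
        self.records = []  # each record: choice, previous digest, own digest

    @staticmethod
    def digest(choice, prev):
        payload = json.dumps({"choice": choice, "prev": prev}, sort_keys=True)
        return hashlib.sha256(payload.encode("utf-8")).hexdigest()

    def is_valid(self, choice):
        return choice in self._options

    def head(self):
        return self.records[-1]["digest"] if self.records else GENESIS

    def cast(self, choice):
        if not self.is_valid(choice):
            raise ValueError("not a valid ballot option")
        prev = self.head()
        self.records.append(
            {"choice": choice, "prev": prev, "digest": self.digest(choice, prev)}
        )
        # Nothing is returned to the voter: a receipt that identifies the
        # record would let a voter prove how they voted (non-coercibility).

    def verify(self, published_head=None):
        """Recompute the chain; optionally compare with an independently held head.

        Without published_head only in-place edits are detected. Someone who
        rewrites every digest is caught only by the independently held head.
        """
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or rec["digest"] != self.digest(rec["choice"], prev):
                return False
            prev = rec["digest"]
        return published_head is None or prev == published_head

    def tally(self, published_head=None):
        # Accuracy: refuse to count a store that fails its integrity check.
        if not self.verify(published_head):
            raise RuntimeError("ballot store failed its integrity check")
        return Counter(rec["choice"] for rec in self.records)


def vote(roll, box, voter_id, choice):
    # Validate the ballot first so a rejected ballot does not use up the vote.
    if not box.is_valid(choice):
        raise ValueError("not a valid ballot option")
    roll.mark_voted(voter_id)
    box.cast(choice)


def demo():
    # Constructed sample election: three voters, two options.
    roll = ElectoralRoll(["V001", "V002", "V003"])
    box = BallotBox(["Party A", "Party B"])
    for voter, choice in [("V001", "Party A"), ("V002", "Party B"), ("V003", "Party A")]:
        vote(roll, box, voter, choice)
    head = box.head()  # handed to an independent authority at close of poll
    result = dict(box.tally(head))
    try:
        vote(roll, box, "V001", "Party B")
        second_vote_blocked = False
    except PermissionError:
        second_vote_blocked = True
    box.records[1]["choice"] = "Party A"  # simulated tampering with a stored vote
    tamper_detected = not box.verify(head)
    return result, second_vote_blocked, tamper_detected


if __name__ == "__main__":
    print(demo())
```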

5 Deployment Options
Through my research in electronic voting systems I have come to the conclusion that there appears to be more than one option for the deployment of any new e-voting system. Each one has its own advantages and drawbacks. A major criterion for categorizing them is the place (i.e. location) from where citizens have the ability to cast their vote. From that perspective we have poll site, kiosk site and remote Internet voting. A further classification can be made by taking into account the kind of software and specialized computer machinery that is used in each case. In this chapter I shall thoroughly present each case and also point out its advantages and disadvantages.

5.1 Poll site and kiosk Internet Voting


As mentioned above, the first distinction that can be made is based on the location from where citizens can cast their votes. The first two categories are poll site and kiosk voting. Poll site Internet voting refers to the casting of ballots at official public voting sites. Proper authorities (i.e. election officials) would control the whole of the voting platform. By the term voting platform we mean the software and hardware which would be deployed to allow citizens to vote, plus the physical environment in which the process would take place. In this option voting clients and terminals can only be accessed at the designated poll sites, under the observation of the voting authorities. The main advantage of poll site Internet voting is that it promises to deliver maximum convenience and efficiency, as it would give citizens the ability to cast their votes from many different polling sites, and the counting process would be both fast and accurate at the same time. Furthermore, managing the security risks and applying all the different security standards would be much easier for the voting officials, as in this case they have control of the voting platform.

An intermediate option between poll site and remote Internet voting is what is frequently referred to as kiosk voting. In this option voting terminals would still be tamper resistant, but they would be located away from traditional voting sites, in convenient places such as schools, shopping malls, post offices etc. The voting platform would still remain under the control of the proper authorities. Election officials, specially trained observers or even security cameras could be used to control and monitor the physical environment and protect voters against coercion or any other kind of intervention. The main advantage of kiosk voting is that it offers a well-balanced trade-off between the maximum convenience of remote Internet voting and the much more secure poll site voting.

5.2 Classification based on software/hardware used


We can further categorize poll and kiosk sites by the type of hardware and software they use to allow citizens to vote. The first option would involve the citizens using computer equipment and software applications to cast their votes. The system would consist of a server and a number of workstations (local network) according to the size of the site. The software application should be user-friendly and quite simple to develop. At the end of the voting process the server could forward the local results and cast ballots to the main server via a communication link.

One of the advantages of this option is that there would be a minimal change in the voting culture, as voters would still have to visit a poll site on election day to cast their votes. This can help people accept the new system more easily. On the other hand, we have the extra advantage of people being able to cast their vote from any voting site in the nation. Furthermore, human interference with the counting of votes could be minimized, as the system would be able to automatically and accurately provide local and then collective results, thus minimizing the possibility of an error.

The main disadvantage of this option is the cost involved in implementing something like this on a national scale, especially that of the computer hardware. Based on a survey by the Australian Electoral Council, the cost of each server would be around $3,000 and the estimated cost of each workstation is around $2,000. Furthermore, there is a need for additional back-up hardware (in case of failure), and that would add to the cost an amount of $20,000 per voting site. Additionally, we have the cost of a service contract for support of the computer equipment at the voting sites. Finally, in this option there would be no paper trail of the ballots, and that could reduce the voters' confidence and trust in the new system.

The second option involves citizens using touch screen computers (located at the voting sites) in order to cast their vote. A specialized software application could be developed which would allow voters to cast their votes just by selecting (by simply touching the equivalent logos or names on the screen) the party and candidates of their personal preference. The voters could have the ability to go through the forms (that make up the ballot) and make any final checks or alterations before they cast their vote. Again here, at the end of the voting process, the results could be tabulated and sent to the main server via a communication link. In this case the touch screen computers do not necessarily need to be networked. Again in this case it should be quite simple to develop a user-friendly software application.

In this option we have the same advantages as before with a few additions. Voters will be able to select their language of preference from a pre-defined list. This way minority groups will no longer be at a disadvantage. Additionally, in this case it is much easier to provide facilities and options for people with disabilities. Voters with severe sight problems would be given the ability to use an earpiece and a headphone in order to cast their vote.

Positive feedback was given from disabled voters, who used the above option, in the previous US general elections for the first time.

On the other hand, the main disadvantage in this case is again the cost. The Australian Electoral Council computed that the cost for each touch screen computer would be $7,000. As we can understand, nationwide installation would be prohibitive for any country, as the total cost would be massive. The cost would be significant even in the case of selective installation at specific sites. In addition, again in this case there would be no paper trail of the ballots, and that could reduce the voters' confidence and trust in the new system.

5.3 Remote Internet voting


Finally, apart from the poll site and kiosk site voting options, we have the remote Internet one. The main goal of remote Internet voting is to fully replace attendance voting. In this case each voter would have the capability of casting his or her vote from virtually any point or place with Internet access: their houses, their workplaces etc. In this case the control of the voting platform and the physical environment is out of the hands of the official authorities.

As is obvious, the main advantage of remote Internet voting is that it offers maximum convenience, as there are no time or place restrictions. People who live in remote locations (and not only them) will not have to go to a poll site to vote, as they will be able to do it from the comfort of their own home. Furthermore, people would be able to vote at a time 100% convenient to them.

On the other hand, this option poses serious security and technical issues, which will be thoroughly presented in a later chapter. In a nutshell, we can say that the nature of the system leaves it exposed and vulnerable to outside attacks, which threaten the integrity and privacy of the process. Additionally, there is a strong possibility of coercion, as the proper election authorities no longer control the physical environment.

Figure 1: A schematic sketch of a generic Internet voting system. In poll site voting, the voting clients would be precinct-voting terminals, whereas in remote voting, these would be individual computers in homes and workplaces. The clients are connected to one or more Internet service providers (ISPs), and to the ISPs at the server side of the system through the Internet. The server side is divided into two parts: sub-system A, that collects encrypted votes; and sub-system B, that decrypts ballots, tallies and archives votes, and produces reports. (Figure taken from IPI e-Voting Workshop Homepage)

As we saw from all the above, the most applicable option is poll and kiosk site voting using standard computer equipment. The cost of touch screen computers is very high, and remote Internet voting, although it may sound very attractive, poses dangers, as we will see later on, which cannot be overcome completely. At this point I would like to mention the option of voting in general elections using mobile phones that support WAP technologies. But this option falls outside the scope of this project and will not be examined.

6 Security issues
As is obvious from the previous chapters, a very important part of the implementation of an e-voting system is probably all the relevant security issues. We must at no point forget that at the heart of any democratic society lies the principle that the people have the ability to elect the government they desire. So any process that has the potential to threaten the integrity of the system, or the perceived integrity, should be treated with the utmost caution and suspicion [3]. At this point I would like to clarify that security issues concentrate on the degree of resistance of a particular system to deliberate and malicious attacks. On the other hand, reliability focuses on the system's capability to overcome hardware or software failures. In this chapter I shall present the different types of attack, their consequences and, where applicable, ways to prevent them. Furthermore, in the system there must be a trade-off between ballot secrecy and election integrity: if the ballot is kept secret by merely stripping voter information from the ballot, then election integrity can be compromised by allowing ballots to be changed, added or deleted. On the other hand, if the audit trail of the election is protected too tightly, the voter's secret ballot can be violated [4].

[3] Rubin
[4] Adler

6.1 Security Risks

As with every other distributed computing system, an e-voting system would be prone to outside attacks mainly at three points: a) the client, b) the server, c) the communications path in-between them. The first two could be examined together, as they are vulnerable to penetration attacks. In a penetration attack a delivery mechanism is used to transfer a malicious payload to the target host. For a delivery mechanism an input medium could be used, like a floppy disk or CD-ROM, as many users do not keep their systems in a secure enough environment. Furthermore we can have remote automated delivery, via electronic mail. The problem in this case is that the virus can spread very quickly and affect a great number of systems. Furthermore, there is a general misconception, held by a lot of people, that they have to open an attachment or run an executable in order for their system to be affected. But this is not the case, as it can take as little as previewing a message in the Outlook mailer to activate a virus designed to do so. In addition, operating systems and the application software that sits on top of them have numerous bugs in their code, as well as security flaws. Someone could take advantage of that to remotely install malicious programs on the user's computer. Last but not least we have ActiveX controls, which are downloaded automatically by the browser, without the user knowing, and can install a malicious module on the user's computer.

Malicious payloads have progressed during the last couple of years. By that we mean that they can do far greater damage, are more difficult to trace and generally have better chances of succeeding. The malicious payload could take the form of a Trojan horse, named after the Trojan horse which delivered soldiers into the city of Troy. Likewise, a Trojan program is a delivery vehicle for some destructive code (such as a logic bomb or a virus) onto a computer. The Trojan program appears to be a useful program, but when a certain event occurs, it will attack your PC in some way [5]. It can also be in the form of a remote control program. Once delivered to the host, activation does not have to be intentional (it can be activated through a timer mechanism, remote control, or by detection of certain events on the host's computer). Once executed they can cause numerous problems, like spying on ballots, not allowing citizens to vote, or tampering with the result of the elections. In fact the damage it can do is essentially unlimited. Furthermore, the malicious payload could have the ability of self-erasing, thus making it much more difficult to detect or correct the fraud.

What makes the problem even worse is that conventional security mechanisms, like secure socket layers (SSL), are defenseless against this kind of attack at the level of the user's computer, in that the target is below the level of abstraction at which those security protocols operate [6]. By this we mean that the malicious code can inflict damage on the data before encryption and authentication can be applied. In addition, anti-virus and intrusion detection software is highly likely to prove inadequate against attacks of this sort, as they generally search for well-known signatures of malicious payloads and viruses. On the other hand, these stealth attacks generally emanate from unknown or modified programs, and alter system files to effectively authorize the changes made [7].

[5] Stiller
[6] IPI, National Workshop on Internet Voting, Internet Voting Report
[7] IPI, National Workshop on Internet Voting, Internet Voting Report

At this point I would like to present two examples to illustrate how simple it would be to disrupt general elections that are held over the Internet, and yet with disastrous effects. First of all, for the sake of simplicity, we can safely assume that the vast majority of the users of the World Wide Web use either Internet Explorer or Netscape Navigator as their browser. Both of them have an option setting that says that all web communication must go through a proxy. A proxy is a specialized program that sits between a client and a server, and is extremely useful for sites or systems that have a firewall of some sort. Most important of all, it has the ability to control the Internet traffic between a client and a server. Each user can alter the proxy parameters by changing fields in the preference menu. Depending on the changes, the browser then adds a couple of lines of code to a configuration file. For example, in Netscape, the existence of the following lines in the file c:\program_files\netscape\prefs.js delivers all web content to and from the user's machine to a program listening on port 1799 on the machine www.badguy.com [8]:

user_pref("network.proxy.http", "www.badguy.com");
user_pref("network.proxy.http_port", 1799);

If a hacker somehow gains access to someone's computer, he or she will be able to add these two lines of code to the preferences (replacing www.badguy.com with his or her own URL), and thus actually control the user's web experience. So the user, without realizing it, could be connected to the attacker.
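Tampering of this kind can be caught by auditing the preferences file for proxy settings that are not part of an approved configuration. The Python sketch below is an added example, not code from the original report; the function names, the approved list and the sample file contents are assumptions constructed for illustration, and it treats every network.proxy.<scheme> / network.proxy.<scheme>_port pair like the http pair shown above.

```python
import re

# One preference per line, e.g.  user_pref("network.proxy.http_port", 1799);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')
# Host settings look like network.proxy.<scheme>; the port is <same key>_port.
PROXY_HOST_KEY = re.compile(r"network\.proxy\.([a-z]+)")


def parse_prefs(text):
    """Parse prefs.js text into {key: value}; values become str, int or bool."""
    prefs = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue  # comments, blank lines, anything that is not a user_pref
        key, raw = match.groups()
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            prefs[key] = raw[1:-1]
        elif raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[key] = int(raw)
        else:
            prefs[key] = raw  # unknown literal, kept verbatim
    return prefs  # a key that appears twice keeps its last value


def proxy_endpoints(prefs):
    """List (scheme, host, port) for every proxy host configured in prefs."""
    endpoints = []
    for key, value in prefs.items():
        match = PROXY_HOST_KEY.fullmatch(key)
        if match and isinstance(value, str) and value.strip():
            host = value.strip().lower()
            endpoints.append((match.group(1), host, prefs.get(key + "_port")))
    return sorted(endpoints, key=lambda endpoint: endpoint[0])


def audit(text, approved=()):
    """Return findings for proxies that are not in the approved (host, port) list."""
    allowed = {(host.lower(), port) for host, port in approved}
    findings = []
    for scheme, host, port in proxy_endpoints(parse_prefs(text)):
        if (host, port) not in allowed:
            findings.append(
                f"{scheme}: traffic is routed through unapproved proxy {host}:{port}"
            )
    return findings


# Constructed sample inputs (not taken from a real machine).
APPROVED = [("proxy.example.org", 8080)]  # assumption: the site's own proxy

TAMPERED = """// Netscape User Preferences (constructed sample)
user_pref("browser.startup.homepage", "http://www.example.org/");
user_pref("network.proxy.http", "www.badguy.com");
user_pref("network.proxy.http_port", 1799);
"""

CLEAN = """// Netscape User Preferences (constructed sample)
user_pref("network.proxy.http", "proxy.example.org");
user_pref("network.proxy.http_port", 8080);
"""

if __name__ == "__main__":
    for label, text in (("tampered", TAMPERED), ("clean", CLEAN)):
        print(label, audit(text, APPROVED) or "no unapproved proxy")
```

An empty approved list makes every configured proxy a finding, which suits machines that are expected to connect directly.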

A second example, this time of a malicious payload, is the CIH virus (i.e. the Chernobyl virus). The nature of this virus illustrates two things. Firstly, this virus is triggered and does harm only on one particular day of the year, the 26th of April. This could have very serious consequences, as the day of the general elections of a particular country is well known in advance. Secondly, the virus is constructed in such a way that it tampers with the BIOS (Basic Input Output System), thus not allowing the system to boot. This damage is so severe that it requires specialized equipment in order to reprogram the BIOS chip. Obviously the vast majority of computer users cannot perform that job on their own, and the virus could prevent them from voting on election day.

[8] Rubin

1. Modify a voted ballot
   1.1. Change voted ballot on server
      1.1.1. Convince web server operator to change voted ballot
      1.1.2. Spoof voter's ballot using voter's private signing key
      1.1.3. Hack into server and change plaintext ballot
   1.2. Change voted ballot in transit
      1.2.1. Redirect vote from server
      1.2.2. Compromise NAP and reissue plaintext ballot packets
   1.3. Change voted ballot on browser
      1.3.1. Compromise browser platform
         1.3.1.1. Unknowingly translate voter's intent before encryption
         1.3.1.2. Discard voter ballot and re-issue compromised ballot
         1.3.1.3. Modify ballot viewed by voter
2. Spy on a voted ballot
   2.1. Read voted ballot on server
      2.1.1. Convince web server operator to view voted ballot
      2.1.2. Read encrypted voted ballot
      2.1.3. Read vote during tabulation
      2.1.4. Hack into server and view plaintext ballot
   2.2. Read voted ballot in transit
      2.2.1. Sniff plaintext ballot
      2.2.2. Read encrypted voted ballot
   2.3. Read voted ballot on browser
      2.3.1. Compromise browser platform
         2.3.1.1. Monitor voter input through surreptitious program
         2.3.1.2. Monitor EM signatures from computer screen and keyboard
      2.3.2. Shoulder surf
      2.3.3. Convince voter to reveal vote

Figure 2: Partial Attack Tree for Compromising a Voted Ballot (Adler)

On the other hand, along the communication path, two things are required: a) encryption for the information being transmitted, to protect its integrity, and b) an authenticated link between the client and the server. But the above methods cannot provide one hundred percent security, as the system could still be vulnerable to DOS (Denial of Service) attacks. In a DOS attack the communication between the server and the client is interrupted. To achieve this someone could use a number of computers in order to flood the server with more requests than it can handle. A more advanced version of the technique described above is called DDOS (Distributed Denial of Service). DDOS involves the installation of a special program, called a daemon, on a great number of computers, with any of the delivery mechanisms described above. Another piece of software, the master, is installed on a different system. The whole system remains idle until the hacker decides to send a message to the master, specifying the target to be attacked. The master then passes this information to all the daemons, which at the same time flood the attacked server with more requests than it can handle (by combining and using the total bandwidth of all the systems that have been infected by daemons). As a result the attack prevents the server from communicating with anyone until it stops. There have been cases where the results were so severe that the system had to be rebooted. Furthermore, it is extremely difficult to trace the attacker.

Figure 3 (IPI, National Workshop on Internet Voting, Internet Voting Report)

One final point in this context that I would like to draw attention to is the risk of spoofing. By the term spoofing we mean the situation where the user thinks he is connected to a legitimate server (in this case the election one), but instead he is connected to and communicating with the site of an imposter. While the proper technologies exist (such as SSL and digital certificates) to enable us to make the distinction between a legitimate server and a non-legitimate one, some assumptions have to be made and some facts have to be taken into consideration. Under no circumstances can we assume that the average computer user, who wants to vote in the elections from his own home, has all these protective measures functioning properly on his or her PC, understands the above concepts and how they work, or can even distinguish between a page with an SSL connection to the legitimate server and a non-SSL page from a malicious server that has the exact same look as the real page [9].

[9] Rubin

A hacker would be able to spoof the official voting site by using various methods. First of all he could act as the man-in-the-middle, by somehow logging on to the legitimate server and presenting a fake web page to the user. This way he will be able to control all the traffic between the two of them (cancel votes, alter them, etc). Furthermore, it is well known that the DNS (Domain Name Service) is vulnerable to a specific sort of attack (like cache poisoning) in which the information held about the IP addresses of computers is altered. In this scenario the user could be tricked and directed to the false web address, even if the user types the correct one into his or her browser. Obviously the results of something like that could be extremely serious, as someone would be in the position of even interfering with the outcome of the elections without anyone noticing.

6.2 Countermeasures

On the other hand, for an officially controlled voting site, all the above threats (particularly DDOS) can be eliminated. Effectively what this means is that the voting sites should be implemented with the capability of functioning properly even under attack, when the communication path between them and the elections server is suddenly lost. In other words, do not take the reliability and security of the communication path for granted. This can be done if voting sites are given the ability to use a DRE (Direct Recording Electronic) system. So if the system comes under attack, it would be able to switch to DRE mode, which means it will store all the ballots locally and upload them to the server (in a batch) once the attack is over and the communication path has been restored. This way the voting site is no longer vulnerable to DDOS attacks and not even a single ballot is lost.

Additionally, across all voting sites we must have the ability to successfully prevent inside fraud. First of all, specially trained and checked personnel should make sure that all hardware and software implemented is working correctly and is providing the desired standards and levels of security. Secondly, to effectively combat inside fraud, trust and authority should be distributed to more than one party (independent observers, political party representatives, election officials, system vendor technicians), as in traditional elections. This way no single authority could tamper with the system and change something without one of the other members taking notice.

Beyond the specific security measures that have to be implemented to protect voting centers, there are quite a few steps that must be taken in order to protect the communication path and the remote voters' PCs, despite the security risks. Cryptography could be used to protect the communication between the user's browser and the election server. By using a security process based on encryption algorithms, data could become resilient against corruption. An encryption algorithm is a mathematical expression that describes how, for example, a piece of data is to be encrypted (and decrypted, if the method is different) [10]. An implementation is concerned with how the above process could be carried out in reality. Essentially what the implementation does is apply some privileged knowledge to the data. Both parties, or just one, could hold that knowledge. The algorithms are held and operated by special pieces of software or hardware. The algorithm used to encrypt a message is called the public key. If someone knows the public key and gets hold of the message, it does not automatically mean that he or she will know how to decrypt it, due to various mathematical attributes of the public key: public key encryption systems rely on the fact that some mathematical operations are easy to perform in one direction, but difficult in the other. This means that data could be transmitted safely through an insecure channel. On the other hand, the algorithm used to decrypt the message is called the private key (it operates as the inverse of the public one) and should be transmitted through a secure channel (e.g. between two firewalls).

[10] Whyte p243

In addition, a basic yet substantial step in providing security for the users' computers is the variety of anti-virus tools and products which are now available on the market. Anti-virus software can be divided into three subclasses: a) detection tools (e.g. scanners), b) identification tools (e.g. modification detection programs, vulnerability monitors, and scanners) and c) removal tools (e.g. disinfectors). Of all the above examples, scanners and disinfectors are the most popular and commonly used modules of anti-virus software. They have a great disadvantage, though. They rely to a great extent on a priori knowledge of the virus code, which means that they have to be updated quite frequently. Scanners search for signature strings or use algorithmic detection methods to identify known viruses. Disinfectors rely on substantial information regarding the size of a virus and the type of modifications to restore the infected file's contents [11]. On the other hand, vulnerability monitors may prevent a virus from doing any damage, by trying to prevent any access and modification to sensitive and critical parts of the system. In order for this to be achieved, a lot of information about normal system use is required (these decisions are up to the user), as most viruses that infect PCs do not circumvent any security features. Last but not least, we have modification detection, which could be considered a general method, as it is able to detect the presence of a virus without requiring any information about it at all. Modification detection programs are usually checksum based. This process begins with the creation of a baseline, where checksums for clean executables are computed and saved. Each following iteration consists of checksum computation and comparison with the stored value [12]. At this point I would like to make clear that only cryptographic checksums provide the maximum level of security, as both simple checksums and cyclical redundancy checks (CRC) can be defeated.

[11] Current Protection Against Viruses
[12] Current Protection Against Viruses

As we saw, there are various ways in which we could provide security at the level of the users' PCs. But there are some issues that have to be addressed before anything could be implemented: will the anti-virus software be provided for free, who will have the responsibility of maintaining it, etc.
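The modification detection procedure described in this chapter (baseline of checksums, then repeated comparison) can be sketched as follows. This Python code is an added example and not part of the original report; the file names, contents and key are constructed for the demonstration. It goes one step beyond the text by authenticating the stored baseline with an HMAC, and it shows on small constructed inputs why an additive checksum and CRC-32 are not suitable.

```python
import hashlib
import hmac
import os
import tempfile
import zlib


def sha256_file(path, chunk_size=65536):
    """Cryptographic checksum of one file, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root):
    """Baseline step: map each file under root (relative path) to its SHA-256."""
    baseline = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            baseline[os.path.relpath(path, root)] = sha256_file(path)
    return baseline


def seal(baseline, key):
    """HMAC over the sorted baseline, so a rewritten baseline is itself detected."""
    body = "\n".join(f"{path}\t{digest}" for path, digest in sorted(baseline.items()))
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


def check(root, baseline, key, seal_value):
    """Later iteration: recompute the checksums and compare with the stored values."""
    if not hmac.compare_digest(seal(baseline, key), seal_value):
        raise ValueError("stored baseline failed authentication")
    current = build_baseline(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "added": sorted(p for p in current if p not in baseline),
    }


def additive_checksum(data):
    """A 'simple checksum': the sum of the bytes modulo 2**16."""
    return sum(data) % 65536


def xor_bytes(a, b):
    """Byte-wise XOR of two equal-length byte strings."""
    return bytes(x ^ y for x, y in zip(a, b))


def weak_checksum_report():
    """Compare the three kinds of checksum on constructed inputs."""
    original, altered = b"tally=12", b"tally=21"     # same bytes, different order
    a, b, c = b"AAAAAAAA", b"vote=yes", b"vote=no!"  # three equal-length inputs
    return {
        # Reordering bytes leaves the sum unchanged, so the change goes unnoticed.
        "additive_collides": additive_checksum(original) == additive_checksum(altered),
        # CRC-32 is affine: the CRC of a XOR-combination follows from the other CRCs,
        # so it offers no protection against someone who chooses the change.
        "crc32_predictable": zlib.crc32(xor_bytes(xor_bytes(a, b), c))
        == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c),
        "sha256_collides": hashlib.sha256(original).digest()
        == hashlib.sha256(altered).digest(),
    }


def demo():
    """Create constructed 'executables', tamper with them, and run one check."""
    key = b"constructed-demo-key"  # assumption: stored away from the monitored PC
    with tempfile.TemporaryDirectory() as root:
        for name, body in [("browser.exe", b"MZ browser"), ("mailer.exe", b"MZ mailer"),
                           ("helper.dll", b"MZ helper")]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        baseline = build_baseline(root)
        seal_value = seal(baseline, key)

        with open(os.path.join(root, "browser.exe"), "ab") as fh:
            fh.write(b" +appended code")             # modified file
        os.remove(os.path.join(root, "helper.dll"))  # deleted file
        with open(os.path.join(root, "new.exe"), "wb") as fh:
            fh.write(b"MZ unknown")                  # file not in the baseline
        return check(root, baseline, key, seal_value)


if __name__ == "__main__":
    print(demo())
    print(weak_checksum_report())
```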

7 User Authentication
User authentication is a major issue in an e-voting system, as the procedure will be different from the one in the traditional voting process, especially for remote Internet voting. The system must be able to allow only eligible voters to cast their votes, and no one must be able to vote more than once. Various ways to ensure the above have been put forward. The two most serious are the use of smart cards, which hold digital signatures, for use in poll site and kiosk site voting, and the use of public key cryptography for remote Internet voting. Both of them have their own advantages, but also carry some serious drawbacks. In this chapter I shall present and try to criticize these solutions that have been put forward for the different options of e-voting.

7.1 Poll site and kiosk user authentication


For poll site and kiosk site voting a smart card can be swiped through a specialized device to start the voting application, provided that, after the exchange of the proper credentials between the client and the voting terminal, it is proven that the user is entitled to vote. Smart cards are actually mini computers that are encapsulated within plastic bodies that are the exact same size as a credit card. We define them as computers as they have (amongst others) a processor, read only and versatile memory, an input/output connection and a power source. The processors are designed to run very slowly on purpose, as this way they consume very little electrical energy. The smart card also has fixed ROM that contains programming instructions. For security applications (as in this case), it could include an encryption algorithm, the user's private key and a digital signature. Encryption algorithms and digital signatures have been explained in the previous chapter. A digital signature is a piece of digital code that can be attached to a piece of information, verify its integrity and uniquely identify the user or the sender. Smart cards may be convenient for poll site and kiosk site voting, but they would be inapplicable for remote Internet voting, as no one can expect users to buy smart card readers for their PCs (plus all the special software needed) and governments would not be able to provide everyone with one.

Figure 4: Sample of a smart card (Jugendgemeinderatswahl Esslingen a.N. 2001)

Figure 5: Elections in Italy and France from the E-POLL project (includes voters authentication by using a smart card)

7.2 Remote Internet Voting user authentication

On the other hand, as far as remote Internet voting is concerned, voters could use a PIN to log into the system. Public Key Cryptography (as discussed in the previous chapter) could be used to address the security issues, but this technology is not 100% mature enough to ensure that the system is not vulnerable to attacks that would interfere with the users' votes, or to provide a level of confidence as to the authentication of the user at the time of voting. So as we saw from the above, the best way for user authentication, before the election process, is the use of a smart card, which is both efficient and easy to use. But this provides us with another reason to prefer poll site and kiosk voting rather than remote Internet voting.

8 EML (Election Markup Language)


Before I proceed to analyze and talk about EML, there is a need to clarify some things about XML, as EML is an extension of it. XML stands for Extensible Markup Language. XML is a W3C-endorsed standard for document markup. XML defines a generic syntax that is then used to mark up the document with simple, human-readable tags. Here data is included in documents as strings of text. The strings of text are surrounded by text markup that describes the data. A particular unit of data and markup is defined as an element.

Furthermore, XML can be defined as a meta-markup language. This means that we do not have a predefined set of tags and elements. Instead XML is extensible, which means that it can be adapted to meet different needs and cover different areas of interest. Certain individuals or organizations may agree to use only certain sets of tags. These sets of tags are defined as XML applications. The markup that is allowed in an XML application can be documented in a DTD (Document Type Definition). The purpose of the DTD is to list all legal markup and to specify how and where the markup can be used in a document. To sum up, we can say that XML offers the possibility of truly cross-platform, long-term data formats.

On the 3rd of May 2001, in the US, a non-profit technical consortium, called Organization for the Advancement of Structured Information Standards (OASIS), announced the formation of a new technical committee, called Election and Voters Services Committee. Its purpose is to create a standard based on XML (and that is EML), which will provide for all the intercommunication needs and data interchange for the elections industry. At the moment there are a lot of different hardware and software vendors and suppliers. Their products operate at different levels of automation and perform different functions. EML seeks to standardize the specification for exchanging data between election and voter registration systems developed by those different software and hardware vendors. The EML specifications will be applicable to both public and private elections. It is estimated that the development of the specifications will take between twelve and eighteen months.

The committee will also look at a wide range of possible implementations for the new specifications. Amongst others these could include voter registration, change of address tracking, polling place management, ballot delivery and tabulation, election notification, and election result reporting. At this point we have to make it clear that the Election and Voter Services Committee will only create the specifications, and it will be up to technology vendors to implement them. But Karl Best, the director of technical operations of OASIS, is confident that the W3C backing of XML would encourage the adoption of EML by a wide range of vendors that develop and offer voting systems. Furthermore, the EML standards shall be applicable to far more than just web-based voting systems, according to Gregg McGilvray, chairman of the committee. He expects the EML standards to allow different platforms, including touch screen voting computers and even telephone-based systems, to share and exchange data regardless of what operating system is being used or how the information is collected.

Ballot.dtd (Taken from XML Group)

<!ELEMENT ballot (ballot_id , ballot_description , item+ )>
<!ELEMENT ballot_id (#PCDATA )>
<!ELEMENT ballot_description (#PCDATA )>
<!ELEMENT item (item_id , item_type , item_input_type , item_description , votelimit , undervote , writeins , selection+ )>
<!ELEMENT item_id (#PCDATA )>
<!ELEMENT item_type (#PCDATA )>
<!ELEMENT item_input_type (#PCDATA )>
<!ELEMENT item_description (#PCDATA )>
<!ELEMENT votelimit (#PCDATA )>
<!ELEMENT undervote (#PCDATA )>
<!ELEMENT writeins (#PCDATA )>
<!ELEMENT selection (selection_id , selection_description )>
<!ELEMENT selection_id (#PCDATA )>
<!ELEMENT selection_description (#PCDATA )>

The above is a model/sample of a DTD for a ballot. We can distinguish all the different elements with their attributes and the type of data they accept (in this case a string of characters, #PCDATA). What follows is a simple terminology list to help us understand the different elements.

BALLOT: The means by which a VOTE is cast
ITEM: The thing voted upon whether it is an office, position-elect or referendum
ITEM_TYPE: Describes the type of ITEM (such as first-past-the-post, plurality, proportional vote, etc)
WRITEIN: Describes the number of write in CANDIDATES allowed
UNDERVOTE: Indicates whether it is allowable to VOTE for fewer than the allowable SELECTIONS
VOTELIMIT: Defines the number of vacancies to be filled in a particular ITEM
SELECTION: The CANDIDATE, answer, etc which is the option or choice for ELECTION
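A server that receives ballots in this format should check both the document structure and the voting rules before counting anything, rather than trusting the client. The Python sketch below is an added example, not part of the original report or of the EML work: it checks a ballot against the content models of Ballot.dtd above and then checks a submitted vote against VOTELIMIT and UNDERVOTE. The sample ballot, the yes/no encoding of undervote, the integer votelimit and the dictionary form of a submitted vote are assumptions; write-ins are not handled.

```python
import xml.etree.ElementTree as ET

# Content models transcribed from Ballot.dtd: "1" = exactly one, "+" = one or more.
# Elements not listed here are #PCDATA leaves and may not contain child elements.
MODEL = {
    "ballot": [("ballot_id", "1"), ("ballot_description", "1"), ("item", "+")],
    "item": [("item_id", "1"), ("item_type", "1"), ("item_input_type", "1"),
             ("item_description", "1"), ("votelimit", "1"), ("undervote", "1"),
             ("writeins", "1"), ("selection", "+")],
    "selection": [("selection_id", "1"), ("selection_description", "1")],
}

# Constructed sample ballot (values are assumptions, not from the report).
SAMPLE = """<ballot>
  <ballot_id>B-1</ballot_id>
  <ballot_description>Constructed sample ballot</ballot_description>
  <item>
    <item_id>I-1</item_id>
    <item_type>plurality</item_type>
    <item_input_type>checkbox</item_input_type>
    <item_description>Candidates of one party</item_description>
    <votelimit>2</votelimit>
    <undervote>yes</undervote>
    <writeins>0</writeins>
    <selection><selection_id>S-1</selection_id><selection_description>Candidate A</selection_description></selection>
    <selection><selection_id>S-2</selection_id><selection_description>Candidate B</selection_description></selection>
    <selection><selection_id>S-3</selection_id><selection_description>Candidate C</selection_description></selection>
  </item>
</ballot>"""


def structure_errors(elem, path=""):
    """Check elem and its descendants against MODEL; return a list of messages."""
    here = f"{path}/{elem.tag}"
    children, errors, pos = list(elem), [], 0
    for name, occurs in MODEL.get(elem.tag, []):
        count = 0
        while pos < len(children) and children[pos].tag == name:
            errors += structure_errors(children[pos], here)
            pos, count = pos + 1, count + 1
            if occurs == "1":
                break  # a repeated element is reported as unexpected below
        if count == 0:
            errors.append(f"{here}: expected <{name}>")
    errors += [f"{here}: unexpected <{extra.tag}>" for extra in children[pos:]]
    return errors


def load_ballot(text):
    """Parse and check a ballot; return {item_id: rules} or raise ValueError."""
    # Conservative guard: ballots from outside never need their own DTD or entities.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("inline DTD and entity declarations are not accepted")
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    errors = structure_errors(root) if root.tag == "ballot" else ["root element must be <ballot>"]
    if errors:
        raise ValueError("; ".join(errors))
    items = {}
    for item in root.findall("item"):
        items[item.findtext("item_id").strip()] = {
            "votelimit": int(item.findtext("votelimit")),
            "undervote": item.findtext("undervote").strip().lower() == "yes",
            "selections": {s.findtext("selection_id").strip() for s in item.findall("selection")},
        }
    return items


def vote_errors(items, choices):
    """Check a submitted vote, {item_id: [selection_id, ...]}, against the ballot."""
    errors = [f"{item_id}: unknown item" for item_id in choices if item_id not in items]
    for item_id, item in items.items():
        picked = choices.get(item_id, [])
        if len(set(picked)) != len(picked):
            errors.append(f"{item_id}: a selection is repeated")
        for unknown in sorted(set(picked) - item["selections"]):
            errors.append(f"{item_id}: unknown selection {unknown}")
        if len(picked) > item["votelimit"]:
            errors.append(f"{item_id}: {len(picked)} selections exceed votelimit {item['votelimit']}")
        elif len(picked) < item["votelimit"] and not item["undervote"]:
            errors.append(f"{item_id}: undervote is not allowed")
    return errors


if __name__ == "__main__":
    ballot = load_ballot(SAMPLE)
    print(vote_errors(ballot, {"I-1": ["S-1", "S-2", "S-3"]}))
```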

9 Demonstrator
9.1 Voting Process

For my voting demonstrator I decided to implement a model that represents an on-line version of how Greek general elections are conducted. I did that because, having taken part in them two times already, I have a clear understanding of how the whole process works. The voting process follows this pattern. Initially the voter is asked for his or her user name and password. After he or she has submitted them, and they are verified, he or she is asked to choose the area in which he or she is registered from a pull-down list, and to click on the logo of the political party of preference. If someone chooses to vote null then he or she proceeds to the exit; otherwise he or she can choose their preferred candidate(s) from an ordered list, by ticking the box at the right of their name. At any time during the voting process, the user can get help (if he or she gets confused at any of the steps), or view general information about the web site, just by clicking on the appropriate links in the left frame.

9.2 Screenshots

User authentication

Area selection

Party selection

Candidate Selection

Links for Help and General Info

9.3 Implementation and Possible Improvements

To implement the web page I used three frames. The top one holds the title of the web site. The left one holds the links for help and general info. The right one is the main one of the web site and all subsequent pages are loaded into that one. For the functionality of the web site I used forms. I used the <input> element with the following attributes: a) password and text for the username and password, b) checkbox for the candidates selection, c) reset to reset all the fields in each form. Finally I used the <option> element to create the drop box for the area selection. For the rest of the web site standard static HTML tags were used. Various things can be done to improve the functionality of the web site. For example, the user name and password form can be connected to a database in order to properly check the user name and password. Furthermore, ASP code can be implemented so that, according to the combination of registration area and political party, a different list of candidates could appear, as it is in real life in Greece. Finally, a piece of JavaScript code can be used to impose a restriction on the number of candidates that someone can choose.

9.4 User testing

Usability plays a very important role in web sites, as it makes the difference for the user between performing a task or going through a process easily and fast, or with problems and frustration. For an election web site this plays a very important role, as it can set the borderline between success and failure. If voters find it difficult to vote on-line through the web site, they will seek alternative ways of voting and the on-line part of the project will collapse. To test my voting web site I used a few of my fellow students of the university. None of them were students in the School of Computing, but they all had an average to good background in I.T. The testing took place in my room and I tried to create a relaxed atmosphere. While they were going through the voting project I encouraged them to give me live feedback, which I recorded. The feedback included the following: a) they all agreed on the necessity of including a help link but failed to see any reason for a general info link, b) none of them had any problems with the username and password authentication, c) not all people realized that the area selection meant the area in which the voter is registered, d) English students did not understand the Blank option, which is how the Null vote is referred to in Greece, e) there was a proposal to include the party's logo next to the list of candidates, so the voter can be sure he or she did not make a mistake.

10 Conclusion
From the different chapters of the report, which cover different aspects of e-voting systems, a number of conclusions can be drawn, and we are given the ability to discuss the future of e-voting in general and make a few comments. As we saw, remote Internet voting systems pose a significant risk to the integrity of the voting. The security risks and vulnerabilities associated with them are numerous and very persistent. In the security chapter I presented some countermeasures that could be used against them, but even they (which use the most sophisticated technology to date) cannot offer total security, which is a prerequisite to ensure the integrity of the voting process. Furthermore, there is no such thing as a completely secure system. Even if a system appears 100% secure today, it might be cracked after some time. So the security of a remote Internet voting system should be under constant revision. Taking all the above into consideration, we can draw the conclusion that remote Internet voting should not be used for general elections in the near future. On the other hand, poll site and kiosk Internet voting offer a lot of benefits and it is possible that they could be used in the coming years for the conduct of general elections.

While there are still a lot of things to be resolved and to be taken into consideration before implementing them, the fact that the voting platform will be under the control of officials, and their finite number, make this option applicable. Furthermore, as we saw in the deployment options chapter, the only option that is economically feasible is the use of computer equipment and specialized software to run the election process. The different pilot programs in Europe and in the US can provide the basis for testing and future voting systems.

Additionally, short and long-term future research has to be focused on a number of key issues, in order for any future e-voting system to be successful. Research is needed in the security area of both the system itself and the authentication process. In addition standards have to be agreed and adopted (EML) for the transfer of data, e.g. ballots. Lastly the whole voting process may need review, as the new technology that will be used may change it to a large extent.

11 Evaluation
As I said in the introduction chapter, I shall evaluate my final year project based on four critical success factors (the conduction of a comprehensive study of e-voting, the identification of the key issues of the subject, the construction of a simple demonstrator to illustrate what e-voting may look like and its testing on users, and finally the gain of extra experience on web design and its related technologies). In this chapter I shall go through them one by one, and measure and judge them according to the list of criteria I also list in the introduction chapter. I shall also pinpoint what went well during the conduction of my final year project, as well as the problems I encountered and the things that I could have done better or that still have room for improvement.

The conduction of a comprehensive study of e-voting will be based on the quality of the resources that I used. To start off with the negative things, one major problem that I encountered was the lack of any specific books on this subject, and this was because it is a new and specialized one. On the other hand I did use book resources to cover a lot of the technical aspects in the security issues chapters, which is a more generic one. So I had to use the Internet to find all the information that I needed. The references that I have used are of both quality and diversity. Mainly I used information from the official sites of the E.U. funded e-voting projects, official organizations in the US and Australia that are responsible for such projects, from non-profit organizations that help in the development of e-voting systems, from published articles of IT professionals and computer scientists and finally from private companies that develop and sell e-voting systems. On the other hand almost every piece of information is on what an e-voting system should be like and about all the things that have to be taken into consideration.
This is due to the fact that no country has proceeded yet into implementing an e-voting system for general elections. Additionally the private companies offer systems of smaller scale (e.g. for private elections within an organization) or are not too keen on revealing details for competition reasons.

Using the information I gathered from my research I identified the key issues that surround e-voting systems and I included them in the chapters of my report. After going through my Internet sources I came to the conclusion that, up to a point, there was a repetition of the same issues. By that I mean that people were highlighting the same things that had to be taken under consideration and were drawing the same conclusions. All the above helped me pinpoint what I believed was worth including in my final year project. So I included the requirements that any new system should meet, a presentation of EU funded projects, the different deployment options available, security issues, user authentication and data transfer using EML. The importance of all the above is clearly stated in the introduction chapter and in the individual chapters. On the other hand I was planning on including a chapter based on the debate about whether the source code of the system should be open or not. I abandoned this idea for two reasons: a) I have adopted as one of the requirements that the source code should be open in order for it to be publicly verifiable, b) although I found a lot of articles in favor of an open-source e-voting system, this was not the case for the opposite side, so I could not get a balanced understanding of both sides.

As far as my on-line voting demonstrator is concerned, I had mentioned in my mid-project report that I was planning on building it in two iterations (building an initial model and then improving it). Unfortunately I was not able to do that due to poor time management and due to the fact that I overestimated my web site building skills.
Despite the above facts the demonstrator gives a good idea of what the on-line voting process might look like, by talking the user through some standard steps like authentication, area selection, party and candidate selection. All the different users that I tested it on managed to go through the voting process successfully. On the other hand they all gave me some feedback (further details are available in the demonstrator chapter) on how I could improve my design and eventually make the whole process clearer. Again unfortunately, due to time restrictions I did not have time to implement these changes. Finally, in my mid-project report I mentioned that I would include UML diagrams to explain the voting process in my demonstrator. I did not find that to be necessary as the web site is quite simple and I fully explain the voting process in my demonstrator chapter.

Lastly one of my objectives was to gain experience on technical issues, through the conduction of my final year project (from both the research and writing of the report and the construction of the demonstrator). I believe that the first part went rather well. Throughout the conduction of my research I had the opportunity to learn a lot of things on the security risks and possible countermeasures of distributed computing systems. And this is an area which is not covered completely by our department, as there is no separate module on security. On the other hand one of my objectives was to gain extra experience on web design. I managed to achieve this objective only up to a small percentage. For my demonstrator I was planning to implement ASP code, so that according to the choice of area and political party the user would get a different set of candidates. I also tried to implement JavaScript code, in order for an applet to take the user name and the password during user authentication. I did not succeed in any of the above as I overestimated my abilities to understand and use ASP or JavaScript in a short amount of time. On the other hand I did gain some experience in static web pages as I managed to successfully use frames and forms, tags that I had never used before.

As we all know there is always room for improvement. The same thing applies for my final year project as well.
As far as my research and writing is concerned, I could have gone into more depth while explaining certain technical issues, but I fear it might be considered too complicated and not understandable enough for a 3rd year student in the School of Computing. Additionally the demonstrator can be improved significantly both in terms of design and functionality.

Appendix A References/Bibliography
Homer A, Ullman C, Wright S, (1998), Instant HTML Programmer's Reference, WROX Publishing
Harold E, Means W, (2001), XML in a Nutshell: A Desktop Quick Reference, O'Reilly Publishing
Whyte W S, (2001), Enabling eBusiness, John Wiley & Sons Ltd
E-POLL project official web site, URL: http://www.e-poll-project.net/ [Dec 2001]
CYBERVOTE project official web site, URL: http://www.eucybervote.org/ [Dec 2001]
EURO-CITI project official web site, URL: http://www.euro-citi.org/ [Dec 2001]
WEBOCRACY project official web site, URL: http://esprit.ekf.tuke.sk/webocracy [Dec 2001]
CORDIS (Community Research & Development Information Service), URL: http://www.cordis.lu/en/home.html [Dec 2001]
IST (Information Society Technologies), URL: http://www.cordis.lu/ist/ [Dec 2001]
IPI (Internet Policy Institute), National Workshop on Internet Voting, Internet Voting Report, URL: http://www.netvoting.org/ [15 Mar 2002]
Electoral Council of Australia, Electronic Voting and Electronic Counting of Votes Status Report, URL: http://www.eca.gov.au/ [15 Mar 2002]
Avi Rubin, Security Considerations for Remote Electronic Voting over the Internet, URL: http://avirubin.com [15 Mar 2002]
Houses of Parliament Home Page, Online Voting Report, URL: http://www.parliament.uk [15 Mar 2002]
OASIS, Technical Committees, Election and Voters Services Technical Committees, URL: http://www.oasis-open.org/committees/election [11 Mar 2002]
Todd R. Weiss, XML Group to Create Specifications for Voting Systems, URL: http://www.computerworld.com [11 Mar 2002]
XML Cover Pages, Election Markup Language (EML), URL: http://xml.coverpages.org/eml.html [11 Mar 2002]
Sustainable Enterprises, Touch-screen voting for democracy and business, URL: http://www.sustainableenterprises.com/Community/voting.htm [17 Mar 2002]
Electronic Voting Bibliography and Links, URL: http://www.swi.psy.uva.nl/usr/oostveen/evote.html [24 Mar 2002]
Stiller, Introduction to Viruses, URL: http://www.stiller.com/ [10 Mar 2002]
Current Protection Against Viruses, URL: http://csrc.nist.gov/publications/nistir/threats/ [10 Mar 2002]
Jim Adler, Internet Voting Primer
Jim Adler, Security Versus Compatibility in online Elections
Jim Adler, Internet Voting Security, URL (for the above articles): http://www.swi.psy.uva.nl/usr/oostveen/evote.html [10 Mar 2002]
Lorrie Faith Cranor, Electronic Voting: Computerized polls may save money, protect privacy, URL: http://www.acm.org/crossroads/ [17 Mar 2002]
Peter G. Neumann, Security Criteria for Electronic Voting, URL: http://www.csl.sri.com/users/neumann/ncs93.html [17 Mar 2002]
Rebecca Mercuri, Electronic Voting, URL: http://www.notablesoftware.com/evote.html [17 Mar 2002]
GNU.FREE: Heavy-Duty Internet Voting, URL: http://www.free-project.org/ [21 Mar 2002]
CPSR (Computer Professionals for Social Responsibility) Home Page, URL: http://www.cpsr.org/ [21 Mar 2002]
election.com, Electronic or Traditional Election Services, URL: http://www.election.com/uk/services/public.htm [21 Mar 2002]
Safevote, Information Center, URL: http://www.safevote.com/information.htm [21 Mar 2002]
TrueBallot Inc, URL: http://www.trueballot.com/ [21 Mar 2002]
The Bell, Newsletter on Internet Voting, URL: http://www.thebell.net/ [21 Mar 2002]
Tutorial E-Voting, URL: http://www.eurescom.de/message/messageSep2001/evoting.asp [21 Mar 2002]
Jugendgemeinderatswahl Esslingen a.N. 2001, URL: http://www.jgrwahl.esslingen.de/ [15 Mar 2002]
Making a Web Site Usable, URL: http://www.ad-mkt-review.com/public_html/docs/sf005.html [10 Apr 2002]

Appendix B Project Experience


The one major lesson I learned from the conduction of my final year project was that of time management. In order to complete my final year project I had about six and a half months available. That is from mid October until the end of April. I also had a 5-3 split of modules during the two semesters. Furthermore this was the first time ever that I had to do a project/coursework over such a long period of time. The result of all the above was that I managed my time resources very poorly. Although I devised a time plan, which seemed reasonable initially, I did not stick to it so everything had to be pushed back by a couple of months. So I ended up doing very little work in the first semester and a lot of work in the last three months before the deadline. Additionally the initial timetable proved to be wrong to a great extent, as I had devoted a lot of time to things that needed much less and there were aspects of the project that I had not taken into account at all (e.g. the evaluation chapter).

My lesson learned from the above problems, and the advice I would give to future third year students, is the need to carefully plan ahead (after a significant part of the research is done) so you have a clear view of the needs of any project, divide the work as equally as you can over the time available and always allow time for changes or for things that will go wrong. I believe that the department could push (in a good way) students towards the above, if the mid-project report counted for a percentage of the final grade (e.g. 10 credits), as is the case with other departments. Additionally I believe that there should be a mark for the meetings with our supervisor. This will give students a motive to do work much more regularly and present their work to their supervisor.

Appendix C Gantt Charts

[Gantt charts not reproduced. Task labels: Research; Demonstrator Implementation; Chapters on technical issues of e-voting; Secondary Chapters. Dates marked: 15th Oct, 15th Mar, 25th Mar, 15th Apr, 1st Nov, 20th Mar, 10th Apr, 27th Apr.]
