Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience

Iraqi Elections in 2014: a Privacy Requirement
Evaluation Based on a Polling Place Experience
Ali Fawzi Najm Al-Shammari & Adolfo Villafiorita
1,2 1
1. Fondazione Bruno Kessler - Italy
2. University of Kerbala - Iraq
25th September 2014
INFORMATIK 2014 - eVoting Workshop - Stuttgart
Tuesday 7 October 14

Outline
• Historical overview.
• Current voting System in Iraq.
• Stakeholders.
• Components.
• Procedures.
• Security Issues.
• Recommendations.
• Conclusion.

Historical Overview
• Democracy was not a common practice in Iraq before 2003.
• In 2005, the new Iraqi constitution allows citizens to elect the
parliament, and the provincial councils every four years.
• Independent High Electoral Commission (IHEC) introduced to
manage and run elections.

Historical Overview
Seven country wide elections were conducted:
• January 2005: National Assembly + Provincial Councils
• October 2005: Constitution
• December 2005: Parliamentary
• January 2009: Provincial Councils
• Mars 2010: Parliamentary
• April 2013: Provincial Councils
• April 2014: Parliamentary

Seven country wide elections were conducted:
• January 2005: National Assembly + Provincial Councils
• October 2005: Constitution
(Observer)
• December 2005: Parliamentary
(Observer)
• January 2009: Provincial Councils
(Station Manager)
• Mars 2010: Parliamentary
• April 2013: Provincial Councils
• April 2014: Parliamentary
Historical Overview

Iraqi Voting System
• Before 2014, paper based voting.
• Simple.
• Usable.
• There were some concerns raised:
• Vote stuffing!
• Vote manipulation!
• Some verification mechanisms, but they are manual, and time
consuming.

Voting System Improvement
• In 2014, electronic component involved in the polling place.
• Motivation is to improve the system against the current
concerns, i.e.:
• Votes stuffing and manipulation.
• Improve voter’s authorization process in the poll.

Approach
• Automates vote traceability.
• Mechanism of tracing the vote cast serial number.
• Automates voter authorization.
• Smart Identification Card (SID) for each voter.
• Biometric Identification.

Smart Card Reader System (SCRS)
Fingerprint Scanner
Futronic FS80
Plastic Seal
Smart Card Reader System
(SCRS)
Thermal Printer &
Smart Card Reader
DATECS DPP-250
Tablet BQ Maxwell Plus 2
Camera
The new tool implemented by Indra
(Spanish Company).
• Offline database in the component.

Polling Station Experience
Stakeholders.
Components.
Procedures.

Polling Station - Stakeholders

Station Manager (SM)

Authorization Officer (AO)

Ballot Issuer (BI)

Ballot Issuer (BI)
Ballot Box Observer (BBO)

Ballot Issuer (BI)
Ballot Box Observer (BBO)
Queue Observer

Ballot Issuer (BI)
Queue Observer
Ballot Box Observer (BBO) Election Observers

Voters Voter
Ballot Issuer (BI)
Queue Observer

Ballot Issuer (BI)
Queue Observer
Polling Place Manager (PPM)
Voters Voter

Polling Station - Components

SCRS

SCRS
Supervisor Smart Card (SSC)

SCRS
Ballots Pack

SCRS
Ballots Pack
Party Contest
1010100
Candidates Contest
Serial Number

SCRS
Ballots Pack
Ballot Stamp

SCRS
Ballots Pack
Ballot Stamp
Voters’ List

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins
Ballot Box

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins
Ballot Box
Security Seal

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins
Ballot Box
Voting Ink
Security Seal

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins
Ballot Box
Station Forms
Voting Ink
Security Seal

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins
Ballot Box
Station Forms
Voting Ink
Secure Plastic Bag
Security Seal

SCRS
Ballots Pack
Ballot Stamp
Voters’ List
Voting Cabins
Ballot Box
Smart ID (SID)
Station Forms
Voting Ink
Secure Plastic Bag
Security Seal

Election Procedures
Starting the Election Day
1. SM : - receives the sensitive materials from Polling Place Manager (PPM).
- records the ballots packs’ serial number in station forms.
- seals the ballot box using plastic seals, and records its numbers in station forms.
2. AO : - turns on the SCRS using the SSC.
Identifying a Voter
1. Voter : - walks to authorization desk.
2. AO : - inserts voter’s SID in the SCRS.
- scans voter’s fingerprint by the SCRS.
3. SCRS : - verifies voter’s data.
- if the voter is eligible:
- saves voter’s access time.
- blocks voter’s SID.
- updates voter’s status in the database.

Election Procedures
Issuing Ballot
1. AO : - passes voter’s ID to the BI.
2. BI : - checks voter’s name in the voters’ list.
- issues and stamps the ballot, and passes it to AO.
3. AO : - scans the QR code of the issued ballot using the SCRS.
4. SCRS : - stores the scanned code of the ballot.
5. Voter : - takes the issued ballot, and walks to the voting cabin.

Election Procedures
Casting Vote
1. Voter : - fills in the ballot anonymously in voting cabin.
- folds the filled-in ballot, and walks to the ballot box.
- marks her indicator finger in the voting ink.
- casts her vote by putting the filled-in ballot in the ballot box.
2. BBO: - controls that a voter marks her finger with voting ink before casting the vote.

Election Procedures
Special Case...
• If the SCRS fails in reading the SID of a voter.
• e.g., SID failure, or Database failure.
• Voter’s name exists in the voters’ list.

Election Procedures
Special Case...
• If the SCRS fails in reading the SID of a voter.
• e.g., SID failure, or Database failure.
• Voter’s name exists in the voters’ list.
The voter has the right to vote!

Election Procedures
Special Case Voting Procedure
1. SM : - takes voter’s SID and puts it in a secure envelope.
- writes on the envelope (voter’s name, card’s serial number, and the reason of
collection).
2. BI : - asks the voter to sign in the voters’ list.
- releases Ballot for the voter.
3. AO : - signs the back of the ballot with “Smart card was not readable”.
- Does not scan the QR code of the ballot.

Election Procedures
Closing the Polling Station
1. SCRS : - stops accepting any card.
2. SM : - secures ballot box.
3. AO : - stores the SCRS data in the SSC.
- prints the SCRS report.
• polling station name.
• total number of eligible voters in the station.
• number of voters who accessed the polling station.
• total number of scanned fingerprints.
• the total number of scanned QR codes.
• the time of opening and closing the poll.
• the list of scanned codes of ballots.
4. SM : - secures the SSC and the SCRS report in a plastic bag.
- records the number of the secure bag in the station forms.

Election Procedures
Tallying Process
1. SM : - verifies the serial numbers of the ballot box seals through a comparison with the
records in the station forms.
- open the box.
2. Polling Place Employees : - starts the tallying process publicly.
3. EO: - observes the tallying process.
- records the tallying results in the station forms.
4. SM : - secures the ballots, and stations forms.
- provides the secured sensitive materials to the Polling Place Manager.

Privacy Evaluation
Stakeholders’ access.
Attack scenarios.

Stakeholders’ Access
Stakeholder Pre-election During Election During Tallying After Election Day
- - -
Voter Ballot Serial Number

- - -
- -
AO , BI Voter’s Name
Ballot Serial Number
Votes Cast
(Station)

- - -
- -
Votes Cast
(Station)
- -
SM Voter’s Name
(Special Case)
Votes Cast
(Station)

- - -
- -
- -
Election
Officials
SCRS
Voters’ list
- Votes Cast (Precinct)
SCRS Data
Voters’ List
Special Case Voters
-
Votes Cast
(Station)
SM Voter’s Name
(Special Case)
Votes Cast
(Station)

Attack Scenarios
General Assumption
• Malicious election official could compromise the privacy IF:
• the ballot serial number is linked with voter’s name.

Attack Scenarios
Voter Attack
• Assumption: malicious voter.
• The malicious voter collects ballot serial number and provides it to a
third party.
• Forced.
• Attempt to sell vote.

Attack Scenarios
Voter Attack
• Assumption: malicious voter.
• The malicious voter collects ballot serial number and provides it to a
third party.
Note that, even if there is no malicious election official,
some voter could be coerced by a malicious third party!
Just by asking him/her to provide the vote cast serial
• Forced.
• Attempt to sell vote.
number as an evidence to the way she/he voted.

Attack Scenarios
Station Employee Attack 1
• Assumption: malicious AO/BI.
• The malicious AO/BI memorize voter’s name, and ballot serial
number.
• The malicious AO/BI links between voter and vote while tallying
the votes.

Attack Scenarios
• Assumption: malicious AO/BI.
• The malicious AO/BI memorize voter’s name, and ballot serial
number.
• The malicious AO/BI links between voter and vote while tallying
the votes.
We don’t need to assume that a malicious election official
exists.

Attack Scenarios
• Assumption: malicious Polling Place Employee.
• The malicious employee reveals the vote of the special case voter
in the tallying phase.

Attack Scenarios
• Assumption: malicious Polling Place Employee.
• The malicious employee reveals the vote of the special case voter
in the tallying phase.
We don’t need to assume that a malicious election official
exists.

Attack Scenarios
Malicious Component Attack1
• Assumption: malicious SCRS, malicious election official.
• The malicious SCRS saves information that links voter with ballot
serial number.
• The malicious election official accesses the SCRS malicious data.

Attack Scenarios
Malicious Component Attack 2
• Assumption: malicious SCRS, malicious person nearby the
polling place.
• The malicious SCRS broadcasts information that links the voter
and her ballot serial number using its Wifi, or bluetooth.
• The malicious person nearby, receives this information using a
malicious application installed in a device (e.g., smart phone).

Main Failures
• The ballot serial number is not protected.
• Voter identification and ballot issuing processes are performed
together.

Recommendations
1.Protecting the Ballot Serial Number.
• Eg., scratch to reveal, or invisible ink marking pen.
• Using random codes for the ballots.
2.Modifies the procedures.
• Ballot QR codes scanning must be done after closing the poll.
• Does not marks the issued ballot of the special case.

Conclusions
• The IHEC effort was to improve traceability, and election fairness.
• Current system has vulnerabilities that could compromise privacy,
caused by:
• Two critical processes performed by the same component.
• Ballot serial number is readable.
• Our goal is to improve the system with consideration of minimal
changes, which includes:
• Improving the ballot.
• Modifying procedures.
• Modifying SCRS software.

Thank You For Your Attention
شكراً لإصغائكم
alshammari@fbk.eu

Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience

Recommended

Recommended

More Related Content

Recently uploaded

Recently uploaded (20)

Featured

Featured (20)

Iraqi Elections in 2014: a Privacy Requirement Evaluation Based on a Polling Place Experience