share
1 Introduction
The 2018 midterm elections in the United States saw numerous contentious races come down to the wire as jurisdictions counted and recounted ballots. One of the biggest pressure points was that of absentee ballots: in many states, there was intense litigation over which absentee ballots could be counted in the totals. Georgia saw a federal court overrule the policies in Gwinnett County, where ballots from Asian-American voters were being rejected at significantly higher rates than other voters [13]. Other states like Florida and Arizona saw similar issues [33, 26]
Much of the litigation around absentee ballots focused on signatures: in the United States, absentee ballots require the voter to sign their name to the ballot to provide authentication and legally swear that they are not committing fraud. An example envelope is shown in Figure 1. This issue is sure to be compounded by the rise of vote-by-mail in the U.S.: in 2018 three U.S. states cast ballots almost entirely absentee, and numerous other states permit no-reason absentee voting, with the number increasing each election cycle as more states pass election reforms [4].
Signature validation is often done by hand [25], though there are automated solutions available [2]. Both schemes have inherent flaws, as human-generated signatures change over time and often are not consistently reproduced by the signee.111The field of forensics has numerous studies about the failure of trained experts and automated systems to correctly identify correct or forged signatures, for example [28, 15, 8, 18]. They can also be omitted entirely, by mistake. Some difficulties are well documented in election worker training manuals, such as [3] from Colorado. Local regulations and election worker training may change between jurisdictions, so absentee ballot rejection rates based on signature validation can vary by several percentage points even within one state [29]. All of these factors contribute to a need for a more robust method of voter authentication for absentee ballots.
In this paper, we present an application of cryptography to solve this problem. Local governments can establish a shared secret with voters through processes which are already in place (voter registration), with little additional cost. Voters can then use this shared secret to derive a cryptographic signature code for their ballot, which they will write on the envelope in place of a handwritten signature bearing the voter’s name.
Using signature codes like 14- or 20-digit numbers is a vast improvement over handwritten name-signatures, as there is less room for interpretation of a voter’s handwriting. Techniques like OCR can be more effectively applied to this approach, as the form of the signature is no longer important, only its content.
Asking voters to write down long numbers may not be an acceptably usable approach. We propose some mitigations to this process, and argue that writing signatures codes in this way is not inherently less usable than the current standard. Handwritten name-signatures can also always be used as a backup, in case the technology fails or a voter has difficulty using the approach.
The rest of this paper is structured as follows: Section 2 provides an overview of the current vote-by-mail landscape and the role signatures play, as well as providing a threat model. Section 3 develops our approach and addresses some of the nuance therein. Finally, Section 4 contextualizes the solution and concludes.
2 Background
2.1 How absentee voting works
Absentee ballots in the United States function in one of two ways. Some states, like Colorado, Washington, and Oregon, send ballots to all registered voters a few weeks prior to the election. Other states, like Michigan, Texas, and Georgia, require voters to explicitly request absentee ballots. Ballots are sent via the postal service, and voters have up until some deadline to fill them out and mail them back to their election office.
A typical absentee ballot voting process involves filling out the ballot, placing the ballot in an inner secrecy envelope, and then putting the secrecy envelope with the ballot inside an outer envelope. The voter then signs the outer envelope and mails the ballot back to their clerk.
2.2 Threat Model
Postal voting in this way has four main potential adversaries:
-
Coercers—coercers are often people the voter knows, e.g. a spouse or boss. They can cause (either by force or by enticement) the voter to surrender her ballot and either vote in the voter’s place, or simply disenfranchise the voter. Coercers may forge the voter’s signature or compel the voter to sign. Signature validation may detect this kind of attack, if the coercers do not produce faithful forgeries [32, 24].
-
Impersonators–these voters order ballots on behalf of people who don’t vote frequently (or who are no longer eligible to vote but have not been removed from the voter rolls. There is little to no evidence that this type of election fraud occurs in the U.S. [14].
-
Insiders—insiders run the elections. They can potentially reject ballots or change the votes on a ballot, assuming there are not strong policies in force to prevent this. This kind of issue has been raised by litigation about “exact match,” where election officials use very strict rules when evaluating voter information and signatures [23].
-
Nation-states—nation-states can prevent ballots from being delivered to the voter by sending a flurry of fake absentee requests for the wrong address, or by meddling in voter registration data. We have already seen intrusion into voter registration systems in the United States [34]. They may also be able to tamper with tabulation of the ballots, but this is outside our scope.
It is worth pointing out that the current signature validation scheme used in much of the U.S. provides no mitigation to any of these threats. There are other procedural security measures that can prevent, say, insiders from throwing out ballots or nation-states from overwhelming the postal system, but we shall consider them outside of scope.
3 Implementation
In this section we discuss our scheme for absentee voter authentication and some of the implementation details. A step-by-step procedure is provided in Figure 2.
3.1 The Scheme
Establishing a shared secret Voter registers to vote, as usual. The voter registration system derives a shared secret in some way, e.g. by generating a nonce or hashing the voter’s data. The shared secret is sent to the voter, via a voter information page, physical mail, a hardware token, etc. Voting The voter recieves her ballot in the mail and votes it. The voter generates a signature code via the voter information page, a phone app, a hardware token, or other means. The code may be, for example, a hash of the last code (the first code would be a hash of the shared secret). The voter writes the code on her ballot in place of a name-signature. The voter mails her ballot back to the elections office. Validation Upon receiving the voters ballot, the elections office generates the signature code using the same procedure as the voter. The elections office code is compared to the code written on the envelop. If the codes match, the ballot will be counted. Otherwise, the ballot may be ignored. The voter may be notified that their vote will not be counted.
The first critical components to our scheme is a shared secret established between the local or state elections office and the voter. This secret can be established at the time of registration or after the fact, and may be derived from information about the voter’s data as well as a source of randomness. Details about this shared secret and its derivation are further discussed in Section 3.2.
The other component in our scheme is a signature code generator, which takes the voter’s shared secret as input and produces a unique identifier that can only be generated by the voter and the elections office. Details of this generator are further discussed in Section 3.3.
Once the voter has voted their ballot and sealed it within the envelope, they use the generator and their shared secret to generate a value, and write it on the envelope. Once the election office receives the envelope, they use the same information to derive the signature code and count the ballot if it matches. Otherwise, they reject.222We omit solutions for “curing” invalid signature codes, as they are frequently highly constrained by local regulation and outside our scope.
3.2 The Shared Secret
Driver’s license numbers are frequently used as authentication tokens by voter registration systems (e.g. in Washington, Michigan, Georgia, etc.). However, driver’s license numbers in some states are derived in a deterministic fashion. This means that anyone with basic information about the voter (name, date of birth, home address, etc.) can derive the voter’s driver’s license number and potentially change the voter’s registration data. Utilities to do this sort of thing already exist on the web [12].
Another authentication token used by existing voter registration systems is the last four digits of a social security number, a national identifier used for administrative purposes and authentication by numerous entities within the United States. These numbers are also deterministic, and do not alone make a good token for authentication. Worse, these data regularly leak due to data breaches [22], and moreover most voter data is already publicly available [19].
Jurisdictions should thus use some other form of data to derive the shared secret with the voter. One option would be a hash of the voter’s existing voter information data and a random nonce securely generated by the voter registration system. Voters can then regenerate the secret as needed, and the secret can be updated on a per-election basis and when the voter updates his or her information. If the voter discloses her secret in any manner, the situation can be remedied by generating another secret.
It is likely desirable for the secret generation process to be controlled by the election office, as an attacker with the voter’s registration information may be able to generate their own shared secret and impersonate the voter. This attack is already present in the current signature validation model as an attacker could forge the voter’s signature or coerce the voter into signing a ballot they control, so we consider this attack out of scope. Another consideration is that the transport mechanism of the shared secret, once generated, must be protected, otherwise an attacker could simply sniff the secret and impersonate the voter.
3.3 Generating a signature code
Signatures can be generated in myriad ways. A pseudo-random number generator can be used, with the shared secret as a seed. Alternatively, a hash of the secret can be used.
Of course, if the shared secret is established as a traditional cryptographic key, say, an RSA key, then the signature code can also be a cryptographic signature signed over some pre-established information (e.g. the voter’s name, the date of the election, or in electronic voting schemes, the content of the ballot).
The generation of signature codes can be done online or offline, and we encourage the process to be done in a transparent manner. For most voters, it is probably sufficient to embed signature codes onto voter information websites, or distribute codes via other mechanisms like a phone app or text message. Some voters, like those overseas or in the military, may not have sufficient access to derive codes in this way. To handle this, alternative applications may be feasible, like hardware tokens with the shared secret and generator function embedded in them. In the United States, the military has some infrastructure to support this already, like the Common Access Card
[1].3.4 A realistic implementation
A likely implementation of our scheme is that the voter and election office agree upon a shared secret during registration, and that the voter registration system provides the functionality to generate signatures code for the voter. This can be done with just a hash function: provided the voter authenticates herself to the voter registration system, each signature code can be just a hash of the shared secret and a nonce or timestamp, or a hash chain of past signature codes.
This implementation solves the problem of faulty signature code validation, and it does not subject voters to more risk from bad actors than the current handwritten name signature system. Further, if the system is implemented such that the voter can increment the code at will, this may provide some weak protection against a coercer. E.g., if a voter has her ballot submitted by a coercer, she can increment the signature code such that when the elections office receives her ballot, it will be canceled due to an expired signature code. This is not unlike the alarm code approach hinted at in [7], and approaches like Civitas [11] and Juels, Catalano and Jakobsson [20].
This approach does not prevent against nation-state attacks or insider threats, however it can mitigate coercion and impersonation, which is an improvement over the current signature-based system.
This implementation is conceptually simple and easy to implement from an engineering perspective. Most U.S. states already have online voter information portals (for instance, see Figure 4), and adding a hash output to the voter information page would be a fairly simple task. Further, states already communicate out-of-band with voters, sending voter registration cards through the mail (an example can be seen in Figure 3. The shared secret could be generated and printed on the card. Ultimately, this solution is cheap and simple.
4 Discussion
In this section we discuss some properties of our scheme, suggest where it can be applied, and discuss some future work.
As a brief aside, this system prevents malicious or intentional disenfranchisement of voters due to strict pattern matching during the voter registration process. If strict matching is used, this scheme can provide additional assurance, or act as an alarm of sorts, that a mismatch was unintentional and warrants further investigation by an election official
4.1 Related Work
4.2 Usability
Once generated, the voter still has to correctly transcribe the signature code onto the ballot envelope. This may present a usability issue: human transcription of many-digit numbers is not well studied.333[21] provides some discussion of handwriting recognition, that’s somewhat unrelated. There has also been some work on CAPTCHAs, which is a similar task [10]. If this does present an issue, other kinds of signature codes may be generated. Following after some of the usable password work [9], signatures codes may be random sentences constructed based on the output of the signature code function. This provides a neat property: even if the voter makes a mistake, it is unlikely that the mistake will make their signature code unverifiable: a typo in one word of a sentence does not obscure the content of teh sentence.
Further work is needed to establish what impact our scheme has on the usability of absentee voting. Better understanding how accurate humans are at transcribing numbers is paramount to making our scheme work. Moreover, requiring voters to perform an additional step in the process voting may have negative affects on voters’ ability to vote successfully, and this also needs further study.
4.3 Conclusion
In this paper we presented a remedy to the problem of absentee ballot signature validation. Signature validation will only become a more pressing problem as absentee voting expands in the United States and elsewhere. This paper is a first step towards solving voter authentication for remote voting, and we hope that future work will illuminate better mechanisms to solve this problem.
References
- [1] DOD ID Card Reference Center. http://www.cac.mil/.
- [2] Runbeck automated signature verification. https://runbeck.net/election-solutions/ballot-software/automated-signature-verification/.
- [3] Signature verification guide. https://www.sos.state.co.us/pubs/elections/docs/SignatureVerificationGuide.pdf. Colorado Secretary of State.
- [4] The Verifier. https://www.verifiedvoting.org/verifier/.
- [5] Vote-by-mail made easy. https://www.co.washington.or.us/assessmenttaxation/elections/votebymail/index.cfm.
- [6] Voter information card. https://www.votewalton.com/Voter-Registration/Voter-Information-Card. Walton County Supervisor of Elections.
- [7] M. Bernhard, J. Benaloh, J. A. Halderman, R. L. Rivest, P. Y. Ryan, P. B. Stark, V. Teague, P. L. Vora, and D. S. Wallach. Public evidence from secret ballots. In International Joint Conference on Electronic Voting, pages 84–109. Springer, 2017.
- [8] C. Bird, B. Found, K. Ballantyne, and D. Rogers. Forensic handwriting examiners’ opinions on the process of production of disguised and simulated signatures. Forensic Science International, 195(1-3):103–107, 2010.
- [9] J. Bonneau, C. Herley, P. C. Van Oorschot, and F. Stajano. The quest to replace passwords: A framework for comparative evaluation of web authentication schemes. In 2012 IEEE Symposium on Security and Privacy, pages 553–567. IEEE, 2012.
- [10] E. Bursztein, S. Bethard, C. Fabry, J. C. Mitchell, and D. Jurafsky. How good are humans at solving CAPTCHAs? A large scale evaluation. In Security and Privacy (SP), 2010 IEEE Symposium on, pages 399–413. IEEE, 2010.
- [11] M. Clarkson, S. Chong, and A. C. Myers. Civitas: A secure remote voting system. Technical report, Cornell University Computing and Information Science Technology Report, May 2007. http://www.truststc.org/pubs/545.html.
- [12] A. De Smet. Unique ID: Driver’s License Numbers. http://www.highprogrammer.com/cgi-bin/uniqueid.
- [13] T. Estep. Voting, civil rights groups home in on gwinnett’s absentee rejections. https://www.ajc.com/news/local-govt–politics/just-group-sues-kemp-gwinnett-elections-board-over-ballot-rejections/1qMxof9sA0um6w32vmrG2I/, October 2018.
- [14] B. C. for Justice. Debunking the voter fraud myth. https://www.brennancenter.org/analysis/debunking-voter-fraud-myth.
- [15] B. Found, J. Sita, and D. Rogers. The development of a program for characterizing forensic handwriting examiners’ expertise: Signature examination pilot study. Journal of Forensic Document Examination, 12:69–80, 1999.
- [16] K. Gjøsteen. The Norwegian Internet voting protocol. In 3rd International Conference on E-Voting and Identity, VoteID ’11, 2011.
- [17] K. Gjøsteen and A. S. Lund. An experiment on the security of the Norwegian electronic voting protocol. Annals of Telecommunications, pages 1–9, 2016.
- [18] H. H. Harralson. Developments in handwriting and signature identification in the digital age. Routledge, 2014.
- [19] R. Igielnik, S. Keeter, C. Kennedy, and B. Spahn. Commercial voter files and the study of us politics. Pew Research Center Report, Washington, DC, available at www. pewresearch. org/2018/02/15/commercial-voter-files-and-the-study-of-us-politics, 2018.
- [20] A. Juels, D. Catalano, and M. Jakobsson. Coercion-resistant Electronic Elections. In ACM Workshop on Privacy in the Electronic Society, WPES ’05, pages 61–70, Nov. 2005.
- [21] G. Little, L. B. Chilton, M. Goldman, and R. C. Miller. Turkit: tools for iterative tasks on mechanical turk. In Proceedings of the ACM SIGKDD workshop on human computation, pages 29–30. ACM, 2009.
- [22] L. Matthews. Millions of voter records are for sale on hacker forums. https://www.forbes.com/sites/leemathews/2018/10/16/millions-of-voter-records-are-for-sale-on-hacker-forums/#4c2b186024a7, October 2018.
- [23] S. McCord. Kemp sued over ‘exact match’ protocol for voter registration. https://www.augustachronicle.com/news/20181012/kemp-sued-over-exact-match-protocol-for-voter-registration, October 2018.
- [24] B. Murphy and E. Portillo. At center of voter fraud scandal, a convicted felon and ‘grassroots’ campaigner. https://www.charlotteobserver.com/news/politics-government/article222459875.html, December 2018.
- [25] B. Naylor. Sign here: Why elections officials struggle to match voters’ signatures. https://www.npr.org/2018/11/17/668381260/sign-here-why-elections-officials-struggle-to-match-voters-signatures?utm_campaign=storyshare&utm_source=twitter.com&utm_medium=social, November 2018.
- [26] A. Press. Arizona gop sues to limit mail-in ballots in senate race. https://www.nbcnews.com/politics/elections/arizona-gop-sues-limit-mail-ballots-senate-race-n933866, November 2018.
- [27] C. M. Sehat. Internet Voting Pilot: Norway’s 2013 Parliamentary Elections. Technical report, The Carter Center, March 2014.
- [28] J. Sita, B. Found, and D. K. Rogers. Forensic handwriting examiners’ expertise for signature comparison. Journal of Forensic Science, 47(5):1–8, 2002.
- [29] D. A. Smith. Vote-by-mail ballots cast in florida. https://www.aclufl.org/sites/default/files/aclufl_-_vote_by_mail_-_report.pdf, September 2018.
- [30] M. Solvak and K. Vassil. E-voting in Estonia: Technological Diffusion and Other Developments Over Ten Years (2005 - 2015). Technical report, Johan Skytte Institute of Political Studies University of Tartu in cooperation with Estonian National Electoral Committee, 2016.
- [31] D. Springall, T. Finkenauer, Z. Durumeric, J. Kitcat, H. Hursti, M. MacAlpine, and J. A. Halderman. Security analysis of the Estonian Internet voting system. In 21st ACM Conference on Computer and Communications Security, CCS ’14, pages 703–715, 2014.
- [32] S. Swisher. State police reviewing allegations of voter fraud in palm beach county. https://www.sun-sentinel.com/local/palm-beach/fl-palm-absentee-ballot-probe-20160805-story.html, August 2016.
- [33] G. Thrush, A. D. S. Burch, and F. Robles. In florida recount, sloppy signatures placed thousands of ballots in limbo. https://www.nytimes.com/2018/11/14/us/voting-signatures-matching-elections.html, November 2018.
- [34] U.S. Senate Select Committee on Intelligence. Russian targeting of election infrastructure during the 2016 election: Summary of initial findings and recommendations, May 2018. https://www.burr.senate.gov/imo/media/doc/RussRptInstlmt1-
- [35] F.~Zagórski, R.~Carback, D.~Chaum, J.~Clark, A.~Essex, and P.~L. Vora. Remotegrity: Design and Use of an End-to-End Verifiable Remote Voting System. In 11th International Conference on Applied Cryptography and Network Security, ANCS '13, pages 441–457, 2013.
Comments
There are no comments yet.