A credible election requires a verifiable and auditable paper trail to evidence that every vote counted and the election result was accurate. In the event of inaccuracies, such paper trail provides the basis for a remedy. Election management bodies (EMBs) are entrusted with the duty to keep and safeguard the paper trail. In Zimbabwe’s specific case, the duty is implied in section 239(g) of the Constitution which authorises the Zimbabwe Election Commission (ZEC) to design, print and distribute the ballot papers. The accuracy of Zimbabwe’s 2018 election will therefore largely depend on the trust and confidence in the chain of custody: in particular its ability to withstand adversarial attacks and a process that leaves behind a verifiable, reliable paper trail.
This article discusses election security in the context of Zimbabwe’s forthcoming election. It starts by discussing security aspects of electronic voting and why it would not have made Zimbabwe’s election any more verifiable than a paper based ballot. The article then suggests that Zimbabwe can still produce a credible election based on BVR and a human-readable and auditable paper trail, subject to scrutiny, coupled with manual counting and auditing. However, this requires collective due diligence and vigilance on adherence to the rule of law including set procedures. Although this may not eliminate threats, at least it will mitigate such threats to a point where they will not sway the outcome and if they do, there will ample evidence to challenge the outcome.
Since 2000, Zimbabwe’ elections have been marred by irregularities including allegations of ballot/voter’s roll rigging. In the aftermath of the 2013 elections, observers escalated their call for a clean voter’s roll and electronic voting. The country introduced a biometric voter registration system (BVR) through Statutory Instrument 85/2017: Electoral (Voter Registration) Regulations, 2017. Section 7 of this S.I. introduced new voter registration requirements which included the taking of a voter’s fingerprints and passport size photograph. However, they ruled out electronic voting. This makes Zimbabwe’s system a hybrid one – not fully electronic but technological enough as reflected in the country’s development level.
The new rules were followed by the appointment of a new ZEC Chair, a former judge of the high court, Judge Priscilla Chigumba. Given her past credentials of being an independent thinking judge during the Mugabe era, her appointment enjoyed cross party and civil society support. To shore confidence in the election management, Judge Chigumba issued a press statement that the 2018 elections could not be rigged as the country’s voting system is “tamper-proof’ for the simple reason that the data that they collected is housed in a ‘consolidation server’. She continued, “The consolidation server contains the master server that contains all the information and we then have other servers which we are using to connect that data. Those servers have very strict protection files. They have very strict un-hackable access level passwords that are tamper-free.”
In response to the opposition’s accusations that the election would be rigged, she said, “members of the public with evidence that the voting system could be interfered with should bring it forward.” Following protestations and several demands, ZEC has supplied all political parties participating in this year’s election with the electronic roll in Microsoft Excel format. However, the opposition is now demanding a searchable roll in PDF format that includes voter’s photographs. The opposition states that this form of the voter’s roll would be easier to audit.
Global perspectives of the verifiability issue
The verifiability issue arose in the Kenyan election where the EMB failed to keep and transmit proper paper trail. The EMB also denied the challengers an opportunity to scrutinise the system. Had the EMB followed the set procedure, the Kenyan election would have complied with emerging best practice proposed by experts such as Bruce Schneier who propose that voting machines must have a voter-verifiable paper audit trails (sometimes called a voter-verified paper ballot) and must also be subjected to public scrutiny as part of other administrative steps such as the proper training of poll observers.
The presence of secure paper trail should be part of the effort to make sure that voting system has four required characteristics: accuracy, anonymity, scalability and speed. As part of the voter-verifiable paper audit trail, the machine prints out the paper ballot, which the voter is allowed to look at and verify, for two fold reasons: One, it allows the voter to confirm that his vote was recorded in the manner he intended. And two, it provides the mechanism for a recount if there are problems with the machine. However, In Venezuela, where they have voting machines with a paper trail, President Maduro said he knew exactly who had voted against him. Regardless of whether this was a mere fear tactic, technology can be complex and voting has severe requirements, with no parties who can be fully trusted. Keeping things simple, as with paper ballots, is exceptionally helpful in producing trustworthy voting systems (Rivest and Stark, 2017).
Although the paper-based ballot system supported by BVR may not meet the test of speed, the ballot paper itself constitutes a verifiable paper trail. If there is a proper administrative system in place, for a small country like Zimbabwe, this may also meet the speed test. Some experts warn against fully trusting a computer and suggest that paper ballots provide a foundation for checking the work of systems used in elections and allow voters to verify that their ballots are cast in the way they intended (Rivest and Star, 2017). Therefore, if traditional paper ballots constitute the foundation of a credible, auditable and challengeable election, where could the threats emanate from under Zimbabwe’s hybrid system?
Problems may arise if the adversary is any one of the following: the company that writes the BVR software, the people who administer it and who run the election and those who run the country if they are also administering the election. Kenya is a good example where the adversarial attack came from those who administered the election. The second issue relates to the physical security and safety of the ballot boxes and ballot papers at poll station, in transit and at tallying centres. In both cases, risk cannot be completely eliminated but can be mitigated if the ZEC adheres to Section 239(g) of the Constitution in the designing and printing and distribution of ballot papers and ensuring the security and privacy of the ballot papers, for example, sharing it in both searchable and portable document formats (pdf).
In addition, as an important step, ZEC should avoid breaks and leakages in the chain of custody. A potential adversary may exploit the system by looking at the weakest link at any one of the above stages. In Zimbabwe, just like in any country, voters should have the opportunity to demand the one thing that should be non-negotiable in every election: prove my vote counted. Second, ZEC and all stakeholders must also ask: What evidence does the voting system produce that its outcome is correct, and why should we believe it? Just as we argued following the Kenyan election debacle, all these issues do not boil down to technology but those who manage election processes and technologies. It boils down to trust.
Is electronic voting a viable option?
Zimbabwe’s elections are a combination of electronic based biometric voter registration coupled with paper-based voting. It is nevertheless, important to examine different types of electronic voting and the challenges they each face. This is necessary because observers have in the past, called for such a system. Some members of opposition political parties and civil society believe electronic voting systems are be capable of producing a tamper-proof election, as such they have echoed the call for the introduction electronic voting in Zimbabwe.
Electronic voting falls into two broad categories, namely booth voting and remote voting. In booth voting, the election officials administer the software and the hardware whereas in remote voting, votes are cast over the internet. One primary challenge in remote voting is that ballots may be ill formatted due to error or malice (Van de Graaf, 2017). Booth voting has better privacy guarantees than remote voting where election officials control the machines that transmit the ballot, which may lead to ‘coercion’ (Van de Graaf, ibid).
Booth voting can also be divided into two classes: pre-printed ballots which contain candidate details and the second category in which the voters’ input informs the printed ballot. The first category requires that ballots be kept secret and in the second system, voter privacy may be compromised through leakages in the system (Van de Graaf, 2017). Remote internet voting has a number of problems including insecurity and landscape threats such as providing strong verifiability in the presence of client-side malware, phishing, denial of service attacks, over-the-shoulder-coercion and vote buying and selling (Essex, 2017).
Elections in the U.S. and Germany have experienced some of the challenges pointed out above. Therefore, although technology can play a role where secrecy is not required, for example, vote counting, it denies citizens to exert control over every step of the election process therefore lacks transparency.
To address some of the above problems others suggest end to end verified (e2e) elections through cryptography. However, such technologies are not that usable, understandable and accessible depending on society’s status and level of education. According to Essex (2017), voting based on this can also be vulnerable to a hacker conducting what is called a transport layer security (TLS) stripping attack that downgrade an HTTPS connection to HTTP, removing all encryption and authentication between a voter and the election website.
Apart from issues around secrecy and coercion, ballot verifiability, a component of ballot security, is also crucial, especially when the outcome is being challenged. Benaloh et al (2017) argue that election security is not a simple matter of a secure system defending against attacks from an external adversary but elections must provide sound evidence of an accurate outcome even when the adversary writes the software and administers an election and runs the country.
We will develop this section of the analysis in future elections.
Source: Arthur Gwagwa and Kuda Hove
About the Authors
Arthur Gwagwa is a Senior Research Fellow at Strathmore Law School Centre for Intellectual Property and Information Technology Law and an affiliate of the Open Technology Fund working on Sub-Saharan Africa Cyber Threat Modelling project. Follow him at @arthurgwagwa
Kuda Hove has research interests in IT Law and Policy. Follow him at @kudathove
Verifiability and Trust: Two Key Ingredients to a Credible Election in Zimbabwe
Analysis and Comment | Democracy | Elections
A credible election requires a verifiable and auditable paper trail to evidence that every vote counted and the election result was accurate. In the event of inaccuracies, such paper trail provides the basis for a remedy. Election management bodies (EMBs) are entrusted with the duty to keep and safeguard the paper trail. In Zimbabwe’s specific case, the duty is implied in section 239(g) of the Constitution which authorises the Zimbabwe Election Commission (ZEC) to design, print and distribute the ballot papers. The accuracy of Zimbabwe’s 2018 election will therefore largely depend on the trust and confidence in the chain of custody: in particular its ability to withstand adversarial attacks and a process that leaves behind a verifiable, reliable paper trail.
This article discusses election security in the context of Zimbabwe’s forthcoming election. It starts by discussing security aspects of electronic voting and why it would not have made Zimbabwe’s election any more verifiable than a paper based ballot. The article then suggests that Zimbabwe can still produce a credible election based on BVR and a human-readable and auditable paper trail, subject to scrutiny, coupled with manual counting and auditing. However, this requires collective due diligence and vigilance on adherence to the rule of law including set procedures. Although this may not eliminate threats, at least it will mitigate such threats to a point where they will not sway the outcome and if they do, there will ample evidence to challenge the outcome.
Since 2000, Zimbabwe’ elections have been marred by irregularities including allegations of ballot/voter’s roll rigging. In the aftermath of the 2013 elections, observers escalated their call for a clean voter’s roll and electronic voting. The country introduced a biometric voter registration system (BVR) through Statutory Instrument 85/2017: Electoral (Voter Registration) Regulations, 2017. Section 7 of this S.I. introduced new voter registration requirements which included the taking of a voter’s fingerprints and passport size photograph. However, they ruled out electronic voting. This makes Zimbabwe’s system a hybrid one – not fully electronic but technological enough as reflected in the country’s development level.
The new rules were followed by the appointment of a new ZEC Chair, a former judge of the high court, Judge Priscilla Chigumba. Given her past credentials of being an independent thinking judge during the Mugabe era, her appointment enjoyed cross party and civil society support. To shore confidence in the election management, Judge Chigumba issued a press statement that the 2018 elections could not be rigged as the country’s voting system is “tamper-proof’ for the simple reason that the data that they collected is housed in a ‘consolidation server’. She continued, “The consolidation server contains the master server that contains all the information and we then have other servers which we are using to connect that data. Those servers have very strict protection files. They have very strict un-hackable access level passwords that are tamper-free.”
In response to the opposition’s accusations that the election would be rigged, she said, “members of the public with evidence that the voting system could be interfered with should bring it forward.” Following protestations and several demands, ZEC has supplied all political parties participating in this year’s election with the electronic roll in Microsoft Excel format. However, the opposition is now demanding a searchable roll in PDF format that includes voter’s photographs. The opposition states that this form of the voter’s roll would be easier to audit.
Global perspectives of the verifiability issue
The verifiability issue arose in the Kenyan election where the EMB failed to keep and transmit proper paper trail. The EMB also denied the challengers an opportunity to scrutinise the system. Had the EMB followed the set procedure, the Kenyan election would have complied with emerging best practice proposed by experts such as Bruce Schneier who propose that voting machines must have a voter-verifiable paper audit trails (sometimes called a voter-verified paper ballot) and must also be subjected to public scrutiny as part of other administrative steps such as the proper training of poll observers.
The presence of secure paper trail should be part of the effort to make sure that voting system has four required characteristics: accuracy, anonymity, scalability and speed. As part of the voter-verifiable paper audit trail, the machine prints out the paper ballot, which the voter is allowed to look at and verify, for two fold reasons: One, it allows the voter to confirm that his vote was recorded in the manner he intended. And two, it provides the mechanism for a recount if there are problems with the machine. However, In Venezuela, where they have voting machines with a paper trail, President Maduro said he knew exactly who had voted against him. Regardless of whether this was a mere fear tactic, technology can be complex and voting has severe requirements, with no parties who can be fully trusted. Keeping things simple, as with paper ballots, is exceptionally helpful in producing trustworthy voting systems (Rivest and Stark, 2017).
Although the paper-based ballot system supported by BVR may not meet the test of speed, the ballot paper itself constitutes a verifiable paper trail. If there is a proper administrative system in place, for a small country like Zimbabwe, this may also meet the speed test. Some experts warn against fully trusting a computer and suggest that paper ballots provide a foundation for checking the work of systems used in elections and allow voters to verify that their ballots are cast in the way they intended (Rivest and Star, 2017). Therefore, if traditional paper ballots constitute the foundation of a credible, auditable and challengeable election, where could the threats emanate from under Zimbabwe’s hybrid system?
Problems may arise if the adversary is any one of the following: the company that writes the BVR software, the people who administer it and who run the election and those who run the country if they are also administering the election. Kenya is a good example where the adversarial attack came from those who administered the election. The second issue relates to the physical security and safety of the ballot boxes and ballot papers at poll station, in transit and at tallying centres. In both cases, risk cannot be completely eliminated but can be mitigated if the ZEC adheres to Section 239(g) of the Constitution in the designing and printing and distribution of ballot papers and ensuring the security and privacy of the ballot papers, for example, sharing it in both searchable and portable document formats (pdf).
In addition, as an important step, ZEC should avoid breaks and leakages in the chain of custody. A potential adversary may exploit the system by looking at the weakest link at any one of the above stages. In Zimbabwe, just like in any country, voters should have the opportunity to demand the one thing that should be non-negotiable in every election: prove my vote counted. Second, ZEC and all stakeholders must also ask: What evidence does the voting system produce that its outcome is correct, and why should we believe it? Just as we argued following the Kenyan election debacle, all these issues do not boil down to technology but those who manage election processes and technologies. It boils down to trust.
Is electronic voting a viable option?
Zimbabwe’s elections are a combination of electronic based biometric voter registration coupled with paper-based voting. It is nevertheless, important to examine different types of electronic voting and the challenges they each face. This is necessary because observers have in the past, called for such a system. Some members of opposition political parties and civil society believe electronic voting systems are be capable of producing a tamper-proof election, as such they have echoed the call for the introduction electronic voting in Zimbabwe.
Electronic voting falls into two broad categories, namely booth voting and remote voting. In booth voting, the election officials administer the software and the hardware whereas in remote voting, votes are cast over the internet. One primary challenge in remote voting is that ballots may be ill formatted due to error or malice (Van de Graaf, 2017). Booth voting has better privacy guarantees than remote voting where election officials control the machines that transmit the ballot, which may lead to ‘coercion’ (Van de Graaf, ibid).
Booth voting can also be divided into two classes: pre-printed ballots which contain candidate details and the second category in which the voters’ input informs the printed ballot. The first category requires that ballots be kept secret and in the second system, voter privacy may be compromised through leakages in the system (Van de Graaf, 2017). Remote internet voting has a number of problems including insecurity and landscape threats such as providing strong verifiability in the presence of client-side malware, phishing, denial of service attacks, over-the-shoulder-coercion and vote buying and selling (Essex, 2017).
Elections in the U.S. and Germany have experienced some of the challenges pointed out above. Therefore, although technology can play a role where secrecy is not required, for example, vote counting, it denies citizens to exert control over every step of the election process therefore lacks transparency.
To address some of the above problems others suggest end to end verified (e2e) elections through cryptography. However, such technologies are not that usable, understandable and accessible depending on society’s status and level of education. According to Essex (2017), voting based on this can also be vulnerable to a hacker conducting what is called a transport layer security (TLS) stripping attack that downgrade an HTTPS connection to HTTP, removing all encryption and authentication between a voter and the election website.
Apart from issues around secrecy and coercion, ballot verifiability, a component of ballot security, is also crucial, especially when the outcome is being challenged. Benaloh et al (2017) argue that election security is not a simple matter of a secure system defending against attacks from an external adversary but elections must provide sound evidence of an accurate outcome even when the adversary writes the software and administers an election and runs the country.
We will develop this section of the analysis in future elections.
Source: Arthur Gwagwa and Kuda Hove
About the Authors
Arthur Gwagwa is a Senior Research Fellow at Strathmore Law School Centre for Intellectual Property and Information Technology Law and an affiliate of the Open Technology Fund working on Sub-Saharan Africa Cyber Threat Modelling project. Follow him at @arthurgwagwa
Kuda Hove has research interests in IT Law and Policy. Follow him at @kudathove
Share this update
Liked what you read?
We have a lot more where that came from!
Join 36,000 subscribers who stay ahead of the pack.
Related Updates
Related Posts:
Categories
Categories
Authors
Archives
Archives
Focus
Tags
All the Old News
If you’re into looking backwards, visit our archive of over 25,000 different documents from 2000-2013.