The Netherlands

RIES testing

This photo shows the user interface of the RIES system as an election official begins to type in the voting authorisation code prior to casting a test ballot. The background on the screen (TEST TEST TEST) indicates that the system knows that this is a test ballot and not a real ballot. Other aspects of the screen are identical to the design for casting a real ballot, including an image of the paper vote authorisation document with the authorisation code circled and an arrow to the dialogue box where the voter is required to transcribe the authorisation code.

Test ballots cast on RIES had the potential to serve as a useful auditing mechanism; however, this potential was defeated by several failures in the implementation. The fact that the system knew that test ballots were being cast was one. The fact that all test ballots were cast from the same PC was another. The fact that all test ballots were voted identically was yet another.

In the 2006 Dutch parliamentary elections, the option of Internet voting was provided as an alternative to postal voting for Dutch citizens living or working abroad.[1] The system, Rijnland Internet Election System (RIES), developed by the Higher Water Board, had a relatively modest goal, namely that the “capacity, reliability, security and transparency of the Internet voting system must be on at least the same level as the system of postal voting.”

Because of the ease with which digital files can be copied, it is almost impossible to prove conclusively that all copies of a file have been destroyed. Yet the security of RIES depended on the ability to destroy certain files. Not only is file destruction a major technical challenge, but such destruction runs counter to long-standing efforts by computer security experts to convince users to back up their systems frequently. With RIES, election officials were being told that they must not maintain backups of certain key files.

The designers of RIES wanted government officials to admit observers to whom they would prove that the sensitive files had indeed been destroyed. But officials refused, claiming that for security reasons the destruction should be done behind closed doors. While undoubtedly acting with the best of intentions, officials did not understand that they had the security argument backwards, suggesting that some of the security requirements were counterintuitive.

RIES illustrates how the kind of security needed for Internet-based end-to-end cryptographic voting systems (systems that allow the voter to verify that her vote was counted as cast) can be difficult to manage.

A description of the system. In preparation for the election, Dutch citizens living abroad had to register and indicate if they wanted to vote on the Internet. They had the choice of mailing a request for a postal ballot or an Internet ballot, mailing their proxy to someone who could go to the polls, or traveling to the Netherlands to vote in person.

Internet voting took place over five days, starting November 18, 2006. During that time roughly 20,000 valid Internet votes were received. The total cost for the Internet voting was 1,951,300 euros, or 90 euros per Internet voter.[2]

There are many similarities between the Dutch and the Geneva Internet voting systems. Both mailed paper containing a voting code to the voters. Both acknowledged the risk of denial of service attacks, as well as vote buying and selling. Both were susceptible to virus and man-in-the-middle attacks. Perhaps most significantly, both recognized the limitations of Internet voting.

Voters in the Netherlands who chose to vote over the Internet were sent a voting code in an envelope that was difficult to open or view without detection. The envelope also contained a number viewable from the outside, called the Voter ID. Since the Voter ID was an encryption (actually a hash) of the voting code, the voter could not be identified directly from the Voter ID, so long as proper security requirements were adhered to. This meant that computer files linking voters to their Voter IDs had to be destroyed before any votes were decrypted and counted.

Instructions on how to vote over the Internet, which included the precise address (url) for the voting website, were also sent to the voter. The voter was instructed not to click on any links that she might have received, but instead to type the url directly into her browser. The purpose of the detailed instructions was to minimize the risk of a spoofing or phishing attack.

When the voter navigated to the voting website, voting software (an applet) was downloaded onto her computer. The voter then entered her voting code into the appropriate location in the applet and made her candidate selection. Once she finalized her vote, the applet encrypted it and sent the encrypted vote (the encrypted candidate number), together with the Voter ID, to the voting website. (Technically, a trap door function combined the candidate selection and the voting code to create the encrypted ballot.)

Lost voting codes could be replaced up to 72 hours before the start of the election; extra voting codes were set aside for this purpose. If a voter requested a new voting code, her previous Voter ID would be listed as invalid and a new voting code and Voter ID would be mailed to her. Whenever voting codes were allocated, the computer files containing those allocated voting codes were destroyed as soon as the envelopes were printed, so that only the voter would know her voting code.

In order to tabulate the results, there needed to be a way to link encrypted candidate numbers with the correct candidates. This was done using a “codebook” that contained all Voter IDs.[3] For each Voter ID, the codebook contained a pre-computed list of the candidate names (unencrypted), together with the corresponding encrypted candidate numbers.

After the election, authorities posted the encrypted ballots, as well as the codebook. Consequently, if the voter retained a copy of her encrypted ballot, she could check that her vote was received and properly counted. The same feature that allows voters to check that their own ballots were counted correctly also facilitated vote selling, since it would be relatively easy for a voter to prove that she had voted for a particular candidate. The developers of RIES opted to accept this risk, because they considered it comparable to the risk of vote selling using postal ballots, where a vote seller could simply show her ballot to the vote buyer before sealing it into the envelope and mailing it.
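The ballot flow described in the preceding paragraphs (a Voter ID derived by hashing the voting code, an encrypted candidate number produced by combining the voting code with the candidate, a codebook that maps each Voter ID's encrypted numbers back to candidate names, and voter-side verification against the posted ballots and codebook) can be modelled in a few dozen lines. The following is an added example written for this page, not code from RIES or its developers. It assumes SHA-256 as a stand-in for the hash and trap door function that RIES actually used, which the text does not specify, and all voting codes and names in it are constructed. The last function shows why the file linking voters to Voter IDs has to be destroyed before counting: if it survives, a simple join of that file with the published ballots and codebook names every voter's choice.

```python
"""Toy model of the RIES ballot flow (constructed example, not RIES's own code)."""
import hashlib
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Assumption: SHA-256 stands in for the hash / trap door function RIES used.
CANDIDATES: List[str] = ["Candidate 1", "Candidate 2", "Candidate 3"]

Ballot = Tuple[str, str]              # (Voter ID, encrypted candidate number)
Codebook = Dict[str, Dict[str, str]]  # Voter ID -> {encrypted number: candidate name}


def voter_id(voting_code: str) -> str:
    """The Voter ID printed on the outside of the envelope: a hash of the secret code."""
    return hashlib.sha256(b"voter-id|" + voting_code.encode()).hexdigest()


def encrypted_candidate(voting_code: str, candidate: str) -> str:
    """What the applet transmits: a one-way combination of voting code and candidate."""
    data = b"vote|" + voting_code.encode() + b"|" + candidate.encode()
    return hashlib.sha256(data).hexdigest()


def build_codebook(voting_codes: Iterable[str]) -> Codebook:
    """Pre-compute, for every issued Voter ID, the encrypted number of each candidate.
    Only the hashes are stored; the voting codes themselves are not kept."""
    return {
        voter_id(code): {encrypted_candidate(code, c): c for c in CANDIDATES}
        for code in voting_codes
    }


def cast_ballot(voting_code: str, candidate: str) -> Ballot:
    """The applet's output; the voter keeps a copy for later verification."""
    return (voter_id(voting_code), encrypted_candidate(voting_code, candidate))


def tally(ballots: Iterable[Ballot], codebook: Codebook,
          invalid_ids: Set[str]) -> Dict[str, int]:
    """Count ballots by codebook lookup. A ballot is rejected if its Voter ID was
    marked invalid (code replaced), is not in the codebook, already voted, or its
    encrypted number matches none of that Voter ID's pre-computed candidates."""
    counts = {c: 0 for c in CANDIDATES}
    seen: Set[str] = set()
    for vid, enc in ballots:
        if vid in invalid_ids or vid not in codebook or vid in seen:
            continue
        candidate = codebook[vid].get(enc)
        if candidate is None:
            continue
        counts[candidate] += 1
        seen.add(vid)
    return counts


def verify_own_ballot(retained: Ballot, published: Iterable[Ballot],
                      codebook: Codebook) -> Optional[str]:
    """Voter-side check against the posted ballots and codebook: returns the
    candidate her retained ballot decodes to, or None if it was not published."""
    if retained not in set(published):
        return None
    vid, enc = retained
    return codebook.get(vid, {}).get(enc)


def link_votes_to_voters(registration: Dict[str, str], published: Iterable[Ballot],
                         codebook: Codebook) -> Dict[str, str]:
    """The privacy failure the text warns about: a surviving voter -> Voter ID file,
    joined with the public ballots and codebook, reveals each voter's candidate."""
    by_id = {vid: enc for vid, enc in published}
    result: Dict[str, str] = {}
    for name, vid in registration.items():
        if vid in by_id:
            candidate = codebook.get(vid, {}).get(by_id[vid])
            if candidate is not None:
                result[name] = candidate
    return result


if __name__ == "__main__":
    # Constructed voting codes; in RIES the file holding them would be destroyed
    # as soon as the envelopes were printed.
    book = build_codebook(["code-alice", "code-bob", "code-carol"])
    ballots = [cast_ballot("code-alice", "Candidate 2"),
               cast_ballot("code-bob", "Candidate 1")]
    print(tally(ballots, book, set()))
    print(verify_own_ballot(ballots[0], ballots, book))
```

The voter-side check is exactly what makes vote selling possible: anyone shown the retained ballot can run `verify_own_ballot` against the public data and learn the candidate, which is the trade-off the developers accepted.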

The link between the voter and the Voter ID was an obvious security risk and illustrates how RIES did not protect against malicious insiders. First, a malicious insider could illicitly mark Voter IDs of particular voters as invalid, thereby disenfranchising those voters. Second, if the link between a voter and the Voter ID were retained after the election results had been published, (unencrypted) votes could be linked to specific voters, thereby violating the voters' privacy. Third, it would be possible to submit fraudulent votes (ballot box stuffing) by exploiting unused reserve voting codes.

The developers of RIES were aware of the ballot box stuffing risk and made a point of destroying the Voter ID/ballot CD-ROM in front of several witnesses, including Douglas W. Jones, as they released the codebook.

In spite of the cost and questions about the security of the system, the official evaluation of the system recommended that Internet voting be made a permanent option for Dutch citizens living or working abroad.[2] However, primarily as a result of efforts by a group called “We Don't Trust Voting Computers,” the Netherlands banned DREs in September 2007. A subsequent analysis of software and structural security issues in RIES was published by the same group.[4] The portion of the government that administered RIES responded by saying in essence that they would fix the software bugs, but the response did not address the serious structural issues.[5] In June 2008, the DRE ban was followed by an Internet voting ban.

[1] The Remote Voting Project. III. Report on Performing the Experiment of Internet Voting for the Dutch Parliamentary Elections, 2006.

[2] The Remote Voting Project. II. Evaluation of the Pilot Internet Voting Dutch Parliamentary Elections 2006, 2006.

[3] Engelbert Hubbers, Bart Jacobs, and Wolter Pieters. RIES – Internet Voting in Action. Technical report, Institute for Computing and Information Sciences, Radboud University Nijmegen, 2005.

[4] Rop Gonggrijp, Willem-Jan Hengeveld, Eelco Hotting, Sebastian Schmidt, and Frederik Weidemann. RIES – Rijnland Internet Election System; very quick scan of published source code and documentation, 2008.

[5] RIES – Rijnland Internet Election System. Reaction Het Waterschapshuis on the cursory study of RIES, June 2008.