InetVote: Register to Vote, Step 2

As it is imprudent to give personal information to untrusted agents on the web, you may wish to use an alias for this demo. The following National Identity Card has been issued for your use, containing a unique identifier. Alternatively you could use some other identifier which is unique with high likelihood.

United States of America
National Identity Card
This card certifies that
(Fill in name here)
is a citizen of the United States of America.
Unique identifying code:
231e6bd8

The product of this form is a script (program) which uses OpenSSL to create your first secret key and a request (PKCS#10 file) asking the Registrar of Voters to sign the X.509 digital certificate that goes with that key. The certificate proves that whoever can wield that key has the right to receive a ballot in the election.

When the script comes back, save it to a file on disc; do not let your web browser open (execute) it. Put it in the same folder (directory) where you saved the File Signing Script in the previous step.

Item: Name
Discussion: The name certified by your Name Credential.

Item: Name Credential
Value:
    National Identity Card
    California Drivers License
    USA Passport
    USA Naturalization Certificate
    Document Number:
Discussion: Evidence that you have the right to use this name. In production, the CGI would actually check with the issuing agency that the name and document number do match.

Item: Address

Item: Zip Code

Item: Residence Credential
If you're using an alias for the demo, just lie about the account number. We can't check; nobody is going to cooperate to give us corroborating information.
Value:
    Land Title (Deed)
    Rental Verification Exchange (Not all landlords participate)
    Phone Service
    Cable TV Service
    Electricity Service
    Gas (Methane) Service
    Water Service
    Account Number:
Discussion: Evidence that you reside at this address. You must be named as the owner or account holder. A match on family name is generally sufficient. In production, the CGI would check with cooperating businesses or agencies that the name and address do match.

Item: E-mail Address
Discussion: Optional. If your registration is disputed, you will be notified at your residence and e-mail addresses (not for this demo, though).

Get Script
When the script comes back, save it to a file on disc with your other voting-related files; do not let your web browser open (execute) it. The suggested filename (used in examples further on) is register.sh.
Next Step

Once you have saved the script to a file on disc, proceed to the next step, where you execute the script and send in the resulting Certificate Signing Request.

Microsoft Internet Explorer® and Netscape® (and its various clones such as Mozilla, Opera and Konqueror) each have their own procedure to induce the web browser to do what the script does: create a secret key and a Certificate Signing Request, and automatically send in the CSR. However, there is no provision to sign an arbitrary file such as your ballot, so it's necessary to get the voter to do this using OpenSSL. The browser procedure to generate the CSR is extremely vendor-dependent and extremely poorly documented, and it is completely impossible for a security-conscious user to audit what is happening. Thus, I have chosen to do the whole process via OpenSSL.
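
A sketch of what a script of this kind has to do, added here as an example and not the actual register.sh: the function names, file names and subject layout (C, CN, serialNumber) are assumptions. Besides creating the secret key and the PKCS#10 request, it checks that the request is self-consistent and really belongs to the key before anything is sent to the Registrar.

```shell
#!/bin/sh
# Added sketch, not the real register.sh. Function names, file names and the
# subject layout (C / CN / serialNumber) are assumptions made for illustration.

# make_csr NAME ID KEYFILE CSRFILE
# Create a 2048-bit RSA secret key and a PKCS#10 request naming the voter.
# NAME and ID must not contain "/" because -subj uses it as a separator.
# The key is written unencrypted here so the sketch runs unattended.
make_csr() {
    # Subshell keeps the restrictive umask local; key is owner-readable only.
    ( umask 077; openssl genrsa -out "$3" 2048 2>/dev/null ) || return 1
    openssl req -new -key "$3" -out "$4" \
        -subj "/C=US/CN=$1/serialNumber=$2" || return 1
}

# csr_ok KEYFILE CSRFILE
# Succeed only if the request's self-signature verifies AND the public key
# inside the request is the one derived from KEYFILE.
csr_ok() {
    # Match on the message text: older OpenSSL releases exit 0 even when
    # the self-signature check fails.
    openssl req -in "$2" -noout -verify 2>&1 | grep -q 'verify OK' || return 1
    from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    from_csr=$(openssl req -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$from_key" ] && [ "$from_key" = "$from_csr" ]
}

# csr_subject CSRFILE
# Print the subject so the voter can read what is being certified.
csr_subject() {
    openssl req -in "$1" -noout -subject
}

# Demo with constructed values: the alias is made up, the identifying code
# is the one printed on the demo card above.
dir=$(mktemp -d)
if make_csr "Alias Voter" 231e6bd8 "$dir/voter.key" "$dir/voter.csr" &&
   csr_ok "$dir/voter.key" "$dir/voter.csr"; then
    echo "CSR ready: $(csr_subject "$dir/voter.csr")"
else
    echo "CSR generation or self-check failed" >&2
fi
rm -rf "$dir"
```

Only the request file is sent in; the secret key never leaves the voter's machine.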


How to Cheat

Registration is the point where cheating is easiest, both in the conventional manual system and in this internet-based one. There are four types of cheating: false naming, graveyard voting, identity theft, and multiple registration.

False Naming

The cheater makes up a totally fictitious identity. In the manual system he can then prove this identity's right to vote by making a manual signature under penalty of perjury. The Registrar of Voters rarely checks if the voter exists until an election is disputed, and then it is very laborious to do the checking manually. Falsely named voters are common in elections.

With InetVote, the cheater has to actually construct a complete false identity by obtaining a name credential (typically a drivers license) plus an adequate pattern of residence credentials which have to be rented or paid for. A forged drivers license will not do; the Department of Motor Vehicles has to actually tell the Registrar of Voters that the drivers license is valid. The accounts used as residence credentials have to be maintained from the time of registration until after any disputes are resolved, since the Registrar of Voters can, and probably will, check them repeatedly. This can be done for one or two identities but is prohibitively time-consuming and expensive in the quantities necessary to influence an election.

Graveyard Voting

The cheater locates an identity who is currently registered but whose qualification has lapsed, typically by being deceased, but also by moving out of the district. In the manual system the cheater need not re-register the victim; he can simply forge the person's signature to receive a ballot. If the cheater supports the dominant party, in some jurisdictions scrutiny of the signatures will not be too energetic.

With InetVote, the cheater will not have access to the decedent's secret key, and therefore will need to break the decedent's registration and then re-register him, converting the issue to identity theft. Unfortunately, a claim that the secret key was lost is all too plausible.

Identity Theft

In the legal system, a manual signature under penalty of perjury is considered to be proof, and the cheater can easily subvert this low standard to insert his own forgery as the signature of an existing person. The less likely the victim is to vote (e.g. if deceased), the less likely that the fraud will be discovered when the same person tries to vote twice.

With InetVote, the cheater needs to know the document or account numbers of the victim's name and residence credentials. With modern privacy laws this information is not available in bulk, though the low standards for its stewardship make identity theft reasonably possible.

Multiple Registration

A person should vote only in the jurisdiction of his principal residence. However, he may be registered in multiple places and may cheat by voting in all of them. In the manual system it is practically impossible to detect multiple registration.

With InetVote, the name and residence credentials must be valid and up to date in all the jurisdictions, which is difficult unless the cheater actually resides in each one simultaneously, e.g. owns a ranch in Ventura county and a beach house in San Diego county. Then, the question becomes which one is the principal residence. Maintaining multiple residences is expensive. For a cheater of ordinary means, who is simply lying about residing in the jurisdiction, this issue degenerates into the false naming case, except that the cheater's name credential(s) may truly be valid in all the jurisdictions.

The list of registered voters is public record. If there were a statewide or nationwide information exchange where all such lists were merged, multiple registration would be much harder to perpetrate.