ISLAMABAD: An international audit firm has reported that the existing i-voting solution for overseas Pakistanis has a number of shortcomings and does not fulfill the constitutional requirement of vote secrecy.
The report by the Spanish audit firm Minsait concludes: “As a result of the in-depth analysis of the existing i-voting solution, the audit team agrees that the system, at the state that has been shared with Minsait, does not fulfill the constitutional requirements of vote secrecy, and neither the voters nor the ECP would have any guarantee that the results obtained from the system represent the choices made by the voter.”
A third party audit was done for the government by Minsait for the analysis, design and implementation of internet voting for overseas Pakistanis. In its 231-page report, recently submitted to the government, the audit firm “strongly recommended” that the existing system be upgraded prior to being used in any election.
It warned that the technologies included by Nadra are outdated and vulnerable and could be exploited by attackers. I-voting would remain a risky affair even if the present system is improved, the report says, arguing that the resulting system would probably be more resilient than the current one but would still fail to give all the guarantees that voters and candidates deserve.
The report’s main concern is how to protect i-voting from external and internal attacks – for example by hackers or system administrators. The system must ensure that the vote is secretly cast against any third party, including system administrators and potential hackers, breaking the conventional security measures protecting the voting platform. .
According to the report, the results shown have been achieved after six weeks of audit work comprising the study of documentation, meetings and interviews with stakeholders, source code reviews and tests on the systems provided by Nadra.
“Minsait has done the best possible effort to analyse the situation of the existing i-voting system. Nadra and the ECP provided the information requested, but more detailed documentation would have helped understanding the system better,” said the report.
The report highlighted that in the present i-voting system for overseas Pakistanis, voters have no way of verifying that their vote was cast as intended, recorded as cast or counted as recorded. It added that voter privacy can be broken at several points in the system.
It also pointed out that the server technology and other elements used are outdated and with many known vulnerabilities; key management is inadequate for voting, the encryption process is very inefficient, not using homomorphic encryption; no information is digitally signed; there is no collective protection of private key by selected custodians, and there is no immutable technology being used to ensure the system as auditable.
In order to have a system that would fulfill the constitutional voter secrecy requirements and have the legitimacy that auditable results provide, Minsait recommends improving the system following the roadmap given in the report. “Every aspect on the list shall be implemented. By not implementing one or more of the items, the resulting system would probably be more resilient than the current one, but still would fail to give all the guarantees that voters and candidates deserve,” reads the report.
The recommended strategy as given in the report is as follows: Voter registration should be upgraded; the i-voting solution should be replaced by one that fulfills the requirements set; the weblogic server, operating system, database etc should be upgraded and patched; voter registration, while not being critical on the voter privacy aspect is a target for denial of service or voter impersonation attacks. Therefore, the integrity of the information and the resilience of the service are of paramount importance; voting application improvements; voter privacy improvements; auditability improvements; for the sake of integrity, a task should be implemented to verify the ballot box against the vote signatures on the blockchain, and implement a method for voters to query the blockchain to check whether their vote is in the ballot box (not revealing voter intent).
The report says that the ECP is the owner of the election process, while Nadra and other institutions are service providers. With this understanding, it is the recommendation of the audit team that the ECP should build the resources to control key areas of the i-voting process.
It also recommended legislative changes. The report says that The Election Act 2017 indicates that no voter shall be disenfranchised. “The audit team observes that the current process of having a single day for voting for voters abroad, and during the same time as the voters in Pakistan is, de facto, disenfranchising voters that live in other time zones like Australia or America.”
It added, “Most countries allow voters voting for abroad a period between 5 and 14 days to cast their votes from the remote locations.,” the report said, recommending, “the current legislation be reviewed to increase the voting period from abroad.”
Judge raised the query after warning to announce the verdict if Maneka’s lawyer remained absent from the hearing and...
The development came amid the United States’ explicit opposition to the bilateral project
Qaiser claimed that both parties rejected entire process which led to the formation of the incumbent government
She examined a proposed site for the construction of a state-of-the-art hospital in Murree and approved
Raoof Hasan warned against any attempt to extend the tenure of Chief Justice of Pakistan Qazi Faez Isa by another...
These payments will help PBA members to clear some of their liabilities
