Anti-Malware Codes: How Voters Can Prove They Confirmed Their Vote
For government elections that require the highest level of security, SIV recommends using a Voter Authentication and Invitation system based on sending custom invitations through postal mail.
The invitation letter sent to voters can include a few random numbers labeled as "Anti-Malware Confirmation Codes." These codes are used exclusively on 2nd (or 3rd or 4th) devices during the Post Vote-Submission QR or Verification # confirmation methods, and are never entered on the device that cast the vote.
Since these numbers would never be entered onto the first device, there is strong protection even if the first device is infected.
This allows a voter to effectively prove that they did a 2nd device check, without the check being falsely claimed by malware from the first device.
Since the code is only used during a 2nd device check, there is no need for high levels of entropy in these numbers. A simple two-digit number, such as "83" or "15", would be sufficient. This makes it quick and easy for the voter to enter the code on the 2nd device. Additionally, providing a few extra codes for 3rd and 4th devices is beneficial.
Each number should be independently random and unique for every voter, with no duplicates between devices. The election official, such as the clerk or election director, will have access to these codes, which are effectively like additional device Authentication Tokens.
When a voter enters a code on the 2nd device, the election admin server can check whether it is correct for that voter. If the code is incorrect, the system logs the error, displays a warning, and allows the voter to try again.
By implementing the "Anti-Malware Confirmation Code" system, it becomes possible to accurately track how many voters are performing a second device check. It could even be technically feasible to make such checks mandatory if desired. However, making them required is not necessarily recommended as voters could still find ways to circumvent the system, such as by using an incognito window, a second browser, or by spoofing their user-agent.
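The server side of the scheme just described, as an added illustration that is not SIV's own code: per-voter two-digit codes are generated independently at random with no duplicates across a voter's devices, a code entered on a 2nd/3rd/4th device is checked against the stored value, wrong entries are logged and retried rather than locking the voter out, and the store can report how many voters have performed a second-device check. The class and method names (AntiMalwareCodeStore, issue, confirm, second_device_check_rate) and the voter ids are assumptions for the example.

```python
# Added example, not SIV's implementation. Names below are hypothetical.
import hmac
import logging
import secrets
from dataclasses import dataclass, field

log = logging.getLogger("anti_malware_codes")

DEVICE_SLOTS = (2, 3, 4)  # codes are labeled for the 2nd, 3rd and 4th device


@dataclass
class VoterRecord:
    codes: dict[int, str]                          # device number -> two-digit code
    confirmed: set[int] = field(default_factory=set)  # devices that entered a correct code
    failures: int = 0                              # wrong entries, kept for the audit log


class AntiMalwareCodeStore:
    """Election-admin side store of Anti-Malware Confirmation Codes."""

    def __init__(self) -> None:
        self._voters: dict[str, VoterRecord] = {}

    def issue(self, voter_id: str) -> dict[int, str]:
        """Generate codes to print on the voter's invitation letter.

        Each code is an independent random two-digit number; low entropy is
        acceptable because the code only attests to a second-device check.
        Codes are unique within one voter's letter so devices cannot be confused.
        """
        codes: dict[int, str] = {}
        for device in DEVICE_SLOTS:
            code = f"{secrets.randbelow(100):02d}"
            while code in codes.values():          # no duplicates between devices
                code = f"{secrets.randbelow(100):02d}"
            codes[device] = code
        self._voters[voter_id] = VoterRecord(codes)
        return codes

    def confirm(self, voter_id: str, device: int, entered: str) -> bool:
        """Check a code typed on a 2nd/3rd/4th device; log and allow retry on failure."""
        rec = self._voters.get(voter_id)
        if rec is None or device not in rec.codes:
            log.warning("unknown voter %r or device slot %r", voter_id, device)
            return False
        expected = rec.codes[device].encode()
        if hmac.compare_digest(expected, entered.strip().encode()):
            rec.confirmed.add(device)
            return True
        rec.failures += 1
        log.warning("incorrect anti-malware code for voter %r on device %d", voter_id, device)
        return False

    def second_device_check_rate(self) -> float:
        """Fraction of invited voters who confirmed on at least one extra device."""
        if not self._voters:
            return 0.0
        checked = sum(1 for r in self._voters.values() if r.confirmed)
        return checked / len(self._voters)


if __name__ == "__main__":
    store = AntiMalwareCodeStore()
    letter = store.issue("voter-0001")            # constructed voter id
    print("codes printed on the letter:", letter)
    print("2nd device, correct code:", store.confirm("voter-0001", 2, letter[2]))
    print("check rate:", store.second_device_check_rate())
```

The constant-time comparison is not strictly needed for two-digit codes, but it costs nothing and keeps the verification path uniform if longer tokens are ever used in the same store.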
Despite the potential for workarounds, it would be very powerful to imagine a scenario where over 75% of SIV voters choose to perform a second device check to protect against malware.
To provide an additional layer of security, it is recommended to conduct more extensive randomly sampled audits of voters in person or over the phone to ensure the integrity of the system. The combination of voter-autonomous checks (Verification # Check & 2nd Device QR Code Check) and auditor-supervised checks can be scaled effectively to enhance the security of the auditing process.
Voter-autonomous checks are advantageous due to their ease of implementation on a large scale, while supervised checks ensure that the voter-autonomous checks are reliable. By utilizing both approaches, the auditing process can be strengthened, ensuring a comprehensive evaluation of the system's integrity.
To ensure the effectiveness of the Anti-Malware Codes system, it is important to consider the potential vulnerabilities and corresponding mitigation options. One such vulnerability is the possibility of an attacker gaining access to the codes by intercepting them during transmission or accessing them from the election admin's servers.
However, even with this risk, implementing the Anti-Malware Codes system provides an improvement in security, as it requires the attacker to compromise both the canonical sources of the codes (the mailed invitation or the election admin's servers) and the voter's device.
In certain situations, it may be desirable to display the individual names of voters who have and have not yet checked. This could be particularly useful in smaller group settings where voters know each other (e.g. less than 1000), and seeing that everyone has checked can provide reassurance and encourage responsible behavior.
However, it is important to be cautious when publishing such lists. In situations where less than 100% of voters are expected to check, publishing a list of those who have not checked could make them more attractive targets for attackers. It may also be counterproductive in settings where voters may not have access to a second device, such as in-person events where they may only have one smartphone available.
Rather than everyone assuming that others confirmed their vote, Anti-Malware Codes provide a powerful and reliable mechanism, having the voters explicitly confirm that they checked their vote and that it was counted correctly.