The proposed voting system


The new electronic voting system is being designed and implemented by TEHILA, which is a subdivision within Israel's ministry of finance. TEHILA's original mandate was to develop Israel's government portal. The task of developing the new voting system was assigned to TEHILA by Israel's minister of interior, Meir Shitrit.
 
TEHILA did not make public any technical paper describing their system. This is despite their repeated promises to be transparent, and to publish technical details and code. Thus, in describing the system, we have to settle for the information that appears in the law proposal.
 
The system's goals, as declared in the law proposal, are:
  •  saving paper and envelopes
  •  saving manpower before and during the election
  •  making forgery more difficult
  •  making the counting process more transparent, so that there are fewer appeals against the published results.
[Before the elections]: Each polling station committee has
  • an "Identification card" (I-card),
  • a "Voting card" (V-card),
  • a "Designated encryption card" (E-card), and, for each voter,
  • a "smart card" (S-card).
To the best of our understanding, all the above cards are smart-cards, but we use the names as written in the law proposal.  The law proposal is very vague on the way all those smart cards are used.
 
 
[Voting process]: The voting process proceeds as follows:
  • A voter identifies herself before the polling station committee, and receives an S-card.
  • She goes to a voting machine (machine A) and selects her choice on a touch screen.
  • [optional] She may check the way her vote was recorded on the S-card, by checking it on a second, independent machine (machine B).
  • [optional] If she wishes, she may change her vote, but only once.
  • She then proceeds to cast her S-card.
 
[After the election]:
  • The voting committee "manually" counts the votes. This probably means they take the S-cards and feed them into another counting machine C.
  • Machine A "electronically" counts the votes chosen there.
  • The results are compared.
 
[Security by obscurity]: There are many crucial details that are missing from the above description, but this is all that we were able to reconstruct from the information provided in the law proposal (indeed, we do not think that law proposals were intended to serve as software specifications!). Among the missing details:
  • What smart cards are used, and who initializes them (is it a foreign manufacturer?)
  • A complete list of the secret keys that are written on these smart cards, including those written by the manufacturer at production time.
  • Is there a master key for all the smart cards in a series?
  • What hardware is installed on each smart card?
  • What algorithm is implemented on each of the smart cards?
  • What software do the PCs at the polling stations run?
  • What is the code run by those machines?
What we do know for sure is that the system is fully software based, and does not have any "physical" component. As we argue here, this is a fundamental conceptual flaw in the design of the system.