Confidential report finds current i-Voting system for overseas Pakistanis not secure

"The vote is encrypted on the server, this allows an internal attacker to know what the voter voted," says report

By |
Representational image. — File photo
Representational image. — File photo  

The present internet voting system for overseas Pakistanis does not ensure vote secrecy, finds a confidential audit report prepared by a Spanish company for the government.

The over 200-page report, seen by Geo.tv, has been prepared by Minsait, a Madrid-based company. Minsait was tasked by the Ministry of IT earlier this year to analyze the existing I-Voting system for expats, as well as offer recommendations to improve the system before the 2023 polls.

After a six-week audit, the report was presented by the company to the government on May 31.

The report states that the existing I-Voting system, which was sampled in 2018 by the Election Commission of Pakistan (ECP), “does not fulfill the Constitutional requirements of vote secrecy,” adding that neither the voters nor the Election Commission has “any guarantee that the results obtained from the system represent the choices made by the voter.”

Minsait notes that the Constitution of Pakistan does not explicitly allow online voting, but any internet voting system must ensure the secrecy of the ballot, as mentioned in the Constitution.

The report then critiques each aspect of the internet voting system in detail, adding that it will need to be improved before I-Voting can be offered to overseas Pakistanis.

In regards to voting encryption, the company states that the encryption process is very inefficient. “The vote is encrypted on the server, this allows an internal attacker to know what the voter voted.”

It further adds that an internal attacker “could get results at any point in time, or decrypt the individual vote of any voter.”

On voter privacy, it warns that the private system can be broken at several points, explaining that the current voting process “does not guarantee that false votes are not introduced in the ballot box. Also, the removal of votes cannot be detected.”

Troublingly, it notes that the team has “high confidence” that the system was feasible to denial of service (DoS) attacks, which would not let voters vote.

Minsait recommends that for the existing system to be upgraded, and made secure, could take between one-and-a-half to three years with a team of at least 15 to 30 engineers.

It also adds that all overseas voters will not be able to vote in a single day, due to differences in time zones.

Hence, “most countries allow voters voting from abroad a period between 5 and 14 days to cast their votes from remote locations.” It then gives the example of Mexico, which allows voting from abroad during a two-week period.

Also, an essential requirement for the internet voting system to work, the report highlights, is for the system to be trusted by all stakeholders.

The company further notes with concern that the ECP’s recommendation on online voting, prepared in 2018, has yet to be implemented by the government.