Memorandum by The Centre for Digital Security
Privacy and Trust (VOT 32)
1 INTRODUCTION
1. The government has demonstrated an interest
to improving the efficiency of the UK's electoral registration
process. Recent reforms have included the introduction of rolling
registration by which a local authority's electoral register is
updated on a monthly, rather than annual basis. This change reflected
the increasing in-accuracy of the register due to greater population
mobility.
2. We believe that the goals of electoral
registration reforms should both ensure the completeness and accuracy
of the register for any given election and permit those who currently
have difficulty completing paper forms the option of using a variety
of channels in order to register. In the next section we respond
to specific issues raised by the committee and in so doing, outline
a model for voter registration which:
Employs local authority staff in
the task of actively registering individual voters as they become
eligible (through graduation from school, for example).
Permits voters to administer their
registration remotely, through the use of a variety of channels
(both electronic and otherwise) without being able to remotely
create or destroy registrations.
2 RESPONSE TO
ISSUES RAISED
3. Given our specific research in the field
of Digital Security, Privacy and Trust we do not intend to respond
to all the issues raised by the Committee in their press notice.
Instead, we will respond to those issues raised which fall within
the remit of our own expertise.
(a) Advantages of individual registration
compared with the existing system of household registration
4. We note with some concern the demand
from various sources (including the Electoral Commission) for
household registration to be replaced with individual registration.
We anticipate that individual registration
About the Centre
The Digital Privacy, Security and Trust Group was formed in the autumn of 2001 at the University of St. Andrews. The group is based within the School of Computer Science. Relevant research projects at the Centre include:
Development of a modelling system for expressing the requirements for voting systems in different contexts.
Design and implementation of a remote electronic voting system for the UK electoral context.
We also have links with outside organisations including other research groups and industry, with whom we collaborate on joint projects.
| | |
| | |
within the existing practice of using registration forms sent
to households (a form of remote registration) might take one of
two forms:
Each eligible member of the household is required to
sign a single registration form declaration, instead of requiring
only the signature of one member of the household, as is current
practice.
Each member of the household is required to request,
complete and return their own registration document.
5. The stated goal of individual registration has been to
combat the possibility of electoral fraud, particularly using
remote forms of voting such as the postal system, or newer electronic
voting. Several legal cases have demonstrated the ease with which
multiple fictitious identities may be registered at households,
most notably with the conviction of two councillors in Hackney
in 1998. However, it is unclear, how individual registration can
prevent this activity. A fraudster would still have the ability
to complete a single registration form sent to a household, forging
the extra signatures if necessary. Alternatively, if the second
type of individual registration were adopted, a fraudster might
in fact be at an advantage, since they would be able to submit
multiple individual registration forms over a period of time,
making the detection of a large number of registrations at a single
address much harder to detect (when stored in large electoral
register database). Such an approach would require periodic auditing
and review of entries in the register in order to detect large
numbers of registrations at single addresses.
6. Whilst the first model of individual registration might
have only a limited impact on the completeness of the electoral
register, we believe that adoption of the second model would be
unfortunate, as evidenced by the substantially lower levels of
registration experienced in the United States. The advantage of
the existing system of household registration is that only a single
motivated individual is required to complete and return the registration
document. A move to individual registration would require each
eligible member of the household to be sufficiently motivated
to undertake the registration process. Evidence from the Electoral
Commission's latest reports suggest that the perception of fraud
is much greater than actual instances. If fraudulent registration
is deemed to be a serious problem, then the government should
consider ending the process of remote registration. Implementing
individual registration does not address the vulnerabilities of
the system and would not (in the remote context) present any additional
difficulities to a fraudster.
(b) Advantages and disadvantages of electronic rather
than paper-based forms of registration systems
7. The prospect of online electronic registration raises
the possibility of providing a range of channels for registration.
This is similar to the Government's intention of providing a range
of channels for voting in the near future, where every voter is
able to operate a least one of the channels provided. In our response
to (d) we outline a mechanism by which online administration of
register entries might be implemented, whilst preventing the remote
creation of new entries in the electoral register.
8. Conversely, it must be anticipated that the provision
of online registration is associated with some increased risk
to the integrity of the electoral register. Registers currently
stored in isolation by local authorities would by necessity need
to be connected to the Internet if online registration were implemented.
The only alternative would be to provide an online means of submitting
registration information to local authority staff for manual transfer
to the register storage, although it is not clear if significant
benefit would derive from this change.
9. On the assumption that the electoral register would
be connected to the Internet and that the register contains information
that may be regarded as valuable, measures would need to be taken
to ensure that the security of the online register (in terms of
both integrity and confidentiality) is sufficient to respond to
the possibility of un-authorised external access. In particular,
local authorities would need to consider what steps would be necessary
to notify or protect those who have deliberateley removed their
entries from the published register in the event of a security
breach.
(c) Availability and confidentiality of the register
10. We note that one possibility of developing consistent
electronic registration and storage systems is the potential for
web-based review of the electoral register. This feature has a
number of potential advantages, for example a voter would be able
to check their own entry in the register for accuracy; candidates
would also be able to access an up-to-date version of the electoral
roll prior to the close of nominations for an election.
11. However, there are clear risks to the privacy of
individual voters associated with the online publication of the
electoral roll. We note the controversy associated with the practice
of selling electoral registers to commerical organisations by
local authorities. One possibility is that a greater number of
voters would request their name removed from the published register,
presenting difficulties to candidates at election time.
12. We are currently undertaking a joint research project
with the University of Northumbria's PACT laboratory (psychology)
to investigate public attitudes to videoed examples of electronic
registration and electronic voting. The project will investigate
questions raised by the prospect of online registration and publication
of an electronic register in order to determine what rules regarding
the control of information contained in the register might be
required by the public.
(d) The desirability of a national electoral register
13. We note that the Government is currently moving towards
the implementation of a national electoral register through the
CORE project [1]. We understand that rather than deploying a single
registration system, the government instead intends to provide
a consistent means for information to be transferred between registers
stored on different platforms at different local authority sites,
preferably using the Election Markup Language (EML) as the standard
for communication [2].
14. Given the development of a de-centralised national
electoral register we note that voters would only need to register
oncein the future this would be when they reach 18 years
of age. When a voter changes address, rather than having to notify
two local authorities, the voter would simply notify either once.
Their electoral registration information could then be transferred
between the two authorities; thus the main costs incurred are
for the initial registration process.
15. than permitting on-line registration directly, a
voter would be able to transfer their registration between addresses
online, but not create new registrations. If individual registration
is adopted under this model, in person registration could be undertaken
in schools, colleges, immigration centres etc as part of the process
of gaining full citizenship. This model would prevent fraudulent
identities being incorporated into the online register (since
registration would only occur in specific circumstances), whilst
also permitting existing registrations to be administered by the
voters themselves. The notification process could be performed
using a variety of channels, via the postal system, or web-based
forms for example.
(e) Means of ensuring the security of the register: PIN
numbers, electoral voting cards, signatures
16. We believe that the security of the register comprises
two aspects:
Ensuring the integrity and completeness of the
register.
Ensuring the confidentiality of the register where
appropriate.
17. If online access is permitted to the electoral register
(see previous section) in the form we advocate, some form of authentication
mechanism is necessary when a voter wishes to administer their
entry in the register. Whilst we note that a voter should not
have the ability to create or delete registrations, the ability
to transfer registrations leaves the potential for "gathering"
registrations at a single address if a voter is permitted to administer
any entry in the register without authentication.
18. The model described above, where registration occurs
in person at specific locations and/or events provides the opportunity
for the voter to be provided with a voter card printed with a
PIN for authentication, for use in combination with their National
Insurance number (or similar) for identification. Crucially, we
do not advocate the use of publicly available information such
as driving licence numbers, National Insurance numbers or similar
for authentication purposes, a practice which risks identity fraud
as witnessed by the use of Social Security numbers for authentication
in the United States.
19. With regard to the confidentiality, we are (as discussed
in response to section (c)) currently investigating public attitudes
to the online publication of electoral registration data. We anticipate
that the greater ease with which access is afforded by online
publication may sway more voters to request that their information
is not included in the published register. Alternatively, different
opt-outs may need to be provided for online and printed publication,
to the extent that voter's may only view their own entry online
using the identification/authentication materials outlined above.
3 SUMMARY OF
EVIDENCE
20. We summarise our evidence as follows:
Cases of abuse of the electoral registration system
in the UK are rare.
The registration process is vulnerable to the
creation of fraudulent entries because of the use of remote registration,
not because of the practice of household registration.
Introduction of remote-individual registration
invites the prospect of a decline in registration rates without
improving the security of the process.
A combination of active in-person individual registration,
combined with the ability to remotely administer individual entries
in a national registers provides for an improvement in the integrity
and completeness of the register through the use of a register
once model.
Once registered, the use of multiple channels
for administering registration entries has the potential to substantially
increase the convenience and accessibility of the electoral registration
system.
REFERENCES
[1] Dylan Jeffrey and Xavia Morbey. Co-ordinated on-line
register of electors (CORE) standardising electoral registration.
Consultation paper, Office of the Deputy Prime Minister, Eland
House, Bressenden Place, London, SW1E 5DU, May 2004.
[2] Aoun Charbel, John Ross, Paul Spencer, and Eric Petersen.
Election markup language (EML): e-voting process and data requirements.
Technical Report 2.0, OASIS Election and Voter Services Technical
Committee, September 2002.
|