Select Committee on Constitutional Affairs Written Evidence


Memorandum by The Centre for Digital Security Privacy and Trust (VOT 32)

1  INTRODUCTION

  1.  The government has demonstrated an interest to improving the efficiency of the UK's electoral registration process. Recent reforms have included the introduction of rolling registration by which a local authority's electoral register is updated on a monthly, rather than annual basis. This change reflected the increasing in-accuracy of the register due to greater population mobility.

  2.  We believe that the goals of electoral registration reforms should both ensure the completeness and accuracy of the register for any given election and permit those who currently have difficulty completing paper forms the option of using a variety of channels in order to register. In the next section we respond to specific issues raised by the committee and in so doing, outline a model for voter registration which:

    —  Employs local authority staff in the task of actively registering individual voters as they become eligible (through graduation from school, for example).

    —  Permits voters to administer their registration remotely, through the use of a variety of channels (both electronic and otherwise) without being able to remotely create or destroy registrations.

2  RESPONSE TO ISSUES RAISED

  3.  Given our specific research in the field of Digital Security, Privacy and Trust we do not intend to respond to all the issues raised by the Committee in their press notice. Instead, we will respond to those issues raised which fall within the remit of our own expertise.

(a)   Advantages of individual registration compared with the existing system of household registration

  4.  We note with some concern the demand from various sources (including the Electoral Commission) for household registration to be replaced with individual registration. We anticipate that individual registration
About the Centre

The Digital Privacy, Security and Trust Group was formed in the autumn of 2001 at the University of St. Andrews. The group is based within the School of Computer Science. Relevant research projects at the Centre include:

—  Development of a modelling system for expressing the requirements for voting systems in different contexts.

—  Design and implementation of a remote electronic voting system for the UK electoral context.

We also have links with outside organisations including other research groups and industry, with whom we collaborate on joint projects.

within the existing practice of using registration forms sent to households (a form of remote registration) might take one of two forms:

      1.

    Each eligible member of the household is required to sign a single registration form declaration, instead of requiring only the signature of one member of the household, as is current practice.

      2.

    Each member of the household is required to request, complete and return their own registration document.

  5. The stated goal of individual registration has been to combat the possibility of electoral fraud, particularly using remote forms of voting such as the postal system, or newer electronic voting. Several legal cases have demonstrated the ease with which multiple fictitious identities may be registered at households, most notably with the conviction of two councillors in Hackney in 1998. However, it is unclear, how individual registration can prevent this activity. A fraudster would still have the ability to complete a single registration form sent to a household, forging the extra signatures if necessary. Alternatively, if the second type of individual registration were adopted, a fraudster might in fact be at an advantage, since they would be able to submit multiple individual registration forms over a period of time, making the detection of a large number of registrations at a single address much harder to detect (when stored in large electoral register database). Such an approach would require periodic auditing and review of entries in the register in order to detect large numbers of registrations at single addresses.

  6. Whilst the first model of individual registration might have only a limited impact on the completeness of the electoral register, we believe that adoption of the second model would be unfortunate, as evidenced by the substantially lower levels of registration experienced in the United States. The advantage of the existing system of household registration is that only a single motivated individual is required to complete and return the registration document. A move to individual registration would require each eligible member of the household to be sufficiently motivated to undertake the registration process. Evidence from the Electoral Commission's latest reports suggest that the perception of fraud is much greater than actual instances. If fraudulent registration is deemed to be a serious problem, then the government should consider ending the process of remote registration. Implementing individual registration does not address the vulnerabilities of the system and would not (in the remote context) present any additional difficulities to a fraudster.

(b)   Advantages and disadvantages of electronic rather than paper-based forms of registration systems

  7.  The prospect of online electronic registration raises the possibility of providing a range of channels for registration. This is similar to the Government's intention of providing a range of channels for voting in the near future, where every voter is able to operate a least one of the channels provided. In our response to (d) we outline a mechanism by which online administration of register entries might be implemented, whilst preventing the remote creation of new entries in the electoral register.

  8.  Conversely, it must be anticipated that the provision of online registration is associated with some increased risk to the integrity of the electoral register. Registers currently stored in isolation by local authorities would by necessity need to be connected to the Internet if online registration were implemented. The only alternative would be to provide an online means of submitting registration information to local authority staff for manual transfer to the register storage, although it is not clear if significant benefit would derive from this change.

  9.  On the assumption that the electoral register would be connected to the Internet and that the register contains information that may be regarded as valuable, measures would need to be taken to ensure that the security of the online register (in terms of both integrity and confidentiality) is sufficient to respond to the possibility of un-authorised external access. In particular, local authorities would need to consider what steps would be necessary to notify or protect those who have deliberateley removed their entries from the published register in the event of a security breach.

(c)   Availability and confidentiality of the register

  10.  We note that one possibility of developing consistent electronic registration and storage systems is the potential for web-based review of the electoral register. This feature has a number of potential advantages, for example a voter would be able to check their own entry in the register for accuracy; candidates would also be able to access an up-to-date version of the electoral roll prior to the close of nominations for an election.

  11.  However, there are clear risks to the privacy of individual voters associated with the online publication of the electoral roll. We note the controversy associated with the practice of selling electoral registers to commerical organisations by local authorities. One possibility is that a greater number of voters would request their name removed from the published register, presenting difficulties to candidates at election time.

  12.  We are currently undertaking a joint research project with the University of Northumbria's PACT laboratory (psychology) to investigate public attitudes to videoed examples of electronic registration and electronic voting. The project will investigate questions raised by the prospect of online registration and publication of an electronic register in order to determine what rules regarding the control of information contained in the register might be required by the public.

(d)   The desirability of a national electoral register

  13.  We note that the Government is currently moving towards the implementation of a national electoral register through the CORE project [1]. We understand that rather than deploying a single registration system, the government instead intends to provide a consistent means for information to be transferred between registers stored on different platforms at different local authority sites, preferably using the Election Markup Language (EML) as the standard for communication [2].

  14.  Given the development of a de-centralised national electoral register we note that voters would only need to register once—in the future this would be when they reach 18 years of age. When a voter changes address, rather than having to notify two local authorities, the voter would simply notify either once. Their electoral registration information could then be transferred between the two authorities; thus the main costs incurred are for the initial registration process.

  15.  than permitting on-line registration directly, a voter would be able to transfer their registration between addresses online, but not create new registrations. If individual registration is adopted under this model, in person registration could be undertaken in schools, colleges, immigration centres etc as part of the process of gaining full citizenship. This model would prevent fraudulent identities being incorporated into the online register (since registration would only occur in specific circumstances), whilst also permitting existing registrations to be administered by the voters themselves. The notification process could be performed using a variety of channels, via the postal system, or web-based forms for example.

(e)   Means of ensuring the security of the register: PIN numbers, electoral voting cards, signatures

  16.  We believe that the security of the register comprises two aspects:

    —  Ensuring the integrity and completeness of the register.

    —  Ensuring the confidentiality of the register where appropriate.

  17.  If online access is permitted to the electoral register (see previous section) in the form we advocate, some form of authentication mechanism is necessary when a voter wishes to administer their entry in the register. Whilst we note that a voter should not have the ability to create or delete registrations, the ability to transfer registrations leaves the potential for "gathering" registrations at a single address if a voter is permitted to administer any entry in the register without authentication.

  18.  The model described above, where registration occurs in person at specific locations and/or events provides the opportunity for the voter to be provided with a voter card printed with a PIN for authentication, for use in combination with their National Insurance number (or similar) for identification. Crucially, we do not advocate the use of publicly available information such as driving licence numbers, National Insurance numbers or similar for authentication purposes, a practice which risks identity fraud as witnessed by the use of Social Security numbers for authentication in the United States.

  19.  With regard to the confidentiality, we are (as discussed in response to section (c)) currently investigating public attitudes to the online publication of electoral registration data. We anticipate that the greater ease with which access is afforded by online publication may sway more voters to request that their information is not included in the published register. Alternatively, different opt-outs may need to be provided for online and printed publication, to the extent that voter's may only view their own entry online using the identification/authentication materials outlined above.

3  SUMMARY OF EVIDENCE

  20.  We summarise our evidence as follows:

    —  Cases of abuse of the electoral registration system in the UK are rare.

    —  The registration process is vulnerable to the creation of fraudulent entries because of the use of remote registration, not because of the practice of household registration.

    —  Introduction of remote-individual registration invites the prospect of a decline in registration rates without improving the security of the process.

    —  A combination of active in-person individual registration, combined with the ability to remotely administer individual entries in a national registers provides for an improvement in the integrity and completeness of the register through the use of a register once model.

    —  Once registered, the use of multiple channels for administering registration entries has the potential to substantially increase the convenience and accessibility of the electoral registration system.

REFERENCES

  [1]  Dylan Jeffrey and Xavia Morbey. Co-ordinated on-line register of electors (CORE) standardising electoral registration. Consultation paper, Office of the Deputy Prime Minister, Eland House, Bressenden Place, London, SW1E 5DU, May 2004.

  [2]  Aoun Charbel, John Ross, Paul Spencer, and Eric Petersen. Election markup language (EML): e-voting process and data requirements. Technical Report 2.0, OASIS Election and Voter Services Technical Committee, September 2002.


 
previous page contents next page

House of Commons home page Parliament home page House of Lords home page search page enquiries index

© Parliamentary copyright 2005
Prepared 25 January 2005