Breaching the Privacy of Israel's Paper Ballot Voting System
Tomer Ashur (ESAT/COSIC, KU Leuven and iMinds, Leuven, Belgium; tomer.ashur@esat.kuleuven.be), Orr Dunkelman (University of Haifa, Haifa, Israel; orrd@cs.haifa.ac.il), and Nimrod Talmon (Weizmann Institute of Science, Rehovot, Israel; nimrodtalmon77@gmail.com)
Abstract.
An election is a process through which citizens in liberal democracies select their governing bodies, usually through voting. For elections to be truly honest, people must be able to vote freely without being subject to coercion; that is why voting is usually done in a private manner. In this paper we analyze the security offered by a paper-ballot voting system that is used in Israel, as well as several other countries around the world. We provide an algorithm which, based on publicly-available information, breaks the privacy of the voters participating in such elections. Simulations based on real data collected in Israel show that our algorithm performs well, and can correctly recover the vote of up to 96% of the voters.
One of the fundamental mechanisms that allow for democracy is the notion of free elections. In free elections, eligible voters express their opinions on important matters via voting. In liberal democracies, periodical elections (which we refer to as “election cycles”) are held for electing the members of the governing bodies. For people to freely express their opinions (that is, without being subject to external pressure), voting is usually done in a private manner. In other words, the elections allow voters to maintain their privacy regarding their specific vote within a large anonymity set.

One can learn about the importance of secrecy in election processes from the Declaration on Criteria for Free and Fair Elections, published by the Inter-Parliamentary Union in 1994, which states [9]:

“2. Voting and Elections Rights: (7) The right to vote in secret is absolute and shall not be restricted in any manner whatsoever.”

The Inter-Parliamentary Union (IPU) is an international organization of 162 state parliaments and 10 regional parliaments. This union, which was established in 1889, has a permanent observer status at the United Nations and general consultative status with the Economic and Social Council.

Similarly in spirit, the state of Israel has recognized the importance of secret voting and determined in its Basic Law: The Knesset [4], Section 4, that: “The Knesset shall be elected by general, national, direct, equal, secret, and proportional elections, in accordance with the Knesset Elections Law.”

In this paper, we demonstrate that only a few observations are required to breach the privacy of the voters in the Israeli general elections. Our attack uses only the following information: (1) the results of the elections per ballot box (which are published at the end of the election cycle by the general elections committee); (2) the time of vote for each voter (which is collected by the various political parties); and (3) a periodical count of the ballots left in the tray (which can be collected by the members of the local elections committee who are continuously manning the ballot box). It turns out that, by collecting the above information over several election cycles and using it to intersect the anonymity sets, it is possible to recover most votes.

In what follows we report on simulations performed on real data from the 2013 Israeli general elections. We consider a variable number of election cycles which the adversary is acting upon, and consider different time intervals by which the adversary is able to count the ballots left in the tray.
We mention that an attack does not have to be global, and that the adversary can focus on specific polling stations that are of interest.

We do use some assumptions in our simulations. First, we assume that an adversary can periodically count the ballots; we elaborate on this assumption in Section 3.1. Second, in the specific simulations reported here, we assume that voters do not switch parties between election cycles; while this assumption is not true for all voters, it is true for most of them (as is apparent by studying recent election surveys [2, 19]). While this assumption somewhat weakens the results, it is being used in the absence of sufficient real-world data about specific voters. We further discuss our assumptions in Section 5.

As expected, the success of our attack increases with the number of election cycles considered and decreases (though not dramatically) when the frequency of the count is reduced. Our simulations demonstrate that, for example, with only three election cycles, it is sufficient to count the ballots once in half an hour to recover as much as 63% of the voters. Moreover, it turns out that we can correctly recover almost all votes, reaching 100% success in most polling stations, and reaching 93% on average, using six election cycles and counting once in half an hour. Further, by counting only once in an hour, this number remains as high as 69%.

We briefly discuss several definitions for privacy in elections. Then, we show how the Israeli election system can be modeled as a timed-mix, and mention several

The Knesset is the name of the Israeli parliament.
Privacy in Elections
There are several definitions for privacy in elections, most of which borrow ideas from differential privacy. In short, a voting system is said to preserve privacy if it is impossible to distinguish between two scenarios, differentiated by the behavior of several voters; the idea is that, if such events are indistinguishable, then an adversary cannot infer which of them occurred in reality. We mention several papers [6, 11, 16, 17] in this context. In this paper we simply quantify the number of voters whose vote we could correctly de-anonymize. We view our definition as being more natural and, contrasted with the available definitions (which are specifically tailored for e-voting), more suited to the context of the current paper.
Attacks on Mixes
Mixes are widely used to model private communications. Proposed by Chaum in 1981 [7], a mix is a means for delivering messages anonymously between senders and receivers. Communication in a mix is split into rounds, such that in each round $n$ senders send messages which are then delivered to $n$ receivers in an arbitrary or random order.

Each ballot box in the Israeli voting system can be modeled as a certain kind of mix, namely a timed-mix. In such a mix, a buffer of messages is mixed once in each time period. The set of voters in each polling station corresponds to the set of senders, while the set of parties contesting in an election corresponds to the set of receivers. There are various known attacks on mixes [1, 10, 14, 15, 22] and we refer the interested reader to a recent survey [18]. Most of the above-mentioned papers de-anonymize single receivers and assume either a uniform distribution of the other receivers or try to approximate that distribution. In our case, the overall tally is given, and we aim to de-anonymize the whole electorate.

The paper is organized as follows: Section 2 gives a brief description of the Israeli voting system. Section 3 describes our attack. In Section 4, we evaluate our attack through simulations and discuss its tightness. In Section 5, we discuss some of the limitations of the attack, suggest ways to overcome these limitations, discuss possible countermeasures, and present future research directions. We conclude the paper in Section 6.
The Israeli Voting System
The Israeli voting system is described in the Knesset Elections Law - 1969 [21]. In a nutshell, every eligible citizen is assigned to a polling station. In order to vote, each voter arrives at her assigned polling station and identifies herself to the local elections committee. The committee then crosses the voter’s name off the list of assigned voters, and hands her a special envelope. The voter walks behind a curtain and chooses a ballot (a piece of paper with the name of her selected party on it) from a tray, representing her preferred party. The tray (which can be viewed in Figure 1) includes a stack of ballots for each candidate party (34 parties contested in the 2013 elections). The voter puts the ballot into the envelope, seals it, and casts it into the ballot box, where it mixes with all the other envelopes. The members of the local elections committee are all, except for the chairperson, appointed by the political parties. As part of their role these representatives periodically check behind the curtain that all ballots are available to voters. Another informal role of the committee members is to send the time of vote of every voter to the parties, so that the parties can stimulate their support base who did not show up yet, for example, via phone calls or SMS.

Fig. 1: An example of the tray for the 2013 elections.

At the end of the election day, the local elections committee breaks the ballot box’s seal, opens it, extracts the ballots from each envelope, and counts them. The results of the tally are then sent to the general elections committee, which aggregates and publishes the results (including per-ballot-box statistics). The key observation in this research is the following.
Observation 1
The size of the stack of leftover ballots “echoes” the choices made by previous voters. We stress that the count is done locally, and the votes of each ballot box are not mixed with other boxes.
In this section, we describe our attack, whose goal is to reveal the votes in Israel’s general elections.
The adversary collects observations over several election cycles $u = 1, \ldots, U$. For each election cycle, in order to collect the required observations, the adversary counts all the ballots in the tray at the beginning of the election day. We define this count to be at time $t = 0$. Then, the adversary starts counting the ballots in the tray periodically, at times $t = 1, \ldots, T$. The technical question of how the adversary can count the stack of ballots is discussed in Section 5.1; we only mention that one might use, for example, accurate weight scales, laser-based measurement equipment, or banknote counters. The adversary also collects the time of vote for each voter. This information is already collected by the local elections committee, and is sent to the parties via a dedicated form called “Tofes-1000” (which translates to “1000-Form”).

We define a frame to be the time period between two consecutive counts. Through their voting times, we can divide the voters into frames, and assign a probability distribution to their vote according to the count of the respective frame. We refer to the set of voters who voted between the count at time $t - 1$ and the count at time $t$, in election cycle $u$, as $V_{u,t}$, and refer to the probability distribution associated with this time frame as $C_{u,t}$. Notice that we have $T$ frames: frame 1 to frame $T$. The probability distribution $C_{u,t}$ can be represented as a vector, such that each element in it corresponds to a party $p$, and each value in it is equal to the number of ballots of party $p$ which are missing from the stack in this frame, normalized by the total number of voters in the frame.
For example, if in the second elections Alice voted for the party named Meretz between time $t = 5$ and time $t = 6$, then the set $V_{2,6}$ contains Alice and $C_{2,6}[\text{Meretz}] > 0$. Note that the number of parties a voter $v \in V_{u,t}$ may have voted for is at most the number of non-zero items in $C_{u,t}$ (and not the number of non-zero items in the tally of the whole polling station).

Notice that using these frames, the adversary can recreate the real tally of each polling station. However, the adversary can also directly collect the real tally of each polling station, since this information is published by the central elections committee. Indeed, from the perspective of each voter, every election cycle is composed of exactly one frame to which she belongs and an arbitrary number of frames to which she does not belong.

The Attack Algorithm

Our algorithm is composed of the following three functions.

– The Find Homogeneous Frames function iterates over all frames, searching for homogeneous ones, i.e., frames in which all voters voted for the same party. If such a frame is found, then all voters in it are assigned to this party, the size of the frame is subtracted from the tally of that party, and the voters in the frame are removed from all other frames they participate in.
– The Find Single Option Voters function iterates over all voters. For each voter, it intersects the frames in which she participates, to find which parties are shared by all involved frames. If only a single party is shared between all frames in which a voter participates, then it assigns this party to the voter. The tally for this party is then reduced by 1 and the corresponding frame counts are updated.
– The Likelihood Estimation function iterates over tuples of (voter, party, frame). For each such tuple, it estimates, independently for each frame, the likelihood that a voter in the frame voted for each of the parties involved in that frame. The likelihood is calculated as the number of votes which the party got in this frame over the number of voters in this frame. The likelihood for a voter to vote for a certain party is the product of the respective probabilities in all frames she participated in. The output of this function is a matrix $L$ where each row $v$ is a voter, and each column $p$ is a party. An element $L_{v,p}$ in this table is the likelihood that voter $v$ voted for party $p$. We search for the pair $(v, p)$ giving the largest value $L_{v,p}$ and assign voter $v$ to party $p$. The tally is then decreased by one for that party $p$ and the corresponding frame counts are updated.

The attack algorithm is composed of two phases: the safe phase and the unsafe phase. In the safe phase we call Find Homogeneous Frames and Find Single Option Voters over and over until no new assignments can be made. This phase is safe in the sense that whenever the algorithm assigns a party to a voter, this assignment is necessarily correct. In other words, it can either return the right party for a voter, or output a symbol indicating that it was unable to de-anonymize her. In Section 4, we present the success rate of the algorithm when only this phase is being used.

In the unsafe phase, which we invoke after no more voters can be de-anonymized through the safe phase, the Likelihood Estimation procedure is used for making a probabilistic decision, assigning a party to the single voter about which we are most certain. We then start over the process of calling Find Homogeneous Frames and Find Single Option Voters until they can no longer de-anonymize voters, in which case we call Likelihood Estimation again. The algorithm halts when all voters have been assigned to parties.
Note that during the course of this phase, Find Homogeneous Frames and Find Single Option Voters can err due to previous wrong guesses made by Likelihood Estimation. However, as we will see in Section 4, although the unsafe phase can make wrong guesses, its success probability is much higher than that of the safe phase, suggesting that it usually does not. Pseudocode of the attack is given in Algorithm 1.

Algorithm 1: Pseudocode of the attack for a certain polling station.

Input: List of voters V_{u,t} for t ∈ [T] and u ∈ [U]
Input: Normalized frame counts C_{u,t} for t ∈ [T] and u ∈ [U] (one value per party; sums to 1)

{Safe phase}
while progress is made do
    {Find Homogeneous Frames}
    for u ∈ [U]; t ∈ [T]; party p do
        if C_{u,t}[p] = 1 (and thus, for each p' ≠ p, we have C_{u,t}[p'] = 0) then
            assign all voters in V_{u,t} to p and decrease the tally of p by |V_{u,t}|
        end if
    end for
    {Find Single Option Voters}
    for voter v do
        if ∩_{u ∈ [U], t ∈ [T], v ∈ V_{u,t}} {p : C_{u,t}[p] > 0} = {p} then
            assign v to p, decrease the tally for p by one, and update C_{u,t}
        end if
    end for
end while
{Unsafe phase}
while not all votes have been extracted do
    {Likelihood Estimation}
    for voter v; party p do
        compute the likelihood of v voting for p as L_{v,p} = Π_{u ∈ [U], t ∈ [T], v ∈ V_{u,t}} C_{u,t}[p]
    end for
    let v' and p' be the pair for which the likelihood value L_{v',p'} is maximal
    assign v' to p', decrease the tally for p' by one, and update C_{u,t}
    while progress is made do
        {Find Homogeneous Frames}
        for u ∈ [U]; t ∈ [T]; party p do
            if C_{u,t}[p] = 1 (and thus, for each p' ≠ p, we have C_{u,t}[p'] = 0) then
                assign all voters in V_{u,t} to p and decrease the tally of p by |V_{u,t}|
            end if
        end for
        {Find Single Option Voters}
        for voter v do
            if ∩_{u ∈ [U], t ∈ [T], v ∈ V_{u,t}} {p : C_{u,t}[p] > 0} = {p} then
                assign v to p, decrease the tally for p by one, and update C_{u,t}
            end if
        end for
    end while
end while

Evaluation of the Attack
In this section we evaluate, through simulations, the success rate of the attack proposed in Section 3. The model considered here assumes that voters do not change their minds between election cycles. We defer the justification of this assumption to Section 5. We also assume, for the sake of simplicity, that voters always vote in the same polling station, and that no new voters join or leave the registry.
To calculate the success rate of the attack, we ran simulations based on the results of the 2013 general elections in Israel as published by the general elections committee [20]. In these elections, Israel’s eligible voters were divided into 9879 polling stations. The law upper-bounds the maximal number of eligible voters assigned to a polling station at 900; in practice, the maximal number of voters assigned to a polling station was 894, and the median number of voters assigned to each polling station was 590. The voting turnout was low, and out of the 5,654,842 eligible voters only 3,617,857 (64%) actually voted; as a result, the median number of actual voters per polling station was 366. Out of these, a total of 3,579,793 votes were counted as legitimate votes. (Absentee votes, that is, votes of voters who do not vote in their assigned ballot box, such as diplomats, soldiers, and seamen, which account for about 5% of the votes, are excluded for simplicity.)

We model each polling station independently of all other polling stations, as we see no dependencies between different polling stations. (This independence implies that an adversary can focus their effort on subsets of polling stations which are of interest, or where they expect to achieve a high success rate.) The published results include, per polling station, the number of assigned voters, the number of voters who arrived, the number of legitimate votes, the number of votes received by each party per polling station, and an accumulated turnout rate per two hours. For obvious reasons we do not have the real data needed to actually run the attack, although we do use real data from the tallies of the various polling stations. We therefore resort to the “second-best” option and use a simulation of the elections process. We denote the number of voters in the attacked polling station by $n$ and set the number of frames $T$ to be either 30, 15, or 7: for the vast majority of the polling stations, this corresponds to counting the ballots once in half an hour, an hour, or two hours. (When $T = 7$ the first count is done after 3 hours.) We created $n$ “virtual” voters, and split them randomly over the frames according to the turnout rate. For each frame we “counted” the number of missing ballots, and built the voting distribution for it. This procedure is repeated $U$ times, corresponding to $U$ consecutive election cycles; we chose $U \in \{2, 3, 4, 5, 6, 7\}$.

Table 1: Average success rate of the attack, for $T = 30$, for extracting the exact party that the voters voted for, and the political group that the voters belong to. The baseline is 38% for extracting the party and 54% for extracting the group.

Election cycles   safe phase   unsafe phase, party   unsafe phase, group
2                 7%           46%                   59%
3                 19%          63%                   73%
4                 35%          76%                   83%
5                 50%          84%                   89%
6                 62%          90%                   93%
7                 71%          93%                   96%
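As an added worked example (not the paper's code, and not the simulation the authors ran), the following Python program implements the frame model of Section 3, the safe and unsafe phases of Algorithm 1, and the simulation procedure just described, on a constructed polling station. It assumes a hypothetical set of voters who keep their party across cycles and are placed in a uniformly random frame in each cycle (the paper spreads voters over frames by the published turnout curve instead), and it uses constructed party names and weights. The per-station tally is not tracked separately, since the per-frame counts already determine it.

```python
# Added example, not the paper's code: the frame model of Section 3, the safe and
# unsafe phases of Algorithm 1, and the Section 4 simulation procedure, run on a
# constructed polling station. Voter ids, party names and weights are constructed.
import random
from collections import Counter


def make_frames(cycles):
    """Build frames from explicit data: cycles = [[[(voter, party), ...], ...], ...],
    one list of frames per election cycle, each frame a list of (voter, party).
    A frame is {"voters": set of ids, "count": Counter}; count[p] is the number of
    party-p ballots missing from the stack in that frame (C_{u,t} before dividing
    by the frame size)."""
    return [{"voters": {v for v, _ in pairs}, "count": Counter(p for _, p in pairs)}
            for cycle in cycles for pairs in cycle]


def simulate_cycle(true_party, T, rng):
    """One election cycle: every voter keeps her party and lands in a uniformly
    random frame (assumption; the paper spreads voters by the turnout curve)."""
    buckets = [[] for _ in range(T)]
    for v, p in enumerate(true_party):
        buckets[rng.randrange(T)].append((v, p))
    return buckets


def _assign(v, p, frames, assigned):
    """Record v -> p and remove v and one party-p ballot from every frame of v."""
    assigned[v] = p
    for fr in frames:
        if v in fr["voters"]:
            fr["voters"].discard(v)
            if fr["count"][p] > 0:
                fr["count"][p] -= 1
                if fr["count"][p] == 0:
                    del fr["count"][p]


def safe_phase(frames, assigned, n):
    """Find Homogeneous Frames and Find Single Option Voters until no progress.
    Each assignment is forced by the counts, so it is correct whenever every
    earlier assignment was."""
    progress = True
    while progress:
        progress = False
        for fr in frames:  # Find Homogeneous Frames: one party explains the frame
            if fr["voters"] and len(fr["count"]) == 1:
                (p,) = fr["count"]
                for v in list(fr["voters"]):
                    _assign(v, p, frames, assigned)
                progress = True
        for v in range(n):  # Find Single Option Voters: intersect v's frames
            if v in assigned:
                continue
            options = set.intersection(
                *(set(fr["count"]) for fr in frames if v in fr["voters"]))
            if len(options) == 1:
                _assign(v, options.pop(), frames, assigned)
                progress = True


def likelihood_step(frames, assigned, n):
    """Likelihood Estimation: L_{v,p} = product over v's frames of count[p] / |frame|;
    assign the single (v, p) pair with the largest value. Returns False when no
    remaining voter has frame information left (only possible after a wrong guess)."""
    best = None
    for v in range(n):
        if v in assigned:
            continue
        mine = [fr for fr in frames if v in fr["voters"]]
        for p in set().union(*(fr["count"] for fr in mine)):
            L = 1.0
            for fr in mine:
                L *= fr["count"][p] / len(fr["voters"])
            if best is None or L > best[0]:
                best = (L, v, p)
    if best is None:
        return False
    _assign(best[1], best[2], frames, assigned)
    return True


def attack(frames, n):
    """Algorithm 1. Returns (assigned, safe_ids): the party given to each voter
    and the set of voters resolved by the initial safe phase alone."""
    assigned = {}
    safe_phase(frames, assigned, n)
    safe_ids = set(assigned)
    while len(assigned) < n and likelihood_step(frames, assigned, n):
        safe_phase(frames, assigned, n)
    return assigned, safe_ids


def run_simulation(n, T, U, party_weights, seed=1):
    """Section 4 procedure: n virtual voters with fixed parties, U cycles of T
    frames each; report what the safe phase and the whole attack recover."""
    rng = random.Random(seed)
    parties = sorted(party_weights)
    true_party = rng.choices(parties, [party_weights[p] for p in parties], k=n)
    frames = make_frames([simulate_cycle(true_party, T, rng) for _ in range(U)])
    assigned, safe_ids = attack(frames, n)
    return {
        "safe_fraction": len(safe_ids) / n,
        "safe_correct": all(assigned[v] == true_party[v] for v in safe_ids),
        "success": sum(assigned.get(v) == true_party[v] for v in range(n)) / n,
    }


if __name__ == "__main__":
    for U in (2, 4, 6):
        print(U, run_simulation(n=120, T=8, U=U, party_weights={"A": 5, "B": 3, "C": 2}))
```

Running it prints, for each number of cycles, the fraction of voters resolved by the safe phase alone, whether every safe assignment was correct (it must be, by the argument in the text, because each safe assignment is forced by the counts), and the overall success rate once the likelihood guesses are added. The safe fraction grows with the number of cycles, which is the trend Table 1 reports, and a station that is small or that votes homogeneously resolves faster because its frames are more often homogeneous.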
We begin by reporting and analyzing our results, where we set $T$ to be 30. Later we report on simulations done with $T = 15$ and $T = 7$.

Average success rate

The average success rate of the attack (over the polling stations) is provided in Table 1. The baseline is the success rate had the adversary always assigned the largest party or political group to all voters of the ballot box. When trying to recover the political group that a voter voted for, we first let the algorithm assign a party to the voter and count it as a success if this party is part of the correct group. Since the safe phase cannot output incorrect assignments, the success rates do not change for that phase. In contrast, we can see in the table that for the unsafe phase, the success rate increases in all cases.

The more natural course, where we first merge the parties into political groups and then run the algorithm with 6 “virtual” parties, was tried but offered inferior results compared with the selected approach. Consider the following scenario: a voter $v_1$ voted for party 1 and shares a frame in $u = 2$ with a voter $v_2$ who voted for party 2, and a frame in $u = 3$ with a voter $v_3$ who voted for party 3. Assume that parties 2 and 3 are of the same political group. Now, before merging them we could exclude parties 2 and 3 as possible parties for $v_1$. This is no longer possible after the merge, as $v_2$ and $v_3$ are indistinguishable.

Size and homogeneity
For a more detailed understanding of the factors which affect our success rate, we provide further results. Specifically, we show the success rate of the attack as a function of the polling station size, and of the homogeneity of the polling station (the homogeneity of a polling station is defined to be the standard deviation of its normalized tally with respect to the unanimous vector, i.e., the square root of the squared difference between the frame and a frame where all parties got the same number of votes, normalized by the number of voters), both for the safe phase of the algorithm and for the unsafe phase of the algorithm, for $U \in \{2, 3, 4, 5, 6, 7\}$ election cycles.

Further, we consider the attack as trying to reveal either (1) the exact party for which the voters voted, or (2) the political group for which the voters voted. Specifically, the political parties in Israel, as of 2013, can be grouped into six almost distinct groups: left (Meretz and HaAvoda), right (Habait Hayehudi, Likud, and Otzma Leisrael), center (Eretz Chadasha, Kadima, Or, Yesh-Atid, and Hatnuaa), ultra-orthodox Jews (Yahadut Hatora, Am Shalem, and Shas), Arabs (Balad, Hatikva-Leshinui, Chadash, Raam, and Daam), and MISC (all the other parties, all of which do not meet the election threshold for representation). The corresponding figures are given in Figures 2, 3, and 4. In those graphs, we show results for U = { , , , }, and do not visualize the results for U = { , }, to not clutter the image too much, and since the point is already clear with those values.

Fig. 2: Results for the safe phase, showing the success rate as a function of the size (left) and the party (right), when extracting each voter’s party.

Fig. 3: Results for the unsafe phase, showing the success rate as a function of the size (left) and the party (right), when extracting each voter’s party.

Results Analysis
There are several important variables which affect our success rate. First, as one might expect, using more election cycles (that is, increasing $U$), or aiming at finding only the political group for which the voters voted, increases the success rate of the algorithm. Second, the unsafe phase indeed increases the success rate of the attack, however at the cost of sometimes making wrong decisions and assigning wrong parties to some voters.

(Sometimes referred to as “secular”.)

Table 2: Pearson correlation between the polling station’s size and homogeneity and the success rate, using the safe phase.

                    size     homogeneity
2 election cycles   −0.56    0.29
3 election cycles   −0.70    0.17
4 election cycles   −0.76    0.09
5 election cycles   −0.76    (value lost)

The other two important variables are the size of the polling station and the homogeneity of the polling station. Specifically, it is apparent that the strongest factor on our success rate is the size of the polling station. Indeed, we see that the polling station’s size and the success rate are highly correlated; concretely, the smaller the polling station is, the higher the success rate.

Less strong than the size of the polling station, the homogeneity of the polling station is an important factor on the success rate of the algorithm. (Recall that we measure the homogeneity of a polling station as the standard deviation of its normalized tally.) Specifically, it seems that the more homogeneous the polling station is, the better the attack performs. Interestingly, the correlation decreases as we consider more election cycles.

The opposing trends of these correlations suggest that, as the number of considered election cycles grows, the importance of the homogeneity decreases in favor of the size of the polling station, which becomes more prominent.

For validation, the Pearson correlation between the polling station’s size and the success rate, and between the polling station’s homogeneity and the success rate, are given in Tables 2 and 3 when considering the safe phase, the unsafe phase when the exact party is extracted, and the unsafe phase when the political group is extracted.

Importantly, the size of the polling station seems to be not correlated with its homogeneity (in fact, the Pearson correlation between these two variables is as low as 0.04).

Table 3: Pearson correlation between the polling station’s size and homogeneity and the success rate for extracting the exact party of voters and the political group, using the unsafe phase. Each cell contains two numbers, the first of which corresponds to the exact party while the second corresponds to the political group.

                    size                  homogeneity
2 election cycles   (value lost), −0.36   0.57, 0.81
3 election cycles   (value lost), −0.62   0.30, 0.56
4 election cycles   (value lost), −0.70   0.16, 0.38
5 election cycles   (value lost), −0.70   0.05, (value lost)

Table 4: Average success rate of the attack, for extracting the exact party that the voters voted for, and the political group that the voters belong to, for $T = 15$ and $T = 7$, that is, when counting 15 times a day and 7 times a day.

Election cycles   safe phase (T = 15, T = 7)   unsafe phase, party (T = 15, T = 7)   unsafe phase, group (T = 15, T = 7)
3                 3%, 0.6%                     41%, 30%                              55%, 46%
4                 5%, 0.9%                     47%, 33%                              60%, 49%
5                 7%, 1.2%                     53%, 36%                              65%, 51%
6                 9%, 1.4%                     59%, 38%                              69%, 53%
7                 12%, 1.6%                    63%, 41%                              72%, 54%
In this section, we report on results of our simulations with varying interval times for counting the ballots. Specifically, the results from the previous section were for $T = 30$, corresponding (for almost all polling stations) to counting the ballots once in half an hour. Next, in Table 4, we report the average success rate of the attack (over the polling stations) for $T = 15$ and $T = 7$, corresponding (for almost all polling stations) to counting the ballots once in an hour and once in two hours.

In this section, we begin by briefly discussing various methods for counting the ballots and the time intervals by which an adversary is able to perform those counts. We continue by discussing some consequences of our research. Then, we discuss countermeasures which can be taken in order to guard the system against attacks such as the one described in this paper. Finally, we discuss possible ways of extending our attack when we allow voters to change their minds between election cycles.

Counting the Ballots
The question of how exactly to count the ballots is somewhat beyond the scope of the current paper; however, we do mention some methods below, which seem to be sufficient for our needs. As examples, one might use accurate weight scales, laser-based measurement equipment, or banknote counters.

Notice that, during election day, members of the polling station committee are allowed, and encouraged, to go behind the curtain once in a while to check that all parties have sufficient ballots.

We remark also that there is no need for a nation-wide systematic attack, as the polling stations are independent of each other, and it is sufficient to perform the attack on each polling station on its own, thus allowing the adversary to focus efforts on high-priority polling stations.
We now give examples of countries where a similar voting system is being used and discuss possible consequences in their context.

Our first example is Algeria [13], where the young democracy is still struggling with conducting free elections. During the elections there have been numerous reports about voting-related violence, and it is not unreasonable to believe that voting for the “wrong” candidate may put someone in physical danger.

Even in less extreme cases such as Israel, there may be unwanted repercussions such as government-led investments made to prefer some voters over others. This was more prominent in the early years of Israel, when better rations were given to members of Mapai, the ruling party at the time. Such blunt favoritism has long been abolished, but even today the phenomenon of voting-contractors still exists; a voting-contractor is a person having the power to tell a large group of people how to vote. The power of a voting-contractor is determined by the number of people they can enlist. It is very hard nowadays for a party to contest without soliciting such voting-contractors, and this activity is not even being conducted in secret anymore.

Finally, even in countries where the government is unlikely to act dubiously, such as Sweden [5], there may still be social consequences for not voting as everybody else in the village. We also mention Spain [12] and France [8] as two further countries where similar voting systems are used.
In this section, we briefly present possible countermeasures for the attack. The most obvious countermeasure is switching to cryptographically secure voting systems. Such systems are not only better understood than traditional ones, but they also allow one to quantify the security loss in various scenarios.

Should a paper-based system still be desired, we note that the weakness of the system comes from the fact that the stack of tickets available to the voters “remembers” all previous choices. This weakness can be avoided by changing the ballot to one that requires the voter to choose an item from a closed list printed beforehand; consider, for example, the ballots used in most countries of the EU. An additional advantage of such a ballot is that it allows the voters to express a more complex decision (for example, reordering the members of the list as done in Europe, or moving the vote to another party as done in Australia).

Another improvement that can be introduced into the system is to not allow any information to leave the polling station. The current law in Israel already disallows any form of radio communication. Extending the law to prevent any transfer of information but the tally outside the polling station (both during and after the elections) would make processing such information illegal for third parties, moving our attack from the “gray area” to the black.

Finally, as the obligation to conduct fair elections is the role of the government, it may be useful to develop a mathematical model that takes both heterogeneity and polling stations’ sizes into account, to help decision makers reassign voters to voting precincts.
The whole purpose of holding elections is to allow people to change the compo-sition of the governing bodies. The reason we assume that voters do not changetheir behavior is made for the sake of simplicity. We can loosen this restric-tion completely and allow each voter to choose the party she votes for in everyelection cycle, even uniformly at random. This would be, however, too extreme,since most voters do not tend to change their viewpoints dramatically betweenelection cycles.Intuitively, in a multi-partied system, a voter who voted for party p in oneelections cycle will probably vote for a party ideologically close to p in the suc-cessive cycles. There is actually some concrete evidence supporting the aboveintuition, as we discuss next.Indeed, by analyzing election surveys provided by the Israel National ElectionStudies [2, 19], we found out that roughly 50% of the voters did not change theirvote between the 2009 and the 2013 elections (this number becomes roughly 60%if we count the successor of a party as not necessarily the one which inheritedits name, but the one which is ideologically closest. .Moreover, when groups of parties are being considered, the change is insignif-icant. In fact, the change in the political map between the 2015 and the 2013elections was that only a one seat (corresponding to 0.83% of the elected seats)moved between the groups. These numbers mean that we can simply run ourattack without accounting for voters which change their minds, and we expectto preserve a fairly high success rate. Moreover, one could take such informationinto account; we next discuss one possible way of doing so. Due to the somewhat unstable political system of Israel, a large amount of peoplecannot find their political home in any of the existing parties, and tend to votein every elections cycle to a newly “trending” party. Moreover, parties often split,merge, or change their names.
In our attack, instead of computing the likelihood of each voter to vote for a specific party in all election cycles, we can compute the likelihood of each voter to vote for a list of different parties (one element per election cycle); then, given the information encoded in the transition matrices, we can multiply each likelihood by the “global” likelihood of such a vote history.

We were not able to perform simulations for such scenarios since we do not have the real votes of voters across election cycles. That is, while we have the tallies for each election cycle, we cannot infer the real turnover, i.e., which votes correspond to which voters in different election cycles.
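To make the combination of per-cycle likelihoods with a transition matrix concrete, the following is an added toy example, not the paper's own code or data: the parties, the per-cycle likelihoods and the transition matrix are all constructed for illustration. It returns the full normalised distribution over vote histories, so one can also read off how concentrated the posterior is (i.e., how much anonymity is left) rather than only the top candidate.

```python
"""Toy multi-cycle likelihood scoring (constructed example, not the paper's code).

A voter's candidate parties per election cycle, each with the likelihood produced
by a single-cycle analysis, are combined with a party-transition matrix so that
every complete vote history gets a joint likelihood.
"""
from itertools import product

# Constructed party labels; "C" stands for a hypothetical newly "trending" party.
PARTIES = ["A", "B", "C"]

# Constructed transition matrix: TRANSITION[prev][nxt] is the "global" likelihood
# that a voter who chose `prev` in cycle t chooses `nxt` in cycle t+1. Rows sum to 1.
TRANSITION = {
    "A": {"A": 0.7, "B": 0.1, "C": 0.2},
    "B": {"A": 0.1, "B": 0.6, "C": 0.3},
    "C": {"A": 0.3, "B": 0.3, "C": 0.4},
}


def score_histories(per_cycle, transition):
    """per_cycle: one dict per election cycle, party -> likelihood that this voter
    cast that party in that cycle (from the single-cycle analysis).
    Returns dict history (tuple of parties) -> normalised joint probability."""
    scores = {}
    for history in product(*[list(cycle) for cycle in per_cycle]):
        p = 1.0
        for t, party in enumerate(history):
            p *= per_cycle[t][party]                 # single-cycle likelihood
            if t > 0:                                # times the transition prior
                p *= transition.get(history[t - 1], {}).get(party, 0.0)
        if p > 0:
            scores[history] = p
    total = sum(scores.values())
    return {h: p / total for h, p in scores.items()}


def most_likely_history(per_cycle, transition):
    """Return (history, probability) of the highest-scoring vote history."""
    scores = score_histories(per_cycle, transition)
    return max(scores.items(), key=lambda kv: kv[1])


# Constructed voter: the first cycle alone is a tie between A and B; the
# transition prior is what breaks the tie once the second cycle is added.
EXAMPLE_VOTER = [
    {"A": 0.5, "B": 0.5},
    {"A": 0.4, "B": 0.3, "C": 0.3},
]

if __name__ == "__main__":
    for history, prob in sorted(score_histories(EXAMPLE_VOTER, TRANSITION).items(),
                                key=lambda kv: -kv[1]):
        print(history, round(prob, 3))
```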
Free elections are an essential element in modern liberal democracies. In this paper, we presented a way to attack the Israeli voting system (as well as several other similar systems), showing that it is possible to recover the votes of voters in this system. Specifically, this is possible using a very small amount of additional public information, which includes the results of the elections, the time of vote per voter, and a periodical count of the ballots in the tray.

We would like to end with some ideas for future research and extensions of this attack. First, since the attack assigns voters to the parties they voted for, it sounds reasonable that, using flow techniques (which are successfully being used for assignment problems), we might improve the success rate of the attack. Second, since the safe phase of the attack is based on evaluating constraints on the possible parties for which each voter might have voted, it sounds reasonable that using constraint satisfaction techniques might improve the success rate of the attack.
Acknowledgment
The authors would like to thank Aviad Stier for bringing to our attention the fact that the parties collect the time of vote of all voters, Adv. Jonathan J. Klinger for assisting us with our petition to the Israeli general elections committee, and Amihai Bannett for permitting us to use his photos in this paper and in a poster that presented preliminary results of this work [3]. We thank Dubi Kanengisser for pointing us to good resources in the field of political studies. Special thanks go to colleagues with whom the authors discussed this research, specifically to Gustavo Mesch, Claudia Diaz, Tamar Zondiner, Yair Goldberg, Atul Luykx, Alan Szepieniec, Shir Peled, as well as to the anonymous referees.

The first author was partially supported by the Research Fund KU Leuven, OT/13/071 and by the European Union's Horizon 2020 research and innovation programme under grant agreement No 644052 HECTOR and grant agreement No H2020-MSCA-ITN-2014-643161 ECRYPT-NET. The second author was supported in part by the Israeli Science Foundation through grant No. 827/12 and by the Commission of the European Communities through the Horizon 2020 programme under project number 645622 PQCRYPTO. The third author is supported by a postdoctoral fellowship from I-CORE ALGO.

References
1. Dakshi Agrawal and Dogan Kesdogan. Measuring Anonymity: The Disclosure Attack. IEEE Security & Privacy, 1(6):27–34, 2003.
2. Asher Arian and Michal Shamir. The 2009 Israel National Elections Data, 2009. Available online at .
3. Tomer Ashur and Orr Dunkelman. On the anonymity of Israel’s general elections. In Ahmad-Reza Sadeghi, Virgil D. Gligor, and Moti Yung, editors, , pages 1399–1402. ACM, 2013.
4. Basic Law. The Knesset – 1958. Available online at .
5. Bengt Nyman. Valsedlar för Europaparlamentet 2009. https://commons.wikimedia.org/wiki/Category:Ballot_papers_in_Sweden.
6. David Bernhard, Véronique Cortier, Olivier Pereira, and Bogdan Warinschi. Measuring vote privacy, revisited. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 941–952. ACM, 2012.
7. David Chaum. Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms. Commun. ACM, 24(2):84–88, 1981.
8. Claude Truong-Ngoc. France Présidentielles 6 Mai 2012 Bulletins de Vote Second Tour. https://commons.wikimedia.org/wiki/File:France_%C3%A9lections_pr%C3%A9sidentielles_6_mai_2012_bulletins_de_vote_second_tour.JPG.
9. The Inter-Parliamentary Council. Declaration on criteria for free and fair elections. Unanimously adopted by the Inter-Parliamentary Council at its 154th session, March 1994. Available online at .
10. George Danezis. Statistical Disclosure Attacks. In SEC, pages 421–426, 2003.
11. Stéphanie Delaune, Steve Kremer, and Mark Ryan. Verifying privacy-type properties of electronic voting protocols: A taster. In Towards Trustworthy Elections, pages 289–309. Springer, 2010.
12. El Correo. Las Papeletas de Bildu, Protagonistas de la Jornada de Reflexión. .
13. Facebook TV. Le président algérien Abdelaziz Bouteflika élections en Algérie 17 Avril 2014. .
14. Dogan Kesdogan, Dakshi Agrawal, and Stefan Penz. Limits of Anonymity in Open Environments. In Information Hiding, pages 53–69, 2002.
15. Dogan Kesdogan and Lexi Pimenidis. The Hitting Set Attack on Anonymity Protocols. In Information Hiding, pages 326–339, 2004.
16. Ralf Küsters, Tomasz Truderung, and Andreas Vogt. A game-based definition of coercion-resistance and its applications. In , pages 122–136. IEEE, 2010.
17. Ralf Küsters, Tomasz Truderung, and Andreas Vogt. Verifiability, privacy, and coercion-resistance: New insights from a case study. In Security and Privacy (SP), 2011 IEEE Symposium on, pages 538–553. IEEE, 2011.
18. Tianbo Lu, Puxin Yao, Lingling Zhao, Yang Li, Feng Xie, and Yamei Xia. Towards attacks and defenses of anonymous communication systems. International Journal of Security and Its Applications, 9(1):313–328, 2015.
19. Michal Shamir. The 2013 Israel National Elections Data, 2013. Available online at .
20. The Central Elections Committee. Final Results of the Vote to the 19th Knesset, January 2013. Available online at .
21. The Knesset. Knesset Elections Law – 1969. Available online at (Hebrew).
22. Carmela Troncoso, Benedikt Gierlichs, Bart Preneel, and Ingrid Verbauwhede. Perfect Matching Disclosure Attacks. In Privacy Enhancing Technologies, pages 2–23, 2008.