
Smartmatic Page 1 of 8 24 Dec. 17

Submission to: The NSW Electoral Commission for Call for submissions: Report on the iVote system.


Table of Contents

1 Executive Summary
2 Internet voting has passed the test
3 Whether the security of the iVote system is appropriate and sufficient?
3.1 Blockchain-based digital timestamping
3.2 Minimising the use of external dependencies and services
4 Whether the transparency and provisions for auditing the iVote system are appropriate
4.1 Observing online voting
4.2 Auditing
4.3 Source code
4.4 Formal verification of protocol
5 Whether adequate opportunity for scrutineering of the iVote system is provided to candidates and political parties
6 What improvements to the iVote system would be appropriate before its use at the 2019 State General Election?
6.1 Recommendation 1) Improved protection against TLS vulnerabilities
6.2 Recommendation 2) Improved protection against Distributed Denial-of-Service (DDoS) attacks
6.3 Recommendation 3) Improved security and traceability
6.4 Recommendation 4) Improved scrutiny – Open Source code
6.5 Recommendation 5) Offer universal, legally binding Internet voting as an option to all voters


1 Executive Summary

Smartmatic Australia welcomes this opportunity to provide this submission to the NSW Electoral Commission for Call for submissions: Report on the iVote system.

Smartmatic is a multinational company that designs and deploys technological solutions aimed at helping governments fulfil, in the most efficient way, their commitments with their citizens. It is the largest cutting-edge technology supplier to Election Commissions (ECs) and Electoral Management Bodies (EMBs), with a wide and proven experience in the United States, Asia, Africa, Europe, Latin America and the Caribbean.

Online voting has evolved over the past 10 years from science fiction to a viable option for governments seeking to enfranchise their citizens in the democratic decision-making processes, regardless of where they are located.

Several governments around the globe, including Estonia, Switzerland, Norway, Australia and Canada to name a few, have either implemented or ‘piloted’ forms of online voting. Modern online voting methods differ significantly from traditional paper-based voting, but in coalition with traditional voting methods still support the same underlying key democratic principles: universal suffrage, free suffrage, equal suffrage and secret ballot.

The idea of online voting initially seems to be a straightforward application of Internet-based technologies and practices into the field of elections. Providing online voting should not be harder than setting up a database system with a web front-end. At the very least, it should not be harder than running an Internet banking system.

Elections demand voting methods to accurately gather preferences of those eligible to vote and to produce an accepted voting result according to these preferences. The nature of the voting method defines how the preferences are gathered.

In the context of online voting, a combination of technological, procedural and organizational structures and protocols needs to be aligned to successfully carry out the following core functions:

§ Voter authorization – the operation of permitting access only to eligible voters;
§ Voting – the process of marking and casting a ballot in accordance with the voters’ preferences;
§ Recording of the votes – the process of recording the cast vote;
§ Storing votes for tally – the process of storing the cast votes after casting and before tallying;
§ Tabulation of the voting result – the process of producing the correct result by tabulating valid, cast ballots in accordance with the election rules.

Huge strides in technical, operational, security aspects and auditability in the above areas are occurring every year.

To help EMBs with their challenge of having to deal with an increasingly mobile and dispersed electorate, increase participation rates and election credibility, online voting is the most effective method. It brings the ballot to the voter.

We believe that online voting should be one of the many channels available for voters to submit their voted ballots in a convenient and secure way. A robust voting system should comprise:

1. In-person voting, when voters are expected to show up at a special location to cast their ballots. This may take place in an electronic voting machine or on paper ballots that can be counted electronically.

2. Remote voting, when voters are allowed to cast their ballot from anywhere in the country or around the globe using a secure Internet voting platform.

With respect to the terms of reference, we have made a number of recommendations as part of this submission.

These include technical and architectural recommendations that we believe will need to be implemented to guarantee the security aspects of the iVote network into the future and also legislative changes, which would allow all voters in NSW the ability to engage and vote online as an option.


2 Internet voting has passed the test

Internet voting has been in operation in other jurisdictions for over 10 years.

The Estonian i-voting solution is the longest-standing, most technologically advanced, and highly trusted internet voting solution in existence. It has been used to support every binding, governmental election held since 2005. Such is the level of public trust in the system that nearly a third of all Estonian ballots are cast online. The 186,034 i-voters who used the system in the recent local elections (October 2017) represent an increase of 39% in votes since the previous local elections in 2013, and reaffirm the continued adoption of i-voting in Estonia.

Estonia Elections 2005 – 2017 Achievements:

§ Used in 9 consecutive national elections
§ 32% of the voters cast their ballot online
§ 12% of i-voters used mobile phones to authenticate themselves
§ 60% of advance voting was done online
§ Enfranchised Estonians in 116 countries
§ Overall turnout has risen since the introduction of i-voting
§ Universal digital verification

[Table: Estonian online voting statistics by election (figures not recoverable). Rows: Electorate size; Number of voters; Participation rate; Number of online voters; Number of voters who voted online and in polling station; Number of unrevoked online ballots; Recast online ballots; Share of online voters to all voters; Share of online voters to all early votes; Share of online votes cast abroad; Number of countries voted from using online voting; Length of online voting period (days); Number of online voters using mobile ID; Share of online voters using mobile ID; Share of votes verified using independent verification application.]

Verified votes - Individually verifiable online voting schemes provide voters with tools to verify that their votes were cast as intended and that they were correctly accepted by the voting system.

As you can see from the table above, there are several key trends that online voting has enabled after continual use within a country.

§ Participation rates have increased year on year, indicating that online voting technology helps the voter engage and connect with the elections.

§ The share of votes being received online also has increased exponentially.

3 Whether the security of the iVote system is appropriate and sufficient?

No cyber defence or information system can be regarded as 100% secure. What is deemed safe today won’t be tomorrow given the lucrative nature of cyber crime and the criminal’s ingenuity to seek new methods of attack.

Online voting needs to ensure ballot secrecy. It is essential that during all stages of the election process, the vote contents remain secret and are protected from disclosure. Through the entire process it is essential that no stakeholder can tell how a voter voted.


Online voting must provide an accurate voting method, which captures the intent of the voter and protects the vote preferences from being tampered with (altered), deleted, and prevents bogus (ineligible) votes from being added. This is critical to ensuring election integrity and creating trust in the system.

We recommend that iVote implement two additional main technologies, which protect the integrity of the digital ballot box and individual votes kept inside:

1. Blockchain-based digital timestamping
2. Minimising the use of external dependencies and services

3.1 Blockchain-based digital timestamping

Today if an attacker gains access to a blockchain network and the data, this does not necessarily mean the attacker can read or retrieve the information. Full encryption of the data blocks can be applied to data being transacted, effectively guaranteeing its confidentiality, provided the latest encryption standards are followed. With end-to-end encryption, only those who have authorization to access the encrypted data, i.e. through their private key, can decrypt and see the data. Using encryption keys in conjunction with PKI will provide NSWEC with a higher level of security.

Blockchains improve cyber defence as the platform can secure, prevent fraudulent activities through consensus mechanisms, and detect data tampering based on its underlying characteristics of immutability, transparency, auditability, data encryption and operational resilience (including no single point of failure).

Blockchain-based digital timestamping is a method of proving in an irrevocable manner that certain data existed at a given point in time.

Online voting protocols which utilize this commit a cryptographic ‘fingerprint’ of every vote to an external timestamping service and receive a cryptographic timestamp in return. The timestamp is both stored and given to the voter. It can be used to verify that the vote was accepted to the voting system. Based on the timestamps it is later possible to verify, in cooperation of the voting system and timestamping service, that no votes were altered or removed from the system.

Digital signatures prevent vote alteration and ballot-box stuffing. Blockchain-based digital timestamping prevents vote alteration and deletion of the votes from storage. The cryptographic scheme ensures that it is possible to verify that the votes sent for tabulation were exactly the votes sent by the voters to the ballot box.
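The timestamping flow described in section 3.1, as an added example that is not part of the submission and is not iVote's or any vendor's code. It assumes a single SHA-256 hash chain kept by a hypothetical `TimestampService` as a stand-in for the blockchain; all function names and the sample ciphertexts are constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value of the chain


def fingerprint(encrypted_vote: bytes) -> str:
    """Cryptographic 'fingerprint' of a vote: SHA-256 of its ciphertext."""
    return hashlib.sha256(encrypted_vote).hexdigest()


def _link(prev, index, time, fp):
    # Each head commits to all earlier entries through `prev`.
    return hashlib.sha256(json.dumps([prev, index, time, fp]).encode()).hexdigest()


class TimestampService:
    """Hypothetical external service keeping an append-only hash chain."""

    def __init__(self):
        self.log = []

    def stamp(self, fp, time):
        prev = self.log[-1]["head"] if self.log else GENESIS
        entry = {"index": len(self.log), "time": time, "fingerprint": fp, "prev": prev}
        entry["head"] = _link(prev, entry["index"], time, fp)
        self.log.append(entry)
        return dict(entry)  # receipt: stored with the vote, given to the voter


def chain_is_intact(log):
    """Recompute every link; an edited, dropped or reordered entry breaks it."""
    prev = GENESIS
    for i, e in enumerate(log):
        expected = _link(prev, i, e["time"], e["fingerprint"])
        if (e["index"], e["prev"], e["head"]) != (i, prev, expected):
            return False
        prev = e["head"]
    return True


def verify_receipt(log, receipt, encrypted_vote):
    """Voter-side check: the vote was accepted and is still in the log."""
    i = receipt["index"]
    return (receipt["fingerprint"] == fingerprint(encrypted_vote)
            and i < len(log) and log[i] == receipt and chain_is_intact(log))


def audit(ballot_box, log):
    """Compare the ballot box sent for tabulation with the timestamp log."""
    stamped = [e["fingerprint"] for e in log]
    stored = [fingerprint(v) for v in ballot_box]
    return {"chain_intact": chain_is_intact(log),
            "missing": [f for f in stamped if f not in stored],     # removed or altered
            "unstamped": [f for f in stored if f not in stamped]}   # altered or added


def demo():
    # Constructed sample: opaque byte strings stand in for encrypted votes.
    votes = [b"ciphertext-A", b"ciphertext-B", b"ciphertext-C"]
    svc = TimestampService()
    receipts = [svc.stamp(fingerprint(v), f"2000-01-01T09:0{i}:00Z")
                for i, v in enumerate(votes)]
    tampered = [votes[0], b"ciphertext-X"]  # B altered to X, C deleted
    return votes, svc, receipts, audit(votes, svc.log), audit(tampered, svc.log)
```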

3.2 Minimising the use of external dependencies and services

The security of an online voting system requires that any potential attack vector be minimised. This, however, may be hard to control if system components or services are used which have not been developed for the specific purposes of online voting, or are developed by vendors who do not/cannot provide access to source code for review and/or certification, or if services are used which reside outside the core i-voting infrastructure.

In this respect we strongly advocate minimising reliance on third party systems (including databases) and ensuring strict input validation on any external interfaces.

4 Whether the transparency and provisions for auditing the iVote system are appropriate

4.1 Observing online voting

We believe that there can never be enough transparency in any election or any government process. The dilemma is – how do you provide complete transparency without compromising the security of the network or opening it up to cyber attack or manipulation?

Where human observation plays a large role in the trustworthiness of traditional paper-based voting methods, the remote nature of online voting is inherently unobservable by traditional means and therefore requires alternative techniques to verify the correct operation of the election protocol.


It is impossible to determine the incorrect operation of a computer system solely by the observation of the procedure. Verifiable online voting schemes make it possible to assure the stakeholders that the election has been performed correctly.

Individually verifiable online voting schemes provide voters with tools to verify that their votes were cast as intended and that they were correctly accepted by the voting system.

Auditable online voting schemes provide auditors with tools to verify that all accepted votes were tabulated correctly.

Auditing combined with individual voter verification provides effective observation techniques for online voting, which help improve transparency and enhance trust in the system.

4.2 Auditing

Online voting must provide an accurate voting method, which captures the intent of the voter and protects the vote preferences from being tampered with (altered), deleted, and prevents bogus (ineligible) votes from being added. This is critical to ensuring election integrity and creating trust in the system.

It is important for any organisation to have an audit trail to verify results. This will include a number of elements both technical and operational. The current iVote system obviously has a broad range of measures in this area.

We would recommend the use of Blockchain, which would significantly improve the auditing capabilities of the iVote solution in the following areas.

§ Time-stamping stored votes using blockchain
§ Zero-knowledge cryptographic proofs of mixing
§ Zero-knowledge cryptographic proofs of decryption
§ End to end verifiable - Every vote can be irrefutably traced to its source without sacrificing a voter's vote anonymity. End to end verifiable voting systems will give the voter the ability to verify if their vote is correctly recorded and correctly counted; for instance, if a ballot is missing, in transit or modified, it can even be detected by the voter and caught before the election is over.

4.3 Source code

Should the source code be open for review by independent authorities?

Disclose the source code to approved independent authorities to audit the solution to ensure that it complies with the highest levels of security and accuracy.

We strongly advocate the use of third party independent authorities as a mechanism of enhancing public trust in any automated election.

4.4 Formal verification of protocol

We strongly advocate the formal review and verification of the chosen online voting protocol. At Smartmatic we seek to engage with expert academics to validate our design decisions and in particular the cryptographic protocols which underpin our online voting technologies. Not only can this be used to identify any potential weaknesses or vulnerabilities, but the public, peer-reviewed forum of openness can be used to foster additional trust in the system by validating its integrity.

5 Whether adequate opportunity for scrutineering of the iVote system is provided to candidates and political parties.

To provide the opportunity for the candidates and parties, the implementation, data structures and procedures must be well documented. To ease implementing independent auditing software, reference implementations should be made public.


6 What improvements to the iVote system would be appropriate before its use at the 2019 State General Election?

As with any technology and any market, this is an evolving area. The answer today will not be the same as the answer tomorrow or the answer 12 months ago. It is important to continuously improve and stay ahead of any possible threats.

At a high level, we believe that the iVote network should strive to drive continuous improvements in the following key areas.

6.1 Recommendation 1) Improved protection against TLS vulnerabilities

iVote should enforce the use of the strongest, most up-to-date version of the TLS protocol to eliminate the risk of TLS/SSL downgrade attacks.

6.2 Recommendation 2) Improved protection against Distributed Denial-of-Service (DDoS) attacks

iVote should deploy a range of provisions to ensure the highest availability and minimise the risk of service outage by Distributed Denial-of-Service (DDoS) attacks.

These would include:

§ Load balancing (Network, DNS and applications levels) to ensure efficient uses of available service resources.
§ Horizontal scalability to seamlessly add new servers if the monitoring detects an overload of existing services.
§ Vertical scalability to add additional processing performance to existing services
§ Distributed storage to ensure ballot box integrity and availability.
§ Extensive benchmarking to understand and model exact thresholds for service degradation and failure and appropriate resource modelling.
§ Network level routing restrictions in collaboration with ISPs to define rules for handling network traffic.
§ Third party prevention services (where applicable and controllable)

In addition, extending the online voting period for a number of days limits the potential effects of a successful DDoS attack by allowing voters to try voting again at a different time in the unlikely event of a DDoS outage.

6.3 Recommendation 3) Improved security and traceability

There are two main technologies, already discussed, which protect the integrity of the digital ballot box and individual votes kept inside:

1. Blockchain-based digital timestamping
2. Minimising the use of external dependencies and services

It can be argued that Blockchain technology will become the biggest enabler in the adoption and credibility of online voting systems globally.

It provides a solution for all of the characteristics you would want in a platform that is arguably the most important part of a democratic society:

§ It is absolutely fault-tolerant,
§ You cannot change any events in the past,
§ You cannot hack the present and manipulate results,
§ You cannot alter the access to the system,
§ Every node with access can see the exact same results, and
§ End to end verifiable

6.4 Recommendation 4) Improved scrutiny – Open Source code

Should the source code be open for review by independent authorities?


Disclose the source code to approved independent authorities to audit the solution to ensure that it complies with the highest levels of security and accuracy.

We strongly advocate the use of third party independent authorities as a mechanism of enhancing public trust in any automated election.

6.5 Recommendation 5) Offer universal, legally binding Internet voting as an option to all voters.

Engage your voters, engage your youth.

Citizens are becoming more mobile in terms of their lifestyles, and there are increasing pressures on governments and Election Management Bodies (EMBs) to offer improved methods to allow voters to vote remotely, thereby effectively bringing the ballot to the voter rather than relying on the voter to travel to a specific voting location.

We do not see online voting as the only answer but as one of the options available to the voter. Online voting should be one of the many channels available for voters to submit their voted ballots in a convenient and secure way.

A robust voting system should comprise:

§ In-person voting, when voters are expected to show up at a special location to cast their ballots. This may take place in an electronic voting machine or on paper ballots that can be counted electronically.

§ Remote voting, when voters are allowed to cast their ballot from anywhere in the country or around the globe using a secure Internet voting platform.

We would recommend that legislation is changed so that all voters would be eligible for voting online in 2019.