Detecting Malware

Using Multiple Devices to Detect Malware

As an additional layer of security, SIV enables a voter to easily use multiple devices to verify their vote was submitted as intended. Separate devices with independent malware profiles, such as a different operating system, provide extra layers of defense.

These checks can be done in seconds, as quickly as scanning a QR code and with as many additional devices as desired. No special knowledge is needed.

Significantly, these checks can be initiated right at the time of voting, rather than waiting until the end of an election to unlock the votes, which is what checking Verification #'s requires. Ideally, this process should occur immediately after a voter submits their encrypted ballot. Checking just before submission can also work, but sophisticated malware might detect that a 2nd Device Check is being initiated, and consequently not cheat. This makes it harder to catch malicious activity red-handed.

Technical Implementation Details

After the voter has submitted their selections, they can scan a QR code, which opens a link like this:

siv.org/malware-check/$election_id/$auth_token/#url_encoded_vote_data

where the encoded vote data is derived from the JSON object:

{ verification number, selections: { [question_id]: { plaintext, randomizers } } }

This passes private data only in the URI Hash, which is not sent to any external servers.

When that page loads on the new device, it:

  • Moves private vote data into document memory and uses window.history.replaceState() to overwrite the URL so that later users of the browser won't accidentally see it.

  • Recalculates the encrypted vote, given plaintext, randomizers, and verification # from url_encoded_vote_data.

  • Sends the recalculated encrypted vote to the server, along with the election_id and auth_token.

  • The server stores a record of this 2nd device's submission, along with a timestamp and user agent.

  • The server sends back information on whether the re-calculated encrypted vote matches or not. If they don't match, the user is alerted through the user interface, advised to contact the election admin, and the SIV admin is sent a notification about it.

  • If the server reports a match, the client is shown the vote selections again and asked to confirm their correctness. Example:

Confirm your selections:
President: Abraham Lincoln
Governor: Grover Cleveland
State Rep: Jane Samson
Local Rep: Alex Smith
Proposition A: Against
Proposition B: Against
Proposition C: For

If the voter confirms "Yes":

  • Save the information in the database along with a timestamp.
  • Update the original vote confirmation page to display "Verified with 1 separate device - iPhone iOS 15.3, Safari 11.3."
  • Encourage the voter to confirm via SMS to ensure that a live person is performing the 2nd device check, rather than malware from the original device. Prompt voters for their Anti-Malware Code, if it was given out.
  • Inform the voter that they can now close the window on the 2nd device, to clear their private vote data in case the device is borrowed.

If the voter selects "No":

The voter is requested to provide a detailed description of the issue, which will be stored and sent to the election administrators.

The standard SIV protocol for Remediating Compromised Votes can be used, so that the voter can submit their replacement selections.
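
The first three page-load steps above (read the fragment, scrub it from history, recompute and send only the ciphertext), as an added example that is not SIV's own code. The field names `verification_number` and `randomizer`, the helper names, and `standInEncrypt` (a hash used as a placeholder for the election's real encryption) are assumptions.

```javascript
// Added example, not SIV's code. Field names and the encrypt stand-in are assumptions.
// Constructed sample link: election id, auth token and vote values are made up.
const SAMPLE_LINK = 'https://siv.org/malware-check/e123/tok456/#' +
  encodeURIComponent(JSON.stringify({
    verification_number: '1111-2222-3333',
    selections: { president: { plaintext: 'Abraham Lincoln', randomizer: '42' } },
  }))

// Split the link into public parts (sent to the server) and private vote data (memory only).
function parseCheckLink(href) {
  const url = new URL(href)
  const [, page, election_id, auth_token] = url.pathname.split('/')
  if (page !== 'malware-check' || !election_id || !auth_token)
    throw new Error('not a malware-check link')
  let vote
  try {
    vote = JSON.parse(decodeURIComponent(url.hash.slice(1)))
  } catch (e) {
    throw new Error('fragment is missing or malformed')
  }
  if (!vote || typeof vote.selections !== 'object' || vote.selections === null)
    throw new Error('fragment has no selections')
  return { election_id, auth_token, vote, scrubbedPath: url.pathname }
}

// Overwrite the current history entry so the fragment leaves the address bar and history.
// `history` is window.history in a browser; any object with replaceState() works in tests.
function scrubFragment(history, scrubbedPath) {
  history.replaceState(null, '', scrubbedPath)
}

// Placeholder for the election's real encryption (an FNV-1a hash, NOT encryption).
// It keeps one property only: the same inputs always give the same output.
function standInEncrypt(verification_number, plaintext, randomizer) {
  let h = 0x811c9dc5
  for (const ch of [verification_number, plaintext, randomizer].join('|'))
    h = Math.imul(h ^ ch.codePointAt(0), 0x01000193) >>> 0
  return h.toString(16).padStart(8, '0')
}

// Request body: recomputed ciphertexts plus public ids, never plaintext or randomizers.
function buildSubmission({ election_id, auth_token, vote }, encrypt = standInEncrypt) {
  const encrypted_vote = {}
  for (const [question_id, { plaintext, randomizer }] of Object.entries(vote.selections))
    encrypted_vote[question_id] = encrypt(vote.verification_number, plaintext, randomizer)
  return { election_id, auth_token, encrypted_vote }
}
```

In a browser the call order would be `parseCheckLink(location.href)`, then `scrubFragment(window.history, parsed.scrubbedPath)` before any network request, then `buildSubmission(parsed, realEncrypt)`.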

Detecting Election-Wide Trends

By maintaining a record of device types that successfully pass a 2nd Device Check, election-wide trends can be identified. For instance, it may become apparent that devices running a specific operating system and version exhibit unusually high failure rates.

This information can contribute to a more comprehensive understanding of election security and enable the swift interception of active attacks, functioning as a network-wide responsive anti-virus system.