By Phodei Ibrahim Sheriff, Philadelphia, USA.
While a biometric voting process is used in some countries in Africa, it poses a serious threat to the electioneering process and the fragile democracy currently in operation in Sierra Leone if used in the 2012 elections. This document attempts to define, describe and discuss the use of biometrics in voter registration and in voting processes in a developing country like Sierra Leone.
It is a serious consideration on the part of all Sierra Leoneans that the voter fraud committed in the 2007 presidential and parliamentary elections does not repeat itself in 2012. The ordinary Sierra Leoneans whose votes were not counted and who consider themselves as voters disenfranchised by the National Electoral Commission (NEC) are concerned about what will happen to their votes in 2012. The Sierra Leone People’s Party (SLPP) is concerned that a voter registration and voting system should not again be used to disenfranchise its supporters when they cast their votes in the 2012 elections – thereby causing the party to fail in those august 2012 elections. The All People’s Congress (APC) is seemingly portraying a remedy to the manifested elections fraud committed in 2007 by introducing a new voter registration and voting system using biometrics technology. The international community seems to have bought into the APC idea of the use of biometrics technology in the 2012 voting process by agreeing to provide funds and logistics to support that policy position of the APC. The SLPP has seemingly accepted the APC policy on the use of biometrics to register our voters and to use the biometric templates in the voting process.
Both the APC and the SLPP seem to be comfortable with that arrangement as both have endorsed the biometric voter registration and voting as the best system for avoiding voter registration fraud, vote rigging, and election violence. It all sounds very plausible.
However, there are important elements that are missing in the entire decision making and implementation process – and which, if not addressed now moving forward, the incumbent’s opponents stand a greater chance of becoming victims of voter fraud worse than those in the past including the notorious 2007. This document is hence attempting to define and discuss the details of biometrics, use of biometrics in electioneering processes, the needed voter education to the national populace about the use of this high-end technology, the biometrics processes proposed to be used, the security surrounding the system, the issues of false accept and false reject, the authentication of voters using the biometric templates, the contingency plan for the spontaneous use of an accepted or acceptable alternative voting process should the biometric fail at any given time and at any given location to perform its functions (as they do most of the time), the character of those who administer the voting process in Sierra Leone, the election history of the incumbent APC government in Sierra Leone, and the potential threat the system poses to our fragile democracy should it fail to produce the expected performance.
What is Biometrics?
Biometrics is the science of capturing human biological features with an automated machine, either to identify or to authenticate a person. Biometric products remove the need for passwords and Personal Identification Numbers (PINs). Biometric systems replace knowledge with an individual’s features, such as fingerprint or proximity identification. This makes it comfortable and fast to record features. Contrary to passwords and PINs, biometric features are dynamic – meaning that they can change over time. This continues to be the most challenging property of the biometric system itself.
What is E-Voting (Electronic Voting)?
According to KineticD, a leading IT Encyclopedia and learning, E-Voting is “an election system that allows a voter to record his or her secure and secret ballot electronically” (KineticD, 2010). It is a system that allows electronic votes to be stored digitally in a storage medium such as tape cartridges, diskettes, or smart cards similar to credit cards or SIM cards, before such data is sent to a centralized location where tabulation programs compile and tabulate results. Some who advocate for e-Voting point out that electronic voting can reduce election costs and increase civic participation by making the voting process more convenient. Those who criticize the system maintain that without a paper trail, recounts are more difficult, and that electronic ballot manipulation, or poorly written program code, is imminent and could affect election results.
E-Voting and Security
Around the world, and in advanced civilizations, or in the developed world, e-Voting is probably the most security sensitive process handled electronically nowadays. This is so because the worst-case scenario is really very catastrophic. Let us assume that an electronic vote for the Presidency of Sierra Leone is discovered to have been tampered with. That fraudulent act will not only have drastic and catastrophic consequences on Sierra Leoneans, but will also have enormous consequences for the sustenance of the fragile peace our country currently enjoys. Bearing this in mind, the highest achievable security is never too much for an e-Voting system.
Generally, it is important for us as a nation to divide the requirements for an electronic vote into four basic categories:
Do our laws in Sierra Leone allow for the handling of electronic votes?
Does the technical solution exist that fulfills all the restrictions and requirements imposed on it by our corresponding laws?
Do the actual voters desire and accept an electronic voting system and in particular, the designed voting system?
Do we have time to educate our voters on the type of system that will be used to register them to vote in the slated 2012 elections?
Is the Sierra Leone situation that bad to the point that the APC government and NEC cannot manage our elections or uphold our democratic values with all deserved honesty, transparency and accountability, that we have to resort to the introduction of a complex system in the 6th poorest country?
Fulfilling or answering these questions is quite challenging, especially as their individual areas of expertise are different: law, technology, and social science.
Biometric Identification in E-Voting
One of the main issues to stress is the difference between biometric authentication and ‘classic’ authentication, such as authentication with smart cards. The well known concept of card readers with fingerprint authentication is different from biometric authentication. In other words, biometric inputs on smart cards are read not to authenticate the voter’s information on the smart card, but to authenticate the smart card itself. In that regard, the voting system does not interact in any shape or form with the biometric characteristics of the voter, but helps in authenticating the voter’s smart card. Another issue with biometric systems is their young age, with a set of standardization efforts going on.
I will attempt to focus on just a subset of different biometric properties. I will not focus on the feasibilities, but will try to show the wide spectrum of ‘theoretically’ possible human properties that can be used in a biometric system:
Fingerprint. Fingerprint scanners are probably the most commonly used biometric system; they replace the PIN code entry to unlock the card, especially in the area of smart card readers. Similar systems include hand geometry or palm prints.
Iris. Another static property of individuals is the eye. One can either use pictures of the person’s iris or use a retina scanner that scans blood vessels to create an individual data set.
Face. The human face is also a feature that can be used by biometric systems. Human face recognition by analyzing the size and position of different facial features is being pushed for use at several airports to increase security. Another possible approach is to make infrared recordings and analyze the resulting facial thermogram.
Voice. A more behavioral individual aspect of humans is the voice. Everybody has a special mode and tone while speaking. Voice recognition tries to analyze these features and use them to identify a person.
Signature. Another behavioral aspect of a person usable by biometric analysis is the signature. Not only the form but also the dynamic aspects can be seen as a set of unique features of a person. Other possible movable biometric input could be the rhythm and pattern of a person’s walk.
DNA analysis. Now this is a rather more theoretical idea for biometric identification. Imagine a DNA reader that can create a full DNA analysis within seconds from just a few cells of a person’s body. Such a device would surely be a match to, e.g., a fingerprint reader, when comparing the quality of the results.
Multi-Biometric Systems. As a final approach to biometric data gathering, one can combine two or more actual biometric analyses and combine their results, i.e. use more than one uni-biometric system. This combination yields better results than each of the combined analyses individually and thereby increases the reliability of the biometric system.
Apart from localized biometric measures (for example, fingerprint scanners on the smart card reader that replace the normal PIN code), once we focus on truly biometric input to the actual e-Voting system, it is inevitable to have a central storage that handles the biometric templates of the voters. This data storage imposes high security demands, as it is possible to tamper with the biometric templates in a fraudulent manner. Attacks on the templates can come from two directions:
A third party could replace a number of biometric templates with other templates, which would allow them to manipulate the results of the vote (this hinges on NEC’s credibility issue based on past record).
Even if the risk of the above attack is seen as negligible, there is one attacker that has much more direct access to the biometric templates: the government. This opens a relatively straightforward route to manipulate the votes in a favorable direction for the currently governing party. One may state now that this is already possible – as many examples have unfortunately shown – even if using “old-style” paper votes.
The danger of these happening unnoticed is much larger than we may think. Imagine that in a paper based voting scheme, large scale fraud involves a large number of people. Hence, the risk of an information leak is several degrees higher than in an electronic environment, where fraud on a similar scale can be executed in an automated manner by very few people. The two attacks mentioned above attempt to move the votes in the direction favorable to the attackers. However, there is a second type of attack that is even more destructive than the rest. In this particular case, the goal of the attack is not merely to change the outcome of the vote, but rather to prevent the vote from producing a result in the first place. The attacker has two possibilities: either the attack is launched before voting starts, or it is launched when voting starts. He can certainly do so by a Distributed Denial of Service (DDOS) attack on the servers of the biometric templates.
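The template-replacement risk described above becomes detectable if a single digest of the whole register is handed to every party and observer when registration closes. The sketch below is an added illustration, not something the article or NEC proposes: it assumes a Merkle tree over (voter id, template) records, a root that all parties witness, and an inclusion proof issued per voter at enrolment; the voter ids and template bytes are constructed placeholders.

```python
"""Added example: tamper-evidence for a biometric template register.
Voter ids and template bytes are constructed placeholders, not real data."""
import hashlib
import hmac

# Constructed register: (voter id, enrolled template bytes).
SAMPLE_REGISTER = [
    ("VOTER-0001", b"template-bytes-A"),
    ("VOTER-0002", b"template-bytes-B"),
    ("VOTER-0003", b"template-bytes-C"),
    ("VOTER-0004", b"template-bytes-D"),
    ("VOTER-0005", b"template-bytes-E"),
]


def leaf_hash(voter_id, template):
    """Bind a template to its voter id; the 0x00 prefix separates leaves from nodes."""
    vid = voter_id.encode("utf-8")
    return hashlib.sha256(b"\x00" + len(vid).to_bytes(2, "big") + vid + template).digest()


def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()


def build_levels(leaves):
    """All tree levels, leaves first. An unpaired last node is promoted unchanged."""
    if not leaves:
        raise ValueError("empty register")
    levels = [list(leaves)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        levels.append(nxt)
    return levels


def register_root(register):
    """The 32-byte value every party keeps a copy of after registration closes."""
    return build_levels([leaf_hash(v, t) for v, t in register])[-1][0]


def inclusion_proof(register, index):
    """Sibling hashes from leaf to root, each flagged if it sits on the left."""
    proof = []
    for level in build_levels([leaf_hash(v, t) for v, t in register])[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append((level[sibling], sibling < index))
        index //= 2
    return proof


def verify_record(voter_id, template, proof, witnessed_root):
    """True only if this exact (id, template) pair was in the witnessed register."""
    h = leaf_hash(voter_id, template)
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return hmac.compare_digest(h, witnessed_root)


if __name__ == "__main__":
    witnessed_root = register_root(SAMPLE_REGISTER)      # copied to all parties
    proofs = [inclusion_proof(SAMPLE_REGISTER, i) for i in range(len(SAMPLE_REGISTER))]
    stored = list(SAMPLE_REGISTER)
    stored[2] = ("VOTER-0003", b"substituted-bytes")     # one template replaced later
    print("register unchanged:", register_root(stored) == witnessed_root)
    for (vid, tmpl), proof in zip(stored, proofs):
        print(vid, "ok" if verify_record(vid, tmpl, proof, witnessed_root) else "MISMATCH")
```

The check only detects changes made after the root was witnessed; it says nothing about whether the templates were honestly enrolled in the first place.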
Classification of Biometric Systems
After taking a careful look at the selection of biometric properties as well as the required infrastructure with its weaknesses, I will now set out a list of criteria that allows us to classify biometric systems.
Cost. The cost factor is very important for e-Voting systems as the number of participants tends to be very high. Each and every participant needs to spend an initial amount of money for his/her biometric reader. Depending on the recorded biometric characteristic, these costs can be rather large.
False Reject Rate (FRR). No biometric system is perfect. One of the problems that can occur is the so called false reject. A false reject is the situation where a valid user tries to authenticate and is falsely rejected by the system. One way such a false reject can happen is due to noise in the recorded biometric data, e.g. a fingerprint with a new scar or a voice altered due to a cold. Noise can also be introduced due to altered environmental conditions, e.g. humidity on a capacitive fingerprint reader or unfavorable illumination for a face recognizer. If this “noisy” data is matched with the stored user templates, the difference can be too big and the authentication fails, i.e. the user is rejected.
Another issue with the universal applicability of biometric systems is the possibility that a user is not able to participate, as he/she does not have sufficient biometric properties within the measured domain, e.g. his fingerprints were burnt during a fire.
Final effects that may cause a false reject are time dependent variations either with the individual, e.g. tone of the voice changing over time or an accident that changes the individual’s signature, or a variation due to the reader, e.g. a new version of the reader uses slightly different sensors that yield slightly different measurements.
False Accept Rate (FAR). The second type of error a biometric system is doomed to make is a so called false accept. In contrast to false rejects, a false accept means that a user is successfully accepted (authenticated) even though he/she should have been rejected. In an e-Voting system there are actually two scenarios where we have to talk about false accepts:
An unauthorized user is erroneously accepted for a vote. This has two consequences. First, this user is able to give a vote and thereby to possibly change the vote’s outcome. Second, as the wrongly authenticated user already gave his vote, the actual user that should be allowed to vote is wrongly rejected yielding the same result as with a false reject.
An authorized user is confounded with another valid user. With this the short-term effect does not yield a wrong vote count. However, once the other user is trying to make his/her vote, he will be rejected under the assumption that he has already made his/her vote. This again leads to all the consequences of a false reject.
Another source of false accepts is the uniqueness of the tested biometric recordings. Even assuming that a fingerprint is actually unique, a fingerprint reader will not yield different readings for all users. This stems from the fact that a fingerprint reader does not yield the complete fingerprint as a picture for matching against the stored template, but actually reduces the input to a predefined feature set of typical characteristics. This introduces a theoretical upper boundary on the number of individuals that a biometric system can distinguish between.
Spoofing. Another important aspect of a biometric system is its susceptibility to spoofing. Spoofing is the willful attempt to impose a false accept onto the biometric system. This type of attack is especially relevant for behavioral properties, e.g. replay of a voice recording or a blueprint of a signature. However, face recognition as well as the other physical properties are also susceptible to this type of attack.
As an example I will examine an attack on fingerprint readers. Modern models do not rely solely on the pattern of the applied finger, but also execute a “life-check”. (LatexID, 1998) describes how to try this approach. The approach is to first get a fingerprint of the impersonated person using conventional means. This fingerprint is digitally photographed and reworked using graphics software and finally transferred onto a photo layered using acid. This form is then used to make a latex print of the original finger. Due to the very thin layer of latex, it is also possible to trick the “life-check” of the reader. (LatexID, 1998).
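The false reject and false accept rates defined above pull against each other through the matcher's decision threshold, and at the scale of an electorate even small rates become large head counts. The following added example (not from the original article) sweeps a threshold over constructed match scores, projects FRR onto an assumed electorate, and, going slightly beyond the text, uses 1 - (1 - FAR)^n to show why confusing one valid voter with another becomes likely as the template database grows; the score distributions, the electorate size and the independence of comparisons are all assumptions.

```python
"""Added example: FRR/FAR of a threshold matcher, projected onto an electorate.
All scores, distributions and the electorate size are constructed assumptions."""
import math
import random


def simulate_scores(n, seed=2012):
    """Constructed similarity scores in [0, 1] for genuine and impostor attempts."""
    rng = random.Random(seed)

    def clip(x):
        return min(1.0, max(0.0, x))

    genuine = [clip(rng.gauss(0.80, 0.10)) for _ in range(n)]   # same person, noisy re-read
    impostor = [clip(rng.gauss(0.35, 0.12)) for _ in range(n)]  # a different person
    return genuine, impostor


def error_rates(genuine, impostor, threshold):
    """The matcher accepts when score >= threshold. Returns (FRR, FAR)."""
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far


def sweep(genuine, impostor, steps=20):
    """(threshold, FRR, FAR) rows for thresholds 0, 1/steps, ..., 1."""
    return [(t / steps, *error_rates(genuine, impostor, t / steps))
            for t in range(steps + 1)]


def equal_error_point(genuine, impostor, steps=100):
    """The row where FRR and FAR are closest: neither error can be tuned away."""
    return min(sweep(genuine, impostor, steps), key=lambda r: abs(r[1] - r[2]))


def voters_turned_away(frr, electorate):
    """Expected number of legitimate voters falsely rejected on polling day."""
    return round(frr * electorate)


def p_false_match_1_to_n(far, n_templates):
    """Chance that one reading matches at least one of n other stored templates,
    assuming independent comparisons: 1 - (1 - FAR)^n."""
    if far >= 1.0:
        return 1.0
    return -math.expm1(n_templates * math.log1p(-far))


if __name__ == "__main__":
    ELECTORATE = 1_000_000  # constructed figure, not taken from the article
    genuine, impostor = simulate_scores(20_000)
    print("threshold    FRR      FAR   turned away")
    for t, frr, far in sweep(genuine, impostor, steps=10)[4:9]:
        print(f"{t:9.2f} {frr:7.4f} {far:8.4f} {voters_turned_away(frr, ELECTORATE):12,d}")
    t, frr, far = equal_error_point(genuine, impostor)
    print(f"closest to equal error: threshold={t:.2f} FRR={frr:.4f} FAR={far:.4f}")
    for far in (1e-4, 1e-6):
        p = p_false_match_1_to_n(far, ELECTORATE)
        print(f"FAR={far:g}: P(match against {ELECTORATE:,} templates) = {p:.3f}")
```

Raising the threshold lowers FAR only by raising FRR, so the operating point is a policy decision about which voters bear the error, not a purely technical setting.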
Costs of the Biometric Infrastructure
In addition to the costs of the biometric readers, the cost of the biometric infrastructure has to be handled. The infrastructure roughly consists of two parts: enrolment infrastructure and voting infrastructure. The enrolment infrastructure is necessary to collect and maintain a database of the biometric templates of all participants. The voting infrastructure handles the actual e-Voting process, i.e. it must be able to handle authentication requests of all participants within the official voting period, which, depending on the biometric mechanism used, may require considerable space as well as computing power.
Another aspect of the biometric infrastructure is its high demand on security. It has to maintain the two requirements of a secure e-Voting system: personalization and privacy. Each and every vote has to be linked to a person while preserving the person’s anonymity of what exactly he/she voted for.
Fail Safety of Biometric Infrastructure
In an access control system, a failure of the system may be acceptable. There will be a way to bypass the system and go back to a manual authentication mechanism, e.g. using guards and controlling some form of paper ID. With an e-Voting system, this is not acceptable. Let’s assume an ongoing one day vote from 8:00 in the morning to 2:00 in the afternoon. At 9:00, an attacker starts a DDOS attack on the biometric infrastructure that blocks it and prevents most citizens from casting their votes. In the best case, it may be sufficient to repeat the vote at a later time. However, in other scenarios, it may have much more serious consequences. Scenarios such as the one described with the DDOS attack are quite common nowadays. As e-Voting systems become more common and votes on larger scales are handled by them, the danger of such attacks becomes more and more imminent.
Acceptance of Biometric Infrastructure
The final factor for a biometric user authentication mechanism is its acceptance with its users. Voting is mostly a matter of trust. Regardless of its actual security, a voting system (electronic or not) is only as good as its acceptance with its users. Therefore, any introduction of a new voting system requires a good deal of work to increase its acceptance with the future users. This is especially true with biometric systems. Increasing the acceptance of such e-Voting systems is probably a slow process.
Disregarding security, e-Voting systems can use biometric user authentication. However: Is this necessary? Is it worth the effort and are the security risks manageable considering our precarious situation? The answer in that context is certainly ‘NO’. The main conclusion of this document is that biometric approaches for e-Voting systems in Sierra Leone should be extremely carefully deployed. Actually, I would even recommend refraining from using biometric systems in this context at least for the next 5 years. Currently, the rejection rates are just too high for an environment as sensitive as electronic votes.
Finally, it is important for Sierra Leoneans, and especially the Political Parties Reform Commission (PPRC) or participating political parties to give a very serious consideration to the questions below, and to determine if it is in fact worth accepting and using the biometrics voter registration and voting system in our electioneering process in 2012:
Who will be in charge of the security of the biometric templates once voter registration is over?
How will the voter registration data be transferred onto the voter registration cards?
How will those voter registration cards be authenticated to match with the right voter?
Do the voter registration and eVoting machines have circuits in them that have WiFi capabilities that could catch Internet wireless signals?
Was this biometric system policy a bill passed in parliament by our law makers?
Are our people ready, prepared and comfortable with this system?
If the biometric system could fail, are there any accepted or acceptable contingency plans on how to proceed with the voting process?
If the biometric is used in the actual voting process, will there be any paper trail of the entire voting process, and who generates that report?
As a party, is the SLPP involved with every process concerning this biometric system?
Points to Note
Based on the above analysis of the biometric voter registration and voting system, it is important to consider these points again:
The seeming lack of technical and energy solutions that fulfill all the restrictions and requirements imposed on them by the biometric equipment, infrastructure, security, social science, technology, cost, and the law.
The actual voters do not desire and accept an electronic voting system, and in particular the designed voting system, as we have not informed them emphatically about it yet.
The lack of time to educate our voters on the type of system that will be used to register them to vote in the slated 2012 elections.
Our situation may be bad, but not to the point where an unfamiliar system that will even worsen that situation should be permitted for use in a tense and precarious election.
This very system has the potential of disenfranchising our voters more than ever before, using artificial intelligence or automated tampering.
Recommendations
Based on the above findings, the following are recommended:
The APC government must immediately initiate a process that allows all participating political parties, the PPRC, Civil Society Groups, international observers, and so on, to review the documents, processes, technology and security mechanisms that will be deployed using this high-end technology.
Use the expertise of neutral professionals, preferably with a non-Sierra Leonean background but with a background in the use of biometrics in voter registration and voting processes, to examine the biometric policy, system, and processes in Sierra Leone and submit a report to all political parties, the PPRC, Civil Society Groups, etc., with recommendations as to whether it is worth using the biometric system in a precarious election like the slated 2012 elections.
Provide voter education to Sierra Leoneans about the new voting system and prepare them mentally and physically for the 2012 elections.
Allow for the assignment of party representatives from all participating political parties, the PPRC, Civil Society Groups, etc. – Biometric Division – to be part of any initiation, planning, development, implementation, security, authentication, and reporting of the voting process, including addressing any mistakes, errors and flaws in the system.
Assign funds and logistics to this special body of technology professionals to help them do their work with excellence, proficiency and efficiency.
“Failing to plan is planning to fail” – Alan Lakein.
My Perspective
For the past 3 years I have had a strong concern for the disenfranchisement of our voters especially in the southeastern region of Sierra Leone during the 2007 presidential and parliamentary elections. This is the area where the main opposition party, the Sierra Leone People’s Party (SLPP) has most of its supporters concentrated. Through Information Technology knowledge and skills I learnt in University, and my practical experience with biometric systems, I have come to learn that it is possible to alleviate the problems of voter registration fraud and vote rigging in Sierra Leone if we do either of the following:
To reject the use of biometric system in the 2012 elections due to the unpreparedness of our country and our people as a result of the seeming lack of proper and timely planning for this high-end technology. Use the biometric system as a pilot project on local elections instead.
If the biometrics system is to be used in the 2012 elections by all means, all participating political parties, the PPRC, Civil Society Groups, etc. must be part of the initiation, planning, development, implementation, security, authentication, and reporting of all identified issues, problems, concerns, mistakes, errors, and flaws.
The challenge to the introduction and operation of the Biometric system, however, is twofold. First, there does not exist the trained manpower in the country to be part of the close monitoring team that will dismantle any voter registration and vote rigging ploy. And second, our country does not have enough time to educate the masses about this new high-end technology that will determine their future and future of their country.
Research suggests that biometric approaches for e-Registration and eVoting systems should be extremely carefully deployed and even recommends refraining from using biometric systems in this context at least for the next 5 years because currently, the rejection rates everywhere it is used are just too high for an environment as sensitive as electronic votes.
Further, the biometric system is considered to be a major threat to our fragile democracy and the peace our country currently enjoys. If anything major goes wrong with any of the systems, there is the potential for even worse violence and civil disorder to erupt in Sierra Leone, thereby plunging our country into another civil conflict. It is my hope, therefore, that as ambitious as this system may tend to be, all concerned will, due to all of the highlighted issues that come with it, consider these realities and give this biometric policy very careful consideration.
May God bless Sierra Leone, May God bless us all.
Phodei Ibrahim Sheriff
SLHTC DIV II
Dip. Software Application Specialist
BSc – IT (Technology Management)
MBA - Networks and Communications Management (Wireless Systems Management) – Graduation in Progress.
Jawi/Nongowa Chiefdoms, respectively.