We outlined seven desirable properties of polling systems in Section
2.  In this section we will evaluate Sensus' ability to satisfy these
properties.

While evaluating the security and privacy aspects of the Sensus
system, we make a few assumptions.

-  We assume that a vote cannot be linked to a particular voter by
  tracing the packets in which the vote is delivered to the tallier
  back to the sender.  Thus, we assume all communication between voter
  and election authorities occurs over an anonymous channel.  This is
  not necessarily the case using the current Sensus implementation;
  however, an anonymous channel could be secured through the use of a
  chain of World Wide Web forwarding servers.
-  We assume that the voter is using a computer system in which it
  is not possible for clear text messages to be intercepted.  Thus we
  assume no parts of the voter's computer system can be snooped
  through physical or electronic means.  The voter's privacy while
  casting the vote can only be violated if the voter allows someone to
  look over his or her shoulder.  This is, of course, not the case if
  the voter is using a multi-user system where other users have root
  privileges.
-  We assume that messages from voters will not arrive at the
  validator and tallier in the same order.  If they did, the validator
  and tallier could collude to link ballots with the voters who cast them.
  This assumption is valid given a voter population large enough that
  multiple voters are likely to attempt to vote at approximately the
  same time.  In addition, voters concerned about this type of
  collusion need not submit their ballots to the tallier immediately
  after obtaining validation certificates from the validator.
-  We assume that all encryption algorithms used are sufficiently
  strong that encrypted messages cannot be decrypted without the
  proper keys.  Thus, security in the current implementation is based
  on the strength of RSA.
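
The arrival-order assumption can be checked numerically. The simulation below is an added illustration, not part of Sensus or of the original text: it estimates how many ballots a colluding validator and tallier would link by pairing the k-th validation request with the k-th ballot received. The function name, the latency range and the scenario sizes are assumptions chosen for the illustration, and rank pairing is a deliberately simple linking rule.

```python
import random

def linked_fraction(n_voters, window_s, max_wait_s, seed=0):
    """Share of ballots linked to voters when a colluding validator and
    tallier pair the k-th validation request with the k-th ballot received."""
    rng = random.Random(seed)
    # Time each voter contacts the validator, uniform over the polling window.
    validated = [rng.uniform(0, window_s) for _ in range(n_voters)]
    # The ballot reaches the tallier after network latency (assumed 0.05-0.5 s)
    # plus a voluntary wait of up to max_wait_s chosen by the voter.
    tallied = [t + rng.uniform(0.05, 0.5) + rng.uniform(0, max_wait_s)
               for t in validated]
    # Voter indices in the order each authority saw them.
    by_validator = sorted(range(n_voters), key=validated.__getitem__)
    by_tallier = sorted(range(n_voters), key=tallied.__getitem__)
    hits = sum(v == t for v, t in zip(by_validator, by_tallier))
    return hits / n_voters

if __name__ == "__main__":
    # (voters, polling window in seconds, maximum voluntary wait in seconds)
    scenarios = [
        (10, 86400, 0),      # sparse poll, ballots sent immediately
        (500, 3600, 0),      # moderate load, ballots sent immediately
        (500, 3600, 3600),   # same load, voters wait up to an hour
        (20000, 600, 0),     # many voters voting at about the same time
    ]
    for n, window, wait in scenarios:
        share = linked_fraction(n, window, wait)
        print(f"{n:>6} voters / {window:>5}s window / wait<={wait:>4}s: "
              f"{share:.1%} of ballots linked by arrival order")
```

In the sparse scenarios nearly every ballot is linked, which is why the assumption depends on many voters voting at about the same time or on voters delaying submission to the tallier.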
 
 
 
   
   
         
 
 
 
Lorrie Faith Cranor 
Sun Nov  5 20:54:12 CST 1995