There are several stages in the election process when a need arises to reliably identify a person. The obvious stage is when a person votes, but identification systems may also be needed when a person registers to vote, or where an employee needs access to a workplace or a computer system.
Some countries rely on the honesty of their voters, and do not require voters to provide proof of their identity. Others do require proof, leading to a need for an identification system.
As electronic voting becomes more widespread and more automated, particularly where voting is introduced on the internet or by telephone, identification systems become crucial to ensure that only eligible voters are able to vote.
There is a range of different kinds of identification systems:
- Identity cards
- Personal Identity Numbers (PINs)
- Bio-identification systems (including voice, hand, finger/thumb, retinal identification systems)
- Digitized photography
- Barcoding
- Public Key Infrastructure
- Passwords
Identity cards
In some countries, identity cards are used daily for a wide variety of uses. Other countries have resisted the use of identity cards for day-to-day uses. Local sensitivities towards identity cards will impact on their suitability for use in particular circumstances.
For electoral purposes, identity cards can be used to identify voters when they are registering to vote and when they are voting at a polling place. Identity cards can be used by electoral staff for access to workplaces and other sensitive locations such as polling places and counting centres. Identity cards can also be used by electoral staff conducting door-to-door electoral roll checks or enumerations.
Identity cards can be divided into two main types: those that include digitised data (usually on a magnetic strip) and those that do not. Identity cards of both types can also be divided into those that include photographs and those that do not.
Where identity cards include digitised data, these can be further categorised into 'read only' cards (that contain data about the person that cannot be changed after the card is issued) and 'read-write' cards (that contain data about the person that can both be read by card readers and updated with new information by card writers). Read-write cards are also known as 'smartcards'.
Read-write smartcards have great potential for electoral uses. If a polling place is equipped with a smartcard reader attached to a database, a smartcard could be used by a voter to prove the voter's eligibility to vote, to provide a record that the person voted and to ensure that the person could not vote again in the same election using that card.
Smartcards can also be used as part of bio-identification systems (see below).
Another use for smartcards is to allow staff to gain automatic access to secure buildings.
As identity cards are used to verify the identity of people during sensitive events such as voting, most identity cards contain features that are aimed at minimising opportunities for fraud. Inclusion of a photograph and/or a signature and/or a finger or thumb print serves as a visual check on identity (although be aware that there may be cultural sensitivities to inclusion of some of these features). Security printing devices like holograms or difficult-to-reproduce coloured designs can be used to guard against forged cards. Bio-identification features built into cards also serve to prevent fraud.
Personal Identity Numbers (PINs)
PINs are in widespread use in many countries as more and more services are provided through automated systems, such as bank Automatic Teller Machines, Electronic Funds Transfer at Point of Sale (EFTPOS) retail systems, and telephone and internet banking and bill-paying facilities.
PINs are not yet in general use for electoral purposes. However, as electoral authorities move to introduce automated voting systems by telephone and/or internet, PINs will become a vital part of the voting process.
PINs serve as unique identifiers when people are using automated services, in order to verify that the person is entitled to access that service in that person's name. For this process to be effective, care must be taken in the way PINs are allocated and stored.
When a bank issues a PIN, this is usually done either by mail (when the card or account with which the PIN is associated is usually sent separately) or by requiring the person to come to a bank office to allocate his or her own PIN after providing some proof of identity. PINs used over the internet can be allocated by email.
For electoral authorities, systems for allocating PINs need to be devised to ensure that the PINs are allocated to the correct person. Distributing PINs by mail or email carries some risk, as it may be difficult to guarantee that the person receiving the mail is entitled to receive that PIN. On the other hand, it may be difficult or impractical to require PINs to be allocated in person. One device for limiting misuse of PINs is to require a second identifier in addition to the PIN, such as an identity card or a different identity number such as a social security number or tax file number.
Where a PIN has been stolen by an unauthorised person, that PIN could be misused if the system to which it is linked does not require any other verification of identity. For added security, PINs can be restricted so that they can only be used in conjunction with a smartcard, requiring both the PIN and the card to gain access to the system.
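The safeguards described in this section (careful allocation and storage, a second identifier, and the one-vote-per-card idea from the smartcard discussion) can be sketched in code. This is an added example, not part of the original text; `PinRegistry`, `SERVER_KEY`, the six-digit PIN length and the identifier formats are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Assumption: a server-side key held outside the PIN database (for example in an HSM).
SERVER_KEY = secrets.token_bytes(32)


class PinRegistry:
    """Hypothetical registry: allocates PINs, stores only digests, allows one vote."""

    def __init__(self):
        self._records = {}  # voter_id -> {"salt", "digest", "voted"}

    def _digest(self, salt, pin, second_id):
        # A short PIN is easy to guess offline, so bind it to the second
        # identifier, stretch it with PBKDF2 and key the result with SERVER_KEY.
        material = f"{pin}|{second_id}".encode()
        stretched = hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)
        return hmac.new(SERVER_KEY, stretched, "sha256").digest()

    def allocate(self, voter_id, second_id, digits=6):
        """Generate a random PIN; return it once for delivery, keep only the digest."""
        pin = "".join(secrets.choice("0123456789") for _ in range(digits))
        salt = secrets.token_bytes(16)
        self._records[voter_id] = {
            "salt": salt,
            "digest": self._digest(salt, pin, second_id),
            "voted": False,
        }
        return pin

    def authorise_vote(self, voter_id, pin, second_id):
        """Check PIN plus second identifier, then mark the voter as having voted."""
        rec = self._records.get(voter_id)
        if rec is None:
            return "unknown voter"
        candidate = self._digest(rec["salt"], pin, second_id)
        if not hmac.compare_digest(candidate, rec["digest"]):
            return "rejected"
        if rec["voted"]:
            return "already voted"
        rec["voted"] = True
        return "accepted"
```

Because the second identifier is mixed into the stored digest, a PIN intercepted in the mail is not enough on its own to pass `authorise_vote`.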
Bio-identification systems
Bio-identification systems can be divided into two main types: visual and electronic.
Visual bio-identification methods include use of photographs, signatures and/or finger or thumb prints on identity cards. These are relatively low cost to implement and administer. Many off-the-shelf identity card issuing systems incorporate photographs and signatures. At polling places, polling staff are expected to compare the photographs, signatures and/or finger or thumb prints on the identity cards against the voters who present them.
This process has its weaknesses. Signature and finger print comparisons are highly skilled tasks, and as such polling staff cannot be expected to master these skills. As for photographs, a person's appearance can often change significantly from that contained in an identity photograph, particularly if it is not updated regularly. Nevertheless this kind of identity system will probably suffice in most cases where the risk of voting fraud is not unacceptably high.
If visual bio-identification systems are not considered secure enough, electronic bio-identification systems can be used. Electronic bio-identification systems can include digitised voice, hand print, finger/thumb print, or retinal images. Using these systems, digital records of a person's voice or physical features are stored on disk or smartcard and compared to the actual features of the person using some form of electronic reader. Access is only provided where there is an exact match.
Electronic bio-identification systems are expensive to acquire and administer, and may not be practical for use with the general voting population (although this may change as the relevant technology becomes more widespread and cheaper). However, they are a feasible option for providing security at sensitive locations.
Some of these systems are sophisticated enough to measure the heat in a person's hand, to prevent anyone from using a murder victim to gain access. However, this feature can be a problem in cold climates where access may be denied to a cold but very much alive person.
Digitised photography
Digitised photographs of people's faces can be used to determine whether an individual has registered more than once. If all registered voters have their photographs taken and digitised, computer software can compare the photographs to determine whether the same person appears in more than one of them.
Barcoding
Barcoding can be used as a means of identifying objects. A barcode is a series of coded lines that can be read by laser barcode readers and converted to a machine-readable string of digits.
Barcoding is a very simple and efficient method of assigning a unique identifier to just about any object. Barcodes are widely used in retailing, where they can identify and price each item, as well as record sales and stock levels. Barcodes can also be used for inventory purposes and on identity cards.
Electoral authorities also can use barcodes to identify and keep track of accountable items. For example, a particular form could be assigned a barcode, enabling that form to be readily identified by a scanning system. If there is a need to uniquely identify each form, a unique barcode could be assigned to each individual form using a computer-generated laser printing technique.
Barcode systems are also used extensively for mailing applications. Some countries have mail systems that allow users to print address barcodes on mail, so that postal authorities can process the mail without having to print barcodes in their mail-rooms, thereby creating a discount for the user.
As barcodes can identify both the name and address of the voter, they can be used by electoral authorities to process the mail when it is returned. This is particularly useful for postal ballots to automate the recording of voter names. These barcodes can also be used where addressed mail is returned 'not known at this address' in order to capture those details for electoral roll update purposes.
Public Key Infrastructure/Electronic signatures
As more and more government transactions become available over the internet, the need arises for a form of electronic proof of identity, or 'electronic signatures'.
Public Key Infrastructure is the name given to the process of transmitting encrypted electronic information using a private electronic 'key' to encrypt the information and a public 'key' to decrypt it once received. The use of the private 'key' also serves to identify the sender by giving that person a unique electronic identity. These private keys are generally issued by a responsible authority, which requires a person to provide proof of identity.
For more information see Encryption.
Passwords
Passwords are primarily used to uniquely identify users to computer systems. As a general rule, all electoral computer systems should be password protected to prevent unauthorised access.
There are several basic rules that apply to use of passwords, aimed at ensuring that unauthorised users cannot discover them:
- Passwords should never be written down and left where an unauthorised user might find them - if passwords have to be written down (ideally they should be memorized), they should be securely locked away
- Passwords should be changed regularly - about once a month is a good standard
- Passwords should not be obvious - they should not be the name of the user, the organization, a relative, friend or famous person or thing - obvious words can be guessed by others - in particular, the password should not be 'password', as everyone starts out with that one
- Passwords should ideally contain a mixture of letters and numbers and, if the computer system is case sensitive, a mixture of upper and lower case letters - such combinations are harder to crack
- Passwords should not be too short - short passwords are easier to crack - around 8 characters is a good length
- Passwords should not be shared with colleagues, relatives or friends - each person should have their own password
- In the case of very sensitive systems it may be desirable for the computer system to keep track of which passwords are used at what times, and what data is accessed
- It is desirable to limit the number of times in a session when a person can try to enter a password and fail - this is particularly important where password access is permitted on a public network like the internet (some computer programs can be set up to automatically try huge numbers of possible passwords if the system permits this)
- Where an employee who is assigned a password resigns or leaves a workplace to work elsewhere, that person's password access should be revoked
- System administrators need the ability to reset passwords for users who forget them
- Anyone with password access to a computer system (including any externally employed contractors or systems administrators) should have a security clearance at a level appropriate to the data accessible on the system
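Several of the rules above can be enforced by the system itself instead of being left to users. The following added example (not part of the original text) checks a proposed password against the length, mixture and "not obvious" rules, limits failed attempts within a session, records every attempt, and honours revocation; the names, the limit of three failures and the PBKDF2 storage format are assumptions.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone

MIN_LENGTH = 8    # "around 8 characters" from the list above
MAX_FAILURES = 3  # assumed limit; the list gives no number


def policy_violations(password, obvious_words):
    """Return the rules from the list above that `password` breaks."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("needs letters and numbers")
    if any(w.lower() in lowered for w in ["password", *obvious_words] if w):
        problems.append("obvious word")
    return problems


def make_account(password):
    """Store a salted PBKDF2 digest, never the password itself."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "digest": digest, "revoked": False}


class LoginSession:
    """One session: counts failures, logs every attempt, honours revocation."""

    def __init__(self, accounts, audit_log):
        self.accounts, self.audit_log, self.failures = accounts, audit_log, 0

    def attempt(self, user, password):
        acct = self.accounts.get(user)
        if self.failures >= MAX_FAILURES:
            result = "locked"  # too many failures: stop checking passwords
        elif acct is None or acct["revoked"]:
            result = "denied"
        else:
            digest = hashlib.pbkdf2_hmac("sha256", password.encode(), acct["salt"], 100_000)
            result = "ok" if hmac.compare_digest(digest, acct["digest"]) else "denied"
        if result == "denied":
            self.failures += 1
        self.audit_log.append((datetime.now(timezone.utc).isoformat(), user, result))
        return result
```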