By Emmanuel Ewere

The Nigerian Bar Association (NBA) is the foremost professional legal association in Nigeria. The association holds its elections every two years. The last two elections of the NBA were marred by allegations of election malpractice.

This very fact was confirmed by the current president, Olumide Akpata, who assured the members that he would set up a committee to ensure a better electoral process. Now, in view of the forthcoming election, I conducted research on the challenges faced in the past elections to adequately understand how future elections can be conducted in a way that minimises corruption and sets a path for others to follow.

My studies as a Graduate/Master’s student of Information Technology Law, my time working with the Nigerian electoral body (INEC) and an examination of the Estonian electronic voting system have given me deep insight and knowledge on the technicalities of e-voting. The alleged massive over-voting and disenfranchisement of many eligible voters in the 2018 NBA election was caused by the fact that the organizers had problems with organizational security. My research noticed that many procedural rules were either unavailable or were not followed correctly. Following such rules is very important to avoid creating any weaknesses in the system. For example, the voting software was developed on developers’ personal computers rather than on purpose-specific computers meant just for the elections. My research further showed that such users’ computers cannot be trusted to work appropriately, as they can be infected by malware. For example, it is possible to infect a user’s computer with malware that saves the access codes of members and uses these later to recast the vote. It is difficult for an end-user to detect such malware, especially if the attacker is an insider with advanced cyber offense capabilities. Also, the vote verification application did not provide protection against this attack, as the malware can easily recast the vote after the allowed verification period.

Now, having highlighted the above challenges, it is expedient to recommend solutions to them. First, to simplify the security analysis of an e-voting system, I will break it into two sides, the client side (members of the NBA) and the server side (election organizers), and analyze them separately. Besides the client and the server, it is also important to focus on the security of the transport channel, which can be secured with standard measures.

Second, it is important that the behavior of the server be audited. No malicious party should be able to modify the election result. Thus, I recommend a new version of the voting system that distributes the server-side tasks between two independent entities. The vote registration service should be separate from the rest of the server-side software. The vote registration service registers the received encrypted and signed votes. Once the voting period ends, the signatures are removed and the encrypted votes are sent through a re-encrypting mix-net, which removes the link between the encrypted vote and the signature. The mix-net also generates a cryptographic (mathematical) proof, which shows that all of the encrypted votes coming out of the mix-net are the same as those that were inserted into the mix-net (that were signed by eligible voters). The re-encrypted votes are decrypted on an air-gapped machine, and the decryption software generates a cryptographic proof, which can be used to check that the decrypted votes represent the encrypted votes. Thus, it must be checked that the software that performs decryption does not cheat. Importantly, this check has to be done by an independent auditor.

The client side of the voting system should provide the voter with the means to encrypt the vote and verify the vote. In addition, it is difficult for voters to check whether malware has abused their electronic identities to issue legally binding signatures. Thus, when voters cannot trust their phones or computers, it is difficult to get a guarantee that their vote was not overwritten by malware. However, to change the election result, a large number of voters would have to be attacked. The bigger the attack, the more probable it is that it will be detected. In addition, the election organizers can detect anomalies from the server-side logs. For example, if the number of voters who re-vote increases significantly, it should be carefully checked whether there is malicious activity involved.
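The server-side log check described above can be sketched as follows. This is an added example, not code from the article or from any NBA, INEC or Estonian system: it counts re-votes in a vote registration log and lists re-votes registered after the verification period of the voter's previous vote, the pattern attributed earlier to vote-recasting malware. The log format, the 30-minute window, the baseline rate and the alert factor are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

VERIFY_WINDOW = timedelta(minutes=30)  # assumed length of the vote verification period
BASELINE_REVOTE_RATE = 0.02            # assumed re-vote rate seen in earlier elections
ALERT_FACTOR = 3                       # assumed: alert at three times the baseline

# Constructed registration log: (voter id, time the signed vote was registered)
SAMPLE_LOG = [
    ("NBA-0001", "2030-01-01T09:00:00"),
    ("NBA-0002", "2030-01-01T09:05:00"),
    ("NBA-0003", "2030-01-01T09:10:00"),
    ("NBA-0002", "2030-01-01T09:12:00"),  # re-vote while verification is still open
    ("NBA-0004", "2030-01-01T09:20:00"),
    ("NBA-0001", "2030-01-01T11:30:00"),  # re-vote after the window has closed
    ("NBA-0003", "2030-01-01T12:45:00"),  # re-vote after the window has closed
    ("NBA-0005", "2030-01-01T13:00:00"),
]

def analyse_revotes(log):
    """Summarise re-voting and list the voters whose re-votes need manual review."""
    by_voter = defaultdict(list)
    for voter, ts in log:
        by_voter[voter].append(datetime.fromisoformat(ts))

    revoters, late = set(), set()
    for voter, times in by_voter.items():
        times.sort()
        # Compare each vote with the same voter's previous vote.
        for prev, cur in zip(times, times[1:]):
            revoters.add(voter)
            if cur - prev > VERIFY_WINDOW:
                late.add(voter)  # a signal for review, not proof of compromise

    rate = len(revoters) / len(by_voter) if by_voter else 0.0
    return {
        "voters": len(by_voter),
        "revoters": sorted(revoters),
        "late_revoters": sorted(late),
        "revote_rate": rate,
        "rate_alert": rate > BASELINE_REVOTE_RATE * ALERT_FACTOR,
    }

if __name__ == "__main__":
    for key, value in analyse_revotes(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A voter may legitimately change a vote hours later, so the late re-voter list is a queue for follow-up with those voters rather than a verdict.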

Huge monetary allocations are usually made for elections, which can cover the cost of procuring this security system and of competent hands to oversee it, without contracting big companies that offer no security guarantees.

I believe we can make the system better and set the pace for the future e-voting system desired by the Nigerian electoral system.

Emmanuel Ewere is an IT law expert with Adamson Adeboro and co.