From: Carol Boughton
To: Spence, Rohan
Cc: Clive Boughton
Subject: HPE CM: Security issues for the ACTEC telephony (IVR) Platform
Date: Thursday, 4 April 2019 9:23:06 PM

Ro
Last week you asked the question about the security of IVR voting. Below are some
comments provided by our partners.
Regards
Carol
Security and IVR/Telephone Voting for ACTEC
An Interactive Voice Response (IVR) in an election context could perform a number of functions,
but is commonly associated with registration processes, voting options provided for absentee or
remote voters, and improved accessibility for voters with disabilities.
Certain security aspects of these systems are set out in the Australian Telephone Voting
Standard issued by the Electoral Council of Australia (section 10)[i]. However, these are more to
do with the security and privacy requirements, rather than methods used to ensure compliance
with those requirements.
Generally, a telephone voting system will be subjected to all of the security principles that would
apply at a polling place, such as anonymity and secrecy of the vote, and security of transmission
of the votes for counting. The IVR servers would mirror the eVACS® system in terms of
presentation of stored data.
The IVR servers (minimum of two) would be a standalone system either physically located within
an ACSC certified high level security environment[ii] (such as the Vault hosting facility in
Canberra), or co-located with other appropriate vote storage physical infrastructure (e.g. with
the Election Server).
A system located within the proposed high level security environment at Vault would be
protected by Vault’s certified firewall, with a number of access approvals required before access
to the system is granted.
The IVR system stores votes in an eVACS® generated server which then uploads to the Election
Server for counting, just like votes from polling places and scanning. The storage media will have
been encrypted.
We are proposing that the IVR platform undergoes its own IRAP Assessment[iii] in conjunction
with eVACS®.
Security associated with the PSTN (Public Switched Telephone Network)
The IVR encrypts all communications within its control (and within the hosting facility) via the
Secure Real-Time Protocol (SRTP).
Transmission issues: Telephone voting via the PSTN means that voters may initiate a call from
various devices (home analogue/digital landline, business extension or mobile phone) and as
such the levels of security available will also vary. For example, the 4G network in Australia
provides encryption of mobile phone calls to base stations, but not end to end.
Where telephone voting for government elections is available (e.g. some jurisdictions in
Australia), the possibility of unlawful interference with calls over the PSTN is considered an
acceptable risk, while ensuring compliance with Australian Government Information Security