Citizen engagement and compliance with the legal, technical and operational measures in ivoting Michel Chevallier Geneva State Chancellery
Setting the stage Turnout is low in many modern democracies Does easy voting mean more voting? Postal vote (introduced 1995) increased turnout by 20 percentage points After 5 years of postal voting, 95% of votes come in by post Yet, 40%-45% of citizens still do not vote Can we reach for them through a new delivery channel? To see it for ourselves, we began ivoting in 2003 We run 3 channels: postal vote, ivote and polling station
Our perimeter of compliance As we are handling protected data the voters' register, the votes we must comply with strict rules ivoting must be at least as secure as postal voting: this is the benchmark set by the federal authorities It has legal translations in the federal constitution, in the federal law on political right and its ordinance and in the Geneva cantonal constitution and legislation These texts define our perimeter of compliance
What are the rules? The law states technically neutral yet very specific security rules to be implemented: One citizen, one vote Impossibility to capture or alter a substantial amount of votes All ballots must be counted for the final result No third party must see a vote (protection of the vote secrecy) (protection of the citizens' choice) Ballots must be encrypted in the voter's PC, for the transmission procedure (anonymity of the votes) IT application linked to vote process must be split from all other IT apps. During ballot opening time, interventions on the IT system must be performed jointly by at least two persons and recorded in a log book Before every ballot, authorities must check the hardware, software, organisation and procedures according to the current best practices An independent 3rd party endorsed by the Confederation must confirm that all safety measures are met and that the system works properly
Defining the right perspective Like notes on a score, laws must be interpreted In most people's view, the security of electronic voting is associated with voter ID protection and vote secrecy It boils down to a user-centric approach: "I want to be protected from my neighbour sniffing on me" The correct approach is a society-wide one The society requires trust and certainty, i.e. accurate ballot results that reflect correctly the voters' intent Protecting the community against ivoting misuse means therefore protecting the data integrity
Tales of two worlds Two worlds unite in ivoting, the real one and the virtual one We have to manage both harmoniously
The real world
Physical identity It is tempting to use a token based on the X509 norm to identify the voter This would raise more problems than it would bring solutions The identity control would be delegated to the browser We would not be able to know who is behind the keyboard Therefore, we combine something that the voter owns (the Pin code reproduced on his voting card) with something he knows (his birth date and municipality of origin) The voting card is a numerical ID with time-limited validity
The voting card ivoting Paper-based ballot
The virtual world
Three contexts three features There are three contexts or environments that we must take into account in the virtual world The voter's PC The internet The State's IT system (electoral register and vote processing application) We only control one of these: the State's IT system Our challenge is to ensure data protection in uncontrolled environments
Change of paradigm In our approach to security, we have changed paradigm In the past, we operationalized the legal rules one by one This imposed trade-offs between usability and security This illustrates our old approach We have now adopted a systemic approach We view the system as a platform to be secured including the web and the voters' device The world as it is The voting application is "plugged" into this platform Security is our main business, voting is a side-offer User friendliness Security A simple case: the relationship security/ user friendliness
A word about the procedures Auditing by the Confederation Systematic splitting of crucial data: Anonymisation of the voters' register you are but a number in our files Anonymisation of the vote by splitting the vote from the voter's authentication parameters Permanent electoral commission, created when online voting was introduced in the law as additional watchdog ISO 27001 certification process achieved for budgetary reasons, we will not seek the actual certification ISO 27001 means that all procedures are documented and their implementation can be checked by the electoral commission
The secure channel The SSL protocol is vulnerable on two accounts: Because it is activated by the browser, it can be easily compromised It can be broken by brute force attack The secure channel (a java applet) fulfils a triple function: It provides an second encryption layer on top of the SSL, without having any link to the browser It checks whether the messages we receive from the voters are coherent with a normal voting procedure By doing this, it keeps the malware that might have infected your PC away from our IT system The secure channel encryption key is made of true random numbers generated by a quantum generator
SSL without secure channel SSL only Wahlgang Scrutin Scrutinio Scrutini Poll Wahlgang Scrutin Scrutinio Scrutini Poll Ja Oui Si Gea Yes Ja Oui Si Gea Yes Nein Non No Na No Nein Non No Na No Hacker
SSL with secure channel What you see is unreadable Wahlgang Scrutin Scrutinio Scrutini Poll DEMK3A2#3KKJLJNJ{@ 3*BSÉ1=DEMK3A2#3K KJLJNJ{@3*BSÉ1= Hacker?????
Guaranteed ballot box integrity The coherence control performed by the applet guarantees the integrity of the ballot box's content We know for sure that it is possible to read the ballots We know for sure it does not contain any incoherent result A second control is provided by the test ballot box The electoral commission owns the ballot box's encryption keys in application of the principle of segregation of duties Its members vote in a imaginary constituency and also record their votes on paper Comparing this constituency's electronic ballots with the paper notes provides a confirmation that the system does not introduce a bias
A large controlled perimeter The strength of the polling station resides in the control by the State of the voting and ballot counting premises Postal voting weakens this control The secure channel contributes re-establishing State control over the full voting perimeter The hardening of all IT levels (vote application, OS, hardware and network) also contributes recreating conditions close to the polling station's We are already past our government defined benchmark, postal voting
A large controlled perimeter: illustration Controlled perimeter with secure channel (in this case, port 80 is being used instead of port 443) consoles voters' register citizen browser internet 443 IDS/IPS IDS/IPS firewall web server Controlled perimeter without secure channel application server electronic ballot box Cryptographic factory quantum generator
The control code The control code fulfils two functions: It confirms the voter that she is connected to the State of Geneva voting web site (as we know that hardly anybody ever checks the site's certificate) It allows us to embed the voters' choices in an image, thus adding noise to the message This code is different for each citizen It changes for each ballot You find it on the voting card
The control code (followed)
A few other measures No connection electronic ballot box/voters' register Voters' register only contains voting cards numbers eballot box has a built-in encrypted device to record the number of cast votes This device is off-limits for the database administrator; no vote can be subtracted without us noticing Altering the votes is impossible: the ballot box's encryption key is owned by the electoral commission The ballot box is shaken before being decrypted in order to alter the ballots' reading order Helpdesk calls are screened for feedbacks
The ivote users
Two publics There are two publics for ivoting: The Swiss living abroad The Swiss residents ivoting offers the expatriates an effective way to exercise their political rights (at last) For them, ivoting makes a qualitative difference Between 35% and 50% of all votes cast from abroad are electronic votes Consider in valuating this figure that the border is 5 km away and that "abroad" begins 5 km from here
Residents: ivoting appeals to young voters 100% Weight of the different age groups among active voters with evote Weight of the different age groups among active voters without evote Demographical weight of age groups 18-29 30-39 40-49 50-59 60-69 70-79 With evote, the younger voters cast their ballot according to their demographic weight
No men/women digital divide 100% 18-29 30-39 40-49 50-59 60-69 70-79 Until 50, weight Demographical weight of age groups vote online according to their demographic Their behavior through age is similar to the Online voting behavior by Men Women (parallel lines)
Two voting channels, two styles 60% 50% 52% 40% 44% Postal vote 30% 36% 44% 52% evote 20% 20% 23% 25% 10% 0% 1st ballot Semaine week 1 2nd Semaine ballot 2week 3rd Semaine ballot 3 week
The search for a driver Why do some voters use ivote? Do the ivote users have anything in common? Multifactor analysis shows that socio-demographic and political preference variables have no explanatory value I can't anticipate your voting channel based on your age, gender, income or education I can't anticipate your voting channel based on your political opinion
What evote users have in common Subjectively They assess positively their own IT skills They trust online information, communication and transactions Objectively They use the web on a daily basis They have a broadband access
A broken barrier While 22%-25% of all voters use internet 55.5% of usual abstainers use it 18.7% of regular voters use it Online voting breaks an invisible barrier that keeps many voters away from politics Internet voting reaches further, it touches citizens more distant from politics Internet voting makes a paradigmatic difference, it appeals to one's subjectivity or way of life
The hosting process The conception of our platform allows a great deal of versatility We took advantage of this to propose other Swiss cantons to host their citizens on our system We are currently working with three cantons, hosting their expatriates (some 25'000 citizens altogether) To manage this project and keep these cantons in-line, we have set up a user group The user group is an added security factor because it forces us to rethink and optimise our procedures
Hosting illustrated Hosted canton Ballot type (date, topic, etc). 1 Hosting canton Ballot description Voting material Electoral register Voters id / authentication 2 Print file 4 3 Electoral register of the hosted canton electronic ballot box Voters Voting cards E-voting 5 6 Results Turnout Postal voting recording Publication
A last word ivoting is totally different from any other "e" project It cannot live on without trust How did we achieve it? By a very careful project management approach We went on slowly, never forcing the politicians As we would like to capitalize on our achievements, we licensed two private companies to commercialize our system outside of Switzerland
Thank you for your attention www.ge.ch/evoting michel.chevallier@etat.ge.ch