3List of Requirements

3 - List of Requirements

Back to Cybervote Reports List

3.1 Legal requirements
3.2 Technical requirements
3.3 Voters' requirements

3 LIST OF REQUIREMENTS

The following sections lists the requirements that shall/should be fulfilled by the CyberVote system. All requirements have a unique identifier that will be helpful during later phases of the project. This identifier results from the combination of LEG (for legal requirement) or TEC (for technical requirement) or VOT (for voter requirement) with letters (B, I or K) and a number. The letters indicate the user representatives of the CyberVote consortium who agree with the expressed requirement. If all the 3 user representatives have came out with the requirement, then it will lettered BIK (for Bremen, Issy and Kista). If one or two partners disagree with the requirement, this will be reflected by the letters mentioned in the identifier. The `Indicator/criteria' column and the `How to test fulfilment' column give guidelines for later evaluation on how to check that the requirement has been properly addressed.

3.1 Legal requirements

3.1.1 Principles

Identifier

Requirement

Indicator/ Criteria

How to test fulfilment

LEG-BIK-1

The CyberVote system SHALL be flexible enough to accommodate with the demands of various national electoral laws.
The principles of the electoral law in force within each European country are the basics for any legal elections and have to be respected in online-voting processes.
The electoral principles usually are:

- General Vote,
- Secret Vote,
- Equal Vote,
- Direct Vote,
- Free Vote.

Relevant national laws.
Functional specification.

Review by national experts.

3.1.2 The voting period

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-BIK-2	The CyberVote system SHALL allow to customise to restrict or to extend the voting period according to the legal practice. At least 2 weeks early voting by means of mail and electronic media should be allowed. This requirement is understood to become a parameter of the software system in order to comply with different national legal boundary conditions. In one country, online-voting might be possible in advance (like in vote-by-mail) while others might restrict the possibility to cast a vote to the opening hours of the polling stations, e.g. for reasons of equality.	National Electoral law. Voting period allowed.	Review by national experts.

3.1.3 Suffrage, etc.

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-BIK-3	Equal suffrage SHALL be ensured. "Equality" in the context on online-voting refers to equal access for all online-voters - not equal access for all voters. The "equality of votes", i.e. one voter-one vote, remains completely independent from this requirement	General principle. Online voters hence shall be equipped with same or comparable technical prerequisites to access the voting system.	Requirement is fulfilled, when all the respective voters do have same or comparable chance to access the voting system (e.g. with PC or mobile clients).
LEG-BIK-4	Free elections SHALL be ensured. "Free" in the context of online-voting means, that nobody who is willing to participate as online-voter shall be excluded from this possibility. Furthermore, "free" means "free of any discrimination", not necessarily "free of any costs".	General principle.	This requirement is fulfilled, when everyone applying for voting will get the possibility to do so.
LEG-BK-5	Secret ballot: Anonymity SHALL be ensured. Even under court order, nobody (not even the voter) shall be able to correlate a particular vote with a particular person after the vote has been cast.	National Electoral law.	Certification Process.
LEG-BK-6	Universal suffrage SHALL be ensured. "Universality" of elections mean, that all citizens - regardless of sex, race, income or property, class, education or religion has the right to vote.	Inherent criteria.	Not applicable.

3.1.4 Election register, etc.

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-BIK-7	Correlation of a vote with an election register SHALL be ensured. This is to prevent fake votes.	Casting a vote twice must be impossible.	Attempting to cast a vote by somebody, who already has cast his/her vote before.
LEG-BIK-8	Correlation of a vote with an electoral district SHALL be ensured. In political elections, each vote must be correlatable with the electoral district in which the respective voter is entitled to vote. His/her vote has to count to the result of the election in his/her district (decentralised, i.e. federal democratic political system in Germany). Tallying the ballot must allow a district-wise representation of results. The votes per district have to sum up to the number of all votes cast (Check-Sum).	District-wise result of the election is calculated. Check-sum is correct.	Tallying the ballot must allow a district-wise representation of results. The votes per district have to sum up to the number of all votes cast (Check-Sum).
LEG-BIK-9	Only eligible voters SHALL be able to participate in the election. Control of the identity of the voter with the election's database.	Connection with the election's database.	List of the voters compared to the election's database.
LEG-BIK-10	The names of the different lists or candidates SHALL be given according to an order defined according to each national law (alphabetic, date of candidature, ...).	To be provided by programs.	To compare the introduction list with the final list.

3.1.5 Voter identification

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-BIK-11	Voter identification in compliance with the European guideline for digital signatures SHOULD be ensured. The system shall facilitate an authentication of the voter in compliance with the existing European guideline for digital signatures. The use of certified digital signature has to be tested during special security tests.	Use of certified digital signature./digital identification certificates.	During the voting process, a voter is requested to insert his/her Digital Signature Card into an appropriate smart card reader and to enter his/her PIN. Only after online-verification of his/her identity, his/her presence on the list of voters and his/her eligibility to vote (i.e. he/she has not yet cast his/her vote online or in a conventional way before), he/she can enter the next step of the voting process.
LEG-B-12	Voter identification in compliance with the National Electoral Law SHOULD be taken into account. In Germany, the system has to ensure voter identification in the online voting process by technical means compliant to the German "Digital Signature Act" (SigG - Signaturgesetz). Certified Signature Cards (Smart Cards) and Certified Reading Devices have to be used. The voting protocol and system software have to interact with the smart-card.	Use of certified Signature Cards (Smart Cards) and Certified Reading Devices.	During the voting process, a voter is requested to insert his/her Digital Signature Card into an appropriate smart card reader and to enter his/her PIN. Only after online-verification of his/her identity, his/her presence on the list of voters and his/her eligibility to vote (i.e. he/she has not yet cast his/her vote online or in a conventional way before), he/she can enter the next step of the voting process.
LEG-BIK-13	Vote selling SHALL be prevented. General principle written in some national laws.	National Electoral law	Review by national experts

3.1.6 Voting media

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-K-14	Different voting media SHALL exist. Polling station voting, mail voting, electronic voting.	National Electoral law.	Review by national experts.
LEG-BIK-15	In the polling places or the public spaces, the system SHALL be used with polling booths. To ensure the secrecy.	Existence of polling booths.	Review by national experts.
LEG-IK-16	The CyberVote system in polling places SHALL be controlled by a Chairman, several assessors and one secretary. Their role will be to ensure that all the legal rules are applied.	Procedure of control must be included in the program to permit at any moment a visual control.	List of the voters must be established for control at any time with the list of the election's database.

3.1.7 Vote counting

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-K-17	Different voting media SHALL be integrated. Existence of priority principles between media.	National Electoral law.	Review by national experts.
LEG-BIK-18	The system SHALL allow for different voting systems. For instance, majority vote, proportional vote, vote for parties, votes for individual on party lists, crossing out of individuals on such lists, etc.	National Electoral law.	Review by national experts.
LEG-BIK-19	The CyberVote system SHALL be flexible enough to allow its use on different kinds of elections. It shall be used when voters are voting for a list of candidates, for a unique candidate, for a referendum. It shall also be able to run on simultaneous elections.	Different documents presentation for introduction screen..	Visual control.
LEG-IK-20	Different voting media SHOULD be prioritised. Each person SHALL be able to vote more than once using different media (but only the highest priority vote shall count).	National Electoral law.	Review by national experts.
LEG-K-21	Only one vote per person SHALL count. Only the highest priority vote (selected by priority principles ) shall count in the case a voter used more than once using different media.	National Electoral law.	Review by national experts.

3.1.8 Audit

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-BIK-22	The voter SHALL be able to inspect that his/her encrypted vote was properly registered/counted. The voter should be able to check that a particular encrypted vote was counted.	National Electoral law.	Review by national experts.
LEG-K-23	Independent audit SHALL be possible. Independent observers must be able to retrospectively inspect that the voting and vote-counting procedures were correctly performed. This means each vote must be verifiable backwards through the system to the actual ballot.	Log system.	Review by national experts.

3.1.9 Other

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
LEG-K-24	Voting system SHALL be easily accessible for all. This means manual voting must be allowed to complement the electronic voting. It also means a "help desk" function is necessary for the e-voting	Existence of help desk.	Review by national experts.
LEG-BIK-25	No additional cost (except Internet communication costs) SHALL be charged to the voter when casting his/her vote through the CyberVote system. Except Internet communication costs, the user of the CyberVote system will not support any additional equipment or usage cost.	Cost calculation.	Review by national experts.

3.2 Technical requirements

Back to Cybervote Reports List

3.2.1 Usability

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
TEC-IK-1	Clear voting alternatives SHALL be presented to the voter. The voting information must be designed so users make no mistakes in understanding the alternatives.	Voting alternatives.	User panel.
TEC-BIK-2	Ballots SHALL be unambiguously designed. The ballots must be designed so users make no mistakes in using them.	Voting alternatives.	User panel.
TEC-BIK-3	Usability standards SHALL be ensured Usability standards such as [7] and [8] include a great number of criteria which must be addressed in a context rather than one by one.	Usability.	User panel.
TEC-BIK-4	95% of the test persons involved in the trial elections SHOULD report being able to use the system without any difficulties. This requirement addresses the user-friendliness of the system, here included its design to fit the needs of the disabled persons. The ease of use has to be evaluated within interviews and usability tests with potential voters.	95% of the test persons have to be able to use the system without any difficulties.	Interviews and usability tests with potential voters.
TEC-BIK-5	Human Factor Standards SHALL be taken into account. Addresses the possible human factors standards (e.g. ISO standards, Web Accessibility Initiative (WAI) standards of the W3C - see [9], [10], [11] and [12]) that may need to be applied to the design. The system has to comply with applicable standards.	Has to comply with applicable standards (complies or not).	Compliance with the standards.
TEC-BIK-6	No computer knowledge SHALL be required by the user when casting his/her vote via the system. Once the system is properly connected to the Internet and the citizen is given to possibility to vote on-line, no particular computer knowledge shall be necessary to cast his/her vote.	Easy use of the system.	Tests with potential voters.

3.2.2 Security & compatibility

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
TEC-BIK-7	Online-voting via standard browsers (IE or Netscape in their latest available version at the time of the trial applications) SHALL be ensured.	Client software expert analysis.	Test on standard browsers.
TEC-I-8	The CyberVote SHALL find the best compromise between -the technical requirements necessary to take the legal issues and the user requirements into account, - the obligation for the CyberVote System to be supported by the different version of standard browsers.	Client software expert analysis.	Test on standard browsers.
TEC-IK-9	The system SHALL be compatible with all commonly used operating systems.	Software analysis.	Test run by software experts.
TEC-BI-10	The voting system SHALL provide an interface to import existing voter-databases (list of voters). Compatibility addresses the ability of technical solutions to communicate with other technical solutions. Every online-voting system has to be integrated in the technological equipment already used by the organisers of elections.	Number of systems/ software the CyberVote system is compatible with.	Compatibility tests.

3.2.3 Voting & vote counting

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
TEC-BIK-11	The results of the vote SHALL be given in a very short time after the closing of the poll and in any case in less than 30 minutes. The advantage of using an electronic procedure should allow calculating the tally in a very short time.	Measurements.	Control should be done during the trials.

3.2.4 Technical robustness

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
TEC-K-12	Software SHALL be hacker-tested. Analysis and tests shall be made testing security from hostile hacker attacks.	Expert analysis.	Security attacks by software experts.
TEC-BIK-13	Fail-safe system (1): It SHALL be ensured, that a system server crash during an election / in the very moment of casting a vote is recoverable. The actual status of the ballot at the moment before the crash has to be reproducible after re-booting the respective device. The proper recovering of the system status could serve as indicator for the fulfilment of this requirement. Tests (e.g. disconnecting from AC power supply during operation) have to be carried out in order to check as to what extend the requirement is fulfilled.	Proper recovering of system status.	Test (e.g. disconnecting from AC power supply during operation).
TEC-BIK-14	Fail-safe system (2): It SHALL be ensured, that a client-crash during the voting process allows a reconnect after re-booting the client device and a continuation of the voting process or to start the process all over from the beginning. This requirement addresses the proper recovering of the status of user interaction before the client crash, or resetting to the starting point. Tests (e.g. disconnecting from AC power supply during operation, or pushing the reset button during the voting process etc.) have to be carried out in order to check as to what extend the requirement is fulfilled.	Proper recovering of the status of user interaction before the client crash, or resetting to the starting point.	Test (same as TAC-B-4a, or pushing the reset button during the voting process etc.).
TEC-BIK-15	Integrity of data transfer SHALL be ensured. This requirement addresses the aspect of the integrity of the data transfer. The integrity of data has to comply with the electoral law, (e.g.in Germany, IuKDG - Federal Information and Communication Services Act - and the TKDG - Federal Telecommunication Services Act). Integrity of data means, that the receiver of data can be sure, that the data he/she received have not been changed during transfer.	Electoral law, IuKDG (Federal Information and Communication Services Act), TKDG (Federal Telecommunication Services Act). The methods to ensure data integrity have to be defined in the voting protocol development. To the best of our knowledge, signed hash-values (i.e. private key encryption) compared with original hash-values (of a vote) could be used to facilitate this.	The fulfilment of this req. can not be tested per se. The method is considered to be secure as long as the encryption cannot be compromised.
TEC-BIK-16	Data secrecy SHALL be ensured. Recorded communication between voter (voting client) and system must not be decipherable.	Recorded communication between voter (voting client) and system must not be decipherable.	Fulfilment can be tested by mathematical proof (probability calculus). The fulfilment of this req. can not be tested per se. The method is considered to be secure as long as the encryption cannot be compromised.
TEC-BIK-17	Secure data transfer during the entire voting process (wiretapping) SHALL be ensured. Impossibility to scan/wiretap and to record the communication between voting client and voting system by third parties / unauthorised entities. Usage of suitable communication protocols. This req. adds additional trust to the system. Even if recorded communication is indecipherable today, it might be cracked in some years time from now. If wiretapping/recording of communications could be prevented from the very beginning, the potential threat of decrypting votes in the future due to massively increased computing power could be invalidated.	Impossibility to scan/wiretap and to record the communication between voting client and voting system by third parties / unauthorised entities. Usage of suitable communication protocols.	The fulfilment of this req. can not be tested per se. The methods/protocols used are considered to be secure as long as nobody can provide counter-evidence.
TEC-BIK-18	Sturdiness of software and equipment SHALL be user adequate. Does the software support rough manipulation without any bugs or crashes, does the equipment support normal handling or more? The sturdiness of the system can be tested by a predefined limit of rough handling.	Should support a predefined limit of rough handling. System shall fall into a predefined status upon rough handling.	Tests (e.g. disconnect from power supply during operation, disconnect peripherals, randomly push buttons etc.).
TEC-BIK-19	The system SHALL ALWAYS be protected against any kind of software attacks. Hacking, spamming or jamming the system shall not be possible during the whole voting period.	Software analysis.	Test run by software experts.
TEC-IK-20	The system SHALL be automatically invalidated if the voter enters successively 3 wrong passwords. In that case, the voter shall not be able to cast his/her ballot through the CyberVote system but traditionally.	To be defined by the program.	Tests.

3.2.5 Maintenance

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
TEC-IK-21	Ease of equipment maintenance SHOULD be taken into account. This addresses the simplicity in maintaining the prototype system in good working order.	Software analysis.	Software experts.

3.3 Voters' requirements

Back to Cybervote Reports List

3.3.1 Control of vote

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
VOT-B-1	The voter SHALL be independent from a specific location when casting his/her online-vote. This requirement addresses the effort needed to access the online-voting system. Only prerequisite to access the system should be the availability of an IP-connection and a browser software.	Yes or No.	Not applicable. Either IP-connectivity and a browser software are sufficient, or not.
VOT-BIK-2	The voter SHALL have the possibility, just before the submission of his/her choice, to change it. A summary of the voter's choice shall be presented with the following choices : "submit" or "cancel". If the voter wants to change his/her choice, he/she will have to click on "cancel" to start again his vote. If he/she wants to valid his/her vote, he/she will click on "submit".	Yes or cancel and yes.	Tests.
VOT-IK-3	The voter SHALL be given a clear indication to inform him/her that his/her vote has been accepted A mention "vote accepted" or "has voted" to be indicated on the screen.	Visual control.	Tests during trial.
VOT-BIK-4	The system SHALL allow online-voting from home Only the possibility to vote from home is considered to be a real innovation.	Yes or No.	Access to the voting system from home shall be possible by means of a home computer, IP-connectivity and a standard browser.

3.3.2 Added value for users

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
VOT-B-5	Casting a vote via CyberVote SHALL take less than 5 minutes. When voting via paper, the overall voting procedure (authentication of the voter, receipt of ballots, filling out of the ballot form, cast in the ballot box, etc.) takes on average 15 minutes. In addition, travel to go to the polling station and back usually takes an additional 20 minutes.	Time factor (effectiveness).	Comparison of the time spent for traditional voting and online-voting.

3.3.3 Interactivity

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
VOT-BIK-6	Invalid votes: The voter SHOULD have the possibility to give comments or marking his/her vote intentionally as "invalid". The system should enable the voter to give comments and thus, to cast an invalid vote!!!	Yes or No.	Add comments to a vote and make it intentionally invalid. This vote must be clearly identified when tallying the ballot.

3.3.4 Languages

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
VOT-IK-7	The election officials SHOULD have the possibility to enter election information in ANY language. In some places, there are more than 10 languages spoken,	Yes or No.	Test.
VOT-BIK-8	The voter SHOULD have the possibility to choose between various languages (at least 3 if provided by the respective national laws. In some places, there are more than 10 languages spoken. In others, it is only allowed to vote in one official language. The voter should therefore have the possibility to choose between the authorised languages.	Yes or No.	Test.

3.3.5 Other

Identifier	Requirement	Indicator/ Criteria	How to test fulfilment
VOT-BIK-9	The user interface and ballots SHALL be easy to navigate and manipulate.	User acceptance.	Questionnaires during trials.

Back to Cybervote Reports List