3 ONLINE VOTING SYSTEMS
This chapter presents the online voting systems that are being developed today.
A principal division is made between systems that are developed and offered by private (commercial) voting companies and systems that are developed within broader e-democracy projects that are (mostly) a co-operation between governments, universities and private companies.
3.1 Commercial solutions for online voting systems
A number of companies already offer Internet voting systems today.
However, they usually do not focus on the legal constraints and requirements for real public elections.
In this analysis, public elections are defined as general elections for citizens' representatives in local, regional, national or supranational legislative bodies. As analyzed in the report on the Legal Aspects of Internet Voting (Volume 2 of this Deliverable), public elections are subject to particular rules concerning e.g. secrecy, fairness, verifiability, accuracy, democracy, etc.
Except for a few mock elections, none of the described online voting systems have yet been used in real public elections.
The companies described, however, seem to have profound knowledge of and experience in conducting private online elections (that is, elections in which voters do not choose representatives in legislative bodies).
Note that the binding Presidential Election Primaries partially conducted online in the USA do not fall within the category of "public elections". These primaries are organized to nominate a presidential candidate within a particular political party and are only subject to the election rules of that (private) political party.
3.1.2.1 Introduction
Election.com (www.election.com) is an international company with offices in New York (Garden City, Headquarters), Texas, Washington DC, Australia, France, United Kingdom and New Zealand.
The company offers solutions ranging from traditional voting systems to Internet voting.
It supplies an operational Internet voting system, which has been tried out in numerous trials.
The company claims that, by acquiring the leading election services companies around the world, it has brought together technological and election experts: the management team consists of members with skill sets that cross many specialities relating to voting and the senior executives have their professional roots in technology and/or election-related businesses.
3.1.2.2 Scope of the system
Election.com is a "complete election services provider", which manages member/voter registration, database management, traditional or Internet ballot design, tabulation, reporting, etc.
It provides a standard package called the "ElectPro product family", which is intended for associations, credit unions, pension funds and not-for-profit organisations. Customers can choose ElectPro I, II or III, depending on positions, candidates, complexity of ballot and biography requirements.
Some of their clients include: Sierra Club, Pennsylvania State Employees Credit Union, The IEEE (The Institute of Electrical and Electronics Engineers, Inc.), American Association for the Advancement of Science, The Florida Bar, AIMR (Association of Investment, Management and Research), Arizona Democratic Party, Alliance for Continuing Education, Institute of Food Technologists, Association for Speech, Language and Hearing and United Nations Federal Credit Union.
Election.com also offered websites, free of charge, a voter registration and absentee ballot request system for US citizens residing within the US or overseas.
3.1.2.3 System Overview
3.1.2.3.1 Security
Election.com makes several statements about the security of their system, some of which are quoted below. However, apart from applying standard security techniques and the use of standard cryptographic primitives, no special-purpose voting protocol is used by their system. Therefore, the election.com system is just another instance of the "trusted server approach", where ultimately the election server must be trusted both to keep the voters' votes private (ballot secrecy) and to publish the correct election result (election integrity). Note that CyberVote aims to remove this type of trust by using a special-purpose voting protocol that provides ballot secrecy and election integrity at the same time, without requiring trust in the election server.
Some election.com security statements:
"All election.com security solutions comply with rigorous industry standards and are compatible with the widest range of platforms available. There is no additional software for a voter to download or install."
"Election.com guarantees security for all phases of the online voting process, including member authentication, session verification and server protection."
"All election.com servers are protected against attack by state-of-the-art firewall and intrusion detection software."
"Security platform: We have developed a multi-layered encryption framework with the goal of ensuring a secure and confidential voting process from the start to finish. The technology that supports our voting systems has been designed to withstand "hack" attacks and has been designed to be scalable to ensure that it is capable of handling much greater volume as our business grows and online voting increases. We support a variety of security techniques including: passwords, PIN numbers, multi-factor authentication, identification questions, encryption algorithms and digital signature providing our clients with varying degrees of security to satisfy their business needs."
3.1.2.3.2 Global architecture
Ballot packages are mailed to all members (in case of a hybrid paper/online election). This package instructs members to logon to the election.com Web site to cast their vote.
Each ballot contains a unique PIN # (usually your membership ID#), as well as a random ballot sequence #. Members will be able to view the candidate biographies either online or on paper (if hybrid).
Members use their PIN # and a random ballot control # to log in to the secure election server. Following the confirmation of the login data, the Internet ballot will appear on the screen. Members can scroll through candidate biographies and point, click and cast their vote.
After a vote is cast, a final screen will appear confirming selection.
3.1.2.3.3 Techniques
"While we rely on our proprietary software to administrate, secure, tabulate and report on elections, we are committed to offering the broadest range of industry-standard based access to our system. We provide secure online voting on our platform using standard, unmodified browsers from Netscape and Microsoft. We intend to support newest Internet-based appliances as they become viable."
Techniques used include Java (on the client workstation) and PKI.
3.1.2.3.4 Platforms
"(...) we have assembled and deployed our proprietary application on a state-of-the-art platform using leading edge technologies from companies such as Cisco and Microsoft".
The election.com system is claimed to be compatible with the widest range of platforms available. There is no additional software for a voter to download or install.
Voting from mobile phones is not supported.
3.1.2.3.5 Communications
Use of the TCP/IP protocol.
3.1.2.3.6 MMI
(1) The voter enters his/her voter number and his/her password.
(2) Some questions (i.e. date of birth, department or town of birth) are randomly asked to the voter in order to check his/her identity.
(3) Once the identity is checked, the ID number and the password are stored in one database.
(4) If the voter is not identified after 3 attempts, the process stops.
(5) To vote, the voter clicks on one of the options proposed in each section.
(6) Once the voter has validated his/her vote, the vote is stored in a second database. It is not possible to link the voter and his/her vote.
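The two-database separation in steps (3) and (6) can be sketched as follows. This is an added example, not election.com code; the class, record layouts, timestamps and voter roll are constructed assumptions. It shows that separate stores give unlinkability only if they share no join key, and that the server still handles voter and choice together, which is the trusted-server limitation noted in 3.1.2.3.1.

```python
import secrets
from collections import Counter

MAX_ATTEMPTS = 3  # step (4): the process stops after three failed attempts


class TwoStoreServer:
    """Hypothetical trusted server with a voter store and a ballot store."""

    def __init__(self, roll, harden=False):
        self.roll = dict(roll)     # voter number -> password (constructed)
        self.failures = Counter()  # failed identifications per voter number
        self.voted = []            # store 1 rows: {"voter", "ts"}
        self.ballots = []          # store 2 rows: {"choice"}, plus "ts" if not hardened
        self.harden = harden
        self._rng = secrets.SystemRandom()

    def cast(self, voter, password, choice, ts):
        # The server sees identity and choice in the same request: whatever
        # it stores, secrecy depends on what it chooses not to keep.
        if self.failures[voter] >= MAX_ATTEMPTS:
            return "locked"
        expected = self.roll.get(voter)
        if expected is None or not secrets.compare_digest(expected, password):
            self.failures[voter] += 1
            return "denied"
        if any(row["voter"] == voter for row in self.voted):
            return "already voted"
        self.voted.append({"voter": voter, "ts": ts})  # step (3)
        if self.harden:
            # No timestamp, and a random insert position, so the final row
            # order of store 2 is independent of arrival order. An operator
            # who snapshots store 2 between two votes still learns the link.
            pos = self._rng.randrange(len(self.ballots) + 1)
            self.ballots.insert(pos, {"choice": choice})
        else:
            self.ballots.append({"choice": choice, "ts": ts})  # step (6)
        return "accepted"

    def tally(self):
        return Counter(row["choice"] for row in self.ballots)


def link_by_timestamp(voted, ballots):
    """Audit: join the stores on timestamp; voter -> choice where unique."""
    by_ts = {}
    for row in ballots:
        if "ts" in row:
            by_ts.setdefault(row["ts"], []).append(row["choice"])
    return {v["voter"]: by_ts[v["ts"]][0]
            for v in voted if len(by_ts.get(v["ts"], [])) == 1}


def link_by_position(voted, ballots):
    """Audit: join the stores on row position (i-th voter, i-th ballot)."""
    return {v["voter"]: b["choice"] for v, b in zip(voted, ballots)}


def simulate(harden):
    """Run a constructed eight-voter election and audit the two stores."""
    roll = {f"V{i:03d}": f"pw{i}" for i in range(1, 9)}
    truth = {v: ("A" if i % 3 else "B") for i, v in enumerate(roll)}
    server = TwoStoreServer(roll, harden=harden)
    for i, (voter, choice) in enumerate(truth.items()):
        server.cast(voter, roll[voter], choice, ts=1000 + 7 * i)
    linked = link_by_timestamp(server.voted, server.ballots)
    hits = sum(linked.get(v) == c for v, c in truth.items())
    return server, truth, hits


if __name__ == "__main__":
    for harden in (False, True):
        server, truth, hits = simulate(harden)
        print(f"harden={harden}: {hits}/{len(truth)} votes re-linked by "
              f"timestamp, tally={dict(server.tally())}")
```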
3.1.2.4 Example Trials
3.1.2.4.1 Arizona Democratic Party, March 12, 2000
The Arizona Democratic Party held "the World's first binding public election over the Internet".
On March 12, 2000, 39,942 citizens of Arizona cast their vote online during the Arizona Democratic Party's Presidential Preference Primary. This number tripled the total number of votes during the 1996 Democratic Primary.
Remote voting as well as polling place voting happened over the Internet.
3.1.2.4.2 ICANN, October 1-10, 2000
The Internet Corporation for Assigned Names and Numbers (ICANN) selected election.com to conduct the on-line elections for five directors for the ICANN board.
ICANN wanted to allow Internet users from all over the globe to have a voice in its policymaking structure for the Internet's domain name and numbering systems.
More than 76,000 Internet users around the world became At-Large members of ICANN, and were eligible to vote over a 10-day voting period from October 1-10, 2000.
According to election.com, it provided a secure login system and a voting response and tabulation system. The voting system was available to members in multiple languages, and voters were able to use the system on a 24-hour basis to accommodate busy schedules and different time zones.
Finally, more than 34,000 registered members cast their vote on-line.
3.1.2.4.3 EU Student Vote, Fall 2001
EU Student Vote (www.eu-studentvote.org) proposes the election of a European Council of Students, which will think about and discuss European Education policies, and will be an interlocutor between European Institutions and University students. The elections will take place in the Fall 2001 during three or four days. The target is to reach about 1 million voters or 5/10% of EU students.
EU Student Vote is supported by the European Commission and was launched in October 2000 by eight complementary European organisations:
· BALTIMORE (Ireland). Security of the election, by providing a "UniCERT" licence in order to generate certificates vital for the identification of voters.
· CNRS, French National Centre For Scientific Research (France). Setting up of a network of specialists (one team in each European member) so as to consider online voting through its various aspects.
· EUROPE 2020. Prospective analysis that places the European Student Vote project within a global vision of Europe in the coming decades.
· election.com (USA). Provider of a system of online registration for voters. All technical aspects of EU Student Vote.
· The Internet Society. Promotion of the event and provider of computers in the public places used for the election.
· NEUROCOM (France). Integration of each delivered certificate in the security framework (e-token or smart card) and checking that they will be sent to the right place.
· Newropeans Student Networks. Contribution to boost the student dynamic trend around EU Student Vote and organisation of the election in EU universities.
· LEONARD DE VINCI University (Italy). Marketing operations management. Control of the working of the electoral process: candidates lists, online forum, electoral registration, election days...
· PROMETHEUS-EUROPE. Technical support (making of European wide projects, knowledge of European and national institutions).
Any university or organisation that wishes to participate in the promotion or organisation (e.g., provide some computers during election days) may become a member/partner of the association.
Candidates will contact each other through this website, build their list and write a proposal on the issues related to Education.
Voters will elect one of these lists, under a proportional system, to form a council of 50 people (the European Students Council, ESC), which will then become a natural interlocutor between university students and the European Institutions.
Technically speaking, a PIN and a password will be sent by secured email to the students so as to ensure "one student-one vote" on the web.
3.1.2.4.4 www.youthevote.net, October 23 - November 2, 2000
Youth-e-vote is a non-profit project of FreedomChannel.com, a provider of political interactive media. It is powered by election.com and is also supported by Channel One, HiFusion, KidsVotingUSA and National Student-Parent Mock Election.
In this project, national registration and online voting was conducted voluntarily through the nation's schools and a www.youthevote.net website. Every student in every school was encouraged to get online to learn about the candidates, the issues and how elections work.
Students cast mock votes online for President, Senate and Governor as well as for other issues of national importance. More than one million students cast their votes between October 23rd and November 2nd with all results reported the night of November 2nd, five days before Election Day 2000.
According to election.com, this project was not only a good way to try their software and system, but it also motivated youngsters to be interested in politics and gave them a greater feeling of involvement and participation.
3.1.2.4.5 US Presidential Election, 2000
563,000 citizens living in the US registered to vote using election.com. 11,500 citizens living overseas requested absentee ballots via election.com, as did 144,900 US citizens living in the US.
Voters had to be registered with election.com or had to request an absentee ballot by logging on to election.com. About 45% of the voters using this system were in the 20 to 30-year-old age group.
3.1.2.4.6 International Association of Hewlett-Packard Computing Professionals
Election.com conducted the election for the board of directors of the International Association of Hewlett-Packard Computing Professionals (Interex).
Voters were able to cast an online vote from any home or office computer. More than 7,000 Interex members had the opportunity to cast their votes through mail-in ballots or via the Internet. Of the voting members, 57% chose to mail in their ballots, while 42% opted for online voting. Turnout nearly doubled over the previous election.
3.1.2.4.7 American Pharmaceutical Association, 2000
Election.com organised an election using a hybrid system: voters could cast their vote using paper or Internet ballots.
Customised ballots were developed for each member, so members could only vote in those races for which they were eligible.
In the first year of partnership with election.com, member participation increased by 3% over the previous year, with more than 20% of the votes cast over the Internet.
3.1.2.4.8 United Nations Federal Credit Union, 2000-2001
In this trial as well, a hybrid system was used.
In 1997, the UNFCU required its members to vote in person, at local branches. Turnout was very low, with only approximately 600-700 votes cast, none of which came from outside the U.S.
Election.com worked with UNFCU to develop a multi-year, phased approach. The solution initially replaced on-site voting with mail ballots, transitioning over time to a hybrid Internet voting system.
In 1998, turnout increased five-fold to 3,000 returns. The election in which the Internet component is introduced is currently in progress.
3.1.2.5 Cost of the System
Election.com aims at an election cost of 1 Euro per voter.
3.1.3.1 Introduction
Safevote provides technology for secure Internet voting and is located in San Rafael, California.
The company publishes an Internet voting newsletter called "The Bell" and participates in the Internet Voting Technology Alliance (IVTA, founded in Washington, D.C. in February 2000). The IVTA is a body that discusses and recommends peer-reviewed public standards for Internet voting protocols.
In January 2000, Safevote licensed Modulo Security Solutions to apply and sell Safevote Internet voting technology in Latin America. Modulo has long experience of public elections using electronic voting via closed computer networks.
Advisory Board members are being defined during the year 2000.
A demo is available at Safevote's web site (www.safevote.com), using 2000 Presidential Election ballots as an example.
3.1.3.2 Scope of the system
Safevote supports many different kinds of voting, which require different technologies.
Safevote aims at diverse markets in private, government and Internet sectors and they have a specific strategy for each of these sectors.
3.1.3.3 System overview
3.1.3.3.1 Introduction
Safevote states that three qualities are essential in their system:
· Voter privacy: the inability to know who the voter is;
· Vote secrecy: the inability to know what the vote is;
· Election integrity: the inability of any number of parties to influence the outcome of an election except by properly voting.
Safevote's products and services are based on a peer three-party and n-party technology called Multi-Party™. The design strategy behind the Multi-Party™ technology is:
· Use a few proven and simple components;
· Allow a large number of different connections of such components;
· Define trusted introducers and trusted witnesses based on qualified reliance;
· Make every connection have a trusted introducer and a trusted witness;
· Define a multi-risk model where risk can be not only "average loss" but also "probability of loss" and/or "value at stake";
· Favour multiple, independent communication channels over one "strong" channel;
· Define clear evaluation criteria such as voter privacy, vote secrecy, and election integrity;
· Put voter privacy as the first criterion.
3.1.3.3.2 Security
Safevote recently released some details on the security design of their systems. A lot of attention is devoted to generic security measures, but these are often not unique to Internet-based voting. As such these security measures are essential to any voting system, yet not sufficient to guarantee all of the security properties required of an Internet-based voting system. In particular, the Safevote system relies on so-called DVCs (Digital Vote Certificates) that are claimed to be anonymous, i.e., not to divulge the identity of the voters. However, it is not clear how it can be achieved that these DVCs are sent to voters without the party distributing these DVCs knowing which voter gets which DVC, other than by trusting this party not to record the correspondence between voters and their DVCs. A further issue is whether the election officials must be trusted not to create spare DVCs, i.e., to create more DVCs than one per voter. The following Safevote quotes are in line with this reasoning.
"The use of multiple control structures and independent channels of information can considerably increase the reliability and trustworthiness of network voting systems, as well as auditing, vote recounting and verifiability of the election."
"The DVC (Digital Vote Certificate) and Electronic Ballot components of the Multi-Party technology allow detailed real-time auditing and post-election auditing by election officials, as well as allowing each voter to verify on the Internet whether their vote was received at the servers without compromising voter privacy, vote secrecy or election integrity."
"The DVCs and their passwords are unknown at the very servers that will authenticate the DVCs. There is no voter authentication file to protect at the servers. Yet, DVCs can uniquely authenticate not only each voter to a server but also the ballot style designated to each voter by the registration service, without identifying the voter and without requiring the registration service to be online. DVCs provide for strong authentication and non-repudiation proofs within a closed-loop distributed control system. This enables an end-to-end security design that begins with voter registration and continues to ballot issuance, voting and tallying, which tallying can then be compared with earlier tamperproof entries in voter registration tables."
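One way to make the spare-DVC question checkable is a reconciliation between the registration table, a list of credential commitments published before voting opens, and the credentials accepted at tallying. This is an added example, not Safevote's design; the commitment list, record layouts, function names and all sample values are constructed assumptions.

```python
import hashlib
from collections import Counter


def commitment(credential: str) -> str:
    """SHA-256 of a credential; published instead of the credential itself."""
    return hashlib.sha256(credential.encode("utf-8")).hexdigest()


def reconcile(eligible, issued, used):
    """Cross-check three independently kept records.

    eligible: {ballot_style: registered voters}, from the registration table
    issued:   {commitment: ballot_style}, published before voting opens
    used:     [(credential, ballot_style)], as accepted by the tally server
    Returns {finding: sorted list}; an empty dict means the records agree.
    """
    findings = {}

    def add(kind, item):
        findings.setdefault(kind, []).append(item)

    # 1. More credentials issued than voters registered for a ballot style.
    for style, n in sorted(Counter(issued.values()).items()):
        surplus = n - eligible.get(style, 0)
        if surplus > 0:
            add("spare_credentials", (style, surplus))

    # 2. Each accepted ballot must trace to exactly one issued credential
    #    of the right ballot style.
    seen = set()
    for credential, style in used:
        c = commitment(credential)
        if c not in issued:
            add("unknown_credential", c[:12])
        elif issued[c] != style:
            add("wrong_ballot_style", c[:12])
        elif c in seen:
            add("reused_credential", c[:12])
        seen.add(c)

    # 3. Ballots accepted per style can never exceed the registration count.
    for style, n in sorted(Counter(s for _, s in used).items()):
        if n > eligible.get(style, 0):
            add("more_ballots_than_voters", (style, n))

    return {kind: sorted(items) for kind, items in findings.items()}


def sample_records():
    """Constructed data: one spare credential, one reuse, one unknown."""
    eligible = {"style-017": 3, "style-102": 2}
    credentials = {
        "style-017": ["dvc-a1", "dvc-a2", "dvc-a3", "dvc-a4"],  # 4 issued, 3 registered
        "style-102": ["dvc-b1", "dvc-b2"],
    }
    issued = {commitment(c): s for s, cs in credentials.items() for c in cs}
    used = [
        ("dvc-a1", "style-017"), ("dvc-a2", "style-017"),
        ("dvc-a4", "style-017"),                      # the spare, used
        ("dvc-b1", "style-102"), ("dvc-b1", "style-102"),  # reuse
        ("dvc-zz", "style-102"),                      # never issued
    ]
    return eligible, issued, used


if __name__ == "__main__":
    for kind, items in reconcile(*sample_records()).items():
        print(kind, items)
```

In the sample, the spare credential for style-017 is used while one registered voter abstains, so the per-style ballot total looks normal and only the issued-versus-registered comparison reveals it. The check says nothing about who received which credential; that still rests on trusting the distributing party.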
3.1.3.3.3 Global architecture
The machines at the voting office are connected via an effectively unknown and changing IP address, and in turn make connections to six other machines in unknown locations, again with unpublished IP addresses.
The Multi-Party™ technology uses DVCs and Electronic Ballots comprising an end-to-end secure system that provides for fail-safe voter privacy, cryptographically strong vote secrecy, and verifiable election integrity.
DVCs use a "thin client" model with the main part of the work being performed at the servers. Industry-standard SSL is used to authenticate the server to the client, but other methods can also be employed as desired.
3.1.3.3.4 Techniques
· Precinct-based and remote voting (e.g. voting from home);
· Compact and mnemonic voter credentials;
· Digital vote certificates (DVCs);
· Electronic ballots;
· High entropy ballot encoding and virus neutralization;
· Systems for detection and prevention of Distributed Denial of Service attacks;
· Voter interfaces;
· Distributed firewall systems.
3.1.3.3.5 Platforms
PC with Internet access running Linux.
Netscape browser.
No support for mobile phones.
3.1.3.3.6 Communication
Use of the TCP/IP protocol.
The technology allows interoperation with PKI technology (e.g., X.509, PKIX, PGP, SSL, S/MIME) as well as non-PKI technology (e.g., proprietary voting systems, direct recording electronic voting machines -- also called DREs).
3.1.3.3.7 MMI
The voter interface is very intuitive and uses either a mouse or a touch-screen.
3.1.3.4 Example Trial: Internet Voting Test, Contra Costa County, October 30 - November 3, 2000
During a five-day-long Internet election test, exactly 307 people cast mock votes for the 2000 Presidential Elections.
Partners:
· Secretary of State of California,
· Safevote.com
The test was done at one location, using one computer (another computer was always online but as back-up). In the test, 140 different ballot styles were actually assigned to voters based on their addresses in the county. The total number of ballot styles available in Contra Costa and in the test was 280. Average registration and login time was 60 seconds.
"No hackers managed to successfully attack the system, which was on the public Internet for five days and 24-hours per day, in spite of an attack-hotline with phone, email and web-page support, and time-saving hints provided by Safevote. (...) Attackers were also encouraged to submit theoretical attacks on the data structures used, not just the networks. Hackers also tried Denial-of-Service attacks, but with no effect. The Internet access used by Safevote was provided in dial-up and the attack test never put the election office network in Contra Costa at any risk whatsoever."
The failure modes of the system were tested by deleting ballots on purpose.
Regarding voters' feedback, Safevote claims that all voters found the system easy to use. Safevote also observed a high level of awareness of privacy and security issues among the voters. In general, voters desire to verify whether their ballots were actually received for tallying.
3.1.3.5 Cost of the System
The average cost per vote in a public election in the U.S.A. varies from $3 to $7, and Safevote claims that with their technology they can bring the cost per vote to $0.02.
3.1.4.1 Introduction
TrueBallot Inc., a company that organises automated elections, was founded in 1995 and is located in Maryland (www.trueballot.com).
TrueBallot has developed a number of systems: ScanVote, TeleVote, TouchVote and WebVote.
· ScanVote is an automated paper based registration and tallying system for mail and on site. Interesting in this system is the fact that each voter sees only those issues on which he or she is entitled to vote. So, by generating a single ballot for each voter, there is no need to generate spare ballots. Duplicate ballots can be generated and electronically tracked so that each voter can vote only once.
· The second system is the TeleVote voice voting system. "The voter calls a designated telephone number, and after passing a security check, listens to the issues that he or she is permitted to vote on. The voter then votes using the buttons of his or her touch-tone telephone. TeleVote automatically offers the voter a chance to review and change his or her vote until finished." All kinds of guarantees are offered, for example concerning secrecy: "Once the ballot is cast, it cannot be altered and cannot be traced to the voter."
· TouchVote is an on site voting system. The system is touch screen driven. Again, ballots are individualized for each voter. The voter fills out the ballot by touching the screen.
· TrueBallot also provides a WebVote system, which can be used independently or to supplement and enhance a paper ballot or TeleVote to ensure security, accuracy and efficiency. The TrueBallot database allows for a multilevel security system to make sure that only eligible voters are permitted to vote and vote only once. "Tabulation is virtually instantaneous and reporting is unlimited. TrueBallot ensures the accuracy, safety, reliability and confidentiality of organisational voting."
3.1.4.2 Scope of the system
The company designs and runs elections and referenda for organised labour and associations, both on and off-site (Unions, associations, county administrations, state administrations, school boards, government election committees, transportation committees).
Asked whether it plans to offer these election systems for public elections, the company says there are no such plans for the moment. The company seems to specialise in organizing private elections on a small scale.
3.1.4.3 System overview
No technical information available.
3.1.4.4 Example Trials
No information available.
Clients of TrueBallot include (e.g.): the American Bar Association, California Travel and Tourism Commission, Plumbers and Steamfitters Union, American, American Federation of Television and Recording Artists, American Postal Workers Union, National Air Traffic Controllers Association, Kean University etc.
3.1.4.5 Cost of the system
No information available.
3.1.5.1 Introduction
vBallot™ is the election service provided by the company Validity Systems (formerly known as the company eBallot.net). It was originally founded as VirtuVote in 1998. Their office is situated in Seattle, Washington (www.validitysystems.com).
Validity Systems' services are not restricted to online elections. They extend to building solutions designed to help the market research, education and medical industries collect and store data more efficiently.
As to their online election service, called "vBallot™", Validity Systems develops secure technologies that enable organisations to conduct secure online elections. The company claims to provide technology for secure, authenticated elections and polls that guarantees member-only participation, and also that each member will have only one vote or response. In addition, the company claims to have a cutting-edge firewall technology and encryption methods that ensure end-to-end integrity and allow for built-in anonymity and secrecy.
Validity Systems claims to have brought together recognised experts in Internet software, computer security and election administration. The company has an executive team, directors and advisors.
A demonstration is available on the web site of Validity Systems.
3.1.5.2 Scope of the system
vBallot aims to enable voters to cast e-ballots from home, from work, on holiday - anywhere access to the Internet is available.
The company works with any association, co-operative, union, non-profit or educational organisation to provide a complete election and polling experience. vBallot is able to offer its clients elections and polls with both an electronic and a paper option. By implementing a mixed-media election, an organisation can begin the phased-in transition to Internet-based voting and polling processes.
Validity Systems commits to a phased-in approach to Internet voting that aids the natural evolution of the election process. They explicitly aim to gradually integrate e-balloting with existing legal systems.
3.1.5.3 System overview
3.1.5.3.1 Security
Validity Systems claims to have a cutting edge firewall technology and encryption methods, which ensure end-to-end integrity and allow for built-in anonymity and secrecy. No special-purpose cryptographic protocols are known to be used.
3.1.5.3.2 Global architecture
The voter gets an email with an invitation to vote. He or she has to enter the voting website through a secure connection.
The voter has to follow 5 steps: Login, Ballot, Review, Cast and Finish.
· The user has to log in with his or her personal PIN-code (Personal Identification Number) and a VRN (Voter Registration Number). (This is received by traditional mail.)
· Then he or she gets the ballot; after voting, he or she can easily reconsider his or her vote in the "review-step". (The voter can repeat this process until satisfied.)
· In the "cast-step" he or she has to re-enter his or her PIN-code to send the vote and to finish (5th step). All (encrypted) ballots are sent via a secure connection to a central data centre.
vBallot has already been successfully tested using a scenario of 267,056 casts within 12 hours.
3.1.5.3.3 Techniques
· Use of a TTP (Trusted Third Party).
· Use of a PIN and a VRN (Voter Registration Number) to be used in the tabulation process.
· Firewalls.
· Encryption.
· "Flexible reporting tools that deliver comprehensive auditable tabulation and reports."
3.1.5.3.4 Platforms
PC with Internet access and a web browser. The user needs no additional software and can use a PC or Mac.
No mobile phone.
3.1.5.3.5 Communication
TCP/IP protocol.
3.1.5.3.6 MMI
No information available.
3.1.5.4 Example Trial: Reform Party USA Primary, August 7-9, 2000
Validity Systems administered the Reform Party of the United States of America (RPUSA) mixed media (choice between traditional election and internet election) 2000 Presidential Nominating primary election.
The Internet election was intended to provide the broadest access to eligible voters, to automate the tabulation and registration process, to reduce costs and time, to establish the party as a progressive party and finally to promote the voting system.
The founder and chairman of the Reform Party (Michael Farris) began to work in 1996 to revise party bylaws so they allowed electronic voting.
There were 887,928 eligible voters (nationwide). Officials estimated that 30% would vote.
Each eligible voter received a mail ballot packet including unique ballot authorisation identification (PIN + VRN).
Traditional voting began on July 17, 2000 and ended on August 8, 2000. Internet voting began on August 7, 2000 and closed on August 9, 2000 (people who voted traditionally could vote afterwards on the Internet; only the last vote is valid).
The ballot in both paper and online environment looked the same to avoid confusing voters and to ensure that all candidates were treated fairly.
An independent security team (Deloitte & Touche) supervised (and tested) all procedures to ensure the authenticity.
During voting, there was assistance (email and telephone). No major problems were experienced.
Finally, 72,631 valid paper and 5,442 electronic ballots were cast.
Officials of Validity Systems stopped all 35 attempts to hack into the Reform Party's presidential nomination process. They say the system is quite secure.
"The 2000 RPUSA presidential primary election is a prime example of how to successfully conduct a mixed-media election using paper and electronic balloting. For those considering the Internet as a tool to support an election, the RPUSA election is an illustration of both the process and the methodology deployed by Validity Systems when administering an online election." (Case Study, RPUSA Election)
In the RPUSA trial it was rather easy to change the bylaws of the party. However, the website mentions that Validity Systems is working in co-operation with various legislators to integrate e-voting in existing legal systems, without saying how this will be done.
3.1.5.5 Cost of the system
No information available.
3.1.6.1 Introduction
VoteHere.net is located in Bellevue (Washington) and was founded in 1996 (www.votehere.net).
At first, this company only supplied cryptography products for the Internet. Meanwhile, VoteHere.net was developing an election system, which was launched in 1998 and is now operational.
VoteHere.net claims to have a strong technical background combined with a track record of successful, secure elections, both private and public. There is a Management team, a Board of Directors and an Advisory board. Members have a strong technical background (cryptography, Internet security, algebraic and geometric computation, etc.), business, financial, management and government experience and experience in human resources, customer service etc.
VoteHere.net works together with the following companies:
· Compaq and VoteHere.net have worked together to deliver complete solutions for the online voting pilots for the November presidential election.
· Content Technologies is a leading global supplier of content security and policy management solutions.
· Counterpane Internet Security offers security services for business and e-commerce. Counterpane provides security monitoring, as well as penetration detection, prevention, and response.
· InterNAP develops technologies, techniques and services to deliver Internet packet data from point to point in the fastest and most reliable way possible, using existing Internet backbone infrastructure.
· Dallas Semiconductor designs, manufactures and markets a broad line of mixed-signal and specialty semiconductors. Markets served include broadband telecommunications, wireless handsets, cellular base stations, secure Internet communications, networking, servers, and data storage.
· F5 develops turnkey solutions that increase the availability and performance of Internet Protocol (IP)-based servers and network devices such as firewalls, routers, cache servers, and proxy servers.
3.1.6.2 Scope of the system
The system is said to be able to be used "in any case where individual preferences are sought, fraud is unacceptable, and privacy is paramount" (e.g. corporate employee and customer surveys, university and organised labour elections).
VoteHere.net offers two different products:
· VoteHere Platinum - This system is designed to meet the stringent security, audit and verification standards for public-sector elections. VoteHere Platinum, which is targeted for certification as an election system in the United States and internationally, provides the highest levels of security, privacy and verifiability. VoteHere is currently pursuing certification of its Platinum system for binding public elections in more than 40 U.S. states.
· VoteHere Gold - This system is targeted for use in private sector elections, surveys, polls, and market research. VoteHere Gold is designed for companies and organizations where security and privacy are a high priority for their online elections and the system provides greater security than typical Internet financial and e-commerce transactions. A demo is available on the website.
3.1.6.3 System overview
3.1.6.3.1 Security
The VoteHere.net systems are closest in nature to what is targeted by the CyberVote project. Two extracts from the VoteHere.net website are included below.
"The critical element of 'distributed trust.' It is generally satisfactory for a poll or survey to be conducted by a "trusted authority" (a single entity who is entrusted with the task of ensuring the integrity of an election) as there is little to no incentive for that authority to change the outcome and little incentive for outsiders to pay off someone to change the outcome. Conversely, in a public sector government election, the outcome is of much greater importance and - although illegal - there are powerful people and organizations that may have the resources to "fix" an election outcome by influencing someone on the "inside". Therefore, whether using the Internet or conventional procedures, a public sector election must be overseen through a "distributed trust" or multi-authority process where a number of designated persons must be present to activate the "key" to tabulate the results of the election."
"Universal verification. VoteHere.net election systems store all the encrypted ballots, which contain the voter's name followed by an encrypted string of alphanumeric characters indicating their choice. This allows the election to be audited to verify who has voted without disclosing how they voted, as required by state election law. Once the polls close, election authorities and designated observers use tabulation keys to decrypt only the election tally. Individual ballots remain encrypted, ensuring that all voters' choices remain private. As each online vote is received at the "ballot box" (Data Center), a confirmation is sent to the voter informing them that their ballot has been cast successfully. The individual ballots, which remain encrypted, are permanently recorded on indelible media to allow for a recount should it be necessary."
Apart from these fundamental cryptographic properties the systems also use state-of-the-art security techniques to achieve good overall security.
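The two properties quoted above, a tally that is decrypted without opening any individual ballot and a tabulation key that only works when enough authorities co-operate, can be illustrated with exponential ElGamal and a Shamir-shared key. The sketch below is an added example, not VoteHere.net's code or protocol (the page does not specify it). The toy group parameters, the trusted dealer, the 3-of-5 threshold, the sample votes and all function names are assumptions.

```python
import secrets

# Assumed toy group (far too small for real use): P = 2Q + 1, both prime,
# and G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def shamir_split(secret, t, n):
    """Split secret (mod Q) into n shares; any t of them determine it."""
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def keygen(t, n):
    """Return the election public key and one key share per authority.
    Assumption: a trusted dealer; real systems generate the key jointly."""
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), shamir_split(x, t, n)

def encrypt(pub, vote):
    """Exponential ElGamal: the vote (0 or 1) sits in the exponent.
    A real scheme also attaches a proof that the vote is 0 or 1."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), pow(G, vote, P) * pow(pub, r, P) % P

def add_ballots(ballots):
    """Multiply ciphertexts component-wise; the result encrypts the sum."""
    a = b = 1
    for ca, cb in ballots:
        a, b = a * ca % P, b * cb % P
    return a, b

def partial_decrypt(share, a):
    """One authority's contribution, computed on the aggregate only."""
    return pow(a, share, P)

def lagrange_at_zero(i, ids):
    """Lagrange coefficient of share i for interpolation at 0 (mod Q)."""
    num = den = 1
    for j in ids:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def combine(partials, b, max_tally):
    """Combine t partial decryptions, then find the tally by small search."""
    ids = list(partials)
    a_x = 1
    for i, d in partials.items():
        a_x = a_x * pow(d, lagrange_at_zero(i, ids), P) % P
    g_m = b * pow(a_x, -1, P) % P
    for m in range(max_tally + 1):
        if pow(G, m, P) == g_m:
            return m
    raise ValueError("no tally in range")

def run_election(votes, t=3, n=5, present=(1, 3, 5)):
    """Encrypt each vote, aggregate, and decrypt only the aggregate."""
    pub, shares = keygen(t, n)
    # Ballot box: voter name next to an encrypted choice.
    box = {name: encrypt(pub, v) for name, v in votes.items()}
    a, b = add_ballots(box.values())
    partials = {i: partial_decrypt(shares[i], a) for i in present}
    return combine(partials, b, max_tally=len(box))

# Constructed sample input: 1 = yes, 0 = no.
SAMPLE_VOTES = {"voter-A": 1, "voter-B": 0, "voter-C": 1, "voter-D": 1}

if __name__ == "__main__":
    print(run_election(SAMPLE_VOTES))
```

The authorities only ever apply their shares to the aggregated ciphertext, so the stored per-voter ciphertexts are never opened.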
3.1.6.3.2 Global architecture
After off-line authentication, the registered voter is provided with a digital certificate, typically stored on a floppy disk, to be used when he or she casts his or her ballot.
To cast a vote, the user accesses the VoteHere.net website through an Internet-connected computer. Here the user is prompted for personal identification as well as their digital certificate. After authorization, the voter is presented with a personalized ballot.
When the voter casts his or her vote, the ballot is encrypted, digitally signed and sent to the VoteHere.net secure election center. All encrypted ballots are stored on indelible media. Once the polls close, election authorities and designated observers use cryptographic keys to decrypt only the election tally; the individual ballots remain encrypted.
Extracts from the VoteHere.net website:
"Voters are authenticated either by poll workers at a poll-site or in the same manner that mail-in or absentee voting is done today - through a voter declaration form submitted to the county prior to the election. Once authenticated, the registered voter is provided with a digital certificate, typically stored on a floppy disk, to be used when they cast their ballot."
"When the voter is ready to cast their ballot, they access an Internet-connected computer (either at the poll-site or remotely) and enter the VoteHere.net election website. The voter will be prompted for personal identification as well as their digital certificate. Once the system acknowledges that the voter is eligible to vote, the voter is presented with a personalized ballot containing lists of candidates, initiatives, and referenda specific to their district. Using a mouse or other pointing device, voters make choices by clicking next to candidate names or next to yes or no for ballot measures. At the end of the process, choices are displayed for confirmation and the voter clicks on a "Cast Your Ballot" button."
"At this time, the ballot is encrypted, digitally signed and sent to the VoteHere.net secure election center. When the center receives a ballot, it checks the digital signature for verification and then removes the voter's name from the list of eligible voters, thus preventing multiple ballot entries by the same registered voter - one person, one vote. The VoteHere Election System stores all the encrypted votes on indelible media. For each ballot issue or race, the ballot box contains the voter's name followed by the 1024-bit encrypted string of alphanumeric characters indicating their choice. This allows the election to be audited to verify who has voted without disclosing how they voted. Once the polls close, election authorities and designated observers use cryptographic keys to decrypt only the election tally; the individual ballots remain encrypted."
3.1.6.3.3 Techniques
Extract from the VoteHere.net website:
- Physical Data Center Security
"The VoteHere Gold system is hosted at a secure facility with controlled, monitored access."
- Data Center Infrastructure
"The data center utilizes uninterruptible power supplies, the physical space is protected with a non-destructive fire suppression system, and the data center is climate controlled with redundant cooling systems."
- Internet Connectivity Provider
"Internet connectivity is provided by a high-end vendor offering premium services for mission critical applications. The vendor utilizes private network access points to work around Internet congestion and has developed intelligent routing technology to directly deliver data to and from destinations in a faster more reliable manner."
- System Architecture
"The system is designed for high availability, redundancy, scalability, simplicity, and security. Extraneous functionality has been removed to simplify the system and remove possible security threats. The system does not run on a general Internet connection and is designed at every level to only allow traffic and capabilities necessary for running, managing, and monitoring the election."
"Before any ballot is written to the database, it is first written to optical media that serves as an original copy of all ballots received."
- Security Monitoring
"The VoteHere Gold system utilizes three levels of monitoring: Our ISP, Counterpane Internet Security, and the VoteHere operations staff."
- PIN Structure
"VoteHere provides 10-digit alphanumeric PINs to ensure the integrity and security of the voting process."
- System Logs
"The system provides extensive logs of the entire election process, which can be analyzed in many forms. The logs can be used to detect intrusion activity and attempts at election fraud and also serve as a comprehensive audit trail."
- Secure Transfer and Storage of Data
"Completed ballots are transmitted over the Internet using Secure Socket Layer (SSL) encryption. Ballots are received at the VoteHere.net election data center, encrypted using 1024 bit encryption and stored on a secure server. In order to ensure voter privacy, the votes are tallied without ever being decrypted."
- System Monitor
"The VoteHere Gold System Monitor provides our customers with unparalleled remote access to real-time, in-depth information related to their online election or survey. The System Monitor can be accessed through a standard web browser from any Windows-based computer and does not require plug-ins or additional software."
3.1.6.3.4 Platforms
Browsers supported (PC):
· Netscape: 4.5, 4.51, 4.6, 4.61, 4.7;
· Internet Explorer: 4.01, 5.0
Browsers supported (MAC):
· Mac Netscape 4.5, 4.51, 4.61, 4.7;
· Internet Explorer: not supported
Operating Systems supported:
· Windows 95, 98, NT4.0;
· PowerMac OS 8.6 or higher
This means that you cannot cast your vote using a mobile phone.
3.1.6.3.5 Communications
All online communications are done using the TCP/IP protocol with SSL (Secure Socket Layer) security.
Extract from the VoteHere.net website:
- Internet Connectivity Provider
"Internet connectivity is provided by a high-end vendor offering premium services for mission critical applications. The vendor utilizes private network access points to work around Internet congestion and has developed intelligent routing technology to directly deliver data to and from destinations in a faster, more reliable manner."
3.1.6.3.6 MMI
Extract from the VoteHere.net website:
"Once the system acknowledges that the voter is eligible to vote, the voter is presented with a personalized ballot containing lists of candidates, initiatives, and referenda specific to their district. Using a mouse or other pointing device, voters make choices by clicking next to candidate names or next to yes or no for ballot measures. At the end of the process, choices are displayed for confirmation and the voter clicks on a "Cast Your Ballot" button."
3.1.6.4 Example Trials
VoteHere.net has participated in many election projects. A few are examined more closely below.
3.1.6.4.1 Iowa Municipal Election, Woodbury and Johnson Counties, Iowa November 2, 1999
In a few Iowa counties, a mock Internet election was conducted using Internet polling stations in parallel with standard poll-site voting.
Voters cast their votes traditionally and then were given the option to also vote on identical ballots via an Internet polling station available at the same location.
3.1.6.4.2 Presidential Primary, Thurston County, Washington, February 29, 2000
Voters had the opportunity to participate in a countywide mock Internet election during the Washington State presidential primary.
3,638 voters cast ballots over the Internet and 94% said that they would vote that way if it were offered as an option in the future.
Internet ballots were cast from remote locations such as homes and offices, and also from ten official polling sites where Internet equipment was stationed alongside conventional election equipment.
3.1.6.4.3 Kansas State University Student Governing Association (SGA) Election, Manhattan, Kansas, March 6-8, 2000
Students from the campuses of Kansas State University participated in a binding university Internet election.
Over the three-day period, students were able to vote remotely from any computer with Internet access. Students were authenticated through the university's K-State Access Technology System (KATS) that interfaced to the VoteHere.net system for vote casting.
3.1.6.4.4 Presidential Preference Primary, Florida, March 14, 2000
More than 5700 high school students in two Florida counties could cast their votes for the United States president in a mock Internet election.
The counties' Supervisors of Elections sponsored the election.
Poll-sites were set up at the campus and students were able to register to vote as well as cast their ballots online.
3.1.6.4.5 Boeing SPEEA contract vote, Seattle, Washington, March 19, 2000
VoteHere.net was used to bring about a rapid resolution to contract negotiations between Boeing management and the union, the Society of Professional Engineering Employees in Aerospace (SPEEA).
More than 70% of SPEEA engineers and technical workers voted on March 19 to accept the contract offer.
The VoteHere.net system was also used for out-of-state members to vote on the contract offer. A voter authentication protocol had been created to ensure that only valid, out-of-area SPEEA members had access to the system.
3.1.6.4.6 Cornell University Election Ithaca, New York, September 27, 2000
Cornell University students elected officers in an online election on September 27 using the VoteHere Gold Election System.
The entire voting process was conducted online: there were no traditional paper ballots.
Cornell holds a second student government election in March 2001, in which 19,000 students have the opportunity to cast ballots online.
Computers were set up on campus poll-sites.
VoteHere.net states: "We were able to make good use of university resources and made voting more convenient for students, which led to a significant increase in voter turnout, and provide timely election results more efficiently than before. Students found the on-line election easy to use and not as stressful as the old paper-based process"
3.1.6.4.7 Mock online US Presidential Elections, October - November 2000
3.1.6.4.7.1 San Diego, California
From October 23 to 27, 2000, voters in San Diego County, California had the opportunity to cast ballots online in a presidential election trial of online voting.
Partners:
· Secretary of State Bill Jones,
· San Diego County Registrar Mikel Haas,
· VoteHere.net (secure online voting system)
· Compaq Computer Corporation (iPAQ Internet appliances).
The pilot election was held in a poll-site on Election Day. During the online election trial, voters were able to vote a sample ballot.
The San Diego trial was the first of three online voting pilots conducted by VoteHere.net.
3.1.6.4.7.2 Sacramento, California
From October 30 to November 7, 2000, voters in Sacramento County, California had an opportunity to cast ballots online in a presidential election trial of online voting.
Partners:
· Secretary of State Bill Jones,
· Sacramento County Registrar Ernie Hawkins,
· VoteHere.net (secure online voting system).
· Compaq Computer Corporation (iPAQ Internet appliances).
The Sacramento County trial was the second of three online voting pilots by VoteHere.net.
3.1.6.4.7.3 Maricopa County, Arizona
On November 7, 2000, voters in Maricopa County, Arizona had an opportunity to cast mock ballots online in a presidential election trial of online voting.
Partners:
· Secretary of State Betsey Bayless,
· Maricopa County Recorder Helen Purcell,
· VoteHere.net (secure online voting system)
· Compaq Computer Corporation (iPAQ Internet appliances).
This trial was the third of three online voting pilots conducted by VoteHere.net.
3.1.6.5 Cost of the system
No information available.
3.1.7.1 Introduction
Votia Empowerment (short: "Votia") is a Swedish company, founded in June 2000 by 2nd and 3rd generation Internet professionals (www.votia.com).
The company sees itself as an e-democracy company offering services for effective information, dialogues and media-independent decision-making. Votia claims to offer the only available service that combines information, interaction and media-independent voting.
It aims to develop software that enables people, not only to vote, but also to take part in dialogues, online or via fax, letter and telephone.
Votia.com explicitly aims at using technology to innovate new forms of democracy and it claims to be well-placed to influence how politics is organized in the future.
Votia emphasizes that e-democracy is more than just voting at your computer or posting information on the Internet. By creating continuous dialogues, where individuals make decisions on a direction or a goal, you redefine the political landscape and make democracy something more than an election held every four years.
Votia introduced its first e-democracy project in Sweden in the fall of 2000. Discussions with potential clients in Norway are also under way. Votia aims to begin its international expansion in Europe later in 2001. The goal is to have a minimum of 20 million voters using the company's services in 2003.
Votia is comprised of people who have solid experience in both national and international politics, communications, marketing, public affairs, and the Internet in such companies as Levi's, Torget.se, Electrolux, Unilever, Pepsico, Procter & Gamble, Telia, Startup Factory and General Electric. The company also has an extensive advisory board.
3.1.7.2 Scope of the system
The company offers integrated services for cost effective, media-independent dialogues in public sector and for non-profit or commercial organisations.
They make available information, organise individual interaction and help their customers to put issues to the vote.
The company's objective is to help municipalities, political parties, trade unions and other interest organizations to build credibility and long-term relationships with citizens, members, and others.
3.1.7.3 System overview
No information available.
3.1.7.4 Example Trials
3.1.7.4.1 Municipality of Kalix, spring 2000
Kalix commune is situated in the very north of Sweden. About 18 000 citizens live there permanently.
In 1999, it was decided to organise a project with the aim to collect the priorities and views of the citizens, concerning certain societal matters. The project was named the "Kalix deliberation". A catalogue with 25 suggested areas of concern was defined and distributed publicly. Among these topics it was found that the topic of inner communal environment attracted the most citizen interest. Therefore, this subject of interest was chosen for further study.
All citizens of this town in Northern Sweden were included in the discussion of the new city plan for the downtown area. This was done through information, debate and finally a vote.
During a period of two weeks in spring 2000, a series of channels for collecting citizen opinions was opened.
These included mail, telephone, fax, voice and the Internet. In total, 1200 statements were received, compared with the few dozen that had been normal earlier.
A collaboration with Votia Empowerment was set up. Votia was chosen because the company had its roots in Kalix and offered technological participation in the project at a low cost.
Information about the "Kalix Deliberation" was spread via local mass media and the communal Internet site. The costs of this campaign were kept very low: only about 10,000 Euro was spent.
The software that Votia developed and used was based on available standard packages, expanded with specific presentation modules created for the purpose of this project. Users were registered in order to avoid multiple answers.
The result of the deliberation showed a clear environmental interest on the part of the Kalix citizens. This interest was unexpectedly clear, and was later used as input for political decisions. However, there was no well-defined and exact connection between the citizen view and the political decision-making. This was on purpose: the Kalix commune wanted to keep its democratically representative decision structure. This was a decision taken by the political majority.
At the end of the year 2000, the commune is considering continuing the deliberation process, making the citizens' will more precise by repeating the process. However, no clear decisions have yet been taken about this. A discussion is going on concerning the possibilities of enhancing the sharpness of the "citizen voice", via the Internet and by other means.
Although it was carried out at a low technical level, politicians and concerned citizens consider the Kalix deliberation a success. It has been said that the technology in this project is not as important as the citizen views presented.
3.1.7.4.2 Other trials, 2000-2001
Votia Empowerment has also initiated discussions with Region Skåne, and with Norrmalm's city council in Stockholm, about arranging a citizen dialogue regarding the traffic situation.
"Today, the local democracy is built, at best, on the citizen's right to say yes or no to the building of a new mall in the district after looking at a given suggestion. Instead of this, the political leaders could open a dialogue with the citizens. They can do this without limited and expensive old voting procedures, and also with increased effectiveness compared to having the discussion every four years", says Niklas Nordström, who is a partner and a member of the company's advisory board, and adds: "We are not leaving anyone out since our service works with Internet, fax, letters, and soon with phone."
Other Votia clients are the Social Democratic Youth Organization, Region Skåne, and the Swedish Union of Insurance Employees.
In the beginning of 2001, further dialogues will be initiated.
3.1.7.5 Cost of the system
No information available.
In the next two tables the available information on the commercial solutions is summarized. The first table contains more general information, whereas the second table lists the more technical information.
3.1.8.1 General
Table 1: General information on commercial solutions
| System | Country | Start | Certification | Trial-elections |
|---|---|---|---|---|
| Election.com | USA | 1996 | No | American Pharmaceutical Association - binding |
| Safevote.com | USA | 199 | No | Internet Voting Test, Contra Costa County, (30/10 - 3/11/00) - non-binding |
| Trueballot.com | USA | 1995 | No | No information available |
| Validity Systems | USA | 1998 | Aim to gradually integrate with existing legal systems. | Presidential Nominating Primary Reform Party (7-9/8/2000) - binding |
| Votehere.net | USA | 1996 | Pursuing (for public binding elections in more than 40 U.S. states) | Iowa Municipal Election, Woodbury and Johnson Counties, Iowa (2/11/99) - non-binding |
| Votia Empowerment | Sweden | 2000 | No | Kalix Community (spring 2000) - non-binding |
The column 'Certification' lists whether the commercial solution is pursuing certification of its system(s) for binding public elections.
3.1.8.2 Technical
Table 2: Technical information on commercial solutions
| System | Voting protocol | Authentication | Client platforms | Tool or service |
|---|---|---|---|---|
| Election.com | "Trusted server" approach | No information. | Widest range of platforms available. | A complete election service provider. |
| Safevote.com | "Trusted server" approach | No information. | PC with Internet access. | Technology for secure Internet voting. |
| Trueballot.com | No information. | No information. | No information | WebVote system |
| Validity Systems | No special-purpose cryptographic protocols known to be used. | PIN and Voter Registration Number. | PC with Internet access. | vBallot system |
| Votehere.net | Homomorphic threshold scheme. | Digital certificate on floppy disk. | PC with Internet access. | VoteHere Platinum and VoteHere Gold. |
| Votia Empowerment | No information. | No information. | No information. | Services for effective information, dialogues, and media-independent decision-making. |
3.2 Project developments for online voting systems |
In Europe, a number of e-democracy projects have recently been initiated, which among others investigate the possibilities of developing online voting systems.
It is typical for these projects to investigate compliance with (legal and user) requirements for public elections, at both national and European level.
3.2.1.1 Introduction
The CHOOSE project is run by a group of students of the Technical University of Delft, under supervision of Pieter G. Maclaine Pont, who is affiliated with TNO TPD. One of the main goals of the project is to develop an electronic voting system suitable for use over open networks, such as the Internet. It has been applied in student elections held at the TU Delft in May 2000.
3.2.1.2 Scope
The project aims at obtaining a functional specification of an electronic voting system, which can be used over open networks, such as the Internet. Due to historic connections with a group within IBM, it was decided to only use symmetric cryptography in the system, such that relatively cheap smart cards (equipped with the DES algorithm) can be used. Of course, this limits the level of security that can be reached, e.g., it is impossible to implement digital signatures with non-repudiation.
A prototype implementation of the system was used in a student election. The students needed a smart card to complete the voting process. The students had to visit a polling station to cast their votes; voting from a remote location was not supported.
3.2.1.3 System overview
3.2.1.3.1 Techniques
The system is based on the Master's thesis by Herman Robers, a student of the TU Delft. The thesis is entitled "Electronic elections employing DES smart cards" and was completed in December 1998. We have not found any publications based on the thesis, so the election system has not been subjected to any form of peer review.
The voting process consists of at least two stages. In one stage the voter's smart card is loaded with a certain token. In the second stage the actual vote is cast. Like some other systems, the vote should actually be cast over an anonymous channel, but this is not implemented.
A more extensive review of the protocols is deferred to D6, vol.1 [13]. At this point, we note that the parties holding the master key(s) must be trusted not to use these keys to break the security/privacy of the system.
3.2.1.3.2 Platforms
There is not much information available on this aspect. It is mentioned that it should work with major browsers, but this is not so much of an issue for elections from polling stations. Furthermore, the system uses the "Studentenchipkaart", an existing smart card issued to Dutch students.
3.2.1.3.3 Global architecture
The server side of the system is split into two parts: the election committee controls one part and the other part processes the votes during the election. On the client side, a smart card owned by the voter is used in combination with a PC connected to the Internet. The system seems to allow both public PCs and privately owned PCs.
The part of the server handling the votes is said to buffer the incoming votes, removing references to the sender of the vote and the time the vote was received. This is an attempt to create an anonymous channel, but clearly this requires full trust in the server to "buffer" the incoming votes as described. Note that even if this part of the server follows the protocol, this is no guarantee that no other part of the system keeps track of the links between voters and votes.
3.2.1.3.4 Communication
Any Internet connection suffices. An SSL connection is probably used to authenticate the information sent by the server to the client (e.g., the ballot form).
3.2.1.3.5 Interface
No specific information was found.
3.2.1.3.6 Validation
The system was used in a campus-wide election at TU Delft on May 30-31, 2000, after a couple of tests with smaller elections. The system performed well, and will probably be used in future elections at the university. It was also possible to vote using paper-based ballots. The electronic votes were cast from public PCs spread over the campus.
3.2.1.4 Evaluation
Given the fact that the system is based solely on symmetric cryptography, the result is quite good. Also, the voting protocol is rather efficient, requiring only a minimum amount of resources from the smart cards used. The steps to be performed by the server are a bit cumbersome, though, as they involve the processing and storage of a long list of values before the election starts.
The security of the system is, however, completely based on trust in the server. The server manages the master keys, by which votes can be linked easily to voters. The master key is required to be present only in a tamperproof "cryptofacility"; but this does not exclude the existence of copies of the master keys. The server must also be trusted to not keep track of the voters when they cast their vote, as described above, because of the lack of an anonymous channel. Several security measures have been incorporated to decrease the required level of trust in the server, but the effect of such measures is ultimately limited. We will consider these aspects further in D6, vol.1 [13].
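The trust argument above can be made concrete with a generic key-diversification sketch: when card keys are derived from a server-held master key, whoever holds that key can reproduce any card's authentication tag and can test an unlabelled ballot against every card. This is an added example, not the CHOOSE protocol (which this chapter does not specify). HMAC-SHA256 stands in for the DES-based card operations, and the card ids, ballot encoding and function names are assumptions.

```python
import hashlib
import hmac
import secrets

def derive_card_key(master_key: bytes, card_id: str) -> bytes:
    """Per-card key diversified from the master key (assumed scheme)."""
    return hmac.new(master_key, b"card|" + card_id.encode(),
                    hashlib.sha256).digest()

def card_tag(card_key: bytes, ballot: bytes) -> bytes:
    """What the smart card computes over the ballot it submits."""
    return hmac.new(card_key, ballot, hashlib.sha256).digest()

def server_verify(master_key, card_id, ballot, tag) -> bool:
    """Verification re-derives the card key, so the verifier holds it too."""
    expected = card_tag(derive_card_key(master_key, card_id), ballot)
    return hmac.compare_digest(expected, tag)

def link_ballot(master_key, card_ids, ballot, tag):
    """Audit question: can a stored (ballot, tag) with the sender stripped
    still be attributed? With the master key, yes: try every card."""
    for cid in card_ids:
        if server_verify(master_key, cid, ballot, tag):
            return cid
    return None

def audit(master_key, card_ids, stored):
    """Return, per stored ballot, the card it links to under this key."""
    return [link_ballot(master_key, card_ids, b, t) for b, t in stored]

def demo():
    master = secrets.token_bytes(32)
    cards = ["card-0001", "card-0002", "card-0003"]  # constructed ids
    # Cards vote; the buffering server stores ballots without sender or time.
    stored = []
    for cid, choice in zip(cards, [b"list-2", b"list-1", b"list-2"]):
        ballot = choice + b"|" + secrets.token_hex(8).encode()  # per-ballot nonce
        stored.append((ballot, card_tag(derive_card_key(master, cid), ballot)))
    stored.reverse()  # arrival order is lost, as the buffer intends
    linked = audit(master, cards, stored)                     # master-key holder
    unlinked = audit(secrets.token_bytes(32), cards, stored)  # anyone else
    # No non-repudiation: a tag the card never produced still verifies.
    ballot = b"list-1|server-made"
    server_tag = card_tag(derive_card_key(master, "card-0001"), ballot)
    accepted = server_verify(master, "card-0001", ballot, server_tag)
    return linked, unlinked, accepted

if __name__ == "__main__":
    print(demo())
```

Stripping sender and time from the stored ballots does not help against the key holder, which is why the number of master-key copies and where they live is the property to audit.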
3.2.2.1 Introduction
E-poll: Electronic polling system for remote voting operations (www.e-poll-project.net).
E-Poll is an IST project (N° IST-1999-21109) relating to Administrations. It concerns the subject of online democracy (Action line 1.1.2-1.4.2).
The partners of the consortium are:
· Siemens Informatica (prime partner) (Italy): management of the overall project, creation of the kiosk software, management of the security aspects of the voting
· The Italian Ministry of Interior (Italy): validation and evaluation of the feasibility of every aspect of the new processes, software and methodology, check and evaluation of all the regulatory issues
· Ancitel (Italy): a service company owned by ANCI, the National Association of Italian Municipalities; user, analysis of multilevel information flows (citizens, Local and National Authorities).
· Sopra/Municipium (Poland): Polish organisation responsible for the promotion of the Internet to Polish local communities; suitable training of local government partners for implementing the project in the Polish test area
· AEC - Aquitaine Europe Communication (France): French Aquitaine area; user; definition of requirements, definition of the functional and technical specifications
· France Telecom R&D (France): contribution to description, specification, development and deployment, general security problems and terminal specifications and field testing.
The total cost is 1,7 million Euro.
The project started on 4 September 2000 and will end in August 2002.
Trials will begin in October 2001.

Figure 1: Planning of the E-Poll project
3.2.2.2 Scope of the system
Extract from the E-Poll web site:
"The E-Poll system will build and test a network based electronic vote system. The project will begin with an analysis requirements, system design and selection of technologies. The project will be defined as to be suitable for large scale deployment. Security aspects will also be highlighted, the project intends to publish a complete vote protocol draft, describing the information flows and the security solutions emphasising the cryptography used to protect the vote. The protocol draft will be submitted to academic institutions for peer reviews. When the requirements have been finished three different workgroups will respectively develop a network suitable for electronic votes, a set of databases and servers to support electronic voting and a secure voting booth including a biometrics capable smart-card."
3.2.2.3 System overview
3.2.2.3.1 Security
France Telecom R&D has relevant expertise in cryptography and electronic authentication. In particular, this concerns a blind signature algorithm developed by France Telecom within a previous European research project.
The network designed for E-Poll will provide all the security attributes needed.
The smart card with an embedded biometric fingerprint reader (provided by Siemens) will perform the voter recognition.
3.2.2.3.2 Global architecture
The system is based on electronic ballot boxes, a server dedicated to the count and a secured network for the transmission.
The voter will use a smart card with an embedded biometric fingerprint reader, which performs voter recognition.
Extract from the E-Poll web site:
"The core of the E-Poll system is the EVBN (European Virtual Ballot Network), based on the new voting process. The network is a functional system allowing communication between administrations at different level. The information flow includes: normative harmonisation support, consultation/election information publishing, procedures support, training sessions, vote operations, virtual booth management. From the technical point of view, the VIS (Voting Information Server) provides high services and configuring the thin-client application. The NETW (NETWork infrastructure) designed around e-poll is the infrastructure which supports all the system functionalities providing all the security attributes needed. The e-poll network infrastructure provides also resources both from the storage and services provision. [...] The recognition system is completely separated from the VS (Voting System). The VS is based on a specific kiosk developed to address also elderly and disable people needs in term of usability. It works as the thin client of e-poll system; the kiosk itself is the base of the virtual booth operation and the project will investigate the adoption of mobile broadband communication to connect them, in order to insure the highest level of security without poor performances. The VCS (Vote Collection System) is the secure storage of encrypted ballots which guarantees the arrival of all cast ballots and their consistency. The system hosts all virtual booths creating a secure environment for votes anonymity. The BS (Ballot System) is the system performing activities in the final phase of the voting process."

Figure 2: Overview of the E-poll system
3.2.2.3.3 Techniques
No information available at this stage of the project.
3.2.2.3.4 Platforms
Public terminals (mobile electronic ballot boxes called kiosks). No other terminal and no mobile phone.
3.2.2.3.5 Communication
IP protocol.
3.2.2.3.6 MMI
Extract from the E-Poll web site:
"Common citizens and voters will also be involved in user groups both to determine the ergonomics of the voting hardware, particularly concerning impaired and elderly people, and to find ways to increase trust in the electronic vote process amongst the general public."
The electronic ballot box will have a tactile screen.
3.2.2.4 Example Trials
Experimental mobile voting booths will be deployed in hospitals and old people's homes at two pilot sites in France and eight in Italy. 8000 people will participate in public binding elections in 2002. In each country, the aim is to hold both non-political consultations and political elections or consultations.
3.2.2.5 Further development
Extract from the E-Poll web site:
"The project investigates broadband mobile communications based on the UMTS standard for providing the E-Poll network with the required bandwidth and security."
The press release of the project adds that the ADSL standard is being considered too. The creation of virtual rooms for the presentation of candidates and of electoral programmes is among the possible next topics of the project.
3.2.2.6 Evaluation of the online voting system
E-Poll considers the following security-related problems:
· Secure transactions through Internet,
· Storage of ballots on a server,
· Encryption of ballots,
· Authentication and anonymity of voters.
Universal verifiability is apparently not considered by E-Poll.
Furthermore the E-Poll project will gather citizens and voters in a user group to identify the requirements of the voting system.
Finally the E-Poll project will recommend legislative changes.
3.2.3 InternetStem (Netherlands)
3.2.3.1 Introduction
The InternetStem project consisted of a shadow election held in conjunction with the Dutch national elections on May 6, 1998. The project ran for a few weeks only, the goal being to investigate the viability of voting over the Internet in public elections. A major requirement was that the system achieved an advanced level of security and privacy.
The project was initiated by Cap Gemini Netherlands, and involved the following companies:
· Cap Gemini Netherlands (coordination and system integrator);
· NLsign: TTP, provider of server-certificate and responsible for issuing client certificates to the voters;
· DigiCash: provider of the voting engine (client and server part);
· BitIC: design of website;
· Compaq: provided Proliant servers;
· UUNET: provided fast connection with Internet backbone;
· Van Rossum & Partners: responsible for public relations;
· D66: Dutch political party supporting the initiative.
Despite some technical problems, the project was considered a success. About 500 people successfully cast their vote, and the result of the shadow election was presented right after the deadline passed, at D66's after-election party on May 6, 1998.
3.2.3.2 Scope
The goal of the project was to show that Internet voting in public elections is a viable alternative to existing methods (in the Netherlands, voting is mainly done by means of electronic voting machines from polling stations). Apart from being accessible to a large population of users, the major requirement was that a high level of security and privacy was achieved.
Anyone was allowed to take part in the election, and there were no precautions taken to prevent the same person registering under different names (in fact, email addresses were used to distinguish voters). To each voter (email address) at most one client certificate was issued, which is required to authenticate the ballot. Of course, in a real election the client certificates must be distributed to the voters, such that each eligible (and only eligible) voter gets exactly one certificate.
The shadow election was preceded by a referendum, which consisted of five questions. The voters could take part in this referendum in the final week before the election. During the same period people were able to register for the shadow election. Registration was also required for the referendum. The certificate obtained during registration could be used both for the referendum and the shadow election. Registration on May 6, the election day, was not allowed.
3.2.3.3 System overview
3.2.3.3.1 Techniques
Figure 3 gives an overview of the InternetStem system. Both the client and the server part of the voting engine were implemented in Java, the voting client as a Java applet and the voting server as a Java application. The client PC was allowed to be behind a firewall or proxy, which causes no problem unless the firewall is very restrictive. On the server side actually two servers were used to do the work (not counting the firewall). The front-end was formed by an SSL-enabled webserver and the back-end consisted of the actual voting server.

Figure 3: Overview of the InternetStem system
The voting engine used a universally verifiable protocol for the referendum part of the election and a weaker variant for the shadow election itself (for performance reasons). In CyberVote we envision the use of similar protocols, which are essential for achieving ballot secrecy and verifiability of the election result.
Client-side certificates were used for voter authentication. Client-side certificates are supported by all major browsers, and are used in conjunction with the SSL protocol. The SSL protocol is usually used with server-side certificates only. The client certificates were issued to the voters by NLsign, using software similar to, for instance, VeriSign's software for issuing this type of certificate. The certificates issued are from the lowest class (w.r.t. security); for this class only an email address is required. Still, as NLsign included one manual step in the issue process, obvious abuses were prevented. For instance, it would have been noted if many certificate requests originated from email addresses with the same domain name.
Once the client-side certificate has successfully been downloaded to the voter's PC (which implies that a password-protected public/private key pair has been created on the client's PC), the user could enter the vote section of the webserver. When accessing the vote section, an SSL connection is automatically set up between the voter's PC and the webserver. This ensures mutual authentication (and encryption) of the data exchanged between the PC and the webserver.
The vote section contains the voting applet which is downloaded to the PC. The applet cannot be changed by outsiders since it is sent over the SSL connection. The applet allows the voter to cast a vote, which is encrypted according to the voting protocol, and returned over the SSL connection. Note that the encrypted vote is not digitally signed, but authenticated because of the SSL connection. The web server then delegates the response of the voter to the voting server.
Once the deadline was reached, the votes were tallied using the voting server, and the result was published on the webserver.
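The following added example, which is not the InternetStem code, shows in Python how a front end can demand a client certificate on the SSL/TLS connection and accept at most one ballot per certificate identity until the deadline. The function and class names, the one-ballot-per-poll rule, the lower-casing of addresses and the sample certificates are assumptions made for illustration.

```python
import ssl

def make_vote_section_context(ca_file, cert_file, key_file):
    """Server-side TLS context: present the server certificate, demand a client one."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid client certificate
    return ctx

def voter_email(peercert):
    """Return the e-mail address from a dict shaped like SSLSocket.getpeercert() output."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "email":
            return value.lower()  # assumption: addresses are compared case-insensitively
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "emailAddress":
                return value.lower()
    raise ValueError("client certificate carries no e-mail address")

class VoteSection:
    """One poll (referendum or shadow election): at most one ballot per certificate."""
    def __init__(self):
        self.voted = set()    # identities seen on the authenticated connection
        self.ballots = []     # encrypted ballots, opaque to the front end
        self.open = True

    def close(self):
        self.open = False     # deadline reached: nothing more is accepted

    def submit(self, peercert, encrypted_ballot):
        if not self.open:
            return "closed"
        email = voter_email(peercert)
        if email in self.voted:
            return "duplicate"
        # The ballot carries no signature: the identity comes only from the TLS session.
        self.voted.add(email)
        self.ballots.append(encrypted_ballot)
        return "accepted"

# Constructed sample certificates (not taken from the project).
CERT_A = {"subject": ((("commonName", "Voter A"),), (("emailAddress", "A@example.org"),))}
CERT_B = {"subject": ((("commonName", "Voter B"),),),
          "subjectAltName": (("email", "b@example.org"),)}

if __name__ == "__main__":
    poll = VoteSection()
    for cert, ballot in [(CERT_A, b"ct-1"), (CERT_A, b"ct-2"), (CERT_B, b"ct-3")]:
        print(voter_email(cert), poll.submit(cert, ballot))
```

Because the stored ballot is unsigned, the back-end voting server and any later auditor have only the front end's word that a ballot arrived on an authenticated connection.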
3.2.3.3.2 Platforms
Being a software-only solution, any Java 1.0 enabled browser could be used. Hence, the system could be used not only on Windows-based PCs but also on PCs/workstations running Unix or Linux, and on Macs. The following table lists the combinations actually used during the shadow election:
Table 3: Client platforms used in InternetStem
Browser | Operating system | Java Virtual Machine |
Microsoft Internet Explorer 3.0 | Windows 95 x86 4.0 | Java 1.0.2 |
Microsoft Internet Explorer 4.0 | Windows 95 x86 4.0 | Java 1.1 |
Microsoft Internet Explorer 4.0 | Windows 95 x86 4.10 | Java 1.1 |
Microsoft Internet Explorer 4.0 | Windows NT x86 4.0 | Java 1.1 |
Netscape Communicator 4.0 | 16-bit Windows x86 3.1 | Java 1.1.2 |
Netscape Communicator 4.0 | FreeBSD i386 2.2.6 STABLE | Java 1.1.2 |
Netscape Communicator 4.0 | HP UX 9000/720 B.10.10 | Java 1.1.2 |
Netscape Communicator 4.0 | IRIX mips 5.3 | Java 1.1.2 |
Netscape Communicator 4.0 | Linux i486 2.0.27 | Java 1.1.2 |
Netscape Communicator 4.0 | Mac OS PowerPC 7.5 | Java 1.1.2 |
Netscape Communicator 4.0 | SunOS sparc 5.4 | Java 1.1.2 |
Netscape Communicator 4.0 | Windows 95 x86 4.0 | Java 1.1.2 |
Netscape Communicator 4.0 | Windows 95 x86 4.0 | Java 1.1.4 |
Netscape Communicator 4.0 | Windows 95 x86 4.10 | Java 1.1.2 |
Netscape Communicator 4.0 | Windows 95 x86 4.10 | Java 1.1.5 |
Netscape Communicator 4.0 | Windows NT x86 3.51 | Java 1.1.2 |
Netscape Communicator 4.0 | Windows NT x86 4.0 | Java 1.1.2 |
Netscape Communicator 4.0 | Windows NT x86 4.0 | Java 1.1.5 |
Netscape Navigator 3.0 | HP UX 9000/777 B.10.20 | Java 1.02 |
Netscape Navigator 3.0 | IRIX mips 6.2 | Java 1.02 |
Netscape Navigator 3.0 | Mac OS PowerPC 7.5 | Java 1.02 |
Netscape Navigator 3.0 | OS/2 x86 20.40 | Java 1.1.4 |
Netscape Navigator 3.0 | OSF1 alpha V4.0 | Java 1.02 |
Netscape Navigator 3.0 | SunOS sparc 5.5 |