2 - Elections: Basic principles |
  |
2 ELECTIONS: BASIC PRINCIPLES |
This chapter focuses on the basic principles of democratic elections.
These principles are laid down in International Convents and Declarations, and in numerous National Constitutions.
For implementing an online voting system, two basic principles are mainly important:
· The principle of non-discrimination, laid down in article 2 of the International Convent on the Civil and Political Rights, article 2 of the Universal Declaration of Human Rights, article 14 of the International Convent on the Protection of Human Rights and Fundamental Freedoms and for instance article 11 of the Belgian Constitution
· The principle of democratic elections, laid down in article 15 of the International Convent on the Civil and Political Rights, article 21.3 of the Universal Declaration of Human Rights, article 3 of the protocol of 20th of Mars 1952 to the International Convent on the Protection of Human Rights and Fundamental Freedoms and for instance articles 61, 62 and 63 of the Belgian Constitution.
2.1 The Principle of Non-discrimination |
|
The right not to be discriminated is a basic right in a democratic society. In general this means that every citizen has the right to enjoy his rights and freedoms without discrimination.
This rule inter alia obliges the government to certify equal access, without discrimination, to public elections.
The right not to be discriminated is laid down in various international and national regulations.
Article 2.1. of the International Convent on Civil and Political Rights states: " Each State Party to the present Covenant undertakes to respect and to ensure to all individuals within its territory and subject to its jurisdiction the rights recognised in the present Covenant, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status."
Article 2 of the Universal Declaration of Human Rights states: "Everyone is entitled to all the rights and freedoms set forth in this Declaration, without distinction of any kind, such as race, colour, sex, language, religion, political or other opinion, national or social origin, property, birth or other status. Furthermore, no distinction shall be made on the basis of the political, jurisdictional or international status of the country or territory to which a person belongs, whether it be independent, trust, non-self-governing or under any other limitation of sovereignty."
Article 7 of the same Declaration provides the following: " All are equal before the law and are entitled without discrimination to equal protection of the law. All are entitled to equal protection against discrimination in violation of this Declaration and against any incitement to such discrimination".
Article 14 of the International Convent on the Protection of Human Rights and Fundamental Freedoms: " The enjoyment of the rights and freedoms set forth in this Convention shall be secured without discrimination on any ground such as sex, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth or other status."
For example, article 10 of the Belgian Constitution prescribes the following: "There are no class distinctions in the State. Belgians are equal before the law; they are the only ones eligible for civil and military service, but for the exceptions that could be made by law for special cases."
Article 11 of the same Constitution states: "Enjoyment of the rights and freedoms recognized for Belgians should be ensured without discrimination. To this end, laws and decrees guarantee notably the rights and freedoms of ideological and philosophical minorities."
The right of non-discrimination and equality is generally and internationally recognised.
These rights are laid down in International convents and therefore have absolute priority over national law.
The Convents on the European Union do not contain general provisions concerning equality and non-discrimination. However, the European Court of Justice has derived a general equality-principle. This general principle of law has priority over all Community and national law.
When enabling online voting in national or Community law, the principle of equality and non-discrimination thus should be observed. Therefore, it is important to accurately describe the content of this principle.
In general, the principle of equality and non-discrimination prescribes that equal situations should be treated equally and unequal situations should be treated unequally, if that would be necessary to enable everyone to enjoy his/her rights and freedoms without discrimination.
This principle however does not exclude certain categories of people to be treated distinctly, but only if the criterion for the distinction is objective and reasonable. This has to be judged from the viewpoint of the goal and consequences of the proposed treatment. The principle of equality is violated, if the distinct treatment is not reasonably proportional to the aimed goal.
So what is the obligation for governments? In general, the prohibition to discriminate implies a prohibition to unreasonably limit the rights and freedoms of a category of persons than those rights and freedoms of other categories. The principle of equality implies an obligation to take certain positive actions to ensure an equal treatment.
We should apply these principles to public elections and to the implementation of an Internet voting system in particular.
In general, the application of the non-discrimination and equality principles means that everyone should be equally able to participate in public elections. Therefore, the government not only has to avoid enacting laws, which unreasonably discriminate against certain categories of persons, but also has to ensure equal accessibility to the voting process. Government thus has to take active measures to enable absents, ill and disabled people to vote.
Does the non-discrimination and equality principle pose problems when implementing an Internet voting system?
This question has to be subdivided: polling place Internet voting and remote Internet voting.
When Internet voting is allowed at (any) existing polling places (polling place Internet voting), there is no difference in accessibility in comparison with traditional voting at a polling place. Polling places are equally accessible for all citizens. There could however be discrimination if the polling place Internet voting system co-exists with traditional polling place voting, if the former does not comply with the standards for democratic elections6: then there is indeed an unreasonable discrimination between those who have access to a system that complies with the requirements for democratic elections and those who do not have access to such a system. But if both systems equally comply with these standards, this situation will not be discriminative.
The implementation of a remote Internet voting system could prove to be more problematic. In these systems, the voting would not take place at a traditional polling place, but at any location.
The California Internet Voting Task Force proposes a two-phased implementation of remote Internet voting: Internet voting from a public place and Internet voting from a PC at home or work (or mobile phone). Four situations should therefore be distinguished:
1. A system ONLY allowing voting from a PC at home or work (or mobile phone);
2. A system ONLY allowing voting from an informal public polling place;
3. A system allowing voting from an informal voting kiosk AND from an official polling place;
4. A system allowing voting from a PC at home or work (or mobile phone) AND from a public (official or informal) polling place.
1. Undoubtedly it would be discriminative if voting in public elections were allowed ONLY from a PC at home or at work or from a mobile phone, and not at public (polling) places. This would eliminate a great number of people who do not have access to a computer or mobile phone, without a reasonable cause.
2. Would it be discriminative ONLY to allow voting in public places, which are informal and not official polling places with official staff? If these places are easily accessible to the whole of the population, at least equally as it is today, this cannot be considered to be discriminative. Accessibility however also means user friendliness of the system: the system should be easy to use for every citizen, without discrimination. Therefore, it also might be necessary to provide each voting place with someone able to assist people who are not familiar with using a computer.
3. What if a system of remote Internet voting at an informal public voting place co-exists with a polling place Internet voting system? If both systems are equally accessible, and equally comply with the standard for democratic elections (see later), such a situation would not be discriminative. There can however be discrimination if the polling place Internet voting system does comply with the standards for democratic elections and the remote Internet voting system does not.
4. It becomes more difficult to decide on equal treatment when the system of remote Internet voting at home or at work co-exists with the system of Internet voting from an official polling place or informal public kiosk. Though all voters are equal, they are treated differently: people who have (at home or at work) Internet access or access to a mobile phone, are allowed to vote from there; people who do not have that access, have to vote at a kiosk or polling station.
First of all, we should look at the purpose of this distinct treatment. The purpose of implementing Internet voting is generally circumscribed as the enlargement of people's participation by enlarging accessibility to the voting process. This purpose (enlarging the base of democracy) certainly is legitimate.
But is enabling remote Internet voting from a PC at home or work for only a limited category a reasonable measure to achieve this purpose? This is an important discussion from which the outcome can actually not be predicted.
In order the question to be answered positively, the Internet voting system should make every effort to grant very easy access to the public voting machines to all citizens, without distinction. Extending the voting period from only one day to more consecutive days and the placement of voting machines all over the county (libraries, supermarkets, groceries, post offices, banks, etc.) could serve this purpose.
An Internet voting system should - and we believe that in fact it can - comply with the non-discrimination right: every citizen should equally have access to the election process.
Therefore, at least the following rules should be taken into account when developing and implementing an Internet voting system:
(1) Every citizen should have equal access to the ballot box, be it a PC at home or work, a PC at a kiosk or other public place, a PC in an official polling place or a traditional, paper-based system;
(2) The system should be friendly for every user, independent his education, age, intelligence, physical condition, etc.; therefore a user-friendly interface is of mayor importance;
(3) A kind of system of assistance could be developed, in order equal access to be guaranteed;
(4) When implementing the Internet voting system, every (stage of the) system has to comply equally with the basic principles of democratic elections7;
(5) An adapted system should be developed for:
a. Ill and disabled voters
b. Absent voters
We believe that, if these requirements are met, the implementation of an Internet voting system should pose no problems concerning non-discrimination and equal treatment.
2.2 The Principle of Democratic Elections |
|
The right to democratic elections (without discrimination8) is another basic principle for a democratic society.
A political system is indeed only democratic to the extent in which decision makers are under effective popular control, which in practice means that democratic rulers are chosen, or rejected through periodically held elections.
The numerous international, regional and national regulations however do not describe the right to free and fair elections very accurately and quite vague terms are used: "genuine elections", "secret ballot", "free expression", "secret vote or equivalent free voting procedure", etc.
How these vague principles are concretised in the jurisprudence of the competent courts and how an Internet voting system can comply with these concretised standards is investigated below.
Numerous International and national legislations prescribe the right to democratic elections.
Article 25 of the International Covenant on Civil and Political Rights prescribes the following: "Every citizen shall have the right and the opportunity, without any of the distinctions (...) and without unreasonable restrictions:(...) To vote and to be elected at genuine periodic elections which shall be by universal and equal suffrage and shall be held by secret ballot, guaranteeing the free expression of the will of the electors; (...)"
Article 21 of the Universal Declaration of Human Rights states the following: "(1) (2) (...) (3) The will of the people shall be the basis of the authority of government; this shall be expressed in periodic and genuine elections which shall be by universal and equal suffrage and shall be held by secret vote or by equivalent free voting procedures."
Article 3 of this Protocol to the Convention for the Protection of Human Rights and Fundamental Freedoms deals with the right to free elections: "The High Contracting Parties undertake to hold free elections at reasonable intervals by secret ballot, under conditions which will ensure the free expression of the opinion of the people in the choice of the legislature."
For instance, the Belgian Constitution states in article 61: "The members of the Chamber of Representatives are elected directly by citizens who have completed the age of eighteen and who do not fall within the categories of exclusion stipulated by law. Each elector has the right to only one vote."
Article 62 of the same Constitution: "The establishing of the constituencies or electoral colleges is governed by law. Elections are carried out by the system of proportional representation that the law determines. The ballot is obligatory and secret. (...)"
Art. 63 §4 of the Constitution: "The law determines the electoral circumscriptions; it also determines the conditions required to be an elector as well as those for the carrying out of electoral operations."
2.2.3.1 Introduction
In order to have a first impression of the range of these provisions, we can take look at a following comment of the Committee on Human Rights, adopted at its 1510th meeting (57th session) on July 12, 1996.
"19. In conformity with paragraph (b), elections must be conducted fairly and freely on a periodic basis within a framework of laws guaranteeing the effective exercise of voting rights.
Persons entitled to vote must be free to vote (...) without undue influence or coercion of any kind, which may distort or inhibit the free expression of the elector's will. Voters should be able to form opinions independently, free of violence or threat of violence, compulsion, inducement or manipulative interference of any kind. (...)
20. An independent electoral authority should be established to supervise the electoral process and to ensure that it is conducted fairly, impartially and in accordance with established laws which are compatible with the Covenant. States should take measures to guarantee the requirement of the secrecy of the vote during elections, including absentee voting, where such a system exists. This implies that voters should be protected from any form of coercion or compulsion to disclose how they intend to vote or how they voted, and from any unlawful or arbitrary interference with the voting process. Waiver of these rights is incompatible with article 25 of the Covenant. The security of ballot boxes must be guaranteed and votes should be counted in the presence of the candidates or their agents. There should be independent scrutiny of the voting and counting process and access to judicial review or other equivalent process so that electors have confidence in the security of the ballot and the counting of the votes.
Assistance provided to the disabled, blind or illiterate should be independent. Electors should be fully informed of these guarantees.
21. Although the Covenant does not impose any particular electoral system, any system operating in a State party must be compatible with the rights protected by article 25 and must guarantee and give effect to the free expression of the will of the electors. The principle of one person, one vote, must apply, and within the framework of each State's electoral system, the vote of one elector should be equal to the vote of another. (...).
22. State reports should indicate what measures they have adopted to guarantee genuine, free and periodic elections and how their electoral system or systems guarantee and give effect to the free expression of the will of the electors. (...)
Reports should also describe the laws and procedures, which ensure that the right to vote can in fact be freely exercised by all citizens and indicate how the secrecy, security and validity of the voting process are guaranteed by law. The practical implementation of these guarantees in the period covered by the report should be explained."9
It is clear that all requirements interfere with each other. In the following analysis, we will treat the subject in the following way:
1. Free and secret
2. One person, one vote
3. Reliable, secure and verifiable
2.2.3.2 Analysis
2.2.3.2.1 Free and secret
In order elections to be free and fair, it must be possible to freely cast a vote, without influence or coercion of any kind, which may distort or inhibit the free expression of the elector's will. Voters should be able to form opinions independently, free of violence or threat of violence, compulsion, inducement or manipulative interference of any kind and without any pressure of any kind.
Freedom and secrecy are closely related.
Secrecy could be seen as a conditio sine qua non for the non-coercibility of a voter. It can only be guaranteed that one is not coerced in casting his vote, when he voted in secret and the ballot remains secret during the voting process.
2.2.3.2.1.1 Secrecy
The very first requirement for democratic elections thus must be the secrecy of the vote. Not only it has to be possible to cast a secret vote, government also has to guarantee - as far as possible - the secrecy of the vote during elections, including absentee voting, where such a system exists. This implies that voters should be protected from any form of coercion or compulsion to disclose how they intend to vote or how they voted, and from any unlawful or arbitrary interference with the voting process.
In traditional elections, secrecy is - inter alia - guaranteed as follows: the voter can freely fill out his ballot, in the secrecy of the voting booth and the voter can put his ballot in the ballot box, folded, in such a way that the names for the candidates for who he has voted cannot be seen, and his vote remains anonymous. 10
But can the ballot-secrecy be observed with Internet elections? Which requirements should the system observe?
Secrecy should be observed in three steps of the voting procedure: (1) the transfer of the vote, (2) after the transfer and (3) before the transfer.
Particularly the guarantee of secrecy before the transfer of the vote will in some cases prove to be a problem.
(1) CyberVote will be able to provide state of the art technical solutions for the secrecy of the vote from the moment of the encryption and transfer, receipt, collecting, storage and tabulating of the ballot. During the voting procedure (this is, from the moment the encrypted ballot goes "online" to be transferred), no one (not even official staff) may be able to relate a particular vote with a particular content to a particular voter.
This issue is closely related to the security of the voting system: the system should implement secure technical measures, which make it impossible the secrecy of the vote to be breached.
(2) CyberVote should also make sure that it will be technically impossible to find out, after the ballot has been sent by the voter and received by the system, how the voter has voted. If this would be possible, votes could be bought, sold or coerced. Indeed, from the moment it would become possible to prove one voted in a certain way, influence and pressure become enforceable. This should be avoided.
Therefore, once the vote has been cast, encrypted, sent and received by the system, it would be the safest never, in any way, to reveal the content of the vote, not even to the voter himself.
One could however decide to provide the system to send a confirmation of the receipt of the vote by the CyberVote server, including the content of the vote cast. This would certainly enhance verifiability and reliability of the system11:voters can verify that the system does not change the vote cast during and after its transfer.
However the sending of a confirmation containing the content of the vote is dangerous: the confirmation could be used to enforce illegitimate influence.
First of all, this confirmation may never be communicated on a kind of durable medium, like a printed receipt, or in a digital form, which could be saved on a carrier of any kind.
Even if the confirmation is not communicated on a durable medium, confirmation could however prove to be problematic. Distinction should be made between polling place Internet voting and remote Internet voting.
In the former, a confirmation of receipt of the vote by the central server, including the content of the vote, could be communicated to the voter without the danger of violating the secrecy of the vote, if the voter receives the confirmation in the secrecy of the voting booth.
In the latter, there is no guarantee whatsoever that the confirmation could not be seen or consulted by a third person other than the voter himself.
About this aspect of secrecy, see (3).
It will have to be investigated (on a technical level) if it is possible to provide a confirmation, including the content of the vote cast, but without offering the possibility this confirmation to be shared with others, at the moment of receipt of the confirmation, or at a later moment, by recording the confirmation.
Voters could for example be provided with the possibility to consult their vote in an online directory, which can only be accessed by using the personal digital signature. However, here the same problems occur as with the secrecy of the vote before encryption and transfer of the vote: it cannot be guaranteed, even when a digital signature is used, that the online register is not consulted in the presence of other persons.
The only 100% safe solution will be the mere confirmation of the receipt of the vote, which could maybe also include some other relevant information (time of receipt, duration of the transfer, etc.). On a technical level, a confirmation at the time of voting stating that the information submitted has been recorded by the voting server is well possible. The voting client only needs to check that the confirmation states the same encryption as sent by the voter. The voting client may then store this signed confirmation. (There are "threshold" techniques where a signed confirmation is only produced if a majority of servers (say 6 out of 10) acknowledges receipt of the encrypted vote. In that case the voter need not check anything once the signed confirmation has been received.) Note that, if digital signatures are used, the server cannot create additional signed encrypted ballots, but it could still omit some in the election result. Using the signed confirmation a voter may then file a complaint. The voter does not lose privacy or anything in releasing the signed confirmation.
This however does not mean that the system may not provide a confirmation before the vote has been sent by the voter. This in principle does not violate secrecy requirements and allows the voter to correct mistakes before sending his vote. It also enhances verifiability and reliability of the system12: voters can verify that the system does not change the vote cast before transferring it.
(3) When implementing an Internet voting system, the secrecy-requirement will give rise to difficult questions as to the secrecy before the encryption and transfer of the ballot. This however is part of the broader requirement the election to be free, without coercion or undue influence of any kind. Therefore, we refer to the next paragraph about the requirement the elections to be free.
2.2.3.2.1.2 Freedom
As explained above, the freedom to vote can be seen to be a broader condition than the secrecy of the vote.
It means that undue influence of the voter should be prevented.
In traditional elections, it is for example not allowed to influence electors at the polling place or in its vicinity.
2.2.3.2.1.2.1.1 Coercion
As described above, CyberVote will develop a system, which will be able to guarantee the secrecy of the ballots, using state of the art encryption methods. But cryptography can only guarantee secrecy from the moment the vote is encrypted. It cannot guarantee the secrecy of the vote, prior to the moment of encryption. Neither can the System prevent the secrecy of the vote to be violated when an elector votes from a PC at home or work, from a computer at an informal public place or kiosk, or from a mobile phone.
Therefore, freedom and non-coercibility can only be fully guaranteed if the material circumstances in which the vote is cast can be controlled. These material circumstances can be established when Internet voting is only allowed from official polling places (phase one, stage one and two13), possibly - if certain measures are taken - also when it will be allowed from unofficial public places and kiosks (phase two, stage three).
But when Internet voting will be possible from home or work or from a mobile phone, these material circumstances cannot be implemented or enforced. This can lead to abusive practices: the buying and selling of votes, coercion by family members or by employers or colleagues, etc.
It could be questioned if such remote Internet elections (stage four) can therefore be considered to be free and thus to comply with the basic requirements for democratic elections.
Secrecy and non-coercibility are closely related to the problem of the authentication of the voter: as a 100% secure electronic authentication based on physical characteristics (finger prints, eye structure, etc.) is actually not yet possible, it can technically not be guaranteed that the voter who casts the vote is also the voter, authenticated by the system, unless compulsive material circumstances are created. This problem will be addressed under the chapter dealing with the "one person, one vote"-principle.
Are these requirements however not to be circumscribed less absolutely? Are there really no exceptions? And does the freedom of the vote not have to be interpreted in light of contemporary society?
First of all, there are indeed exceptions to the requirement of absolute secrecy. The requirement is for example weakened in traditional electoral systems, which allow voters, ill, disabled or residing abroad, to cast an absentee ballot through ordinary mail. In such a system, non-coercibility is not guaranteed in the phase of the casting of the vote. The only - doubtable? - guarantee is provided during the transfer of the vote, after the vote has been put in the envelope.
This is partially avoided in a system in which absentee ballots are cast through mandates (proxy-voting). But in essence, when one gives a proxy, he in fact also loses control over the content of his vote.
We should however take into account that these systems are exceptions: they can only be used if a voter is physically unable to vote. It is an exceptional possibility, created to enable a category of people to equally exercise their right to vote. The non-coercibility has been compromised, in order to serve a higher purpose, being the right to be able to vote. As it is an exception, which serves a legitimate purpose, it can in principle not be generalised in order to become the general rule.
However, this exception also indicates that there would be no legal obstacle to introduce a remote Internet voting system (stage four), which would only be open for absent, ill or disabled persons. The only requirement for such a system would in principle be to be at least as safe as the existing absentee balloting system.
The conditions for absentee balloting will be examined later in this report.14
Secondly, the specific filling-in of the abstract principle is influenced by changes in society. Is, in today's society, freedom of the vote not experienced to be less absolute? We should however remark that, however people have less scruples about their political preferences, the requirement of freedom mainly exists to avoid anomalies (illegitimate influence), which will always exist.
To conclude, we believe that laws should be enacted to provide obligatory and enforceable rules as to the material circumstances in which a vote has to be cast, and as to the sanctioning of illegitimate influencing a voter.
The former rules could for example provide that a vote at home or at work has to be cast on a computer in a separate room without the presence of persons other than the voter himself.
The latter rules could provide serious sanctioning of whatsoever acts concerning for example the buying and selling of votes, the threat with and use of violence, etc. It is to be remarked that in today's election laws, these acts are already defined to be illegal.
The compliance to these rules should be systematically controlled and violation thereof should give rise to heavy penalties. Complaints concerning violation should seriously be considered and investigated accordingly.
2.2.3.2.1.2.1.2 Political propaganda
The role of the Internet might be double concerning political advertisement and propaganda.
On the one hand, the Internet is an ideal medium to enable people to cast an "informed vote". The Internet offers enormous possibilities to diffuse the opinion of candidates and their parties and therefore becomes a major source of information on which electors can base their preference. The Internet can therefore enhance the "quality" of the vote and therefore also the quality of democracy.
It is however to be investigated how these new possibilities relate to the requirement the elections to be conducted freely.
It will be particularly important to know how national election laws fill in the requirement the elections to be conducted freely.15
In principle, we do however not see as a problem the fact that voters are able to surf the Internet for information on political parties and candidates prior to casting their vote. Today it is also not prohibited to consult political advertisement prior to going to the polling place.
The situation is however different when voters are on the Internet voting website, and, without their prior demand, political advertisement pops on their screen. In traditional elections it is neither allowed to advertise in (the vicinity of) the polling place. CyberVote should make it technically impossible such advertisement to be shown on the Voting website.
Finally, it is clear that undue influence of a voter can also be exercised in numerous other ways than through the Internet itself. These types of influencing can however not be technically prevented. Therefore, it is of major importance to provide compelling rules, which prohibit such illicit behaviour and accordingly provide serious sanctions and penalties.
2.2.3.2.1.3 Conclusion
In order CyberVote to comply with the standard of free and secret elections, the following should be observed:
(1) Guarantees as to the secret casting of the vote, before the vote is encrypted. The fulfilment of this requirement however mainly depends on the stage of the Internet voting system and more specifically on the material circumstances in which the vote is cast: in an official polling place, from a kiosk, or at home/work.
(2) As to point (1), we believe that CyberVote does not have the possibility itself to provide a technical solution for the situation in which the secrecy of the vote cannot be technically guaranteed in a remote Internet voting system, unless measures are taken on policy level and laws are drafted and enacted which impose compelling and enforceable measures and which sanction illicit behaviour.
(3) If CyberVote implements a voting system alternatively to existing mail-in voting systems, this remote Internet voting systems should have at least the same level of guarantees as to the secrecy of the vote.
(4) The secrecy of the vote has to be guaranteed, after encryption, during transfer, reception, collection and tabulation: no-one, not even official election staff may be able to relate a particular vote with a particular content to a particular voter. This procedure has to be secure, reliable and verifiable.16
(5) Confirmation of the vote after the ballot has been transferred and received by the CyberVote central server, enforces the confidence in the system, but can in principle not relate to the content of the vote. Confirmation of the content, before the voter gives command to encrypt and transfer the vote, does however not violate the secrecy of the vote, on the condition a confirmation is never given in any durable way, or in a way allowing saving or copying the confirmation.
(6) Guarantee that, once online connected to the website of CyberVote, no advertisement for political parties or candidates can be made without the prior demand of the voter.
(7) Strong legal framework as to the prohibition and sanctioning of any illegitimate influence which could restrict the voter's freedom to vote in any way.
2.2.3.2.2 One person, one vote
2.2.3.2.2.1 Introduction
The universal and equal suffrage is another basic principle of democratic elections: each elector has the right to only one vote. Therefore, it should be made impossible a person to vote more than once. This principle also provides that every vote counts equally and therefore measures have to be taken in order to avoid a valid vote to get lost and consequently not to be counted. Finally, the principle is closely related to the security-requirement: a validly cast vote may not be able to be altered or removed in the course of the voting process.
2.2.3.2.2.2 Analysis
Four principles should be analysed: (1) only legitimate voters can be allowed to vote; (2) each legitimate voter can vote only once; (3) every legitimately cast vote has to be counted once (votes may not be lost or multiplied); (4) a legitimately cast vote may not be able to be altered in the course of the voting process.
Particularly important will be to see how these requirements are implemented in traditional and electronic elections.17
In general, it is of primary importance the voter to be authenticated in order to decide whether she is allowed to vote and whether she has already cast a valid vote. Authentication thus is first key-element, which concerns points (1) and (2).
As already mentioned, security and reliability are a second key-element, which will be treated under the next paragraph, and mainly concern number (3) and (4).
(1) - (2) In order only legitimate voters to be allowed to vote, voters should be authenticated.
The authentication procedure to be applied depends on the stage of the Internet voting system. In a polling place Internet voting system, voters are authenticated physically. In a remote Internet voting system, voters are mainly (or exclusively) identified digitally.
In general, physical authentication means that a voter is identified, based upon one or more physical characteristics: gender, face, fingerprint, eye-structure, signature, handwriting, DNA-structure, etc.
Digital authentication is performed by using a personal, secret code, which can be a number incorporated in a magnetic or chip-card, or a simple letter and/or figure combination, etc.
Physical authentication is the traditional way to identify voters. In traditional elections, voters usually go to the polling place in person, where they present themselves before an election official who controls the identity between the voter (his face, his fingerprint, his signature) and the identification material (a picture on an identity-card or election card, a fingerprint or signature on an official registration card, etc.). This physical identification procedure guarantees - at least should guarantee - that only eligible voters vote and vote only once.
The digital authentication is in fact an indirect way to identify voters: the identity between a name and a code (for instance the digital signature, which can only be used in combination with a personal and secret password) is controlled.
Before it can be used, in a preliminary phase, the code (and the matching password) has to be provided to the voter. Basically, this can be done in two ways: offline or online.
Offline, the code is provided after physical authentication of the voter: based on the person's physical characteristics, it is controlled that she is indeed the person she claims to be and that she has not yet received a code. In the future, it would for example be possible to provide every citizen, after physical authentication, with an identity card with a chip or magnetic stripe built in, containing the personal code (his "private key"), which can be used for authentication in public and private life, in combination with a secret, personal password. This private key could then also be used for authentication for Internet elections.
The personal identification code can also be provided online. However, authentication then is dubious, because based on non-verifiable elements.
It is in any case essential the private key to be kept on a safe carrier. A magnetic stripe is not safe enough, because its content can be read easily. Therefore, the private/public key pair authentication should be used according the methods and standards of the existing and future Public Key Infrastructures18.
Finland is the first country in the world to introduce an electronic identity card for all citizens, for the purpose of communication with the authorities. The electronic identity card is a little, plastic card, with a little chip built in. That chip contains a number of personal data, like name, birth date, social security number, sex, photo and period of validity of the card. The card also contains invisible information like a secret key (a code) and a certificate. In order to be able to use the card, one has to have a card reader and a personal pin code (a password). In the future, the card reader will be standard with every new computer sold in Finland. The Finnish central register of births, deaths and marriages acts as the certification authority for electronic information exchange.19
CyberVote intends to use the digital authentication method. But can this identification method comply with the requirement one person to be able to vote only once?
There is a difference in reliability between physical and digital authentication. The former in principle does not allow someone to present himself and vote instead of the legitimate voter, because physical characteristics are in fact (in principle anyway) hard to change. The latter however does not prevent a voter to pass on his code and reveal his password to someone else (under pressure, against payment, etc.), who consequently can vote instead of the legitimate voter.
This is a problem for which exist few technical solutions. A part of the solution would be the use of an electronic authentication system, based on physical characteristics: eye-scan, fingerprint-scan, electronic signature ("smart pen" or scanned signature), etc. These techniques however have today not developed adequately in order to be as reliable as the state of the art digital authentication procedures which CyberVote will apply.
Electronic Signature Directive
From a legal point of view, it is to be remarked that the authentication method using a digital signatures is legally recognised to have the same value as a handwritten signature. This is explicitly provided in the Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures, which states in article 5 that Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device: (a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a hand-written signature satisfies those requirements in relation to paper-based data; and, (b) are admissible as evidence in legal proceedings.
There thus is a tendency to recognise the digital signature technique as a legally valid authentication method.
For the moment however the digital signature is only seen as satisfying the "legal requirements of a signature in relation to data in electronic form". However, except for absentee ballots through mail, election laws in general do demand a physical presentation of the voter in person.
Therefore, it will mainly be a policy issue to decide on whether to enable authentication of voters by a digital signature or not.
For instance, it seems like the Netherlands have expressively chosen to legally provide this possibility for public elections in the near future.20
2.2.3.2.2.3 Conclusion
At least the following should be observed:
(1) Use of a secure and reliable digital authentication method, which guarantees only legitimate voters to vote, only once.
(2) Offline provision of the personal digital signature, after physical authentication.
(3) Legal acceptance of the digital signature as a legitimate alternative for the physical authentication requirement for binding public elections.
(4) Strong legal framework as to the prohibition and sanctioning of any illegitimate use of a digital signature.
2.2.3.2.3 Reliable, secure, verifiable and voter's confidence
It is legally required that an electoral system is reliable ("genuine"). Reliability, security and verifiability are closely related. An Internet voting system will only be reliable if it is secure and if this security can be verified. A reliable system is likely to enhance voter's confidence.
Reliability, security and verifiability relate to the other aspects of democratic elections: secrecy and the "one person, one vote"-principle.
The Internet voting system has to secure that the votes remain secret and that every voter is able to vote, but only once.
2.2.3.2.3.1 Reliability
The system has to be reliable. This means that it can be relied upon that the result of the voting process corresponds with the votes cast and in consequence reflects the will of the people.
Therefore, the architecture of the system must guarantee that:
· The vote remains secret;
· Only legitimate voters can vote;
· Every legitimate voter can vote only once;
· Every legitimately cast vote is counted once (votes can not get lost or multiplied);
· Legitimately cast votes are not altered in the course of the voting process.
Reliability is mainly a matter of technical architecture of the voting system. In order to be applicable on a large scale - for binding public elections - the reliability of the system will have to be accurately tested, monitored and evaluated.
Security and reliability are closely related. The system will have to prove to be reliable, not only in normal situations, but also when problems arise. In order to be reliable, the system thus also has to be secure.
2.2.3.2.3.2 Security
The reliable functioning of the system must be secured against internal malfunctioning (programming mistakes, etc.) and external threats (electrical disturbance, hardware failures (central server, intermediate hardware, user hardware, etc.), network disturbance, server breakdown, hacking attacks, etc.).
While much emphasis has been placed on hackers and "cyber terrorism" (outside attacks), an equal threat to Internet voting is that an insider who has been "bought" could compromise the election. An Internet voting system must protect against both types of attack.
CyberVote will make use of special-purpose cryptographic protocols in order to secure the voting system.
2.2.3.2.3.3 Verifiability
Finally, it is required the voting system not only to be reliable and secure, but also to be verifiable. Verifiability of the voting process is a third important element.
Voters, independent officers, representatives of the political parties in competition, and independent observers, including media reporters, must be able to control polling and tabulation.
In a public election, the outcome of the election is of great importance. It must be made impossible to "fix" an election outcome by influencing someone on the "inside." Therefore, a public election must be overseen by a number of designated persons.
The individual ballots must also be permanently recorded on indelible media to allow for a recount should that be necessary.
Finally, it will probably be required the source code of the CyberVote software to be made publicly available, in order citizens to be able to study the software and verify the reliability and security of the system. On the other hand however, open sources can make the election system more vulnerable to hacking attacks and therefore compromise the security of the system. A solution may be to "open" the source to only a select group of expert people, like for instance the election committee that manages the election and/or independent advisors.
Further in this report, we shall investigate which procedures are provided in today's traditional elections and electronic elections in order to make the voting process verifiable.
CyberVote will have to comply with at least the following requirements:
(1) One has to be able to rely upon that the result of the voting process corresponds with the votes cast;
(2) The functioning of the system must be secured against internal malfunctioning and external threats;
(3) The entire voting process has to be able to be verified independently;
(4) The source code should be made available, at least to a limited number of expert people, in order to be able to be verified.
2.3 Summary: Legal requirements for CyberVote |
|
Based on the analysis above, and based on several reports on online voting, the following requirements for a public online voting system should be taken into account.
(a) Every eligible voter should have equal access to the voting process
(b) The voter has to be able to cast his vote with a minimum of required instruments and special skills
(c) The voter has to be able to know exactly which procedure he has to follow to cast his vote
(d) Every voter has to be able to vote for all candidates on the list he is eligible to vote for
(e) When a hybrid system is used (off- and online, different stages), each system has to comply equally with election standards
(f) An adapted system has to exist for ill, disabled voters and absent voters
(g) Nobody should be able to relate a vote cast with an identifiable voter
(h) The voter should not be able to prove the content of the vote he cast
2.3.2.1.2 Freedom
(i) No advertisement for political parties should be made "within the polling station"
(j) The voter has to be able to freely cast his vote, without undue influence
2.3.2.2 "one person, one vote"
(k) Only eligible voters should be able to cast a vote for the election concerned
(l) Every voter can vote only once for the election concerned
2.3.2.3 Accuracy, verifiability, security
(m) It should not be possible to alter a vote cast
(n) It should not be possible to exclude a valid vote of the tabulation
(o) It should not be possible to integrate a non-valid vote in the tabulation
(p) The voter has to be able to know if his vote is actually received by the voting authority
(q) Everybody has to be able to determine, independently and unequivocally that all votes cast are tabulated correctly
(r) The source code of the CyberVote software should be made available, at least to a limited number of expert people
(s) Development of a strong legal framework as to the sanctioning of any illicit behaviour concerning online voting
9 For the entire text, see http://humanrights.about.com/newsissues/humanrights/msub23.htm
10 For the existing election regulations, see 3;
13 For a description of the different stages of Internet voting, see 1.2
18 About Public Key Infrastructures (PKI), see for instance "Public Key Infrastructure and the Law", http://www.pkilaw.com
