2Investigations about the HCI, Web server and application server |
|
2 INVESTIGATIONS ABOUT THE HCI, WEB SERVER AND APPLICATION SERVER |
2.1 Introduction |
|
This section presents a mock-up, which results from investigations and tests conducted about HCI (Human-Computer Interface), web server and application server. This mock-up will be presented in December 2001 at the IST 2001 in Düsseldorf. It runs on a PC platforms, PDA (Personal Digital Assistant) Compaq iPAQ H3600 and mobile phone Nokia 9210 (see Figure 1). The mock-up will also be evaluated by the end users in WP 3.1 - Define ergonomics guidelines (see [11]) in order to have an early feedback from the users.
Figure 1: Mobile devices of the mock-up: Compaq iPAQ H3600 and Nokia 9210
The scenario and the mock-up were built according to the following lines of action:
· To have a didactic mock-up (ie. To give explanation about the goal and the means of the voter actions),
· To avoid technical terms in order to facilitate the voter comprehension of our system.
In the following chapters, the task model of the mock-up is presented first. It is the base of the scenario of the mock-up. The task model summarises the tasks the user can do with the mock-up.
Then the scenario itself is presented. It is composed of 4 steps, which are "voter registration", "voter authentication, vote and confirmation of vote", "consultation about the security along the vote process" and "consultation of help". The scenario describes the necessary displays, the inputs of voters and the responses of the interface. The scenario lays the foundations of the PC CyberVote mock-up. The scenario of the mock-up concerns the voting step only. A PC scenario has been defined first. Then it has been adapted for iPAQ and Nokia devices.
This scenario results from taking into account users requirements [1], discussions among the CyberVote consortium and audit of Internet voting systems [2] and the URLs [4],REF [5], [6] and [7].
Finally, a technical description of the mock-up is given.
2.2 Scenario of the mock-up |
|
This chapter defines the scenarios for the mock-ups and their technical descriptions. Three mock-ups are described in this document: the mock-up which will be displayed on a PC, the mock-up which will be displayed on an iPAQ and the mock-up which will be displayed on a mobile phone (Nokia 9210). These mock-ups will be dynamic and will present the same scenario. A scenario is a particular sequence of interactions between user and system. Another sequence of browsing the same functionality of the mock-up will be another scenario.
In interactive product development, usage scenarios have several purposes:
· to make work practices more concrete : scenarios and sequences on how users or potential users are carrying out their work,
· to identify areas for improvement : scenarios and user tasks as tools for envisioning and concept creation,
· to identify critical tasks (frequent or time context / context-critical tasks), based on these high-level scenarios.
We want the mock-ups didactic therefore we display little windows which explain the goal and the means of voter actions.
In this scenario, we avoid technical terms in order to facilitate the voter comprehension of our system. For instance there is no need to use 'public keys', 'private keys' or 'certificate' to explain the voter the voting procedure itself. The only part in which these terms will be displayed will be in the consultation about the security along the vote process. If we want to introduce these terms, we will have to explain them.
This scenario serves to lay the foundations of the PC CyberVote mock-up. The followed path is not exhaustive but operational and proposes to fix the general dialogue and several sorts of interaction.
It is composed of 4 steps, which are:
1. Voter registration,
2. Voter authentication, vote and confirmation of vote (e.g. Presidential election),
3. Consultation about the security along the vote process,
4. Consultation of help.
Before the scenario itself, we present the task model, which describes tasks a user can perform with this mock-up. A task model is very useful to understand the future activity with the real system.
With this scenario, we chose a way to work but the task model is more global and shows all the possibilities of the mock-up. For example, a user can begin consulting how data of vote is encoded.
After the scenarios, we give ideas to make the system reassuring. Indeed, the trust in the system and this new way of voting must be particularly studied to avoid the rejection of our system by voters. Through the different displays, voters will have the feeling that their votes will be at least as secure as the previous way of voting. That is why, we propose at the end of this scenario to summarise in some rules to accumulate “ergonomic criteria”.
2.3 Task model |
|
We chose to formalise the task model with the GLADIS ++ method because this model binds tasks in a hierarchical tree with temporal relations between each other’s [3].
The task model is presented by Figure 2.
Figure 2: Task model of the HCI mock-up
The details of “consult help” and “consult the security along the vote process” are very easy tasks consisting only in visualisation with very little user actions so they do not appear in the task model but do appear in the scenario.
The task model can be read this way: When a voter enters in CyberVote, he/she can directly consult help or data about security. But to vote, the voter must register before!
The task model is general enough to allow a correspondence with the mobile phone or the PDA too. But each task can be more precisely detailed. We actually chose to be more accurate in the scenario in order to make it easy to follow.
The scenario is written this way:
· In bold; instructions in order to complete different goals which can be reached,
· In italic; actions of interface in response to actions of users defined in instructions,
· In very small; necessary displays for the progression of the mock-up.
2.4 Scenario of the mock-ups |
|
Before registering the voter needs to receive identification and PIN code from election authorities.
1 home page
This home page must contain at least, an access to the registration, an access to the general help, an access to the vote coding process in respect to anonymity and, warranting the secrecy of vote, an access to the voting, which must be inaccessible, if the voter has not already registered and authenticated. In this home page, we display an explanation of the purpose of this system in very few words (for voting you will have to choose a password and an opened election then vote and confirm your vote….). We can add a slogan like “your opinion is important”…
In this mock-up we simulate only one sort of election: presidential election.
1 Click on the registration item in the home page
It induces the opening of the window of the explanation of the registration.
2 home page and window of the voter registration explanation opened
This window displays a short text in order to guide the voter through the next step of the vote. “The registration concerns only people who are in database of the electoral roll. This registration is valid during all the present electoral period. To register you must prepare the PIN code and the ID you had received and you will have to choose a password.” In the technical point of view, this step corresponds to "securely and bindingly assigning a voter's public key (certificate) to his entry in the list of voters". This window has two buttons: “cancel” and “launch the registration now”. The cancel button closes the window and the other button launches the registration procedure.
2 Click on the registration button in this explanation window.
It induces the opening of the window of the voter registration.
3 home page and window of the voter registration opened
This window must contain at least three areas: the first area must contain two fields: the ID and the PIN code. These fields shall pre-format: e.g. two letters and three digits… The second area must contain two fields: the password and the confirmation of the password. We can precise that the voter can do this action “out of the reach of inquisitive eyes”. And the third area is the command area, which must contain two buttons: register and cancel. The register button takes into account this registration and the cancel button cancels the registration and closes this window. This window must have a title, so do the first two areas.
3 Fulfil this window and click on “register” button.
It induces the closing of this window and the opening of an information window.
4 home page and information window
This window displays the confirmation of the voter registration and explains the fact that now the voter could vote with his password. This window has only an OK button. If ID and / or PIN are wrong, another information window displays that the voter must start again his data entry.
2.4.1.2 Vote and confirmation of vote
4 Click on the vote item in the home page
It induces the opening of the window of the explanation of the authentication.
5 home page and window of the voter authentication explanation opened
This window displays a short text in order to guide the voter through the next step of the vote. “The authentication concerns only people who are registered. This authentication allows you to have access to the opened elections compared with your “rights” (region, size of the city,…). To authenticate, you must prepare the PIN code and the password you had chosen at the time of the registration.” This window has two buttons: “cancel” and “launch the authentication now”. The cancel button closes the window and the other button launches the authentication procedure.
5 Click on the authenticate button in this explanation window
It induces the opening of the window of the authentication procedure.
6 authenticate window
This window must contain at least two areas: the first area must contain two fields: the PIN code and the password. We can precise that the voter can do this action “out of the reach of inquisitive eyes” and three wrong passwords invalidate automatically the system. And the second area is the command area, which must contain two buttons: authenticate and cancel. The authenticate button takes into account this authentication and the cancel button cancels the authentication and closes this window. This window must have a title too.
6 Fulfil this window and click on the authenticate button.
It induces the closing of authenticate window and the opening of opened elections list. We can precise that 5 minutes without entry on the keyboard will lead to the disconnection of the system.
7 opened elections list
The opened elections list must present the elections the voter can vote thanks to his password i.e. thanks to his rights. This list proposes several choices clearly labelled and displayed, for example several clickable buttons. In this mock-up, only the presidential election is clickable.
7 Click on the presidential election
It induces the opening of the window of the polling booth. Using the polling booth metaphor, we hope restore the very same secret and solemn that is in a very polling booth.
8 polling booth
This window presents something which reminds the polling booth (in France, a blue curtain for example) and piles of ballots (with a pile of white ballots) and possibly a pile of envelopes. The voter can choose a candidate with a simple click or can have access to the programme of the candidate with a link on a special area on the ballot. Indeed, we are in the situation in which the voters are alone at home for example, and they can want to reread some details of candidate’s programme, so we give them this possibility directly. If the voter clicks on a white ballot, a little window must appear in order to give comments, making this ballot invalid. The voter can vote white without adding a comment.
8 Click on the ballot the voter has chosen and then click on an envelope
It induces the animation of ballot jumping into the envelope. Before clicking on the envelope, the voter can make a mistake and then change his vote. He clicks on another vote and the first vote deselects and the new one becomes highlighted.
9 information window
This window appears and must contain at least two areas: the first area must present the choice of the voter. And the second area is the command area, which must contain three buttons: confirm, change and cancel. The confirm button takes into account the voter’s choice and he/she can no more change his vote and the cancel button cancels the voter’s choice and closes this window. The change button allows the voter to come back to the previous screen and changes his choice. This window must have a title too.
9 Click on confirm button
It induces the closing of confirmation window and the display of a blinking “has voted” for example.
10 animation “has voted”
After this animation, the system requires to sign the register. For that, it waits for the digital signature card or another similar means like an e-token.
10 Enter the card in the case
11 animation signature
This step exists more for the trust that the voter has in this system (the fact to append one's signature), than for the coding process. It is a strategic step that is not useful so far.
Then the explanation of the process of the vote is displayed.
12 encoding of the vote and poll method
We can explain in few words and with a diagram that only one vote is possible per person, that ballots are encoded and never decoded, that ballots in the system are anonymous, that there is an identity control and integrity of data transfer is ensured… in fact that, the system warrants a “general, secret, equal, direct and free” vote. We can also explain that the tabulation will be made by several talliers each doing a sub-tally and then, only one scrutineer checking and validating the final tally.
After this explanation, the system gives the voter a number and thanks him for his vote. This number serves to follow the ballot had been really taken into account and polled.
2.4.1.3 Consultation about the security along the vote process
1 home page
Click on the security about the vote process item in the home page.
It induces the opening of the window of the security along the vote process.
13 security along vote process
This process must be presented as a process control with different steps and few short texts on a diagram. This “page” must be more precise and technical than the little explanation at the end of vote. The technical drawing must reflect high technology and security. We must be able to explain the whole process: only one vote is possible per person, ballots are encoded and never decoded, ballots in the system are anonymous, there is an identity control and integrity of data transfer is ensured.
In this explanation, we must demonstrate the security aspects and the vote process in a technical and security point of view and not with the voter point of view. We can explain in this page we encrypt the vote by using the private key and we can explain all technical terms "public key", "private key" and "certificate". These terms can appear in this description because the use of private/public key encryption is one of the core elements of the CyberVote System.
The technical explanation must be written carefully in order to not complicate and loose the voter “the incorporation of asymmetric encryption into the system and at which steps of the registration/voting scenario public/private keys come into operation.”
We can also explain that the tabulation will be made by several talliers each doing a sub-tally and then, only one scrutineer checking and validating the final tally.
2.4.1.4 Consultation of help
1 home page
Click on the help item in the home page.
It induces the opening of the window of the help.
14 help screen
Tabs can represent the different steps of vote. On the first tab, there is an introduction and how to vote. The second tab explains the registration, the third one explains the vote and the confirmation, the fourth one explains the management and the polling and the last one explains that the voter could have access to the vote coding process and to the help.
2.4.2 Scenario for the iPAQ mock-up
We have already seen the task model remains unchanged because it is general enough to suit to the three mock-ups. We used the same scenario for the iPAQ as for the PC but we are obliged to readapt data display. So in this chapter, we discuss about the differences between PC and iPAQ mock-up keeping in mind that there are the same applications.
We present this scenario in a table, in which the columns are: the scenario steps, the potential display on PC and the potential display on iPAQ.
Scenario steps |
PC |
iPAQ |
Voter registration |
||
|
Home page: This home page must contain at least, an access to the registration, an access to the general help, an access to the vote coding process in respect to anonymity and warranting the secret of vote, an access to the vote which must be inaccessible if the voter has not already registered and authenticated. In this home page, we display an explanation of the purpose of this system in very few words (for voting you will have to choose a password and an opened election then vote and confirm your vote….). We can add a slogan like “your opinion is important” … In this mock-up we simulate only one sort of election: presidential election. |
Each access consists in displaying texts and icons or images with the look and feel defined in guidelines. This home page is supposed to be very attractive and official. It is supposed to be a nice window. |
The same choices must be proposed to voters but it must be reorganised in a menu in which each access will be an icon and a text: registration, opened elections, help, vote coding process. We remove images, most of colours, explanations and slogan. If the slogan is short, we could show it in order to be user-friendly. Opened elections will be inaccessible if the voter has not already register and authenticate (in grey). The voter selects the registration item in this menu with the pen or with his finger. |
|
Window of the voter registration explanation opened: This window displays a short text in order to guide the voter through the next step of the vote. “The registration concerns only people who are in database of the electoral roll. This registration is valid during all the present electoral period. To register you must prepare the PIN code and the ID you had received and you will have to choose a password.” In the technical point of view, this step corresponds to "securely and bindingly assigning a voter's public key (certificate) to his entry in the list of voters". This window has two buttons: “cancel” and “launch the registration now”. The cancel button closes the window and the other button launches the registration procedure. |
Only the size of the text will be different. The voter selects the registration button with the pen or with his finger. |
Scenario steps |
PC |
iPAQ |
|
Window of the voter registration opened: This window must contain at least three areas: the first area must contain two fields: the ID and the PIN code. These fields shall pre-format: e.g. two letters and three digits… The second area must contain two fields: the password and the confirmation of the password. We can precise that the voter can do this action “out of the reach of inquisitive eyes”. And the third area is the command area, which must contain two buttons: register and cancel. The register button takes into account this registration and the cancel button cancels the registration and closes this window. This window must have a title, so do the first two areas. |
Frames delimit the three different areas and are entitled. These fields shall pre-format to facilitate the data entry. |
This window must align these fields on the left and put them under each other’s to minimise the horizontal scroll.
The voter selects the register button. |
|
Information window: This window displays the confirmation of the voter registration and explains the fact that now the voter could vote with his password. This window has only an OK button. If ID and / or PIN are wrong, another information window displays that the voter must start again his data entry. |
We propose an information box. |
Words must be more precise and shorter. The OK button is on the right upper corner of this window. |
Vote and confirmation of vote |
||
|
Window of the voter authentication explanation: This window displays a short text in order to guide the voter through the next step of the vote. “The authentication concerns only people who are registered. This authentication allows you to have access to the opened elections compared with your “rights” (region, size of the city,…). To authenticate, you must prepare the PIN code and the password you had chosen at the time of the registration.” This window has two buttons: “cancel” and “launch the authentication now”. The cancel button closes the window and the other button launches the authentication procedure. |
Scenario steps |
PC |
iPAQ |
|
The authenticate window appears: This window must contain at least two areas: the first area must contain two fields: the PIN code and the password. We can precise that the voter can do this action “out of the reach of inquisitive eyes” and three wrong passwords invalidate automatically the system. And the second area is the command area, which must contain two buttons: authenticate and cancel. The authenticate button takes into account this authentication and the cancel button cancels the authentication and closes this window. This window must have a title too. |
The authenticate window is a pop-up window to block the dialogue but the voter’s goal is the opened elections. |
PIN code and password are asked in the same way as the registration window with the apparition of the keyboard.
The voter selects the authenticate button. |
|
Opened elections list: The opened elections list must present the elections the voter can vote thanks to his password i.e. thanks to his rights. This list proposes several choices clearly labelled and displayed, for example several clickable buttons. In this mock-up, only the presidential election is clickable. |
When we have enough room in the screen, we can use clickable buttons where the name and the deadline of the election can be displayed. |
For iPAQ, this list will be a list of items for example with two columns, the name of elections and the date deadline to vote. |
|
Point the presidential election
|
With using the polling booth metaphor, we place the voter in the “real” context of voting. |
We only keep pile of white ballots and a pile of envelopes and remove all other things representing the metaphor.
The voter selects his ballot and envelope. |
Scenario steps |
PC |
iPAQ |
|
After the animation of the ballot jumping into the envelope, an information window appears: This window must contain at least two areas: the first area must present the choice of the voter. And the second area is the command area, which must contain three buttons: confirm, change and cancel. The confirm button takes into account the voter’s choice and he/she can no more change his vote and the cancel button cancels the voter’s choice and closes this window. The change button allows the voter to come back to the previous screen and changes his choice. This window must have a title too. |
This window is quite the same window as the PC’s one, save the size of the police. The voter selects the confirm button. | |
|
After the animation of a blinking “has voted”, the system requires to “sign”. |
A little animation can be displayed like the animation “has voted”. |
Only the “has voted” will be displayed. |
|
Encoding of the vote and poll method: We can explain in few words and with a diagram that only one vote is possible per person, that ballots are encoded and never decoded, that ballots in the system are anonymous, that there is an identity control and integrity of data transfer is ensured… in fact that, the system warrants a “general, secret, equal, direct and free” vote. We can also explain that the tabulation will be made by several talliers each doing a sub-tally and then, only one scrutineer checking and validationg the final tally.
|
After the animation, an information window is displayed with very little text.
|
Scenario steps |
PC |
iPAQ |
Consultation about the security along the vote process |
||
|
Security about the vote process: This process must be presented as a process control with different steps and few short texts on a diagram. This “page” must be more precise and technical than the little explanation at the end of vote. The technical drawing must reflect high technology and security. We must be able to explain the whole process: only one vote is possible per person, ballots are encoded and never decoded, ballots in the system are anonymous, there is an identity control and integrity of data transfer is ensured. In this explanation, we must demonstrate the security aspects and the vote process in a technical and security point of view and not with the voter point of view. We can explain in this page we encrypt the vote by using the private key and we can explain all technical terms "public key", "private key" and "certificate". These terms can appear in this description because the use of private/public key encryption is one of the core elements of the CyberVote System.
We can also explain that the tabulation will be made by several talliers each doing a sub-tally and then, only one scrutineer checking and validating the final tally. |
For PC, process control with icons, images or diagrams are adapted to be more user-friendlier than using just words. |
Accessible via the menu, we can not propose a big diagram but the different steps like the rubrics of Microsoft Word help. Each step is clickable and displays an explanation : Encoding
|
Scenario steps |
PC |
iPAQ |
Consultation of help |
||
|
Help screen: Tabs can represent the different steps of vote. On the first tab, there is an introduction and how to vote. The second tab explains the registration, the third one explains the vote and the confirmation, the fourth one explains the management and the polling and the last one explains that the voter could have access to the vote coding process and to the help. |
For PC, help with tabs is adapted and user-friendlier than words. |
Accessible via the menu, we can not propose tabs but different rubrics of help. Each step is clickable and displays an explanation: How to vote
|
2.4.3 Scenario for the Nokia 9210 mock-up
Three major differences exist between the display of the iPAQ and the display of the Nokia 9210 mobile phone:
· The orientation of the screen : vertical for iPAQ and horizontal for the phone,
· The entry of data is performed via the keyboard and the four buttons on the right side and a button to move through the screen for the Nokia. For the iPAQ, the entry of data is performed with the pen or finger.
PC |
iPAQ |
Nokia |
Voter registration | ||
|
Home page: This home page must contain at least, an access to the registration, an access to the general help, an access to the vote coding process in respect to anonymity and warranting the secret of vote, an access to the vote which must be inaccessible if the voter has not already registered and authenticated. In this home page, we display an explanation of the purpose of this system in very few words (for voting you will have to choose a password and an opened election then vote and confirm your vote….). We can add a slogan like “your opinion is important” … In this mock-up we simulate only one sort of election: presidential election. | ||
|
Each access consists in displaying texts and icons or images with the look and feel defined in guidelines. This home page is supposed to be very attractive and official. It is supposed to be a nice window. |
The same choices must be proposed to voters but it must be reorganised in a menu in which each access will be an icon and a text: registration, opened elections, help, vote coding process. We remove images, most of colours, explanations and slogan. If the slogan is short, we could show it in order to be user-friendly. Opened elections will be inaccessible if the voter has not already register and authenticate (in grey). The voter selects the registration item in this menu with the pen or with his finger. |
The menu gives the access. The choice of the « CyberVote » leads to a menu in which each access will be an icon and a text: registration, opened elections, help, vote coding process. We remove images, most of colours, explanations and slogan. If the slogan is short, we could show it in order to be user-friendly. Opened elections will be inaccessible if the voter has not already register and authenticate (in grey). These accesses are horizontal The voter selects the registration item in this menu with the button on the keyboard. |
|
Window of the voter registration explanation opened: This window displays a short text in order to guide the voter through the next step of the vote. “The registration concerns only people who are in database of the electoral roll. This registration is valid during all the present electoral period. To register you must prepare the PIN code and the ID you had received and you will have to choose a password.” In the technical point of view, this step corresponds to "securely and bindingly assigning a voter's public key (certificate) to his entry in the list of voters". This window has two buttons: “cancel” and “launch the registration now”. The cancel button closes the window and the other button launches the registration procedure. | ||
|
Only the size of the text will be different. The voter selects the registration button with the pen or with his finger. |
The orientation of the text will be different and the two buttons are chosen and configured among the four buttons on the right side. The voter selects the registration button with his finger. | |
|
Window of the voter registration opened: This window must contain at least three areas: the first area must contain two fields: the ID and the PIN code. These fields shall pre-format: e.g. two letters and three digits… The second area must contain two fields: the password and the confirmation of the password. We can precise that the voter can do this action “out of the reach of inquisitive eyes”. And the third area is the command area, which must contain two buttons: register and cancel. The register button takes into account this registration and the cancel button cancels the registration and closes this window. This window must have a title, so do the first two areas. | ||
PC |
iPAQ |
Nokia |
|
Frames delimit the three different areas and are entitled. These fields shall pre-format to facilitate the data entry. |
This window must align these fields on the left and put them under each other’s to minimise the horizontal scroll.
The voter selects the register button. |
The disposal of the fields is horizontal: the ID and the PIN code next to the password and the confirmation of the password to minimise the vertical scroll.
|
|
Information window: This window displays the confirmation of the voter registration and explains the fact that now the voter could vote with his password. This window has only an OK button. If ID and / or PIN are wrong, another information window displays that the voter must start again his data entry. | ||
|
We propose an information box. |
Words must be more precise and shorter. The OK button is on the right upper corner of this window. |
Words must be more precise and shorter. The OK button is the first of the four buttons on the right side. |
Vote and confirmation of vote | ||
|
Window of the voter authentication explanation: This window displays a short text in order to guide the voter through the next step of the vote. “The authentication concerns only people who are registered. This authentication allows you to have access to the opened elections compared with your “rights” (region, size of the city,…). To authenticate, you must prepare the PIN code and the password you had chosen at the time of the registration.” This window has two buttons: “cancel” and “launch the authentication now”. The cancel button closes the window and the other button launches the authentication procedure. | ||
|
The two buttons are two of the four buttons on the right side. | ||
|
The authenticate window appears: This window must contain at least two areas: the first area must contain two fields: the PIN code and the password. We can precise that the voter can do this action “out of the reach of inquisitive eyes” and three wrong passwords invalidate automatically the system. And the second area is the command area, which must contain two buttons: authenticate and cancel. The authenticate button takes into account this authentication and the cancel button cancels the authentication and closes this window. This window must have a title too. | ||
PC |
iPAQ |
Nokia |
|
The authenticate window is a pop-up window to block the dialogue but the voter’s goal is the opened elections. |
PIN code and password are asked in the same way as the registration window with the apparition of the keyboard.
The voter selects the authenticate button. |
Idem iPAQ |
|
Opened elections list: The opened elections list must present the elections the voter can vote thanks to his password i.e. thanks to his rights. This list proposes several choices clearly labelled and displayed, for example several clickable buttons. In this mock-up, only the presidential election is clickable. | ||
|
When we have enough room in the screen, we can use clickable buttons where the name and the deadline of the election can be displayed. |
For iPAQ, this list will be a list of items for example with two columns, the name of elections and the date deadline to vote. |
The orientation means the list must not exceed four elections or we display this list in two columns. |
|
Point the presidential election
| ||
|
With using the polling booth metaphor, we place the voter in the “real” context of voting. |
We only keep pile of white ballots and a pile of envelopes and remove all other things representing the metaphor.
The voter selects his ballot and envelope. |
Idem iPAQ except we place the ballots on one row. |
PC |
iPAQ |
Nokia |
|
After the animation of the ballot jumping into the envelope, an information window appears: This window must contain at least two areas: the first area must present the choice of the voter. And the second area is the command area, which must contain three buttons: confirm, change and cancel. The confirm button takes into account the voter’s choice and he/she can no more change his vote and the cancel button cancels the voter’s choice and closes this window. The change button allows the voter to come back to the previous screen and changes his choice. This window must have a title too. | ||
|
This window is quite the same window as the PC’s one, save the size of the police. The voter selects the confirm button. |
Idem iPAQ except we use three of the four buttons on the right side. | |
|
After the animation of a blinking “has voted”, the system requires to “sign”. | ||
|
A little animation can be displayed like the animation “has voted”. |
Only the “has voted” will be displayed. |
Idem iPAQ |
|
Encoding of the vote and poll method: We can explain in few words and with a diagram that only one vote is possible per person, that ballots are encoded and never decoded, that ballots in the system are anonymous, that there is an identity control and integrity of data transfer is ensured… in fact that, the system warrants a “general, secret, equal, direct and free” vote. We can also explain that the tabulation will be made by several talliers each doing a sub-tally and then, only one scrutineer checking and validating the final tally.
| ||
|
After the animation, an information window is displayed with very little text.
|
Idem iPAQ | |
PC |
iPAQ |
Nokia |
Consultation about the security along the vote process | ||
|
Security about the vote process: This process must be presented as a process control with different steps and few short texts on a diagram. This “page” must be more precise and technical than the little explanation at the end of vote. The technical drawing must reflect high technology and security. We must be able to explain the whole process: only one vote is possible per person, ballots are encoded and never decoded, ballots in the system are anonymous, there is an identity control and integrity of data transfer is ensured. In this explanation, we must demonstrate the security aspects and the vote process in a technical and security point of view and not with the voter point of view. We can explain in this page we encrypt the vote by using the private key and we can explain all technical terms "public key", "private key" and "certificate". These terms can appear in this description because the use of private/public key encryption is one of the core elements of the CyberVote System.
We can also explain that the tabulation will be made by several talliers each doing a sub-tally and then, only one scrutineer checking and validating the final tally. | ||
|
For PC, process control with icons, images or diagrams are adapted to be more user-friendlier than using just words. |
Accessible via the menu, we can not propose a big diagram but the different steps like the rubrics of Microsoft Word help. Each step is clickable and displays an explanation : Encoding
|
Idem iPAQ except the disposal of the text more horizontal. |
Consultation of help | ||
|
Help screen: Tabs can represent the different steps of vote. On the first tab, there is an introduction and how to vote. The second tab explains the registration, the third one explains the vote and the confirmation, the fourth one explains the management and the polling and the last one explains that the voter could have access to the vote coding process and to the help. | ||
|
For PC, help with tabs is adapted and user-friendlier than words. |
Accessible via the menu, we can not propose tabs but different rubrics of help. Each step is clickable and displays an explanation: How to vote
|
Idem iPAQ except the disposal of the text more horizontal. |
2.5 Technical description of the mock-up |
|
The mock-up is based on a Java code previously developed by TUE as a prototype of a voting protocol.
First the code has been arranged to lighten the download process when the application is running on-line (eg. Separation of the registration and voting part in two applets), and to receive an HCI part. Second the HCI has been developed for the PC devices, and then adapted for the iPAQ and Nokia 9210. Third the mock-up has been installed on the server that supports the CyberVote website. Fourth the election parameters have been set-up.
The mock-up focuses on the voting step only (ie. no tabulation is demonstrated). It allows voting from a PC, an iPAQ or a Nokia 9210.
HTTP and Virtual Connection are used. Apache is used as a Web server. There was no need of an application server. Data was stored in flat files.
The mock-up is based on the following architecture:
Figure 3: Outline of the architecture of the mock-up oriented towards the HCI
.jar files correspond to Java Applet that are downloaded on PC and iPAQ. .sis files contain the Java application that are downloaded on Nokia 9210.
2.5.2 Screenshots and comments
Some screenshots of the current HCI's mock-up for PC are presented below. Reference to the page or the window presented by the scenario for the PC mock-up in section 2.4 is given with the screenshot. The HCI for iPAQ and Nokia 9210 are quite similar to the PC's one, apart from the size and orientation as described in sections 2.4.2 and 2.4.3.
· N°1 - home page: the voter receives an HTML page and clicks on "registration" or "1" to register.
· N°2 - Window of the access to the voter registration: the voter is informed of the procedure by an HTML page. The blue button "register" is a Java Applet. The voter clicks on it. That action opens a virtual connection on a specific port between the client (ie. PC) and the server (ie. Vote server in Toulouse). The Java Applet is downloaded on the voter's PC.
· N°3 - Window of the voter registration: still in a virtual connection, the registration proceeds. The voter gives his ID and PIN code, and then a password. The registration process is done and the virtual connection is closed.
· N°4 Registration information window:
· N°5 - home page and window of the voter authentication explanation opened: the voter clicks on "voting" on the home page. The voter receives then an HTML page with information about the voting procedure. The "vote" blue button is a Java Applet. The voter clicks on it and a virtual connection is opened on a specific port between the client and the server. The Applet is downloaded on the voter's PC.
·
N°6 - authenticate window: first the voter must give his identification (ie. ID+password).
· N°7 - opened elections list: information about the opened elections is displayed. The voter chooses the election he wants to participate to by clicking on its name.
· N° 8 - polling booth: this window has not been implemented
·
N° 9 - information window: an "empty" ballot is displayed and the voter must choose with the scrolling menu the candidate he votes for. Then he clicks on OK to confirm (or back or cancel not to confirm).
The ballot chosen by the voter is displayed and the voter must confirm his choice by clicking on OK. Then the ballot is encrypted and sent to the vote server. Finally the virtual connection is closed. Only the HTTP connection remains.
· N° 10 - "has voted": we did not implement any animation for a matter of time. But this last window ends the voting process and thanks the voters for having voted and used the CyberVote system.
HCIs for iPAQ and Nokia 9210 are quite similar to HCI for PC, except the presentation is smaller as explained in sections 2.4.2 and 2.4.3. An HTTP connection is used for consultation of help and information only. A virtual connection is opened for the whole process.
2.6 Conclusion |
|
The setting up of this mock-up allowed us to draw some conclusions.
The HCI required an adaptation according to the kind of device. PC can afford a classical HCI. iPAQ requires a smaller presentation, with a vertical orientation. Nokia 9210 requires a smaller presentation too, with a horizontal orientation. Navigation on Nokia 9210 is specific to this device especially because of the possible use of the four buttons that are present on the right side of the phone (see Figure 1).
As the TUE's code was written in Java, we chose to continue this way. That means we had to consider the JVM available on the devices. The use of Java swing was not possible on mobile devices because their JVM only supports Personal Java, which does not support the swing components. The choice of Java also implied the use of Java compatible browser (ie. Internet Explorer or Netscape Navigator).
We have chosen the concept of Java Applet, because it normally does not require pre-installation to run. The voter would just need to connect to the server to get the Applet. However Applets proved difficult to be used from the mobile devices, because Applet should be used as application. Therefore they must be installed previously. Furthermore Applets require a long time to be downloaded from PC, not counting the previous download of the JVM. Therefore this choice might be reconsidered (eg. Perl, C, C++).
Contrary to the PC, the mock-up should be pre-installed on mobile device before running the demo. Such an approach should be discussed for the final prototype, because that means CyberVote can not run from any of these devices, but only from those, which have been correctly previously "set up".
There was no need of an application server because there was not many applications to manage. This will likely still be the case of the final prototype. As a Web server, we selected Apache, because it is reliable enough and its licence is free.
The mock-up (PC, iPAQ, Nokia 9210) has been presented at the IST 2001. Here are the lessons we learnt during this exhibition:
1. The CyberVote system needs a reliable Internet connection.
We had several problems during our demonstrations presumably due to the Internet connection set in place by the organisation. Though this connection was sometimes really fast, it was very unpredictable and most of the times very slow. As a result, we were not able to reach the registration/voting server and could not go on our demonstration on the PC.
2. The CyberVote system needs a reliable GSM connection.
Since we had problems with our Internet connections, most of the demonstrations were run successfully from the Nokia 9210. However it happened once that we were not able to set our Internet GSM connection. This was probably due to the fact that the GSM network was too busy at that time.
3. Our mock-up software needs debugging.
If we intend to re-use the current mock-up software, we should have a look in the following directions to make more reliable:
§ Memory consumption. It seems that our software requires a lot of memory causing troubles to our devices (PC being less responsive, Nokia 9210 displaying 2 characters when only one is typed in, etc.)
§ Error messages. Error messages does not take into account the fact that the Internet or GSM connection may be down.
Other ideas resulting from this first mock-up were discussed during internal meetings (e.g. use of Linux, proxy, C++, etc).. The next WP will consider these suggestions (ie. WP2.8 - Define overall system architecture and WP3 - System architecture specification & design).
