E-Voting through the Internet and with Mobile Phones

Transcription

1 E-Voting through the Internet and with Mobile Phones Giampiero E.G. Beroggi, Statistical Office Canton Zurich, Switzerland The Swiss e-voting system, developed and used by the Canton Zurich, is unique world-wide for it accommodates voting on referenda and elections through the Internet and with mobile phones. It provides the basis for secure vote casting, precise vote counting, and rapid result dissemination. The system was successfully tested and used over the past two years for six elections and referenda at the federal, canton, and community level. Keywords: Government, e-voting, privacy, electronic markup language, secure entry server The proper execution of democratic rights has become linked to the availability and reliable functioning of advanced information and communication technology (ICT). While modern societies fully rely on ICT for business, work and leisure time activities, the use of ICT for democratic decision making is still in its infancy. In fact, the outdated technological concepts for voting have been blamed in part for lost and uncounted votes and could therefore be responsible for biased political decisions making 1. On the other hand, Peter G. Neumann suggests that the computer science community seems almost unanimously wary of attempts to enable elections via the Internet 2. Clearly, electronic voting (e-voting) has a high potential for reliable and secure vote casting, precise vote counting, and rapid result dissemination. Countries all over the world are examining e-voting 3, for it has some striking advantages over traditional paper voting, including security for casting votes, accuracy of counting and analyzing votes, options to conduct voting in a centralized and decentralized manner, etc. The reasons why the e-voting technology has not matured to equivalent levels as known for business and leisure time activities lies mostly in an inherent lack of trust and fear of electronic threats. While most countries are still conceptualizing or testing e-voting systems, three cantons in Switzerland have pioneered the development of e-voting to its full technological maturity. The Zurich e-voting system is a unique solution and characterized by its modular and service-oriented architecture (Figure 1), which allows the integration of all types of media for e-voting, including Internet (Figure 2), mobile phone (Figure 3), and even TV, Palm or any other digital technology. It promotes the implementation of e-voting because its architecture can easily be integrated in existing software solutions, without compromising its high security standard. Both national and local authorities have embraced the system because it can be used both in a centralized and in a decentralized manner. The broad range of technologies promotes citizen involvement in public decision making processes, while the full integration of the digital system with the traditional ballot box system prevents the possibility of a digital divide among the population. The Zurich Minister of the Interior, Markus Notter, commented on the successful completion of the Zurich e-voting system, saying that it marks a milestone in Swiss democracy, for it opens the ballot to today s information society. The service-oriented structure is ideal because it covers the full range of voting concepts, including national votes on referenda, votes on citizen initiatives with counter referendum and contingency plan, as well as majority elections and proportional elections with predefined party lists. For majority elections, the system not only accommodates a predefined list of candidates, it even allows for elections where all citizens are eligible to be elected, since the full electorate is stored in the system. Moreover, the system allows individual definition of the opening times of the electronic ballot boxes. Even the decoding of the votes can be done by each community individually. The voting officers receive the decoding keys with all the passwords to decode the votes on voting day. To prevent citizens from casting their vote multiple times (e.g. as e-vote and on site), several safety features have been installed, which are activated centrally or by the local authorities. The Zurich e-voting system has been realized for a total amount of $2.3 project costs, $2.1 m development costs, and annual reoccurring operational costs of $0.4 m, which amounts to approximately $0.5 per e-vote. The Zurich e-voting system has been successfully tested and applied for federal, local and organizational elections and referenda. The chronological development of the e-voting system is summarized in Table 1. The system was first tested for the Zurich University board election in 2005, followed by a national referendum. The testing phase was concluded with a proportional election in April, Since then, e-voting Zurich is in use in three communities in the Canton Zurich; however, all 171 communities could be linked up instantly, as soon as the Swiss Government lifts the 10% electorate restriction for e-voting. Moreover, its service-oriented structure can accommodate any other Swiss canton, or any public and private organization in the world whishing to employ e-voting. 1

2 BACKGROUND The Canton Zurich has the largest population of all 26 Swiss cantons, approximately 1.2 million. The Statistical Office of the Canton Zurich ( belongs to the Ministry of Justice and Interior. It is the authority responsible for planning and conducting federal and local elections and referenda. As part of this responsibility, we must provide the technological means for citizens and local authorities to conduct and participate in elections and referenda. Five years ago, we introduced a fully computerized election and referendum system that connected all 171 communities, allowing us to monitor in real-time the progress and assist the communities on voting days. Two years later, we started the e-voting pilot-project, which was successfully completed in spring of The Swiss parliament created on June 21, 2002 the legal basis for e-voting pilot testing. This legal basis authorizes the Swiss Government, in conjunction with interested cantons, to conduct e-voting tests. Of utmost importance is the assurance of (1) the voting rights, (2) the voting secrecy, (3) the capturing of all votes, and (4) the avoidance of any abuse of the system. At the same time, the parliament required that the tests be monitored scientifically. Special contracts to conduct e-voting tests were signed between the Federal Chancellery and three cantons, one of them being Zurich. The three cantons were required to take into account the following four considerations: (1) electronically cast votes cannot be intercepted, changed or rerouted: (2) no third party can obtain knowledge of the cast vote, (3) only registered citizens can vote, and (4) every registered person can vote only once. After signing the contract for e-voting tests, many of the 171 Zurich communities expressed their strong desire to participate in the test phase. However, the restriction by the Swiss Government to allow only 10% of the electorate to participate in e-voting created quite some disappointment among many communities. Nevertheless, the enthusiasm of the three selected communities was extremely high. PRIORITIES AND PURPOSES Any alternative to the traditional ballot box voting must not compromise the fundamental rights of citizens to express their free political will without any technological, psychological or any other restriction or bias. Moreover, e-voting should be an alternative to ballot box voting that has the potential to encourage more citizens to participate in public policy decision making. Finally, e-voting must comply with the same high security standards defined for traditional voting approaches. Our e-voting system had to be tailored to the Swiss decentralized voting structure, allowing each of the 171 communities of the Canton Zurich to manage their own voting register in a decentralized manner. Moreover, it had to take into account all other relevant features of the Swiss elections and referenda rules. For majority elections, the system not only had to accommodate a predefined list of candidates, it even had to allow for the situation where all citizens are eligible to be elected. Also, the system must allow individual definitions of the opening times of the electronic ballot boxes. Each community individually must be able to decode votes. The election officers must then receive the decoding keys with all the passwords to decode the votes on voting day. To prevent citizens from casting their vote multiple times, several safety features have been installed, which are activated by the communities. STRATEGIES The strategy followed to develop the Zurich e-voting system was fourfold. First, voting through the Internet or mobile phones must provide more flexibility and security without additional restrictions or controls. Security, anonymity, and voting secrecy must be assured. Second, the e-voting system must provide a superior service for citizens and communities responsible for elections and referenda. All the currently employed IT -systems must be able to be integrated in the e-voting system, such that the communities must make only minor changes to their elections and referenda processes. Third, passwords and access codes must be strictly confidential. This implies that the print of the ballot codes must comply with the highest security standards. To assure this, the access codes are being printed at three independent printing companies. Fourth, secure servers and software are essential for e-voting and are thus designed as part of a designated security network. Security had to be considered already as part of the design process, e.g., with respect to the logging mechanisms or the possibility for direct system call up. As a result, the e-voting system satisfies all the requirements specified in the Swiss Federal law for Political Rights. OPERATION AND SECURITY The operational concept is based on the IT Infrastructure Library (ITIL), while the security requirements are based on the Information Security Management System (BS 7799 or higher). Security audits are performed through external parties, including a firm which was hired by the federal government to conduct hacking 2

3 attempts, which all failed. The certification of the hardware and its physical security environment had to be done in compliance with US DoD level of protection of class B2 or lower. The security concept is defined according to ISO/IEC and BS 7799 or higher. The security level is assessed annually by the Swiss government and the Federal Chancellery. Data exchange between the communities and the e-voting system is based on the Secure Data Exchange Platform (SeDAP). SeDAP is based on the OSCI (Online Services Computer Interface) standard, which itself is based on the SOAP (Simple Object Access) protocol. All entries into the e-voting system occur through a Secure Entry Server (SES). These refer to identification and authentification of users and to the anonymous access of users for different user rights (support, administration, citizens, etc.). The e-voting system can process various data formats and transmissions, including XML, EML, ODBC, CSV, SOAP, as well as direct database access. The federal government required that all formats be convertible to EML for import. Each community and organization must have field mapping and field tracing options at all user levels. The harmonization of data, fields and records must be accomplishable according to Swiss e- Government standards ( Two of the three mobile phone companies in Switzerland use a virtual private network (VPN) communications network to link directly into the e-voting system, while the third company uses an IPVPN communications network to link into the Canton Zurich secure network (LeuNet), which is directly linked to the e-voting system. The transmissions of citizens votes through the Internet as well as the voting rights from the communities to the central e-voting system are based on the Secure Sockets Layer (SSL) protocol (Figure 1). To execute the voting process, voters must identify themselves with an access code and password, which are sent to them by mail on their personal voting forms (Figure 1). After successful identification, the voters may cast their vote. The system immediately asks them to validate their vote by requesting them to enter their birth date and a six-digit numerical identification code. The votes are transferred to the e-voting system only after this successful validation. Encryption occurs in two steps (see Figure 1). The first step refers to the encryption of the votes and the identification and authentification characteristics, which happens on the voter s client computer based on a 1024 Bit encryption (through an SSL channel). The incoming votes are then checked, in a second step, for their structure and integrity, before they are once again encrypted (1024 Bit) and passed on to the high-security zone (second firewall). The votes in the e-voting system are stored on two redundant systems. The cast votes are stored on a WORM (write once, read multiple times) data base, which is used to check zero tolerance. The e- voting hardware is installed in a secure place with all the necessary physical access control mechanisms and the appropriate safety precaution measures (Figure 4). The issue of transparency of, and trust in, e-voting has been discussed thoroughly in the literature. As a result, the request for source availability, as a prerequisite to build up trust in e-voting systems, has been abandoned 4, also on the base that attackers with access to the source code would have the ability to modify voting and auditing records 5. With respect to trust, we rely on the ACM Statement on Voting Systems 6, which recommends that e- voting systems embody careful engineering, strong safeguards, and rigorous testing in both their design and operation. To assure proper functioning of the e-voting system, we install, for every election and referenda event, a virtual community for which we cast votes and check their proper recording in the e-voting system. In addition, we analyze the citizens votes and make sure that the sum of the validated codes during e-voting and the sum of received electronic votes are equal. These two plausibility checks must have a zero tolerance; i.e., they must match perfectly for the e-voting procedure to be acceptable. The decoding of the electronically cast votes occurs when the physical ballots are closed, usually on a Sunday at noon. The decoding process passes the e-voting votes to the vote registration software (Figure 5). The decoding process must be supervised by the Federal Chancellery. The ACM Statement on Voting Systems makes one more crucial recommendation, namely that each voter must be able to inspect a physical record to verify that his or her vote has been accurately cast. Clearly, privacy of voting excludes a reproducible recording of each voter s actions (so-called audit trail ). To overcome this major weakness of e-voting, we introduced a code-voting principle. Instead of entering yes or no to a referendum, the voters enter a personally assigned code; e.g., KU4 for yes. In turn, the e-voting system confirms the vote also with a coded statement. Clearly, audit trail is still subject to potential malicious electronic attacks and will never replace paper trail as far as physical inspection of the votes cast is concerned. However, paper trail would provide a receipt to a voter, which makes him or her subject to bribery, providing means to sell or buy votes. This, however, is illegal under Swiss law. CHANGES RESULTING FROM THE ACHIEVEMENTS Extensive technological testing was conducted based on a special algorithm which was developed to simulate vote casting, vote counting, and the reporting of the results. These tests could reveal some gaps, which would not have been detected during regular applications. The gaps were immediately remedied during the testing phase in 3

4 2005. The audit of the system and the internal security audit were done by Swisscom Solutions, the leading telecommunication company in Switzerland. Moreover, the Federal Chancellery conducted its own security audits and proposed some changes regarding the architecture, the user interface, and the password structure. These suggestions have been considered and resulted in an improvement of the e-voting system during the test phase in The adoption of the system has experienced also significant impacts. Due to the high participation in e- voting during the test phase, the university board decided to abolish traditional ballot box voting. As a result, the 2006 elections of the university student board were, for the first time, done solely based on e-voting. This resulted in higher efficiency and lower costs, while not compromising the possibility of the approximately 24,000 students expressing their political preferences. SUSTAINABILITY AND TRANSFERABILITY The Zurich e-voting system is fully extendable and transferable due to its server-oriented and modular concept. Any number of voting districts can be defined, where elections and referenda can be done with all kinds of different media, including Internet, mobile phone, TV, Palm, or the regular ballot box voting. The system s sustainability and transferability is assured through seven unique features: (1) Due to the characteristics of the layout system, communities can define their own electorate districts, allowing them to enter their district-specific data and information. (2) For any voting device that is in place, a standard procedure is defined based on EML (Electronic Markup Language), which assures the modularity of the system. Any additional voting device can thus be integrated, which assures extraordinarily high user friendliness. (3) The list of candidates must be entered only once in the voting system and can then be taken over by the e-voting system. This reduces the possibility of conflicting data input. (4) The identification and control system, together with the Secure Entry Server (SES), make sure that only registered voters can vote. (5) The heart of the e-voting system is the transfer system, which stores the cast e-votes into the e-voting system. Access is given only through SES, which excludes unauthorized access. Since the design of the transfer system is independent of the visualization system, the integration of new applications and input devices can be done quite easily. (6) Votes and voting rights are encrypted and stored separately. This concept assures that all votes are counted correctly and that the voting rights are not corrupted. All data are stored in parallel on a WORM (write once read many times) system. (7) The open system architecture of the e-voting system allows communities to use their own IT -solutions and to integrate the e- voting system into their own IT-architecture, without compromising security. These seven features make the Zurich e-voting solution fully sustainable and transferable to other cantons in Switzerland and any other organization world-wide. LESSONS LEARNED The modular and service-oriented architecture, which allows the integration of all media for e-voting, including Internet, mobile phone, TV, Palm or any other digital technology, has strongly promoted the adoption and implementation of e-voting. Both national and local authorities have embraced the system because it can both be used in a centralized as well as in a decentralized manner, and because its architecture can easily be integrated in existing software solutions, without compromising its high security standard. Even the decoding of the votes can be done by each community individually. The voting officers received the decoding keys with all the passwords to decode the votes on voting day. It turned out that these safety features were crucial, although no malicious attempts have been made to abuse the system. As a result of this integrated approach the voting results could be analyzed independently of the media used to cast the vote. Its service-oriented structure did also promote the use of e-voting because it covers the full range of voting concepts, including national votes on referenda, votes on citizen initiatives with counter referendum and contingency plan, as well as majority elections and proportional elections with predefined party lists. A major advantage was for majority elections. The system not only accommodates a predefined list of candidates, it even works for when all citizens are eligible to be elected, since the full electorate is stored in the system. An additional benefit is that the system allows individual definition of the opening times of the electronic ballot boxes, even though this feature has not yet been used. The broad range of integrated technologies promoted citizen involvement in public decision making processes, while the full integration of the digital system with the traditional ballot box system prevented the possibility of a digital divide among citizens. Clearly, some initial increase of participation in elections and referenda is due to the novelty of the system. However, we are confident that e-voting Zurich will contribute to a higher citizen involvement in public decision making issues. The lessons learned from our testing phase and first year use for regular elections and referenda make us confident of the successful extension of the e-voting system for all 171 communities and to the export to other cantons or any public and private organization that wishes to employ e-voting via Internet and mobile phone. This world-wide unique solution to e-voting, which was developed in conjuncture with Unisys, was awarded the prize for best software in 2005 by the Swiss ICT society. Its compelling features were said to be its flexible 4

5 compliance with complex elections and referenda concepts, its modular structure allowing for extension, and its remarkably high security standard. The actual e-voting system for Internet-based elections and referenda can be found at: A fully working emulation of the Zurich e-voting system for Internet and mobile phone elections and referenda can be tested at: We are grateful for any comments and suggestions. References 1. A.S. Belenky and R.C. Larson, To Queue or not to Queue?, OR/MS Today, June 2006, pp D.W. Jones and P.G. Neumann, Interview: A Conversation with Douglas W. Jones and Peter G. Neumann. ACM Queue, November 2006, pp R. Krimmer (ed.), Electronic Voting, Proceedings of the 2 nd International Workshop, Gesellschaft für Informatik, Bonn, Köllen Druck+Verlag GmbH, Bonn, J. Kitcat, Source Availability and e-voting: An Advocate Recants. Communications of the ACM, October 2004/Vol. 47, No. 10, pp B. Simons, Electronic Voting Systems: the Good, the Bad, and the Stupid. ACM Queue, October 2004, pp J. Grove, ACM Statement of Voting Systems. Communications of the ACM, October 2004/Vol. 47, No. 10, pp Giampiero E.G. Beroggi is director of the Statistical Office of the Canton Zurich, Switzerland. He is also professor at the Zurich School of Business Administration teaching decision support systems. He received a PhD from Rensselaer Polytechnic Institute, Troy, New York. He is senior member of IEEE and member of the IEEE Computer Society. Contact him at gb@fhhwz.ch. 5

6 Chronology of the Zurich e-voting System - February 1998: Swiss Government defines as part of its ICT strategy the need to test the use of ICT for democratic decision making processes. - August 2000: Swiss Government mandates Federal Chancellery to study the feasibility for e-voting - June 2002: Swiss Parliament creates legal basis for e-voting pilot study - February 2002: Federal Chancellery signs contract with Ministry of the Interior of the Canton Zurich to participate in the e-voting pilot study - October 2003: Unisys wins the bid to develop the Zurich e-voting system and starts its development according to strict specifications - December 2004: first e-voting in Canton Zurich through Internet and mobile phone for the election of the 70 members of the university student board with 93% e-voting participation; of the 1767 people participating in the election, 1582 used the Internet and 205 the mobile phone: only one person used the traditional ballot box - October 2005: first e-voting election in the city of Bulach with a 37% e-voting participation - November 2005: first e-voting for federal and regional voting in three communities with 37% of e-voting participation - April 2006: first e-voting through Internet and mobile phone world-wide for proportional election system with 20% e-voting participation - July 2006: end of pilot project and beginning of regular use of e-voting for any upcoming elections and referenda Table 1: The timeframe for the introduction of e-voting in the Canton of Zurich, Switzerland. 6

7 Figure 1: The concept of the Zurich e-voting system. 7

8 Figure 2: e-voting through the Internet. 8

9 Figure 3: e-voting with mobile phones. 9

10 Figure 4: Secure housing of e-voting infrastructure. 10

11 Figure 5: Real-time monitoring of votes cast through e-voting or regular ballot vote. 11