Citizen engagement and compliance with the legal, technical and operational measures in iVoting
Michel Chevallier
Geneva State Chancellery
Chancellerie d'Etat

Setting the stage

Turnout is low in many modern democracies

Does easy voting mean more voting?

Postal vote (introduced 1995) increased
turnout by 20 percentage points

After 5 years of postal voting,
95% of votes come in by post

Yet, 40%-45% of citizens still do not vote

Can we reach them through a new delivery channel?
To see for ourselves, we began iVoting in 2003

We run 3 channels: postal vote, iVote and polling station

Our perimeter of compliance

As we are handling protected data – the voters'
register, the votes – we must comply with strict rules

iVoting must be at least as secure as postal voting:
this is the benchmark set by the federal authorities

It is translated into law in the federal constitution,
in the federal law on political rights and its ordinance,
and in the Geneva cantonal constitution and legislation

These texts define
our perimeter of compliance

What are the rules?

The law states technology-neutral yet very specific security rules to be implemented:

One citizen, one vote
Impossibility to capture or alter a substantial amount of votes (protection of the citizens' choice)
All ballots must be counted for the final result
No third party must see a vote (protection of the vote secrecy)
Ballots must be encrypted in the voter's PC, for the transmission procedure (anonymity of the votes)

The IT application linked to the vote process must be split from all other IT apps
During ballot opening time, interventions on the IT system must be performed jointly by at least two persons and recorded in a log book
Before every ballot, authorities must check the hardware, software, organisation and procedures according to the current best practices
An independent 3rd party endorsed by the Confederation must confirm that all safety measures are met and that the system works properly

Defining the right perspective

Like notes on a score, laws must be interpreted

In most people's view, the security of electronic voting is
associated with voter ID protection and vote secrecy

It boils down to a user-centric approach: "I want
to be protected from my neighbour sniffing on me"

The correct approach is a society-wide one

The society requires trust and certainty, i.e. accurate
ballot results that reflect correctly the voters' intent

Protecting the community against iVoting misuse
therefore means protecting data integrity

Tales of two worlds


Two worlds unite in iVoting, the real one and the virtual one
We have to manage both harmoniously

The real world

Physical identity
It is tempting to use a token based on the X.509 standard to identify the voter
This would raise more problems than it would bring solutions
The identity control would be delegated to the browser
We would not be able to know who is behind the keyboard

Therefore, we combine something that the voter owns
(the PIN code reproduced on his voting card)
with something he knows
(his birth date and municipality of origin)

The voting card is a numerical ID with time-limited validity

The voting card
[Image: the voting card, with its "iVoting" and "Paper-based ballot" parts labelled]

The virtual world

Three contexts – three features

There are three contexts or environments
that we must take into account in the virtual world
The voter's PC
The internet
The State's IT system (electoral register and vote processing application)

We only control one of these: the State's IT system
Our challenge is to ensure data protection in uncontrolled environments

Change of paradigm
In our approach to security, we have changed paradigm
In the past, we operationalized the legal rules one by one
This imposed trade-offs between usability and security
This illustrates our old approach
[Figure: "The world as it is. A simple case: the relationship security/user friendliness"; axes: Security, User friendliness]

We have now adopted a systemic approach
We view the system as a platform to be secured – including the web and the voters' device
The voting application is "plugged" into this platform
Security is our main business, voting is a side-offer

A word about the procedures

Auditing by the Confederation

Systematic splitting of crucial data:
  Anonymisation of the voters' register – you are but a number in our files
  Anonymisation of the vote by splitting the vote from the voter's authentication parameters

Permanent electoral commission, created when online
voting was introduced in the law as additional watchdog

ISO 27001 certification process achieved – for budgetary
reasons, we will not seek the actual certification

ISO 27001 means that all procedures are documented
and their implementation can be checked
by the electoral commission

The secure channel

The SSL protocol is vulnerable on two accounts:
  Because it is activated by the browser, it can be easily compromised
  It can be broken by brute force attack

The secure channel (a Java applet) fulfils a triple function:
  It provides a second encryption layer on top of the SSL, without having any link to the browser
  It checks whether the messages we receive from the voters are coherent with a normal voting procedure
  By doing this, it keeps the malware that might have infected your PC away from our IT system

The secure channel encryption key is made of
true random numbers generated by a quantum generator

SSL without secure channel
[Figure: the ballot (Wahlgang | Scrutin | Scrutinio | Scrutini | Poll; Ja | Oui | Si | Gea | Yes; Nein | Non | No | Na | No) appears twice in clear text, next to a "Hacker" label]

SSL with secure channel
[Figure: the ballot heading is followed by scrambled characters, with "????" next to the "Hacker" label]

Guaranteed ballot box integrity

The coherence control performed by the applet guarantees the integrity of the ballot box's content
  We know for sure that it is possible to read the ballots
  We know for sure it does not contain any incoherent result

A second control is provided by the test ballot box
  The electoral commission owns the ballot box's encryption keys in application of the principle of segregation of duties
  Its members vote in an imaginary constituency and also record their votes on paper
  Comparing this constituency's electronic ballots with the paper notes provides a confirmation that the system does not introduce a bias

A large controlled perimeter

The strength of the polling station resides in the control
by the State of the voting and ballot counting premises

Postal voting weakens this control

The secure channel contributes to re-establishing
State control over the full voting perimeter

The hardening of all IT levels (vote application, OS, hardware
and network) also contributes to recreating conditions
close to the polling station's

We are already past our government-defined benchmark,
postal voting

A large controlled perimeter: illustration
[Figure: network diagram contrasting the controlled perimeter without secure channel and the controlled perimeter with secure channel (in this case, port 80 is being used instead of port 443); labelled elements: citizen, browser, internet, 443, IDS/IPS, firewall, web server, application server, electronic ballot box, voters' register, consoles, cryptographic factory, quantum generator]

The control code

The control code fulfils two functions:

It confirms to the voter that she is connected to the
State of Geneva voting web site (as we know that hardly
anybody ever checks the site's certificate)

It allows us to embed the voters' choices in an image,
thus adding noise to the message

This code is different
for each citizen

It changes for each ballot

You find it on the voting card

The control code (continued)

A few other measures







No connection electronic ballot box/voters' register
Voters' register only contains voting card numbers
eBallot box has a built-in encrypted device to record the number of cast votes
This device is off-limits for the database administrator; no vote can be subtracted without us noticing
Altering the votes is impossible: the ballot box's encryption key is owned by the electoral commission
The ballot box is shaken before being decrypted in order to alter the ballots' reading order
Helpdesk calls are screened for feedback
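The register/ballot box separation, the vote counter and the shaking listed above, sketched as an added example that is not the Geneva system's code. Ballots are opaque byte strings constructed for the demo, the "built-in encrypted device" is modelled as an HMAC-protected counter (an assumption), and all class and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

class Register:
    """Voters' register: voting card numbers only, no names and no votes."""
    def __init__(self, card_numbers):
        self._unused = set(card_numbers)
        self.used = 0

    def consume(self, card_number):
        if card_number not in self._unused:
            return False                 # unknown card or second attempt
        self._unused.remove(card_number)
        self.used += 1
        return True

class BallotBox:
    """Stores opaque encrypted ballots; never receives a card number."""
    def __init__(self, counter_key):
        self.ballots = []                # the table a database admin could edit
        self._key = counter_key          # assumed out of the admin's reach
        self._count = 0
        self._tag = self._mac(0)

    def _mac(self, n):
        return hmac.new(self._key, str(n).encode(), hashlib.sha256).digest()

    def cast(self, encrypted_ballot):
        self.ballots.append(encrypted_ballot)
        self._count += 1
        self._tag = self._mac(self._count)

    def close(self, register):
        """Reconcile the three counts, then shake the box before decryption."""
        if not hmac.compare_digest(self._tag, self._mac(self._count)):
            raise ValueError("vote counter was modified")
        if not (self._count == len(self.ballots) == register.used):
            raise ValueError("ballot count does not reconcile")
        shaken = list(self.ballots)
        secrets.SystemRandom().shuffle(shaken)   # break the arrival order
        return shaken

def cast_vote(register, box, card_number, encrypted_ballot):
    """The card number stops at the register; only the ballot goes on."""
    if not register.consume(card_number):
        return False
    box.cast(encrypted_ballot)
    return True
```

Because the box holds no card numbers, the only link between a voter and a ballot would be arrival order, which is what the shuffle in `close` removes.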

The iVote users

Two publics

There are two publics for iVoting:
The Swiss living abroad
The Swiss residents

iVoting offers the expatriates an effective way
to exercise their political rights (at last)
For them, iVoting makes a qualitative difference
Between 35% and 50% of all votes cast from abroad
are electronic votes
In evaluating this figure, consider that the border
is 5 km away and that "abroad" begins 5 km from here

Residents: iVoting appeals to young voters
[Chart: by age group (18-29, 30-39, 40-49, 50-59, 60-69, 70-79), the weight of the different age groups among active voters with eVote and without eVote, compared with the demographical weight of age groups]

With eVote, the younger voters cast their ballot
according to their demographic weight

No men/women digital divide
[Chart: online voting behavior by men and by women, against the demographical weight of age groups; age groups 18-29, 30-39, 40-49, 50-59, 60-69, 70-79]

Until 50, [...] vote online according to their demographic weight
Their behavior through age is similar to the [...] (parallel lines)

Two voting channels, two styles
[Chart: postal vote and eVote by ballot week (1st, 2nd and 3rd week); vertical axis from 0% to 60%]

The search for a driver

Why do some voters use iVote?

Do the iVote users have anything in common?

Multifactor analysis shows that socio-demographic and
political preference variables have no explanatory value

I can't anticipate your voting channel based on your age,
gender, income or education

I can't anticipate your voting channel based on your
political opinion

What eVote users have in common

Subjectively
They assess positively their own IT skills
They trust online information, communication and transactions

Objectively
They use the web on a daily basis
They have broadband access

A broken barrier

While 22%-25% of all voters use internet
55.5% of usual abstainers use it
18.7% of regular voters use it

Online voting breaks
an invisible barrier that keeps
many voters away from politics

Internet voting reaches further,
it touches citizens more distant from politics

Internet voting makes a paradigmatic difference,
it appeals to one's subjectivity or way of life

The hosting process

The conception of our platform allows
a great deal of versatility

We took advantage of this to offer
other Swiss cantons the hosting of their citizens on our system

We are currently working with three cantons, hosting
their expatriates (some 25'000 citizens altogether)

To manage this project and keep these cantons in line,
we have set up a user group

The user group is an added security factor because
it forces us to rethink and optimise our procedures

Hosting illustrated
[Diagram: exchanges between the hosting canton and the hosted canton, numbered 1 to 6; labels: ballot type (date, topic, etc.), ballot description, voters' ID / authentication, electoral register, electoral register of the hosted canton, voting material, voting cards, voters, electronic ballot box, results and turnout, postal voting recording, publication]

A last word

iVoting is totally different from any other "e" project

It cannot live on without trust

How did we achieve it? By a very careful project
management approach

We went on slowly, never forcing the politicians

As we would like to capitalize on our achievements,
we licensed two private companies to commercialize
our system outside of Switzerland

Thank you for your attention
www.ge.ch/evoting
michel.chevallier@etat.ge.ch