Citizen engagement and compliance with the legal, technical and operational measures in iVoting

Michel Chevallier Geneva State Chancellery


Page 1: Michel Chevallier Geneva State Chancellery

Chancellerie d'Etat

Michel Chevallier
Geneva State Chancellery

Citizen engagement and compliance with the legal, technical and operational measures in iVoting

Page 2: Michel Chevallier Geneva State Chancellery

Setting the stage

  • Turnout is low in many modern democracies
  • Does easy voting mean more voting?
  • Postal vote (introduced 1995) increased turnout by 20 percentage points
  • After 5 years of postal voting, 95% of votes come in by post
  • Yet, 40%-45% of citizens still do not vote
  • Can we reach them through a new delivery channel?
  • To see it for ourselves, we began iVoting in 2003
  • We run 3 channels: postal vote, iVote and polling station

Page 3: Michel Chevallier Geneva State Chancellery

Our perimeter of compliance

  • As we are handling protected data – the voters' register, the votes – we must comply with strict rules
  • iVoting must be at least as secure as postal voting: this is the benchmark set by the federal authorities
  • It is given legal form in the federal constitution, in the federal law on political rights and its ordinance, and in the Geneva cantonal constitution and legislation
  • These texts define our perimeter of compliance

Page 4: Michel Chevallier Geneva State Chancellery

What are the rules?

The law states technically neutral yet very specific security rules to be implemented:

  • One citizen, one vote
  • Impossibility to capture or alter a substantial amount of votes
  • All ballots must be counted for the final result
  • No third party must see a vote (protection of the vote secrecy)
  • Ballots must be encrypted in the voter's PC, for the transmission procedure
    (anonymity of the votes)
  • IT application linked to vote process must be split from all other IT apps
  • During ballot opening time, interventions on the IT system must be performed jointly by at least two persons and recorded in a log book
  • Before every ballot, authorities must check the hardware, software, organisation and procedures according to the current best practices
  • An independent 3rd party endorsed by the Confederation must confirm that all safety measures are met and that the system works properly

(protection of the citizens' choice)

Page 5: Michel Chevallier Geneva State Chancellery

Defining the right perspective

  • Like notes on a score, laws must be interpreted
  • In most people's view, the security of electronic voting is associated with voter ID protection and vote secrecy
  • It boils down to a user-centric approach: "I want to be protected from my neighbour sniffing on me"
  • The correct approach is a society-wide one
  • The society requires trust and certainty, i.e. accurate ballot results that reflect correctly the voters' intent
  • Protecting the community against iVoting misuse means therefore protecting the data integrity

Page 6: Michel Chevallier Geneva State Chancellery

Tales of two worlds

  • Two worlds unite in iVoting, the real one and the virtual one
  • We have to manage both harmoniously

Page 7: Michel Chevallier Geneva State Chancellery

The real world

Page 8: Michel Chevallier Geneva State Chancellery

Physical identity

  • It is tempting to use a token based on the X.509 norm to identify the voter
  • This would raise more problems than it would bring solutions
  • The identity control would be delegated to the browser
  • We would not be able to know who is behind the keyboard
  • Therefore, we combine something that the voter owns (the PIN code reproduced on his voting card) with something he knows (his birth date and municipality of origin)
  • The voting card is a numerical ID with time-limited validity

Page 9: Michel Chevallier Geneva State Chancellery

The voting card

[Image: the voting card; labels: iVoting, Paper-based ballot]

Page 10: Michel Chevallier Geneva State Chancellery

The virtual world

Page 11: Michel Chevallier Geneva State Chancellery

Three contexts – three features

  • There are three contexts or environments that we must take into account in the virtual world:
    • The voter's PC
    • The internet
    • The State's IT system (electoral register and vote processing application)
  • We only control one of these: the State's IT system
  • Our challenge is to ensure data protection in uncontrolled environments

Page 12: Michel Chevallier Geneva State Chancellery

Change of paradigm

  • In our approach to security, we have changed paradigm
  • In the past, we operationalized the legal rules one by one
  • This imposed trade-offs between usability and security
  • This illustrates our old approach
  • We have now adopted a systemic approach
  • We view the system as a platform to be secured – including the web and the voters' device
  • The voting application is "plugged" into this platform
  • Security is our main business, voting is a side-offer

[Figure: "A simple case: the relationship security/user friendliness"; axes: User friendliness, Security; caption: "The world as it is"]

Page 13: Michel Chevallier Geneva State Chancellery

A word about the procedures

  • Auditing by the Confederation
  • Systematic splitting of crucial data:
    • Anonymisation of the voters' register – you are but a number in our files
    • Anonymisation of the vote by splitting the vote from the voter's authentication parameters
  • Permanent electoral commission, created when online voting was introduced in the law as additional watchdog
  • ISO 27001 certification process achieved – for budgetary reasons, we will not seek the actual certification
  • ISO 27001 means that all procedures are documented and their implementation can be checked by the electoral commission

Page 14: Michel Chevallier Geneva State Chancellery

The secure channel

  • The SSL protocol is vulnerable on two accounts:
    • Because it is activated by the browser, it can be easily compromised
    • It can be broken by brute force attack
  • The secure channel (a Java applet) fulfils a triple function:
    • It provides a second encryption layer on top of the SSL, without having any link to the browser
    • It checks whether the messages we receive from the voters are coherent with a normal voting procedure
    • By doing this, it keeps the malware that might have infected your PC away from our IT system
  • The secure channel encryption key is made of true random numbers generated by a quantum generator

Page 15: Michel Chevallier Geneva State Chancellery

SSL without secure channel

[Figure, "SSL only": the ballot text (Wahlgang | Scrutin | Scrutinio | Scrutini | Poll; Ja | Oui | Si | Gea | Yes; Nein | Non | No | Na | No) appears twice, with a "Hacker" between the two copies]

Page 16: Michel Chevallier Geneva State Chancellery

SSL with secure channel

[Figure: the ballot heading (Wahlgang | Scrutin | Scrutinio | Scrutini | Poll), a "Hacker", and the string "DEMK3A2#3KKJLJNJ{@3*BSÉ1=" followed by question marks; caption: "What you see is unreadable"]

Page 17: Michel Chevallier Geneva State Chancellery

Guaranteed ballot box integrity

  • The coherence control performed by the applet guarantees the integrity of the ballot box's content
    • We know for sure that it is possible to read the ballots
    • We know for sure it does not contain any incoherent result
  • A second control is provided by the test ballot box
    • The electoral commission owns the ballot box's encryption keys in application of the principle of segregation of duties
    • Its members vote in an imaginary constituency and also record their votes on paper
    • Comparing this constituency's electronic ballots with the paper notes provides a confirmation that the system does not introduce a bias

Page 18: Michel Chevallier Geneva State Chancellery

A large controlled perimeter

  • The strength of the polling station resides in the control by the State of the voting and ballot counting premises
  • Postal voting weakens this control
  • The secure channel contributes to re-establishing State control over the full voting perimeter
  • The hardening of all IT levels (vote application, OS, hardware and network) also contributes to recreating conditions close to the polling station's
  • We are already past our government-defined benchmark, postal voting

Page 19: Michel Chevallier Geneva State Chancellery

A large controlled perimeter: illustration

[Diagram. Components: citizen, browser, internet, firewall, 443, IDS/IPS, web server, IDS/IPS, application server, electronic ballot box, voters' register, consoles, cryptographic factory, quantum generator. Two outlines are marked: "Controlled perimeter without secure channel" and "Controlled perimeter with secure channel (in this case, port 80 is being used instead of port 443)"]

Page 20: Michel Chevallier Geneva State Chancellery

The control code

The control code fulfils two functions:

  • It confirms to the voter that she is connected to the State of Geneva voting web site (as we know that hardly anybody ever checks the site's certificate)
  • It allows us to embed the voters' choices in an image, thus adding noise to the message

This code is different for each citizen

It changes for each ballot

You find it on the voting card

Page 21: Michel Chevallier Geneva State Chancellery

The control code (continued)

Page 22: Michel Chevallier Geneva State Chancellery

A few other measures

  • No connection electronic ballot box/voters' register
  • Voters' register only contains voting card numbers
  • eBallot box has a built-in encrypted device to record the number of cast votes
  • This device is off-limits for the database administrator; no vote can be subtracted without us noticing
  • Altering the votes is impossible: the ballot box's encryption key is owned by the electoral commission
  • The ballot box is shaken before being decrypted in order to alter the ballots' reading order
  • Helpdesk calls are screened for feedback
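The separation described on this slide, together with the coherence check from the secure channel slide, can be sketched as follows. This is an added example, not code from the Geneva system: all class and function names are hypothetical, ballots are kept in clear (encryption and the voter's PIN/birth date check are left out), and a plain integer stands in for the separate cast-vote counter device.

```python
import secrets

class VotersRegister:
    """Holds voting card numbers only: no names, no ballots."""
    def __init__(self, card_numbers):
        self._unused = set(card_numbers)

    def consume(self, card_number):
        # One citizen, one vote: each card number works once.
        if card_number not in self._unused:
            return False
        self._unused.remove(card_number)
        return True

class BallotBox:
    """Stores ballots with no reference to the card that cast them."""
    def __init__(self, allowed_answers):
        self._allowed = allowed_answers   # question -> set of valid answers
        self._ballots = []
        self._counter = 0   # stand-in for the separate cast-vote counter

    def is_coherent(self, ballot):
        # Exactly the expected questions, each with an allowed answer.
        return (ballot.keys() == self._allowed.keys()
                and all(ballot[q] in self._allowed[q] for q in ballot))

    def cast(self, ballot):
        if not self.is_coherent(ballot):
            return False
        self._ballots.append(dict(ballot))
        self._counter += 1
        return True

    def open(self):
        # A mismatch means ballots were added or removed behind the counter.
        if len(self._ballots) != self._counter:
            raise RuntimeError("ballot count differs from cast-vote counter")
        shuffled = list(self._ballots)
        secrets.SystemRandom().shuffle(shuffled)  # break the arrival order
        return shuffled

def vote(register, box, card_number, ballot):
    # Check coherence first so a rejected message does not use up the card.
    if not box.is_coherent(ballot):
        return "rejected"
    if not register.consume(card_number):
        return "card unknown or already used"
    box.cast(ballot)
    return "accepted"
```

Because the register and the ballot box share no key, neither store alone can link a card number to a choice, and the counter comparison in `open()` is what makes a removed ballot visible.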

Page 23: Michel Chevallier Geneva State Chancellery

The iVote users

Page 24: Michel Chevallier Geneva State Chancellery

Two publics

  • There are two publics for iVoting:
    • The Swiss living abroad
    • The Swiss residents
  • iVoting offers the expatriates an effective way to exercise their political rights (at last)
  • For them, iVoting makes a qualitative difference
  • Between 35% and 50% of all votes cast from abroad are electronic votes
  • When evaluating this figure, consider that the border is 5 km away and that "abroad" begins 5 km from here

Page 25: Michel Chevallier Geneva State Chancellery

Residents: iVoting appeals to young voters

[Chart: weight of the different age groups (18-29, 30-39, 40-49, 50-59, 60-69, 70-79) among active voters without eVote and with eVote, shown against the demographical weight of the age groups; scale up to 100%]

With eVote, the younger voters cast their ballot according to their demographic weight

Page 26: Michel Chevallier Geneva State Chancellery

No men/women digital divide

[Chart: online voting behavior by men and women across the age groups 18-29, 30-39, 40-49, 50-59, 60-69, 70-79, shown against the demographical weight of the age groups; scale up to 100%]

Until 50, vote online according to their demographic weight

Their behavior through age is similar to the (parallel lines)

Page 27: Michel Chevallier Geneva State Chancellery

Two voting channels, two styles

[Chart: postal vote and eVote by ballot week (1st, 2nd and 3rd ballot week); values shown: 44%, 52%]

Page 28: Michel Chevallier Geneva State Chancellery

The search for a driver

  • Why do some voters use iVote?
  • Do the iVote users have anything in common?
  • Multifactor analysis shows that socio-demographic and political preference variables have no explanatory value
  • I can't anticipate your voting channel based on your age, gender, income or education
  • I can't anticipate your voting channel based on your political opinion

Page 29: Michel Chevallier Geneva State Chancellery

What eVote users have in common

Subjectively

  • They assess positively their own IT skills
  • They trust online information, communication and transactions

Objectively

  • They use the web on a daily basis
  • They have broadband access

Page 30: Michel Chevallier Geneva State Chancellery

A broken barrier

  • While 22%-25% of all voters use internet
    • 55.5% of usual abstainers use it
    • 18.7% of regular voters use it
  • Online voting breaks an invisible barrier that keeps many voters away from politics
  • Internet voting reaches further, it touches citizens more distant from politics
  • Internet voting makes a paradigmatic difference, it appeals to one's subjectivity or way of life

Page 31: Michel Chevallier Geneva State Chancellery

The hosting process

  • The conception of our platform allows a great deal of versatility
  • We took advantage of this to propose to other Swiss cantons that we host their citizens on our system
  • We are currently working with three cantons, hosting their expatriates (some 25'000 citizens altogether)
  • To manage this project and keep these cantons in-line, we have set up a user group
  • The user group is an added security factor because it forces us to rethink and optimise our procedures

Page 32: Michel Chevallier Geneva State Chancellery

Hosting illustrated

[Diagram: hosted canton and hosting canton. Labels: Ballot type (date, topic, etc.), Ballot description, Electoral register of the hosted canton, Electoral register, Voters id / authentication, Print file, Voting cards, Voting material, Voters, E-voting, electronic ballot box, Postal voting recording, Results – Turnout, Publication; steps numbered 1 to 6]

Page 33: Michel Chevallier Geneva State Chancellery

A last word

  • iVoting is totally different from any other "e" project
  • It cannot live on without trust
  • How did we achieve it? By a very careful project management approach
  • We went on slowly, never forcing the politicians
  • As we would like to capitalize on our achievements, we licensed two private companies to commercialize our system outside of Switzerland

Page 34: Michel Chevallier Geneva State Chancellery

Thank you for your attention

www.ge.ch/evoting

michel.chevallier@etat.ge.ch