Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chancellerie d'Etat Michel Chevallier Geneva State Chancellery Citizen engagement and compliance with the legal, technical and operational measures in.

Similar presentations


Presentation on theme: "Chancellerie d'Etat Michel Chevallier Geneva State Chancellery Citizen engagement and compliance with the legal, technical and operational measures in."— Presentation transcript:

1 Chancellerie d'Etat Michel Chevallier Geneva State Chancellery Citizen engagement and compliance with the legal, technical and operational measures in iVoting

2 Chancellerie d'Etat  Turnout is low in many modern democracies  Does easy voting mean more voting?  Postal vote (introduced 1995) increased turnout by 20 percentage points  After 5 years of postal voting, 95% of votes come in by post  Yet, 40%-45% of citizens still do not vote  Can we reach for them through a new delivery channel? To see it for ourselves, we began iVoting in 2003  We run 3 channels: postal vote, iVote and polling station Setting the stage

3 Chancellerie d'Etat  As we are handling protected data – the voters' register, the votes – we must comply with strict rules  iVoting must be at least as secure as postal voting: this is the benchmark set by the federal authorities  It has legal translations in the federal constitution, in the federal law on political right and its ordinance and in the Geneva cantonal constitution and legislation  These texts define our perimeter of compliance Our perimeter of compliance

4 Chancellerie d'Etat  The law states technically neutral yet very specific security rules to be implemented:  One citizen, one vote  Impossibility to capture or alter a substantial amount of votes  All ballots must be counted for the final result  No third party must see a vote (protection of the vote secrecy)  Ballots must be encrypted in the voter's PC, for the transmission procedure (anonymity of the votes)  IT application linked to vote process must be split from all other IT apps.  During ballot opening time, interventions on the IT system must be performed jointly by at least two persons and recorded in a log book  Before every ballot, authorities must check the hardware, software, organisation and procedures according to the current best practices  An independent 3rd party endorsed by the Confederation must confirm that all safety measures are met and that the system works properly What are the rules? (protection of the citizens' choice)

5 Chancellerie d'Etat  Like notes on a score, laws must be interpreted  In most people's view, the security of electronic voting is associated with voter ID protection and vote secrecy  It boils down to a user-centric approach: "I want to be protected from my neighbour sniffing on me"  The correct approach is a society-wide one  The society requires trust and certainty, i.e. accurate ballot results that reflect correctly the voters' intent  Protecting the community against iVoting misuse means therefore protecting the data integrity Defining the right perspective

6 Chancellerie d'Etat Tales of two worlds  Two worlds unite in iVoting, the real one and the virtual one  We have to manage both harmoniously

7 Chancellerie d'Etat The real world

8 Chancellerie d'Etat Physical identity  It is tempting to use a token based on the X509 norm to identify the voter  This would raise more problems than it would bring solutions  The identity control would be delegated to the browser  We would not be able to know who is behind the keyboard  Therefore, we combine something that the voter owns (the Pin code reproduced on his voting card) with something he knows (his birth date and municipality of origin)  The voting card is a numerical ID with time-limited validity

9 Chancellerie d'Etat iVoting Paper-based ballot The voting card

10 Chancellerie d'Etat The virtual world

11 Chancellerie d'Etat Three contexts – three features  There are three contexts or environments that we must take into account in the virtual world  The voter's PC  The internet  The State's IT system (electoral register and vote processing application)  We only control one of these: the State's IT system  Our challenge is to ensure data protection in uncontrolled environments

12 Chancellerie d'Etat  In our approach to security, we have changed paradigm  In the past, we operationalized the legal rules one by one  This imposed trade-offs between usability and security  This illustrates our old approach  We have now adopted a systemic approach  We view the system as a platform to be secured – including the web and the voters' device  The voting application is "plugged" into this platform  Security is our main business, voting is a side-offer Change of paradigm

13 Chancellerie d'Etat  Auditing by the Confederation  Systematic splitting of crucial data:  Anonymisation of the voters' register – you are but a number in our files  Anonymisation of the vote by splitting the vote from the voter's authentication parameters  Permanent electoral commission, created when online voting was introduced in the law as additional watchdog  ISO certification process achieved – for budgetary reasons, we will not seek the actual certification  ISO means that all procedures are documented and their implementation can be checked by the electoral commission A word about the procedures

14 Chancellerie d'Etat The secure channel  The SSL protocol is vulnerable on two accounts:  Because it is activated by the browser, it can be easily compromised  It can be broken by brute force attack  The secure channel (a java applet) fulfils a triple function:  It provides an second encryption layer on top of the SSL, without having any link to the browser  It checks whether the messages we receive from the voters are coherent with a normal voting procedure  By doing this, it keeps the malware that might have infected your PC away from our IT system  The secure channel encryption key is made of true random numbers generated by a quantum generator

15 Chancellerie d'Etat   Ja | Oui | Si | Gea | Yes Nein | Non | No | Na | No Wahlgang | Scrutin | Scrutinio | Scrutini | Poll Hacker   Ja | Oui | Si | Gea | Yes Nein | Non | No | Na | No Wahlgang | Scrutin | Scrutinio | Scrutini | Poll SSL without secure channel SSL only

16 Chancellerie d'Etat DEMK3A2#3KKJLJN SÉ1= Wahlgang | Scrutin | Scrutinio | Scrutini | Poll Hacker SSL with secure channel What you see is unreadable What you see is unreadable ???? ?

17 Chancellerie d'Etat Guaranteed allot box integrity Guaranteed b allot box integrity  The coherence control performed by the applet guarantees the integrity of the ballot box's content  We know for sure that it is possible to read the ballots  We know for sure it does not contain any incoherent result  A second control is provided by the test ballot box  The electoral commission owns the ballot box's encryption keys in application of the principle of segregation of duties  Its members vote in a imaginary constituency and also record their votes on paper  Comparing this constituency's electronic ballots with the paper notes provides a confirmation that the system does not introduce a bias

18 Chancellerie d'Etat A large controlled perimeter TThe strength of the polling station resides in the control by the State of the voting and ballot counting premises PPostal voting weakens this control TThe secure channel contributes re-establishing State control over the full voting perimeter TThe hardening of all IT levels (vote application, OS, hardware and network) also contributes recreating conditions close to the polling station's WWe are already past our government defined benchmark, postal voting

19 Chancellerie d'Etat firewallweb server voters' register consoles browserinternet 443 IDS/IPS application server Cryptographic factory quantum generator Controlled perimeter without secure channel citizen electronic ballot box A large controlled perimeter: illustration Controlled perimeter with secure channel (in this case, port 80 is being used instead of port 443)

20 Chancellerie d'Etat The control code  The control code fulfils two functions:  It confirms the voter that she is connected to the State of Geneva voting web site (as we know that hardly anybody ever checks the site's certificate)  It allows us to embed the voters' choices in an image, thus adding noise to the message  This code is different for each citizen  It changes for each ballot  You find it on the voting card

21 Chancellerie d'Etat The control code (followed)

22 Chancellerie d'Etat A few other measures  No connection electronic ballot box/voters' register  Voters' register only contains voting cards numbers  eBallot box has a built-in encrypted device to record the number of cast votes  This device is off-limits for the database administrator; no vote can be subtracted without us noticing  Altering the votes is impossible: the ballot box's encryption key is owned by the electoral commission  The ballot box is shaken before being decrypted in order to alter the ballots' reading order  Helpdesk calls are screened for feedbacks

23 Chancellerie d'Etat The iVote users

24 Chancellerie d'Etat Two publics  There are two publics for iVoting:  The Swiss living abroad  The Swiss residents  iVoting offers the expatriates an effective way to exercise their political rights (at last)  For them, iVoting makes a qualitative difference  Between 35% and 50% of all votes cast from abroad are electronic votes  Consider in valuating this figure that the border is 5 km away and that "abroad" begins 5 km from here

25 Chancellerie d'Etat Residents: iVoting appeals to young voters 100% Weight of the different age groups among active voters without eVote Weight of the different age groups among active voters with eVote  With eVote, the younger voters cast their ballot according to their demographic weight Demographical weight of age groups

26 Chancellerie d'Etat No men/women digital divide 100% Demographical weight of age groups  Until 50, vote online according to their demographic weight  Their behavior through age is similar to the (parallel lines) Online voting behavior by Men Women

27 Chancellerie d'Etat Postal vote Postal vote eVote eVote 44% 52% 3rd ballot week2nd ballot week1st ballot week Two voting channels, two styles

28 Chancellerie d'Etat The search for a driver  Why do some voters use iVote?  Do the iVote users have anything in common?  Multifactor analysis shows that socio-demographic and political preference variables have no explanatory value  I can't anticipate your voting channel based on your age, gender, income or education  I can't anticipate your voting channel based on your political opinion

29 Chancellerie d'Etat What eVote users have in common  Subjectively  They assess positively their own IT skills  They trust online information, communication and transactions  Objectively  They use the web on a daily basis  They have a broadband access

30 Chancellerie d'Etat A broken barrier  While 22%-25% of all voters use internet  55.5% of usual abstainers use it  18.7% of regular voters use it  Online voting breaks an invisible barrier that keeps many voters away from politics  Internet voting reaches further, it touches citizens more distant from politics  Internet voting makes a paradigmatic difference, it appeals to one's subjectivity or way of life

31 Chancellerie d'Etat  The conception of our platform allows a great deal of versatility  We took advantage of this to propose other Swiss cantons to host their citizens on our system  We are currently working with three cantons, hosting their expatriates (some 25'000 citizens altogether)  To manage this project and keep these cantons in-line, we have set up a user group  The user group is an added security factor because it forces us to rethink and optimise our procedures The hosting process

32 Chancellerie d'Etat Ballot type (date, topic, etc). 1 Voting cards Voting material Voters Publication Postal voting recording Voters id / authentication 2 Print file electronic ballot box Electoral register of the hosted canton Ballot description Hosted canton Hosting canton Results – Turnout 6 Electoral register Hosting illustrated E-voting

33 Chancellerie d'Etat A last word  iVoting is totally different from any other "e" project  It cannot live on without trust  How did we achieve it? By a very careful project management approach  We went on slowly, never forcing the politicians  As we would like to capitalize on our achievements, we licensed two private companies to commercialize our system outside of Switzerland

34 Chancellerie d'Etat Thank you for your attention


Download ppt "Chancellerie d'Etat Michel Chevallier Geneva State Chancellery Citizen engagement and compliance with the legal, technical and operational measures in."

Similar presentations


Ads by Google