Internet Voting in Geneva
Etopia Media Voting News
Geneva, Switzerland
December 9, 2004
By Marc Strassman
Reporter
With the demise in early February, 2004, of the Pentagon's Secure Electronic Registration and Voting System (SERVE), the new legal requirement that the Election Assistance Commission (EAC) create Remote Internet Voting System Standards (RIVSS) before the Defense Department can conduct any Internet voting, and the failure of the EAC to move forward to create these standards, the development of a system for secure remote Internet voting has reached a dead-end in the United States.
But "democracy" is not necessarily the same thing as the political culture of the United States, and, both as an ideal and a practical reality, it is not limited to what is being done, or not being done, in that country to foster it.
Long a bastion of democracy and the flagship municipality of humanitarianism, Geneva, Switzerland is also the home of CERN (Organisation Europ?enne pour la Recherche Nucl?aire/ European Organization for Nuclear Research), where the World Wide Web was born. Drawing on, combining, and extending these separate threads, Geneva has now taken the lead in the development of a modern, secure, technodemocratic solution to ascertaining the collective popular will over the Internet.
Driven by the political needs of the State of Geneva and implemented through the cooperation of an indigenous start-up company and the transnational technogiant Hewlett-Packard, the citizens of this Swiss state have already been able to use the most modern of technologies to exercise their most ancient democratic rights.
You can read about this development in the article "E-business moves to elections," by Dan Blacharski, in ITworld.com.
As reported in that article, this new and innovative system for collecting ballots on line was developed through the combined efforts of the state government of Geneva, the local/global company WISeKey, and the Swiss component of the world-wide operations of Palo Alto, California-based Hewlett-Packard.
Etopia Media Voting News (EMVN) was able to contact and remotely and asynchronously interview Michel Chevallier, Secr?taire adjoint, Chancellerie d'Etat, Geneva, on the subject of that jurisdiction's use of the latest in secure, remote Internet voting systems. The responses of Mr. Chevallier are featured below in bold text.
In a subsequent asynchronous interview, EMVN was also able to get some answers about the Geneva State e-voting system from officials at HP Switzerland. The HP responses, featured below in italic text, were provided jointly by Jean-Max Arbez, GM HP Suisse Romande (or "General Manager of HP Switzerland, for the French speaking regions of the country") and Maryse Rebillot, HP Switzerland PR manager and communications lead for the Geneva State e-voting project.
The comments of Mr. Chevallier in this interview make it clear that the main differences between the Swiss context for Internet voting and the American one is that the Swiss seem to trust each other a lot more than Americans these days do and that the structure of official Swiss data collection and control lends itself more readily to the identification protocols used in their remote Internet voting system.
Importing a version of the system now in use in this eurodemocracy into the United States might require either or both more mutual trust and more suitable public data policies. It's even possible that the institution of a sufficiently-robust public data architecture could in itself contribute significantly to the creation of a level of public trust sufficient to support remote Internet voting in the United States.
Here are the questions posed to and the answers provided by the most-knowledgeable people regarding the creation and operation of the Geneva State e-voting solution:
1. How did Hewlett-Packard Switzerland get together with WISeKey? What was the nature of the commercial relationship between the two for the purposes of this project? Which of them owns (or do they own jointly) the technologies developed and used in this election?
Geneva State actually recommended WISekey company to HP to cover all the authentication aspects of the solution. Geneva State wanted to benefit from WISekey?s expertise in this field in order to make the system still more secured. HP and WISekey are then just partners within the framework of this project, each company bringing up its own technology and knowledge.
2. What existing means were there before this project for electronically identifying and securing the identity of Swiss voters? Was a means of electronically identifying them for the purposes of voting already in place or was it necessary to start from scratch? Or did the voting system rely on and expand or deepen means already in place?
You must not see this system as purely technical. There are technical bits, procedures, a legal basis and the trust the public has for its authorities and election department. Actually, the trust is high in Switzerland, that?s a facilitating factor. When we generalised postal voting in 1995 (meaning everybody could chose between postal voting and polling station voting), we made a first step towards internet voting by introducing remote voting. Since we couldn?t anymore check the voters? ID at the polling station, we introduced a voting card you must sign and where you must add your birth date (there is no public registry of birth dates, so no-one outside your relatives can know it), before sending it back with your postal ballot sealed in a second envelope. We keep theses cards from one ballot to another, to check the signatures and the birth dates. We phone routinely 2,000 persons who vote by post to check that they voted themselves and freely. We monitor retirement houses. In 10 years, we couldn?t detect a single case of fraud.
When we introduced internet voting, we went along the same lines. We simply added a pin code to the voting card. Now, you have to the voting card number into our system to be transferred to the secure server. There you vote and you authenticate your vote by ing your pin code, your birth date and your municipality of origin (= where your citizen rights come from, you inherit it from your father, normally, but you can change it over your lifetime, by wedding, divorce, etc? Here too, there is no public registry available.) That?s how we check your ID online.
3. How was the system developed? Together by the two parties or did WISeKey simply use HP networking and user device equipment as a platform for their software and processes?
The State of Geneva issued a tender that already foresaw the system?s architecture and imposed that the server be on the State?s premises and that all legal constraints be taken into account (no legal change to adapt the law to the web. The web had to adapt itself to the law). The development was a common work of the State?s IT department and HP. The State of Geneva owns the solution. The source code is available on our premises.
4. Does the system now exist as files on a CD that can be easily ported to other implementations?
No.
5. What operating system does this application run on?
HP Virtual Vault.
6. What kind(s) of user interfaces does and can it support?
Standard HTML interfaces.
7. How many voters used it? What was their reaction to the system? How easily did it collect and tabulate the votes? Were there any problems in the operation of the system? Was it available only on Election Day or for a longer period?
As for postal voting, the system is open for three weeks for federal and cantonal ballots and two weeks for municipal ballots. We are currently having our 7th ballot online (ending on November the 28th). It is a federal ballot, where 8 municipalities totaling 41,000 registered voters can vote online, by post or at the polling station on the 28th only. We also run a consultation for the Council of Europe in October, with 16,700 votes on the system.
If I make a total of all votes received during all ballots, there must be 10,000 or so, plus the 16,700 I just mentioned. The system worked fine on all occasions. We tested its resistance to load by simulating 100,000 votes a day over several days and it worked fine too. As any new and relatively complex system, we had to fine-tune it in the beginning. That?s why we had a first test with 10,000 voters before the first official ballot and that?s why we are gradually implementing it in larger constituencies. The first ballot took place in a village of 1,200 voters, we are now at 41,000 and we?ll jump next year to 80,000 and then to the whole State of Geneva (210,000 voters).
8. How does the system deal with the issue of "anonymous authentication," making it possible to unambiguously identify a voter (and remove them from the list of eligible voters after they vote) while simultaneously maintaining the privacy of that voter's electoral choices?
See above ?existing means of authentication?. The eBallot box and the voters register are separated and there is no connection between them. We mix the content of the eBallot box before emptying it, in order to prevent any matching of the entry order of a ballot and the order of cancellation of a voter from the list.
9. How did the voters identify themselves to the network/voting system?
See above ?existing means of authentication?.
10. Is the application proprietary or open source?
The solution required a specific development and therefore by default is proprietary.
11. Is or can it be made accessible to the visually- or physically-challenged in ways that would satisfy the relevant U.S. election codes?
We don?t know the US election code but we will soon adapt it for visually impaired.
12. How much did it cost to develop the system? How was that cost divided among HP, WISeKey, and any Swiss government jurisdiction?
The public authorities paid all the cost, since they ordered the solution and bought its copyright. It costs so far 2 million Swiss francs (roughly 1.5 million US dollars).
13. How did the cost of operating the system, overall and on a cost-per-vote basis, compare with in-poll voting and mail balloting?
The application is not about saving money. We never asked ourselves this question. Moreover, the answer, if we had it, would change over time. But the fact that a US journalist is interested in this solution (not to mention the many European and US media that already wrote about it) means that we made a sound investment in the Geneva goodwill.
14. How satisfied with the system were those who used it, both voters and election officials?
After the first ballots, we submitted a questionnaire to the voters. More than 90% said they liked the system. They found it user-friendly. We had of course conducted ergonomic tests before going public.
Election officials helped design it, so they can?t blame their own work!
15. What steps were taken by its creators to assure the security and integrity of the system, including in-house tests and the hiring of outside hackers to try to break it? What were the results of these controlled hacking attempts? Were there actual hacking attempts during the time the system was in use? How were they responded to? Did they crack the system?
We made all the necessary security audits and tests in order to make the solution secured. But we want to underline that the vulnerability of a system is a function of the length of time it is available online. We are never online for more than 3 weeks in a row. We upgrade steadily the system, but it is transparent to the user. We commissioned hackers outside voting period (it would be irresponsible to do otherwise) who were give up to 2 months to crack the system. They couldn?t. There were no hacking attempts, neither ?savage? nor commissioned, during the ballots. Actually, the main problem is not to build a safe central system, since the weak point in any online application is the client?s PC (your PC, my PC). The real threat is there, but then it would affect only one vote at a time.
16. Could the system be made accessible through wireless networks? What additional security would need to be added or how would the system need to be modified to ensure security in a wireless environment? Would it be HP or WISeKey or both who would need to be involved in making the system wirelessly-secure?
Wireless technology could be a possible extension and use but it implies a high level of security. HP and WISekey are however not needed to make the system wirelessly-secured.
17. Are there any particularly innovative aspects to the way this system addresses and solves the challenges of providing secure remote Internet voting? If so, how were those solutions found?
We thank you for this question. This is one of the very first real life internet voting systems and you ask whether it is innovative. All in there is innovative! In 2001, when we began development, we were alone! We couldn?t copy no-one! When we designed the architecture in 2000 (remember, it was in the call to tender), no example was available!
What we did is simple: take postal voting, reproduce it online. Then, compare the security measures that already exist in the physical world and the possibilities you have to check the accuracy of the process and then see where in comparison you?re weak online. Than, close the holes online. It takes a bit of creativity!
18. Or does it work simply by doing what others have done more elegantly or efficiently?
See above. Just keep in mind that no government did it before.
19. How scalable is the system? Could it support millions of voters at a time?
You never have millions of voters at the same time. I mentioned the load tests with 100,000 votes a day. The real question is how many servers would you have to receive these millions votes? Not all USA voters would vote on one server, would they?
It might have been a good help 4 years ago to solve the problem of the Florida vote for the presidential polling...
20. Were all its component parts, apart from the WISeKey software, sourced from HP?
No.
21. Could the system be used in other applications besides elections, including polling? Does it have other commercial applications?