i

BUILDING AN E-VOTING SYSTEM

– TECHNICAL REQUIREMENT

ANALYSIS

STUDENT NAME: Michal Musial, Nadine Friend STUDENT NUMBER: 07-113-756, 06-209-928 COURSE NAME: Seminar Electronic Government DEPARTMENT: Department of Informatics COURSE CODE: 53534 SUPERVISOR: Prof. Andreas Meier, Luis Teràn DATE OF SUBMISSION: 01 December 2011

ii

Abstract The trend in society today is towards political absenteeism and digital depend-

ence. Some governments combined these two societal developments to electronic vot-

ing. But to jump from paper ballot into internet voting requires a lot of intermediate

steps, through voting machines, remote paper ballot and then remote e-voting. During

these steps it is important to design and engineer the security of these new systems,

make them easy to use for voters and assure their performance through audit to en-

sure trust.

The focus of this paper leans on the technical requirements of the Council of Eu-

rope, which were established in 2004 and are continuously revised with help of the par-

ticipating governments. Switzerland is for example delivering reports to the Council of

Europe about the evolution of e-voting. Switzerland is one of the pioneers in e-voting.

The paper describes the required technical standards under discussion of different au-

thors and their opinions.

Keywords: e-voting, internet voting, security, usability, audit

iii

List of Tables

Figure 1 : Sensus Protocol Overview …………………………………………………… 14

Figure 2 : Norman’s interaction model ………………………………………………….. 19

iv

Table of Contents Table of Contents ............................................................................................. iv

1 Introduction ............................................................................................... 1

1.1 Background and motivation ............................................................................... 2 1.2 Problem statement and research questions ..................................................... 2 1.3 Procedure and methodology .............................................................................. 4

2 E-Voting system ........................................................................................ 5

2.1 E-Voting vision .................................................................................................... 5 2.2 Different kinds of e-Voting systems .................................................................. 5 2.3 E-Voting vs. traditional voting ? ........................................................................ 7 2.3.1 Paper voting ......................................................................................................... 7 2.3.2 Electronic voting ................................................................................................. 7 2.3.3 Other effects on the choice of the voting channel ........................................... 9 2.3.4 The choice of Switzerland ................................................................................ 10

3 Security issues ....................................................................................... 12

3.1 Why is security important? .............................................................................. 12 3.2 User data protection .......................................................................................... 13 3.3 Hacker types of attacks .................................................................................... 15 3.4 Security in Switzerland ..................................................................................... 15

4 Usability issues ....................................................................................... 17

4.1 Why is usability important? .............................................................................. 17 4.2 Achieving usability ............................................................................................ 18 4.3 Measuring usability ........................................................................................... 20

5 Performance and reliability issues ....................................................... 21

5.1 Why are performance and reliability important? ............................................ 21 5.2 Performance and reliability in Switzerland ..................................................... 23

6 Conclusions ............................................................................................ 25

Bibliography .................................................................................................... 28

1

1 Introduction “Voting is an important part of the democratic process” [Castellà-Roca 2010,

p.1]. It is a well known truth that the voter participation is decreasing, above all among

the younger generation [MoLGaRD 2006, p. 19]. The number of voters in general has

been decreasing in Europe for years (2,37% between 2004 and 2009) [EB 2009]. Since

voting strengthens the principles of democracy, it is important that people in all coun-

tries vote [CoE 2011a]. People in today’s society use information and communication

technologies more frequently in every day life, therefore the European countries have

started to “take into account of these developments in their democratic practice”

[ibidem]. At the same time, the Council of Europe decided to increase the democracy

amongst others through an electronic voting system in a project called Good Govern-

ance in the Information Society. The aim of this project was to “provide governments

and other stakeholders with new instruments and practical tools in this field and to

promote the application of existing instruments and of good and innovatory policy prac-

tice” [CoE 2011b]. The main points were legal and operational standards as well as

technical requirements [ibidem]. These requirements are followed by many European

countries, who submit frequently reports of their trials.

These requirements are adopted by many European countries and one of them

is Switzerland. Switzerland is a small country with a direct democracy, composed of 26

cantons which have large autonomy [Chevallier et al. 2006, p.1]. This multilingual soci-

ety (German, French, Italian, and Romansh) votes “every three to four months” which

is very convenient for developing e-voting systems [ibidem]. This was also the reason

to introduce internet voting because citizens had to vote too often and so the absentee-

ism rate was relatively high [MoLGaRD 2006, p. 34f]. After a survey, how a Swiss feels

about internet voting, the results showed a strong support of this new voting system.

This Federal State introduced e-voting (here: internet voting) in 1998 under the

project called Information Society, on the grounds that the right to vote should be made

accessible to everyone through the new technologies [Chevallier et al. 2006, p.1].

Since then Switzerland participated in the project of the Council of Europe and after

starting several pilot projects and it delivers form time to time reports about the pro-

gress [CoE 2010a]. The report in 2007 contained subjects like the “adoption of the

necessary legal amendments to allow the progressive introduction of electoral registers

of Swiss abroad” [ibidem]. Later, between 2009 and 2010 Switzerland even reported

about three new pilot projects and nine trial projects with revolutionary voting periods of

three weeks [CoE 2010a; MoLGaRD 2006, p. 34f]. Today Switzerland practices inter-

net voting even on the level of national elections, which is quite rare. The results of the

2

national e-elections are expected in 2013 [ibidem]. Even though the development

seems to be very positive, a representative of Switzerland at a conference at the

Council of Europe “stressed that the guidelines needed to be viewed as work in pro-

gress since the practical experiences in the field of e-voting were in constant evolution”

[CoE 2010b].

This paper is about the very big subject: the e-voting. The structure of the paper

is always separated in two parties, firstly a general introduction of a topic of choice fol-

lowed by a brief discussion about the case Switzerland at the end of each part. The se-

cond part of the paper will introduce the e-voting, different types are presented and

then discussed concerning the advantages and disadvantages. In the third part the se-

curity issues are analyzed, focusing on user data protection with the special case of

hacker attacks. The fourth part will outline the usability of e-voting systems, how it is

achieved and measured. In the fifth part the performance and reliability of an e-voting

system will be discussed. To conclude some remarks and recommendations are sug-

gested.

1.1 Background and motivation

As we live in a modern and advanced world, it is beneficial to discuss the exist-

ing elements of the future, like e-voting, to keep up-to-date [CoE 2005, p.7]. Up to this

point the society has always had mistrust in e-voting which slowed down the prolifera-

tion of these technologies [Bryans et al. 2006]. It appears to us that this subject is of a

current interest because all countries who recently participated in the Project of Good

Governance in the Information Society have delivered their reports concerning their

experiences and their further actions in e-voting [CoE 2011c]. This project Good Gov-

ernance ended in 2010 and the countries are about to develop and implement the nec-

essary technologies on their own [CoE 2011a]. It is interesting to know how exactly e-

voting is defined, what the most important subjects are, what are its pros and cons and

what are the motivations of the countries to develop e-voting.

1.2 Problem statement and research questions

The Council of Europe encourages countries to submit national reports to en-

courage information flow. Each country experiences success but is also confronted

with problems concerning e-voting. They had to test a lot of different requirements re-

garding the main points pointed out by the Council of Europe in its recommendations

for e-voting: legal, operational and technical standards [CoE 2011b]. Due to the re-

stricted size of the paper, we decided to concentrate on the most important topics of

3

the technical requirements. Another reason for choosing this specification is because

we want to focus on the user experience which is exactly the part that is replaced by

paper voting, which is different for the user.

First of all the e-voting is a big subject, discussed internationally [CoE 2008,

p.20]. Paper voting was a reliable way, proved its value over the centuries and is now

replaced by electronic voting [Lombardi 2011]. What exactly is it and what makes the

governments choose these new voting channels?

Construction of the system to vote may cause many difficulties. On one hand,

such a system should be consistent with the relevant national legal system and protect

the fundamental features of democracy [LGA 2002]. An example of the problem can

be given by the constitution, which guarantees that the elections should be secret so

the e-Voting system must ensure that no one can access voter data. Another example

could be that the Federal Constitutional Court of Germany in 2009 decides that "deter-

mination of the result can be examined by the citizen reliably and without any specialist

knowledge of the subject" [BVG 2011a]. This decision ruled out the use of currently

operating voting machines because they do not satisfy this assumption [BVG 2011b].

It is not always clear which security requirements are satisfied by e-Voting system and

which not and try to characterize them. So it is the question why the security is so im-

portant.

On the other hand e-voting system must be transparent to its users. Implemen-

tation of the system, especially one which offers a remote methods to cast votes,

should take into account user preferences and allow the user to select the method of

voting, that most suits their lifestyle and preferences. It turns out that usability of the

system can have a significant impact on increasing turnout election [Everett 2007]. In

our study we will try to specify what affects the usability of voting systems and why it is

important to take care of this aspect.

Also, performance and reliability of the system plays a major role. It assures the

functioning and suggests improvements, so that all little changes are reported, ana-

lyzed and dealt with, so that the future elections can evolve on the basis of the past

[MoLGaRD 2006, p. 14].

In this paper we discuss the most recent studies about implementation and

problems encountered by the researchers in the field of e-voting. As a guide for the pa-

pers structure serve the Recommendations of the Council of Europe from 2004, to be

exact the technical part. As technological requirements of an “e-voting systems are to-

tally independent of the situation of a particular country,” this study will precede with its

4

analysis on a general level, each part concluded with the options Switzerland has cho-

sen [Haenni et al. 2008, p.10].

1.3 Procedure and methodology

In this research paper study we will discuss the different stages the technologi-

cal requirements of the e-voting system, explain its fundamental function and give ex-

amples of successful implementations in the chosen country Switzerland. The sample

consists of a sufficient number of research papers found on internet. In the selection

process, we include the reliability and published data, because we are interested in the

recent developments of e-voting processes from serious publishers. The data consists

of articles which are found through online search machines, such as Google, web pag-

es such as EJEG and the electronic databases of the University of Fribourg, like IEEE

or Web of Knowledge.

5

2 E-Voting system E-voting stands for electronic voting. The Council of Europe defines e-voting as

followed: “An election or referendum that involves the use of electronic means in at

least the casting of the vote” [CoE 2011d, p.10].

Meier suggests that e-voting implies a lower personal involvement of the voter

than the e-election. While e-voting is more about voting for a political subject, e-

elections are about voting for a member of parliament [Meier 2009, p. 164f]. However,

in this paper the focus is on the electronic part of the voting in general and specially on

the technical requirements.

2.1 E-Voting vision

A brief introduction to the evaluation of the electronic voting should give a better

insight in the present state. The Competence Center for Electronic Voting and Partici-

pation has created a visual map of the history of e-voting in which the most important

stages of the e-voting evolution are mentioned [CCfEVaP 2011]. The very fast techno-

logical development in information technologies as we know it today, started 10 years

ago. Years ago many states started to implement e-voting, but didn’t think everything

through, so that a lot of failures were reported. The mistakes were analyzed and only

afterward these experience of failures e-voting really matured. In 2002, UK starts a trial

phase where they want to identify advantages and disadvantages of internet voting.

Estonia introduces in 2005-2007 “legally-binding internet voting” [ibidem]. Germany

verifies in 2008 the transparency issues concerning e-voting. After a bad experience

Netherlands ban the voting machines from the elections in 2008. In Austria internet vot-

ing was exercised under special conditions in 2009. The document of the Competence

Center for Electronic Voting and Participation shows, that in Estonia internet voting is a

huge success, Norway plans to introduce it and Switzerland even proposes for Swiss

living abroad. The success stories leads the society more and more towards electronic

means of voting, but as it is still not perfect, a lot of analyses and improvements must

be done to assure democratic values of the voting [ibidem].

2.2 Different kinds of e-Voting systems

The literature distinguishes between the electronic tools and further between

controlled and uncontrolled environment.

6

The International Institute for Democracy and Electoral Assistance (International

IDEA) defined four major types of these electronic means [IIDEA 2011, p.9].

Direct recording electronic (DRE) voting machines: Vote is done at a voting machine.

This type of voting can be accompanied by a paper trail or not. These paper trails have

the function to “provide physical evidence of the votes cast” [ibidem, p.12].

Optimal mark recognition systems (OMR): Machine-readable ballot papers are

scanned either at a counting centre or in the polling station.

Electronic ballot printers (EBPs): A machine prints the choice of the voter and then this

paper is inserted in the actual voting counting machine.

The e-voting handbook of the Council of Europe describes the fourth tool more in detail

than the International IDEA.

Internet voting systems: The voter is connected to an official central counting server

and sends his vote to the central counting station [CoE 2010c].

The first three tools are only used in a controlled environment. This could be at

a polling station, a polling kiosk or also schools, offices, malls but “under the control of

election officials” [IPI 2001, p.2]. Internet voting can not only be used under official su-

pervision but also at a private site, for example at home or school [ibidem]. This kind of

voting can be operated even from abroad. Such unsupervised internet voting is often

called remote internet voting or sometimes also VOI (voting over the internet) [IPI 2001,

p.2; MoLGaRD 2006, p. 25f].

To conclude on the various means of voting, remote voting is mainly used in

small countries with a conflict-free history and electronic voting in a controlled environ-

ment is used in highly developed democracies. But these e-voting technologies hold

dangers because they are not perfect [IIDEA 2011, p.9].

It depends on the country which solution it prefers. Each country has its own

history and special departments where it wants to improve. E-voting machines are very

much used for example in the US and Brazil [MoLGaRD 2006, p. 25f]. However, in

Germany they were declared as unconstitutional and are no longer in use [DW 2011].

Internet voting is, for example, used in Estonia with the goal to increase participation

[MoLGaRD 2006, p. 33]. Other countries like Sweden, thought that they have already a

perfect voting system and don’t need it. Other Nordic countries are either planning it in

future or have discrete trials [ibidem, p. 25].

7

2.3 E-Voting vs. traditional voting ?

The development from traditional paper voting towards electronic voting is in

progress. Al-Jarrah et al. (2008) says that relying on e-voting would reduce counterfeit-

ing, but “would not have the capacity to block any attempted abuse of the voting sys-

tem” [Al-Jarrah et al., p.2]. Both voting channels have general chances and challenges,

but there are also specific risks which can be reduced through e-voting.

2.3.1 Paper voting

Firstly, general chances and challenges in paper voting should be introduced.

Paper voting remained until today a reliable way to vote and is well-proven after centu-

ries of years of application [MoLGaRD 2006, p. 25f]. This vote method created also the

tradition of the voting day, which showed symbolic acting as role model. The voting

process was made visible and even solemn [IIDEA 2011, p.13].

Some disadvantages of paper voting is the postal voting from abroad. It holds

dangers like the unreliability concerning speed and secrecy of the postal system of the

host country. If the voter has to go to an embassy or council in the host country, the

travel way may be very long [CoE 2010c, p.44]. These disadvantages are not subject

to the power of the voting authorities and therefore it cannot be changed.

On the other hand two specific problems of paper voting can be solved by the

authorities. One problem is for example the selling or buying the voting papers [MoL-

GaRD 2006, p. 20]. As the Norwegian Working Committee suggests in its report, this

can be hindered through e-voting technologies using “better identification and authenti-

cation procedures” [ibidem, p. 23].

Jardì-Cedò et al. comment on paper voting, explaining that paper voting en-

counters problems related to human errors. These are, for example, counting errors or

cheating in the case of illiterate people and telling them the wrong information [Cas-

tellà-Roca 2010, p.2; MoLGaRD 2006, p. 20]. Also here the electronic voting could find

a remedy. Due to reduced human intervention, like manual counting, human errors

would be reduced [IIDEA 2011, p.10].

2.3.2 Electronic voting

Now some characteristics concerning e-voting. In contrary to paper voting there

are many distinct/particular advantages about e-voting. The International Institute for

Democracy and Electoral Assistance (International IDEA) conclude in the book, that

publishing of e-voting results is faster, gives the opportunity to vote from home, is up-

8

to-date with the increasingly mobile society and can increase the participation, as well

as turnout. Of course there is the argument of the reduction of printed paper for voting

and as a result cost savings through saving paper and distribution of ballot papers. A

new feature added to the advantages of e-voting is that the time can be extended

[ibidem].

E-voting would provide easier access for physically disabled and illiterate citi-

zens. First of all remote e-voting would reduce or eliminate distance to the voting place

“for housebound voters and voters from abroad” [ibidem]. Further Cross at al. states

that voters with disabilities, “cannot vote without additional assistance” and have “to rely

on the integrity of others” [ibidem]. In this study they propose technical solutions using

electronic voting to help “voters, who can’t see, hear, read, use their hands, read

Braille” [ibidem]. Their “multimodal electronic voting system [should provide] equity in

access, privacy and security in electronic voting” [ibidem].

Of course there is always a dark side and here the majority of the concern is

about the technical aspects. There are fears that data can get lost in a computer and

that already one person can harm the whole system (i.e. hackers) [MoLGaRD 2006, p.

20]. These troubles will be developed in the section three of this paper.

Other troubles suggested by the International IDEA concern e-voting technolo-

gies at the polling station, for example expensive acquiring, establishment and mainte-

nance of the e-voting systems, as well as different infrastructure requirements (“power

supply, communication technology, temperature, humidity”) [IIDEA 2011, p.10ff]. In ad-

dition it is seen as problematic if the environment is uncontrolled and the secrecy of the

vote is not assured, or family voting occurs where family members are put into pres-

sure. In the case of intimidation there is nobody to protect the real choice of the voter

and of course there is also the fear of vote-buying, which would influence the voting re-

sults [ibidem, p.13]. But here little revolutionary help can be provided. On the contrary

there is help concerning deficient technical requirements like transparency or certifica-

tion. This subject will be treated in the part of performance and reliability issues as well

as the following topic [ibidem, p.11].

Another problem, which cannot even be abolished, is the selling or buying of e-

votes, above all that they can occur in uncontrolled environment without ever being de-

tected [MoLGaRD 2006, p. 20]. Dubois et al. argues that this can be reduced by a very

special technique, the so called hybrid system where for example the voter can revoke

the previous electronic vote at a polling station in a controlled environment [Dubuis et

al. 2010, p.6]. They suggest that the “encrypted vote [should stay] attached to infor-

9

mation that publicly identifies the voter” but should never be decrypted [ibidem]. That

means that the choice of the vote stays attached to the individual and so can be

changed later. This procedure should diminish the fear from e-voting by preserving the

secrecy of the vote. Although this idea is completely the opposite of the Recommenda-

tions of the Council of Europe, where they strongly recommend to separate the voter’s

choice and his identity: “Authentication information shall be separated from the voter’s

decision at a pre-defined stage in the e-election or e-referendum” [CoE 2005, p.12:35].

Additionally Al-Jarrah et al. (2008) assert that incorporation of biometrics could

better prevent counterfeit and malice because they would verify voter’s fingerprints, iris

scanning, voice patterns and other biological and physiological characteris-

tics/properties, to assure the identity of the individual [Al-Jarrah et al., p.2]. This tech-

nique would it make more difficult to sell or buy a vote compared to paper voting.

Lastly, digital divide is a problem, but can be solved relatively easily. In this dis-

advantage of internet voting, it is argued that not everybody have access the internet or

can operate with a computer [MoLGaRD 2006, p. 20]. Nevertheless this argument

doesn’t apply to all the countries. In the report about the election in Estonia this argu-

ment was disproved/mitigated. There the internet access rate is very high and also el-

der generations use it more and more so that the gap gets smaller [Trechsel et al.

2010, p.11].

Another form of digital divide is when information is suddenly provided only via

internet and then only people who have internet access can inform themselves about

the parties. Within all these voting possibilities the voting channel should be neutral,

which means that the manner of the cast “should not influence the content” of the vote

[CoE 2010c, p.9]. However, Trechsel realized in his report “discrepancies between tra-

ditional voters and e-voters in how they vote for one party, and not the other” Though,

during his further analysis of other variables, this effect completely disappeared [Trech-

sel et al. 2010, p.7].

2.3.3 Other effects on the choice of the voting channel

Not only the technical and practical advantages and disadvantages can influ-

ence the choice of the voting channel but also the way e-voting is perceived by the so-

ciety. It is important that the voting channel should be an additional option for the citi-

zens and not imposed as the only one. The best situation is when the voter can decide

his voting channel [IIDEA 2011, p.14]. This is the case of Switzerland and Austria

[MoLGaRD 2006, p.35]. Krimmer et al. states report that the e-voting project in 2009 in

10

Austria “was to complement the paper based voting with an electronic voting channel in

order to create new opportunities to vote” [Ehringfeld et al. 2010].

The choice of the voting channel depends, among other things also on trust,

which can be publicly destroyed through political debates by commuting on technical

requirements of present e-voting systems [Hall et al. 2010, p.6]. Hall and Loeber state

in their research paper the case of Netherlands, where an action group “started a me-

dia campaign against the voting machines,” so that they destroyed trust in this system

with the consequence of abolition of voting machines in 2006 [ibidem].

In America, Hall and Loeber determined that “when voting technologies are po-

liticized, they can undermine confidence in the voting process” [ibidem]. However, it

seems that if a country has a very good developed idea of the e-voting technology, this

country has also more trust in these technologies. This is the case of Estonia, where e-

voting is prosperous because the government provides a great deal of information

about it and put a lot of effort in “strengthening the information society as to enable e-

voting to be come a permanent […] landscape” [Trechsel 2007, p.6]. So if there is not

enough positive management of public opinion, it can become a problem to enforce

e-voting.

2.3.4 The choice of Switzerland

In their research paper, Gerlach and Gasser explain that one of the main rea-

sons from 1998, was the hope to increase the voters number. In general they coincide

with findings of Brown that Switzerland’s hope was to enhance all the advantages men-

tioned before as well as decrease the disadvantages. In addition through the introduc-

tion of internet voting the Swiss post will be released from the pressure to deliver the

votes by the polling deadline [Gasser 2009, p.4]. They also mention problems related

to the loss of the ritual of physically voting, which should be seriously considered in a

country with rural parts. The digital divide in their opinion is about to diminish, for the

same reason as mentioned in the part before, namely the high Internet penetration.

Secondly as the today’s generation is growing up in a digital world, the gap of less digi-

tally skilled and elder citizens is about to decrease [ibidem, p.14]. They also remark

that the success of e-voting relies on the trust in technology as well as in the democrat-

ic system. The government manages the trust through, the choice of another voting

way and through the constant feedback between citizens and the state. A very interest-

ing difference to other countries is that Switzerland considers internet voting as more

private, because “traditional voting in public spaces [leaves] little room for [secrecy]”

[ibidem]. A very important point is also that the Switzerland offers internet voting as an

11

additional channel, so that not yet accustomed voters can vote in their preferred way

[MoLGaRD 2006, p.35].

12

3 Security issues Following the idea of the Council of Europe, the third part of the analysis is the

security of a e-voting system. In the general requirements it is stated that for example

data loss should be prevented, the privacy of voters should be respected, to carry out

regular checks, to protect authentication data, to respect one person one vote, to pro-

vide all data necessary for auditing the system, so that observers always can check the

system. It is also stated that the electoral authorities have the responsibility for the

whole system, and not for example a supplier [CoE 2005, p.17].

Achieving the e-voting vision may cause many difficulties, since it involves

many different subjects of different domains, like software engineering, cryptography,

politics, law, economics or social science [Cetinkaya 2007]. Implementation will refer to

a number of complementary tasks. Relating to security, on one hand systems have to

be secure and protect the election from hackers but on the other hand any system that

supports e-voting should be distributed under an open source license, which makes it

easier for hackers to abuse the election process [UK 2002].

3.1 Why is security important?

In e-voting the information carried by the system is of a highly sensitive nature.

Once elections are conducted using e-voting, the prevention against any kind of at-

tacks on the e-voting system has the upmost importance with national security. Securi-

ty requirements on an e-voting system should ensure that the system is consistent with

the law, will guarantee the just and reliable process of elections as well as being re-

sistant to all kinds of attacks which may influence a final tally [CoE 2005]. [Cetinkaya

2007] formulated the security requirements given on the e-voting system as a set of

core requirements and additional requirements. Core requirements are defined to satis-

fy law aspects of elections, which are:

• Voter’s privacy during and after the election.

• Eligibility to cast a vote.

• Fairness which ensures that all candidates are given a fair decision.

• Uniqueness of the vote.

Core requirements corresponds also to technical aspects of computer system, those

requirements are:

• Accuracy of the results.

13

• Robustness of the system which ensures that no one can disrupt or influence

the election and also that the system works efficiently and is protected against

passive and active types of attacks.

The core requirements are mandatory and have to be supported by all e-voting sys-

tems. [Cetinkaya 2007] states that, without satisfying core requirements, the people

cannot trust the system and use it without suspicion of breaking the constitution. Hav-

ing those requirements defined, it is possible to evaluate the system by party repre-

sentatives or trusted third parties.

3.2 User data protection

Independently two sets of authors, [Cetinkaya 2007; Cranor/Cytron 1997] iden-

tify the same procedure of conducting a democratic election. This procedure

can be divided into four tasks:

• Registration of voters – defining a collection of users, which have the right to

cast a vote.

• Validation – during the election registration authorities have to verify that a voter

which is requesting an ballot, will only get one if they are eligible.

• Collecting votes – from all registered voters.

• Tallying – computing the final result of the election based on collected votes.

It is easy to imagine scenarios in which any of above tasks can be corrupted, for

example, ineligible voters are able to cast their votes. [Cetinkaya 2007; Cranor et al.

1997], claim that the prevention of election fraud is made more difficult by the require-

ment of voter’s privacy, which states that it is impossible to link a vote to a particular

voter. A variety of cryptographic election protocols have been developed, most of them

tend to minimize the risk of election fraud and maximize the privacy of the voter. The

traditional protocols relay on the trusted parties, which are either trustworthy and thus

no conspiracy takes place.

One of the major security issues is the problem of verifying the voter’s identity.

The very first, but still actual protocol, which proposes a solution for this issue was pro-

posed by Cranor and Cytron [ibidem]. They proposed the Sensus Polling Protocol,

which is a protocol for internet voting that supports all four tasks of election procedure.

The protocol asks the voter to prepare a voted ballot, which is then encrypted with a

secret key and blinded. In the next step the voter signs the ballot and send it to the val-

idator, which verifies that the voter is eligible to vote. After successful validation, the

14

validator signs the ballot and sends it back to the voter. The voter encrypts the ballot

and sends it to the tallier. The tallier checks if the ballot is signed by the validator and if

yes, then sends the receipt to voter. The voter can be sure that the tailler received the

vote and can respond with the encryption key, which tells the tallier how to decrypt the

vote. Having decrypted the vote the tallier is able to count the vote and add it to the tal-

ly. The sequence diagram below shows the interactions between objects building the

Sensus Polling Protocol.

15

3.3 Hacker types of attacks

The main objective of the attacker is the identity theft of the voters. Therefore,

the implementation of the e-voting system should put the emphasis on the identity au-

thentication [ISB 2011]. We can distinguish two main risks that carries the identity theft

by the hacker. First, an unauthorized person can see our data (violation of the confi-

dentiality of information). Second, an unauthorized person can modify our data (viola-

tion of the integrity of information). Other attacks that do not require voter identity theft

are those which are directed against availability of the data which prevents legitimate

users to use the system. We can distinguish between two types of attacks: active and

passive. The difference between them is that for a passive attack, the attacker eaves-

drops but does not modify the transmitted message stream. For an active attack, the

attacker may transmit, replay, modify or delete selected messages [Kaufman et al.

2002]. A typical example of a active attack is a situation in which the attacker imper-

sonates one end of the conversation.

Burmester and Magkos [Burmester et al. 2002] defined for each stage of the e-voting

system kinds of attacks which can occur.

• At the voting client - by using Worm viruses the attacker may alter the vote

before the data is encrypted and sent to the election server.

• At the communication level - the attacker performs a spoofing attack, in which

he sends the voter a fake webpage, on which the voter tries to casts his vote

and so the attacker can acquire voter’s authentication data and misuse it.

• At the election server - the attacker can perform the same attack as at the

voting client or perform the Denial of Service (DOS) attack, which overloads the

infrastructure of the system, in the worst case scenario the e-voting system will

not work for a certain period of time.

3.4 Security in Switzerland

Informatikstrategieorgan Bund (ISB) has presented in [ISB 2006] the strategy of

how the use of information and communication technologies should be developed in

the Federal Administration until 2011. The document states that a key requirement of

any administrative system, including e-voting system, is the security. This document

states that, security services and mechanisms to authenticate, encrypt or for digital

16

signature, have to be reusable by all e-Gov systems and have to be developed with the

consideration of international standards like ISO/IEC[ibidem].

ISB describes in the document [ibidem] that, the problem of user authentication

is solved by introducing of the public key infrastructure which is managed by the gov-

ernment. Identification services provided for each user unique identifier. Using this

identifier, the users can reliably identify himself in any of the e-Gov system. Authoriza-

tion services decides which rights have the identified user in the system and so ensure

that a participant can only view data and related services, if he is entitled to do that.

The provision of digital identity (SuisseID) for authentication in electronic Government

is a cornerstone for the future development. The ISB believes that, electronic certifi-

cates are an effective means to provide secure transactions in internet [ibidem].

17

4 Usability issues

4.1 Why is usability important?

When designing e-voting systems it is clear that security issues, performance of

the system and accuracy of the results are of the highest importance. However, it can-

not be omitted, that the usability of the system has the same importance. [Everett 2007]

identified the most important requirements and risks given on the usability:

• Ensure that the vote was casted as intended and for the candidate selected by

the voter.

• Detection and prevention of overvotes (a situation in which someone uses more

than the maximum number of selections which are allowed).

• Detection and prevention of undervotes (a situation in which someone does not

use the maximum number of selections allowed).

• Ensure that the user is not confused when using the system and also is sure

that their vote was casted and recorded properly.

• Ensure that the system can be used by many users efficiently i.e. users do not

block the polling stations unnecessary causing queues to DREs or overloading

the voting system.

• Ensure that the system can be used easily by anyone including user’s prefer-

ences and abilities.

• Ensure that no digital divide occurs.

The author believes that satisfying above requirements is critical for each e-voting

system, since it significantly reduces the risk of election fraud. Everett also presents the

results of studies that show that not meeting these requirements will lead to a de-

creased voter turnout among older people, like in the case of the elections in Georgia,

where after introduction of touch screens at the polling stations elder people were not

attracted to it [Everett 2007].

The significance of the usability of each system, also the voting systems, is also

motivated by the fact that voters differ in many aspects such as age, education, lan-

guage skills, experience in voting, the incidence of handicap. The usability is designed

to ensure that no one who is eligible to vote is excluded from using the system [Abowd

et al. 2004].

18

4.2 Achieving usability

Donald Norman's model of interaction [ibidem] between a human and machines

contains seven stages which are repeated continuously until the end of interaction. The

model presents the user’s view of the interface and is a universal model of any interac-

tion between human and machines. In the first step, the user defines the objective of

interaction, in the case of e-voting systems it is to cast the vote (goal). In the next step

the user defines the steps which have to be taken to achieve the goal and then tries to

execute those steps (execution). The user input is processed by the system and the

result is presented to the user (system). The user receives and interprets the state of

the system to evaluate whether the objective has been achieved (evaluation). If it is

so, the user can define a new goal and start interacting again, but if the evaluation is

negative, the user does not perform any progress and remains at the same objective

being confused about the result of interaction. The usable systems allow the user to es-

tablish new goals and to perform a progress after each cycle of iteration. The worst

case which can happen during the iteration is when the user stays at the same goal

and falls into an endless loop without any progress. The Norman’s interaction model is

presented in figure 2. An important element in the design of the system is that during

the phase of execution user will not have doubts about the actions he has to perform to

achieve the goal [ibidem]. The interface of the system should be designed in such a

way to allow the user to perform actions in user-friendly manner, taking into account his

preferences and abilities. Also, the system must prepare the output in such a way that

the user is sure that his goal was achieved. The goal of the usable system is to achieve

a right balance between how the user defines the action and actions that are allowed

by the system (Gulf of Execution) and also a right balance between user’s expectation

of meaning of the changed system state and actual presentation of the system state

(Gulf of Evaluation) [ibidem].

19

[Everett 2007] and [Mercuri 2002] present many factors that affect the

achievement of the usability. Voting must be available for all those who do not use their

native language or have some disability. The solution to this problem would be to intro-

duce into the system multi language interface or voice user interface. Both authors be-

lieve that when the electoral ballot is presented, the user should be able to adjust the

following factors according to his preference: font size and type, text and background

color, amount of the light level, ballot layout. This concept of both authors is consistent

with the general idea of achieving usability, presented by Dix, Finlay, Abowd and

Beale, which states that the user should be able to choose possibility of interactions

with the system, that best suits his preferences [Abowd et al. 2004].

Another aspect touched by both [Everett 2007] and [Mercuri 2002] is how to

deal with errors which occur during the voting process. Abowd et al. distinguish be-

tween two types of errors slips and mistakes. By slips the user understand the system

and its goal but took the wrong action. By mistakes the user may not understand the

goal or the system at all. Everett notes that the errors that occur during the voting are

slips errors [Abowd et al. 2004].The results of such an errors can be overvote, un-

dervote or vote on the wrong candidate [Everett 2007]. The usability principles [Mercuri

2002] states that every error has to be able to be reversed. [Everett 2007] and [Mercuri

2002] agree that it is not always possible to reverse the error since it is not possible to

detect the voter’s intention for which candidate he wants to cast a vote [Everett 2007].

The solution to avoid unintended votes suggested by [Everett 2007] and [Mercuri

2002], is to introduce the previews with data entered by the user and warnings for over

and undervotes which informs the voter about his choice and ask him to confirm his in-

put. Then the user is able to detect the error and correct it, if necessary.

20

4.3 Measuring usability

Creating a useful system is not just about implementing well-known practices

that come from experience, but any system which tends to be usable must be carefully

tested for usability to be sure that the implemented features really help voters in the ef-

fective and efficient use of the system [Mercuri 2002]. The same opinion is also pre-

sented by Everett in her work [Everett 2007]. She writes that different types of metrics

need to be introduced in order to assess the usability of the system. Everett distin-

guishes between three types of metrics:

• Metrics for efficiency – measure the relationship between the level of effective-

ness and load of the resources needed [Abowd et al. 2004]. This kind of metrics

can answer the question if the voter can cast a vote in optimal amount of time.

Simple metric of this kind would be how long the voter need in average to cast a

vote [Everett 2007].

• Metrics for effectiveness – measure the relationship between the goal of the in-

teraction and achieved accuracy and completeness of the achieved result

[Abowd et al. 2004]. This kind of metrics can help to understand critical aspects

like whether the voter needs assistance to cast their vote, or whether the voice

has been filled in accordance to the intention of the voter. The example of met-

rics measuring effectiveness would be the error rate (unintended votes divided

by all votes) or the number of situations in which the voter need assistance [Ev-

erett 2007].

• Metrics for satisfaction – measure the level of the subjective assessment of the

system, issued by the voter. This metric will help to discover whether the voter

is satisfied with how the system works, what may affect the future voter turnout.

Dix, Finlay, Abowd and Beale [Abowd et al. 2004]. propose to conduct the sur-

vey, in which the voter responds to questions concerning satisfaction about the

progress of the various parts of the voting process [Everett 2007].

As we see usability plays a very important role in the construction of the voting sys-

tem, and therefore all factors which have an influence on it must be carefully identified

and then appropriate solutions can be presented and evaluated. As studies have

shown [Everett 2007] disregard for the importance of the usability can have a signifi-

cant impact on the decrease in voter turnout and election's accuracy.

21

5 Performance and reliability issues One of the parts of the technical requirements is about the success of e-voting.

The Council of Europe recommends to control the performance and to assure the reli-

ability at the whole e-voting process. They refer to it as audit which is composed of four

features, namely recording of all encountered changes to make the process transpar-

ent, monitoring the correctness of the procedure and the possibility of cross-check,

verifiability of the results and protection against attacks and frauds as well as ensur-

ing the anonymity of the voters during the audit [CoE 2005, p.19f]. It “allows a third par-

ty to analyze what happened before, during, and after the vote was cast” [Castellà-

Roca 2010, p.6].

An audit is very important because having problems can “become particularly

sensitive and controversial if the overall integrity of the electoral system is a topic of

public debate” [CoE 2010c, p. 51]. If not correctly carried out the trust in the system can

be endangered. Therefore an audit trail must integrate all aspects of the system in or-

der to monitor the whole procedure. The objective of the audit is to report all changes

which occur in the system during all phases and to be able to react adequately and in

an extreme case even to defend it. To provide more trustfulness, independent bodies

should make an additional audit and the audit information should be accessible in an

easily readable form [ibidem].

5.1 Why are performance and reliability important?

Performance is important to increase trust in the e-voting system and partici-

pate in the new technology. It is “required to provide a wide socially recognized guaran-

tee of security and transparency for the new systems and processes” [Carravilla et al.

2006, p.10]. “Democracy depends in part on the trust of the citizenry, trust in public in-

stitutions such as elections” [Lauer 2004, p.1]. But building trust is only possible with

appropriate audit systems and analyses. Therefore, Lauer holds that the requirements

of a fair voting system comprehend protections with respect to the voter, the data and

the system, which can be “audited, inspected, is available [and] reliable” [ibidem]. Even

if audit is applied, still the results must be positive in order to be able to speak about

performance. There are some concerns about still undefined errors in the system.

Alleppuz and Castellò argue that the main problem of the audit is the transpar-

ent audit process. They compare the “auditability of the traditional elections, where in-

dependent auditors and observers can directly oversee the election process” to e-

22

voting where the process is encrypted and cannot be controlled by average citizens

easily [Allepuz et al. 2010, p.9]. To have a reliable audit system takes sometimes a lot

of time and is in the end inefficient for the purpose, some specialists try to reduce the

computation cost and risk accuracy or the protection level of the voter. Alleppuz and

Castellò discuss ideas of how to make the system more transparent. For example, to

assure the counting of the votes, a parallel recounting could take place. If it’s without

paper trail, then the votes need to be opened –decrypted-, which is a very difficult pro-

cess. Additional caution needs to be taken during the process, because the system is

vulnerable to attacks and the decrypted information needs to be limited to preserve the

privacy of the voter. To solve the problem with the privacy and integrity they suggest

their own technique called mixnet [ibidem, p.2].

Tiella et al. advises to use “digital recording electronics with printed audit trails”

[Tiella et al. 2009, p.1]. At a polling station are touch screen-based machines that prints

”physical and verifiable record of the votes cast,” which can be controlled directly by the

voter [ibidem]. This is an alternative to recounting idea with encrypted data of Alleppuz

and Castellò.

Davtyan et al. state that while election results depend on machine-generated

countings, the result of the counting depends on the machine-generated audit reports.

So without audit, the voting results won’t be trusted [Davtyan et al. 2007, p.2]. In their

study the audit system was manipulated to simulate an attack. To combat attacks they

recommend random audits after the elections, combined with manual counts, which

could help to identify disturbances and errors of the e-voting machine [ibidem, p.8].

The biggest problem which arises if something is wrong with the e-voting pro-

cess is the loss in trust. A solution could be to make people understand the procedures

of the audit process, so that citizens feel more secure. In a simple study with students

concerning a coffee machine, Kalchgruber and Weippl analyzed how training, centered

on the electronic voting system, could influence their trust. Trust was positively related

to degree of understanding technical protocols [Kalchgruber et al. 2009, p.1ff].

“The more information is withheld, the less the public will appreciate the added

value gained by applying the remaining measures” [Koenig et al. 2011, p.5]. The less

transparency, the less the public will use the new measures. Koenig et al. identify an-

other source of trust, the trust to the auditor. The more a voter beliefs in the system in-

dependency of the auditor the more trust he will have in the integrity of the final voting

results[ibidem]. In other words it is good to have independent auditors.

This is also recommended by Gibson and McGalex. Additionally they point out

that this Independent Testing Authority (ITA) should be trustworthy. This means that it

23

should fulfill the required high quality standards and verify the system in detail. When

an audit system is admitted by the ITA but delivers inaccurate results, question arise

about who should be blamed; the poor verifying standards or the insufficient perfor-

mance of the ITA [Gibson et al. 2008, p. 302].

McGalley and Gibson realized in their study of the Requirements of the Council

of Europe that there are some inconsistencies amongst others in audit [Gibson et al.

2005]. For example, it is stated that “the audit system shall be publicly verifiable (184)”

[CoE 2005, p.61]. But this is in contrast with other standards, like number 24, which

states that the “components of the e-voting system shall be disclosed, at least to the

competent electoral authorities.” So, they leave a possibility that it is not completely

disclosed. Another possibility to bypass standard 184 it’s not publish certain system

program for security reasons (69) and access for unauthorized people should be de-

nied (105) [ibidem]. But then it is difficult to determine who is authorized and who is not.

With all these contradictions, incompleteness and repetition the specialists will meet

problems whether something is according to the requirements or not. McGalley and

Gibson propose that this document of the Council of Europe is always updated and

adapted to the new reality in order to assure the well functioning and so the perfor-

mance of the system [Gibson et al. 2005].

So why is performance important? As already suggested at the beginning of this

part, it is to promote trust. Looking at all these imperfections makes one realize that

there is a lot to do to improve the system in order to perform as it is suggested. And as

the democracy is endangered if the problems are not eliminated, the pressure is very

high. Performance and reliability are important because there are so many obstacles to

overcome but the trust must remain the same or get bigger, but it is excluded that the

trust gets lost.

5.2 Performance and reliability in Switzerland

Switzerland has started e-voting trials over 10 years ago and is improving its

system at each voting. Their ambition allowed them to introduce remote e-voting. But it

also means that the security measures needed to meet the highest standards, other-

wise the trust in the democracy will be damaged for a long time. Lauer denounce that

no common idea exists concerning the perfect e-voting system, that causes a waste of

resources invested in academic analyses [Lauer 2004, p.11].

It is very difficult to find data about audit in Switzerland because it is an integral

component of the system. Whenever a problem is detected, all the research papers

analyzed in this paper talk about the problems but not about the audit. But as an official

24

web page about e-voting says, it is obvious that the e-voting is successful in Switzer-

land, which means that the audit system works well. Furthermore the page states the

e-voting system in Geneva is subject to regular audits [SKB 2011]. As the statistical of-

fice Zurich describes in its report about a e-voting performed at the university of Zurich,

the system in there is audited by the Swiss government and the Federal Chancellery

annually. Also “external parties perform security audits” [Beroggi 2008, p.4]. These ex-

ternal audits tried for example tried to hack into the e-voting system but without suc-

cess. The audit seem to show that the e-voting system in Zurich was robust [ibidem].

25

6 Conclusions

Voting is an important factor in a democratic society, but it appears that there is

more and more abstention. To remedy this e-voting appeared and confront all partici-

pants with challenges. E-voting meets also the expectations of the younger generation

which is growing up in a digital world. Switzerland was taken by this hype and collabo-

rates with the Council of Europe, which is responsible for the development of e-voting

in Europe.

In this paper we presented the basic requirements that must be fulfilled by the

system to vote. As we see, the implementation of such a system poses many challeng-

es and risks for its developers. The first lesson is that before you start designing a sys-

tem, carefully consider whether we are able to meet all these requirements and wheth-

er the cost to be incurred during the implementation is proportional to the expected

benefits. You may find that it is better to stay with the existing paper based solution. As

shown in the examples not all countries have succeeded in creating a successful voting

system. The second lesson is when the decision is made to create an e-voting system,

it is important to learn from mistakes and successes made by others.

E-voting - E-voting refers to a way to vote where technical means are used. The

mechanical way can be used at polling stations or at home. The choice to change from

paper voting to electronic voting has on the whole more advantages than challenges,

even though the challenges are sophisticated. Switzerland as a small and conflict free

country exactly suits to the description of countries which have the best success [Che-

vallier 2008, p.2f]. It chose the way of internet voting for all the advantages and be-

cause it is one of the advanced countries and wants to be a leader [Haenni et al. 2008,

p.11]. Additionally, Braun recalls one requirement from the Recommendations of the

Council of Europe for e-voting which should ensure the trust of people: “Voters shall be

provided with an opportunity to practice any new method of e-voting before, and sepa-

rately from, the moment of casting an electronic vote” [CoE 2005, p.11:22]. Braun ar-

gues that the three pilot projects meet these requirements and in this way assure one

step forwards the internet voting [Braun 2004]. Nevertheless, the problems that can oc-

cur should make even Switzerland careful, because they have a lot of trust to lose. In

the paper choices of countries were mentioned, so whether e-voting is introduced or

not, it depends on the countries characteristics and how is the proportion of ad-

vantages and disadvantages.

26

Usability - Designing voting interfaces is a complex task that involves many dif-

ferent disciplines of the science in the entire election process. Achieving usability its

critical to any voting system and has to be implemented carefully with emphasis on the

details and tests which will prove the effectiveness, efficiency and user's satisfaction of

the offered solution. All authors agree on the importance of usability in electoral sys-

tems and provide solutions in accordance with the guidelines created by the usability

precursors (Dix, Finlay, Abowd and Beale) and warn that the omission of aspects of

usability can result in reduced voter turnout or even election fraud. Referring to the

research questions regarding the relevance of usability requirements, we believe that

they play a key role in the whole voting process. They ensure the proper conduct of

elections and guarantee that everyone who has voting rights can fully use them,

avoiding digital-divide. The lesson gained regards the usability is to identify, analyze

and evaluate human factors affecting e-voting which can vary for different participants.

Security - Many different methods have been designed to achieve security

during the elections conducted by the e-voting systems. Referring to the research

questions regarding the relevance of security requirements, we are confident that

without meeting the requirements for the safety any e-voting system cannot be

implemented and functioning properly. The task of security is to ensure the control over

proper conduct of elections. On that consists the privacy of voters and their choice,

make sure that the vote was casted by an eligible voter as well as to calculate the

correct result and check that no one can influenced it. As we see the fulfillment of

safety requirements is the basis for the construction of the voting system and the

guarantee of trust between the government and voters. The authors are agreed that

the main task of the security is to ensure trust between the government and voters.

However, with rapidly changing standards of safety and new kinds of attack, finding a

permanent standard solution for the security seems to be impossible. In this situation,

the only reasonable solution is to observe the changes in the security standards and

successful implementation and based on that continuously improve the offered

solution.

Reliability - After discussing all the requirements for a perfect e-voting system, it

is of utmost importance not to forget to assure the performance and the reliability of the

system through audit. An audit is a system which surveys all processes in order to

assure errorless functioning of e-voting. But it is a controversial subject concerning

transparency, because while in the official requirements is an obligation that everybody

should be able to understand the process, it is still impossible for non-specialists. In

addition there exists the possibility to exclude come people from the control of the audit

27

system. It might be a solution that the government creates workshops with specialists

from the government and others like from universities, to train the interested people in

the functioning of the system and then let them try for themselves. The variety of

specialists should provide the most different views of the system. Another idea is to

make the audit process as clear as possible, for example with graphics. Alternatively,

schools courses could be introduced about the basic knowledge, so that the general

lever of informatics education increases.

When the audit requirements are met, the performance can be evaluated, coun-

try reports can be delivered and the citizens can rely on the reliability of the e-voting

system. If for example one of the four features, like recording, is not detailed enough,

the audit would be accordingly superficial and less useful.

There are very few research papers about the audit in Switzerland. Switzerland

delivers reports to the Council of Europe, talks about its achievements, but doesn’t talk

about its audit system, only that an audit is employed. Here a recommendation would

be to make it more transparent which system, so that research studies may arise and

contribute to the improvements.

Concerning the forecast, Switzerland itself predicts in its report to the Council of

Europe, that the trials with e-voting will continue, that new cantons should be attracted.

Switzerland is satisfied with its possibility to give people who have difficulties to vote;

for example for those who are abroad, or disabled. The authorities are determined to

have all national languages be adapted in all e-voting systems [CoE 2008, p.20]. Apart

from the trials in Zurich, Neuchâtel and Geneva, the critical authors don’t expect that

internet voting will be imposed soon, due to the too many disadvantages discussed in

previous parts [Gasser 2009, p.14].

It is easy to answer the question why all these requirements are important. Be-

cause it is all about trust, trust in the e-voting system, trust in the democracy and there-

fore trust in the future. When these conditions are fulfilled the whole system will work

and the trust in democracy will get stronger.

28

Bibliography [Al-Jarrah et al.]

Al-Jarrah, Omar; Barakat, Laith; Ebaid,Munzer S.; Hayajneh, Thaier S.; Khasawneh, Mohammed; Malkawi, Mohammad; A Biometric-Secure e-Voting System for Election Processes, Proceeding of the 5th International Symposium on Mechatronics and its Applications (ISMA08), Amman, Jordan, May 27-29 (2008).

[Allepuz et al. 2010] Allepuz, Jordi Puiggalí; Castell,ó Sandra Guasch: Universally Verifiable Efficient Re-encryption Mixnet. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Vot-ing 2010. 4th International Conference, No. 167 (2010), pp. 241-254.

[Beroggi 2008] Beroggi, Giampiero E.G.: Secure and Easy Internet Voting. IEEE Computer So-ciety (2008), pp. 52-56.

[Braun 2004] Braun, Nadja: E-Voting: Switzerland's Projects and their Legal Framework – in a European Context. Krimmer, Robert(Eds.); Prosser, Alexander: Electronic Voting in Europe – Technology, Law, Politics and Society., No. 47 (2004), pp. 43-52.

[Bryans et al. 2006] Bryans, J.W.; Littlewood, B.; Ryan, P.Y.A.; Strigini, L.: E-voting: dependability requirements and design for dependability. IEEE Computer Society Press (2006), pp. 988-995.

[Burmester et al. 2002] Burmester, Mike; Magkos, Emmanouil: Towards secure and practical e-elections in the new era. Department of Computer Science, Florida State Uni-versity, available: http://di.ionio.gr/~emagos/overview_voting_2002.pdf, ac-cessed 30 November 2011.

[BVG 2011a] BVerfG: Bundesverfassungsgericht. Use of voting computers in 2005 Bundes-tag election unconstitutional, 2011, available: http://www.bundesverfassungsgericht.de/en/press/bvg09-019en.html, accessed 30 November 2011.

[BVG 2011b] BVerfG: Bundesverfassungsgericht, 2 BvC 3/07 vom 3.3.2009, Absatz-Nr. (1 - 166), 2011, available: http://www.bundesverfassungsgericht.de/entscheidungen/rs20090303_2bvc000307en.html, accessed 30 November 2011.

[Carravilla et al. 2006] Carravilla, Maria Antónia; Cunha, João Falcão; Faria, João Pascoal; Leitão, Mário Jorge; Monteiro, Miguel Pimenta: A Methodology for Auditing e-Voting Processes and Systems used at the Elections for the Portuguese Parliament. Krimmer, Robert (Eds.): Electronic Voting 2006. 2nd International Workshop, No. 86 (2006), pp. 145-154.

[Castellà-Roca 2010] Castellà-Roca, Jordi; Jardí-Cedó, Roger ; Pujol-Ahulló, Jordi: Verification Sys-tems for Electronic Voting: A Survey, 2010. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 163-177.

[Cetinkaya 2007] Cetinkaya, Orhan: Towards Secure E-Elections in Turkey: Requirements and Principles, available: http://www.ceng.metu.edu.tr/~corhan/Papers/desegov07.pdf, accessed 30 No-vember 2011.

29

[Chevallier 2008] Chevallier, Michel: Internet Voting, Tournout and Deliberation: A Study. Elec-tronic Journal of e-Government, Vol. 7, Nr. 1 (2009), pp.29-44.

[CCfEVaP 2011] CCfEVaP: Competence Center for Electronic Voting and Participation: History of E-Voting, 2011, available: http://www.e-voting.cc/files/modem_1_2011_history, accessed 30 November 2011.

[Chevallier et al. 2006] Chevallier, Michel, Sandoz, Alain; Warynski, Michel: Success Factors of Gene-va’s e-Voting System. Electronic Journal of e-Government, Vol. 4, Issue 2 (2006), pp.55 – 62.

[CoE 2005] CoE: Council of Europe: Legal, Operational and Technical Standards for E-Voting, 2005, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E- voting/Key_Documents/Rec(2004)11_Eng_Evoting_and_Expl_Memo_en.pdf, accessed 30 November 2011.

[CoE 2008] CoE: Council of Europe. : National Reports on Developments, 2008, available: http://www.coe.int/t/dgap/democracy/Source/EVoting/Evoting2008/National%20reports%20E.pdf, accessed 30 November 2011.

[CoE 2010a] CoE: Council of Europe: Contribution by Switzerland, 2010, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-vot-ing%202010/Biennial_Nov_meeting/GGIS(2010)19%20E%20corr.%20Meeting%20Report%20e-voting%20review%202010%2021%2012%2010.asp, ac-cessed 30 November 2011.

[CoE 2010b] CoE: Council of Europe: Meeting Report, 2010, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-vot-ing%202010/Biennial_Nov_meeting/GGIS(2010)19%20E%20corr.%20Meeting%20Report%20e-voting%20review%202010%2021%2012%2010.asp, ac-cessed 30 November 2011.

[CoE 2010c] CoE: Council of Europe: E-voting handbook. Key steps in the implementation of e-enabled elections, Council of Europe Publishing, 2010.

[CoE 2011a] CoE: Council of Europe: Recommendation Rec(2004)11 of the Committee of Ministers to member states on legal, operational and tech-nical standards for e-voting, 2011, available: https://wcd.coe.int/wcd/ViewDoc.jsp?id=778189&Site=CM&BackColorInternet=C3C3C3&BackColorIntranet=EDB021&BackColorLogged=F5D383, accessed 30 November 2011.

[CoE 2011b] CoE: Council of Europe: Good Governance in the Information Society, 2011, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/Default_en.asp, accessed 30 November 2011.

[CoE 2011c] CoE: Council of Europe: National Reports Presented, 2011, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-voting%202010/Biennial_Nov_meeting/National_reports_en.asp#TopOfPage, accessed 30 November 2011.

[CoE 2011d, p.10]

30

CoE: Council of Europe: Certification of E-Voting Systems, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-voting%202010/Biennial_Nov_meeting/Guidelines_certification_EN.pdf, ac-cessed 30 November 2011.

[Cranor et al. 1997] Cranor, L; Cytron,R.: Sensus: A security-consciouselectronic polling system for the Internet. Proceedings of the Hawaii International Conference on System Sciences. Wailea, Hawaii, 1997.

[Cross II et al. 2010] Cross II, E. Vincent; Gilbert, Juan E.; Gupta, Priyanka; Rogers, Gregory; McClendon, Jerome; McMillian, Yolanda; Mitchell, Winfred; Mkpong-Ruffin, Idong; Rouse, Ken; Williams, Philicity: Universal access in e-voting for the blind. Universal Access in the Information Society, Vol. 9, No. 4 (2010) 357-365.

[Davtyan et al. 2007] Davtyan, Seda; Kiayias, Aggelos; Michel, Laurent; Russell, Alexander; See, Andrew; Shashidhar,Narasimha; Shvartsman, Alexander: Tampering with Spe-cial Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting. Institute of Electrical and Electronics Engineers. 23rd Annual Computer Security Applications Conference (2007), pp. 30-39.

[Abowd et al. 2004] [MICHAL: im Text fehlt immer d Seitenangabe] Alan Dix; Janet Finlay; Gregory D. Abowd; Russell Beale: Human-Computer In-teraction, 3rd edition, Pearson Education, 2004.

[Dubuis et al. 2010] Dubuis, Eric; Haenni, Rolf; Spycher, Oliver: Coercion-Resistant Hybrid Voting Systems. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 269-282.

[DW 2011] DW : Deutsche Welle : German Court Rules E-Voting Unconstitut, 2011, avail-able : http://www.dw-world.de/dw/article/0,,4069101,00.html, accessed 30 No-vember 2011.

[EB 2009] Europa Barometer: Nachwahl Umfrage. Bericht. Befragung Juni-Juli 2009, available: http://ec.europa.eu/public_opinion/archives/ebs/ebs_320_de.pdf, ac-cessed 30 November 2011.

[Ehringfeld et al. 2010] Ehringfeld, Andreas; Krimmer, Robert; Traxl, Markus: The Use of E-Voting in the Austrian Federation of Students Elections 2009.Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp.33-44.

[Everett 2007] Everett, Sarah P.: The Usability of Electronic Voting Machines and How Votes Can Be Changed Without Detection, available: http://chil.rice.edu/research/pdf/EverettDissertation.pdf, accessed 30 November 2011.

[Gasser 2009] Gasser, Urs; Gerlach, Jan: Internet and Democracy Case Study Series. Three Case Studies from Switzerland: E-Voting, available: http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/Gerlach-Gasser_SwissCases_Evoting.pdf, accessed 30 November 2011.

[Gibson et al. 2005] Gibson, Paul; McGaley Margaret: A critical analysis of the council of Europe recommendations on e-voting. EVT'06 Proceedings of the USENIX/Accurate Electronic Voting Technology. Workshop 2006 on Electronic Voting Technology Workshop.

[Gibson et al. 2008]

31

Gibson, Paul; McGaley, Margaret: Verification and Maintenance of e-Voting Systems and Standards. In: Remenyi, Dan: 8th European Conference on e-Government Ecole Polytechnique, Switzerland (2008), Academic Publishing International, 2008, pp. 283-290.

[Haenni et al. 2008] Haenni, Rolf; Dubuis, Eric; Ultes-Nitsche, Ulrich: Research on E-Voting Tech-nologies. A Survey. Research report BFH-TI Nr. 5, 2008, available: http://www.ti.bfh.ch/fileadmin/data/forschung/publikationen/0005_research_on_e-voting_technologies.pdf, accessed 30 November 2011.

[Hall et al. 2010] Hall, Thad; Loeber, Leontine: Electronic Elections in a Politicized Polity. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Con-ference, No. 167 (2010), pp. 193-212.

[IIDEA 2011] IIDEA: International Institute for Democracy and Electoral Assistance: Introduc-ing Electronic Voting. Essential Considerations, Bulls Graphics, Sweden, 2011.

[IPI 2001] IPI: Internet Policy Institute: Report of the National Workshop on Internet Vot-ing. Issues and Research Agenda, 2001, available: http://fl1.findlaw.com/news.findlaw.com/cnn/docs/voting/nsfe-voterprt.pdf, ac-cessed 30 November 2011.

[ISB 2006] ISB: Informatikstrategieorgan Bund. IKT-Strategie der Bundesverwaltung 2007-2011, available: http://www.isb.admin.ch/themen/strategien/00070/index.html?lang=de&download=NHzLpZeg7t,lnp6I0NTU042l2Z6ln1acy4Zn4Z2qZpnO2Yuq2Z6gpJCDdoB8gGym162epYbg2c_JjKbNoKSn6A--&t=.pdf, accessed 30 November 2011.

[ISB 2011] ISB: Informatikstrategieorgan Bund. e-Government Strategie Schweiz : Priori-sierter Vorhaben, available: http://www.egovernment.ch/dokumente/katalog/E-Gov-CH_Katalog_2011-10-24_D.pdf, accessed 30 November 2011.

[Kalchgruber et al. 2009] Kalchgruber, Peter; Weippl, Edgar R.: Can End-to-End Verifiable E-Voting be Explained Easily? iiWAS2009 (2009), pp. 572-576.

[Kaufman et al 2002] Kaufman, Charlie; Perlman, Radia; Speciner, Mike: Network Security: Private Communication in a Public World, 2nd edition, Prentice Hall Copyright, 2002.

[Koenig et al. 2011] Koenig, Reto; Spycher, Oliver; Volkamer, Melanie: Transparency and Technical Measures to Establish Trust in Norwegian Internet Voting, available: http://www.regjeringen.no/upload/KRD/Prosjekter/e-valg/vedlegg/paper_transparency_and_technical_measures.pdf, accessed 30 November 2011.

[Lauer 2004] Lauer, Thomas W. : The Risk of e-Voting. Electronic Journal of e-Government, Vol. 2, No. 3, Art. 34 (2004), pp. 169-178.

[LGA 2002] LGA: Local Government Association: Implementation of local voting in the UK. Research summary, 2002, available: http://www.communities.gov.uk/documents/localgovernment/pdf/133544.pdf, accessed 30 November 2011.

[Lombardi 2011]

32

Lombardi, Emanuele : Electronic Voting and Democracy, 2011, available: http://www.electronic-voting.org/TERMINI/whatswrong_en.php, accessed 30 November 2011.

[Mercuri 2002]

Mercuri, Rebecca: Usability Professionals Association Conference, Humanizing Voting Interfaces, Orlando, 2002.

[Meier 2009] Meier, Andreas: eDemocracy und eGovernment. Entwicklungshilfen einer de-mokratischen Wissensgesellschaft, Heidelberg, 2009.

[MoLGaRD 2006] MoLGaRD: Ministry of Local Government and Regional Development: Electron-ic voting – challenges and opportunities. Report, available: http://www.umic.pt/images/stories/publicacoes1/evalg_rapport_engelsk.pdf, ac-cessed 30 November 2011.

[SKB 2011] SKB: Staatskanzlei des Kantons Bern, available: http://www.sta.be.ch/sta/de/index/wahlen-abstimmungen/wahlen-abstimmungen/e-voting/Sicherheit.html, accessed 30 November 2011.

[Tiella et al. 2009] Tiella, Roberto; Weldemariam, Komminist; Villafiorita, Adolfo: Development, Formal Verification, and Evaluation of an E-Voting System With VVPAT. IEEE Transactons on Information Forencics and Security, Vol. 4, No. 4 (2009), pp. 651-661.

[Trechsel 2007] Trechsel, Alexander H.: Report for the Council of Europe. Internet Voting in the March 2007 Parliamentary Elections in Estonia, available: http://vvk.ee/public/dok/CoE_and_NEC_Report_E-Voting_2007.pdf, accessed 30 November 2011.

[Trechsel et al. 2010] Trechsel, Alexander H.; Vassil, Kristjan: Internet Voting in Estonia. A Compara-tive Analysis of Four Elections since 2005, 2010, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-vot-ing/EVoting_Documentation/GGIS_2010_15_Internet_voting%20_in%20_Estonia%202005-2009%20E%20_2_.pdf, accessed 30 November 2011.