BUILDING AN E-VOTING SYSTEM – TECHNICAL REQUIREMENT ANALYSIS
STUDENT NAME: Michal Musial, Nadine Friend
STUDENT NUMBER: 07-113-756, 06-209-928
COURSE NAME: Seminar Electronic Government
DEPARTMENT: Department of Informatics
COURSE CODE: 53534
SUPERVISOR: Prof. Andreas Meier, Luis Teràn
DATE OF SUBMISSION: 01 December 2011
Abstract
The trend in society today is towards political absenteeism and digital dependence. Some governments have combined these two societal developments in electronic voting. But the jump from paper ballots to internet voting requires many intermediate steps, through voting machines, remote paper ballots and then remote e-voting. During these steps it is important to design and engineer the security of these new systems, make them easy for voters to use and assure their performance through audits in order to ensure trust.
The focus of this paper is on the technical requirements of the Council of Europe, which were established in 2004 and are continuously revised with the help of the participating governments. Switzerland, for example, delivers reports to the Council of Europe about the evolution of e-voting. Switzerland is one of the pioneers in e-voting. The paper describes the required technical standards as discussed by different authors, together with their opinions.
Keywords: e-voting, internet voting, security, usability, audit
List of Tables
Figure 1: Sensus Protocol Overview
Figure 2: Norman’s interaction model
Table of Contents
1 Introduction
1.1 Background and motivation
1.2 Problem statement and research questions
1.3 Procedure and methodology
2 E-Voting system
2.1 E-Voting vision
2.2 Different kinds of e-Voting systems
2.3 E-Voting vs. traditional voting?
2.3.1 Paper voting
2.3.2 Electronic voting
2.3.3 Other effects on the choice of the voting channel
2.3.4 The choice of Switzerland
3 Security issues
3.1 Why is security important?
3.2 User data protection
3.3 Hacker types of attacks
3.4 Security in Switzerland
4 Usability issues
4.1 Why is usability important?
4.2 Achieving usability
4.3 Measuring usability
5 Performance and reliability issues
5.1 Why are performance and reliability important?
5.2 Performance and reliability in Switzerland
6 Conclusions
Bibliography
1 Introduction
“Voting is an important part of the democratic process” [Castellà-Roca 2010, p.1]. It is a well-known truth that voter participation is decreasing, above all among the younger generation [MoLGaRD 2006, p. 19]. The number of voters in general has been decreasing in Europe for years (2.37% between 2004 and 2009) [EB 2009]. Since voting strengthens the principles of democracy, it is important that people in all countries vote [CoE 2011a]. People in today’s society use information and communication technologies more frequently in everyday life; therefore the European countries have started to “take into account of these developments in their democratic practice” [ibidem]. At the same time, the Council of Europe decided to increase democracy through, among other things, an electronic voting system in a project called Good Governance in the Information Society. The aim of this project was to “provide governments and other stakeholders with new instruments and practical tools in this field and to promote the application of existing instruments and of good and innovatory policy practice” [CoE 2011b]. The main points were legal and operational standards as well as technical requirements [ibidem]. These requirements are followed by many European countries, which frequently submit reports on their trials.
These requirements are adopted by many European countries, and one of them is Switzerland. Switzerland is a small country with a direct democracy, composed of 26 cantons which have large autonomy [Chevallier et al. 2006, p.1]. This multilingual society (German, French, Italian, and Romansh) votes “every three to four months”, which is very convenient for developing e-voting systems [ibidem]. This was also the reason to introduce internet voting, because citizens had to vote too often and so the absenteeism rate was relatively high [MoLGaRD 2006, p. 34f]. A survey of how the Swiss feel about internet voting showed strong support for this new voting system.
This federal state introduced e-voting (here: internet voting) in 1998 under the project called Information Society, on the grounds that the right to vote should be made accessible to everyone through the new technologies [Chevallier et al. 2006, p.1]. Since then Switzerland has participated in the project of the Council of Europe and, after starting several pilot projects, delivers reports about the progress from time to time [CoE 2010a]. The report in 2007 contained subjects like the “adoption of the necessary legal amendments to allow the progressive introduction of electoral registers of Swiss abroad” [ibidem]. Later, between 2009 and 2010, Switzerland even reported on three new pilot projects and nine trial projects with revolutionary voting periods of three weeks [CoE 2010a; MoLGaRD 2006, p. 34f]. Today Switzerland practices internet voting even at the level of national elections, which is quite rare. The results of the national e-elections are expected in 2013 [ibidem]. Even though the development seems to be very positive, a representative of Switzerland at a conference at the Council of Europe “stressed that the guidelines needed to be viewed as work in progress since the practical experiences in the field of e-voting were in constant evolution” [CoE 2010b].
This paper addresses the very broad subject of e-voting. Each part of the paper is divided in two: first a general introduction to the chosen topic, followed by a brief discussion of the case of Switzerland at the end of each part. The second part of the paper introduces e-voting; different types are presented and then discussed with regard to their advantages and disadvantages. In the third part the security issues are analyzed, focusing on user data protection with the special case of hacker attacks. The fourth part outlines the usability of e-voting systems, how it is achieved and measured. In the fifth part the performance and reliability of an e-voting system are discussed. To conclude, some remarks and recommendations are offered.
1.1 Background and motivation
As we live in a modern and advanced world, it is beneficial to discuss the existing elements of the future, like e-voting, to keep up to date [CoE 2005, p.7]. Up to this point society has always mistrusted e-voting, which has slowed down the proliferation of these technologies [Bryans et al. 2006]. It appears to us that this subject is of current interest because all countries that recently participated in the project Good Governance in the Information Society have delivered their reports concerning their experiences and their further actions in e-voting [CoE 2011c]. The Good Governance project ended in 2010 and the countries are about to develop and implement the necessary technologies on their own [CoE 2011a]. It is interesting to know how exactly e-voting is defined, what the most important subjects are, what its pros and cons are and what motivates countries to develop e-voting.
1.2 Problem statement and research questions
The Council of Europe encourages countries to submit national reports in order to promote the flow of information. Each country experiences success but is also confronted with problems concerning e-voting. They had to test many different requirements regarding the main points set out by the Council of Europe in its recommendations for e-voting: legal, operational and technical standards [CoE 2011b]. Due to the restricted size of the paper, we decided to concentrate on the most important topics of the technical requirements. Another reason for choosing this focus is that we want to concentrate on the user experience, which is exactly the part where paper voting is replaced and which is different for the user.
First of all, e-voting is a big subject that is discussed internationally [CoE 2008, p.20]. Paper voting was a reliable method that proved its value over the centuries and is now being replaced by electronic voting [Lombardi 2011]. What exactly is it, and what makes governments choose these new voting channels?
Constructing a voting system may cause many difficulties. On the one hand, such a system should be consistent with the relevant national legal system and protect the fundamental features of democracy [LGA 2002]. One example of the problem is a constitution which guarantees that elections are secret, so the e-voting system must ensure that no one can access voter data. Another example is that the Federal Constitutional Court of Germany decided in 2009 that "determination of the result can be examined by the citizen reliably and without any specialist knowledge of the subject" [BVG 2011a]. This decision ruled out the use of the voting machines currently in operation because they do not satisfy this condition [BVG 2011b]. It is not always clear which security requirements an e-voting system satisfies and which it does not, so we try to characterize them. This raises the question of why security is so important.
On the other hand, an e-voting system must be transparent to its users. The implementation of the system, especially one which offers remote methods of casting votes, should take user preferences into account and allow users to select the method of voting that best suits their lifestyle and preferences. It turns out that the usability of the system can have a significant impact on increasing election turnout [Everett 2007]. In our study we will try to specify what affects the usability of voting systems and why it is important to take care of this aspect.
The performance and reliability of the system also play a major role. They assure its functioning and suggest improvements, so that all small changes are reported, analyzed and dealt with, and future elections can evolve on the basis of past ones [MoLGaRD 2006, p. 14].
In this paper we discuss the most recent studies on implementation and the problems encountered by researchers in the field of e-voting. The Recommendations of the Council of Europe from 2004, to be exact their technical part, serve as a guide for the paper’s structure. As technological requirements of an “e-voting systems are totally independent of the situation of a particular country,” this study will proceed with its analysis on a general level, each part concluding with the options Switzerland has chosen [Haenni et al. 2008, p.10].
1.3 Procedure and methodology
In this research paper we will discuss the different stages of the technological requirements of the e-voting system, explain its fundamental function and give examples of successful implementations in the chosen country, Switzerland. The sample consists of a sufficient number of research papers found on the internet. In the selection process we take reliability and published data into account, because we are interested in the recent developments of e-voting processes from serious publishers. The data consists of articles found through online search engines such as Google, web pages such as EJEG and the electronic databases of the University of Fribourg, like IEEE or Web of Knowledge.
2 E-Voting system
E-voting stands for electronic voting. The Council of Europe defines e-voting as follows: “An election or referendum that involves the use of electronic means in at least the casting of the vote” [CoE 2011d, p.10].
Meier suggests that e-voting implies a lower personal involvement of the voter than e-election. While e-voting is more about voting on a political subject, e-elections are about voting for a member of parliament [Meier 2009, p. 164f]. However, in this paper the focus is on the electronic part of voting in general and especially on the technical requirements.
2.1 E-Voting vision
A brief introduction to the evolution of electronic voting should give better insight into its present state. The Competence Center for Electronic Voting and Participation has created a visual map of the history of e-voting in which the most important stages of the e-voting evolution are mentioned [CCfEVaP 2011]. The very fast technological development in information technologies as we know it today started 10 years ago. Years ago many states started to implement e-voting but did not think everything through, so that many failures were reported. The mistakes were analyzed, and only after these experiences of failure did e-voting really mature. In 2002, the UK started a trial phase to identify the advantages and disadvantages of internet voting. Estonia introduced “legally-binding internet voting” in 2005-2007 [ibidem]. Germany examined the transparency issues concerning e-voting in 2008. After a bad experience the Netherlands banned voting machines from elections in 2008. In Austria internet voting was exercised under special conditions in 2009. The document of the Competence Center for Electronic Voting and Participation shows that in Estonia internet voting is a huge success, Norway plans to introduce it and Switzerland even proposes it for Swiss citizens living abroad. The success stories lead society more and more towards electronic means of voting, but as it is still not perfect, a lot of analysis and improvement must be done to assure the democratic values of voting [ibidem].
2.2 Different kinds of e-Voting systems
The literature distinguishes between the electronic tools and further between controlled and uncontrolled environments.
The International Institute for Democracy and Electoral Assistance (International IDEA) defined four major types of these electronic means [IIDEA 2011, p.9].
Direct recording electronic (DRE) voting machines: The vote is cast at a voting machine. This type of voting may or may not be accompanied by a paper trail. These paper trails have the function to “provide physical evidence of the votes cast” [ibidem, p.12].
Optical mark recognition systems (OMR): Machine-readable ballot papers are scanned either at a counting centre or in the polling station.
Electronic ballot printers (EBPs): A machine prints the choice of the voter and this paper is then inserted into the actual vote counting machine.
The e-voting handbook of the Council of Europe describes the fourth tool in more detail than the International IDEA.
Internet voting systems: The voter is connected to an official central counting server and sends his vote to the central counting station [CoE 2010c].
The first three tools are only used in a controlled environment. This could be a polling station, a polling kiosk or also schools, offices or malls, but “under the control of election officials” [IPI 2001, p.2]. Internet voting can be used not only under official supervision but also at a private site, for example at home or at school [ibidem]. This kind of voting can even be operated from abroad. Such unsupervised internet voting is often called remote internet voting or sometimes also VOI (voting over the internet) [IPI 2001, p.2; MoLGaRD 2006, p. 25f].
To conclude on the various means of voting, remote voting is mainly used in small countries with a conflict-free history, and electronic voting in a controlled environment is used in highly developed democracies. But these e-voting technologies hold dangers because they are not perfect [IIDEA 2011, p.9].
Which solution is preferred depends on the country. Each country has its own history and particular areas in which it wants to improve. E-voting machines are widely used, for example, in the US and Brazil [MoLGaRD 2006, p. 25f]. However, in Germany they were declared unconstitutional and are no longer in use [DW 2011]. Internet voting is used, for example, in Estonia with the goal of increasing participation [MoLGaRD 2006, p. 33]. Other countries, like Sweden, thought that they already have a perfect voting system and do not need it. Other Nordic countries are either planning it for the future or have discrete trials [ibidem, p. 25].
2.3 E-Voting vs. traditional voting?
The development from traditional paper voting towards electronic voting is in progress. Al-Jarrah et al. (2008) say that relying on e-voting would reduce counterfeiting, but “would not have the capacity to block any attempted abuse of the voting system” [Al-Jarrah et al., p.2]. Both voting channels have general opportunities and challenges, but there are also specific risks which can be reduced through e-voting.
2.3.1 Paper voting
First, the general opportunities and challenges of paper voting should be introduced. Paper voting has remained a reliable way to vote until today and is well proven after centuries of application [MoLGaRD 2006, p. 25f]. This voting method also created the tradition of the voting day, a symbolic act that serves as a role model. The voting process was made visible and even solemn [IIDEA 2011, p.13].
One disadvantage of paper voting concerns postal voting from abroad. It holds dangers such as the unreliability of the host country’s postal system with regard to speed and secrecy. If the voter has to go to an embassy or consulate in the host country, the journey may be very long [CoE 2010c, p.44]. These disadvantages are outside the control of the voting authorities and therefore cannot be changed.
On the other hand, two specific problems of paper voting can be solved by the authorities. One problem is, for example, the selling or buying of voting papers [MoLGaRD 2006, p. 20]. As the Norwegian Working Committee suggests in its report, this can be hindered through e-voting technologies using “better identification and authentication procedures” [ibidem, p. 23].
Jardì-Cedò et al. comment on paper voting, explaining that it encounters problems related to human error. These are, for example, counting errors, or cheating illiterate people by giving them wrong information [Castellà-Roca 2010, p.2; MoLGaRD 2006, p. 20]. Here, too, electronic voting could provide a remedy. Due to reduced human intervention, such as manual counting, human errors would be reduced [IIDEA 2011, p.10].
2.3.2 Electronic voting
Now for some characteristics of e-voting. In contrast to paper voting, e-voting has many distinct advantages. The International Institute for Democracy and Electoral Assistance (International IDEA) concludes in its book that the publishing of e-voting results is faster, and that e-voting gives the opportunity to vote from home, is up to date with the increasingly mobile society and can increase participation as well as turnout. Of course there is also the argument of the reduction of printed paper for voting and, as a result, cost savings on paper and on the distribution of ballot papers. A further advantage of e-voting is that the voting time can be extended [ibidem].
E-voting would provide easier access for physically disabled and illiterate citizens. First of all, remote e-voting would reduce or eliminate the distance to the voting place “for housebound voters and voters from abroad” [ibidem]. Further, Cross et al. state that voters with disabilities “cannot vote without additional assistance” and have “to rely on the integrity of others” [ibidem]. In this study they propose technical solutions using electronic voting to help “voters, who can’t see, hear, read, use their hands, read Braille” [ibidem]. Their “multimodal electronic voting system [should provide] equity in access, privacy and security in electronic voting” [ibidem].
Of course there is always a dark side, and here most of the concern is about the technical aspects. There are fears that data can get lost in a computer and that a single person (e.g. a hacker) can harm the whole system [MoLGaRD 2006, p. 20]. These problems are developed in section three of this paper.
Other problems suggested by the International IDEA concern e-voting technologies at the polling station, for example the expensive acquisition, establishment and maintenance of the e-voting systems, as well as different infrastructure requirements (“power supply, communication technology, temperature, humidity”) [IIDEA 2011, p.10ff]. In addition, it is seen as problematic if the environment is uncontrolled and the secrecy of the vote is not assured, or if family voting occurs, where family members are put under pressure. In the case of intimidation there is nobody to protect the real choice of the voter, and of course there is also the fear of vote-buying, which would influence the voting results [ibidem, p.13]. Here little revolutionary help can be provided. By contrast, there is help concerning deficient technical requirements like transparency or certification. This subject is treated in the part on performance and reliability issues, as is the following topic [ibidem, p.11].
Another problem, which cannot even be abolished, is the selling or buying of e-votes, above all because it can occur in an uncontrolled environment without ever being detected [MoLGaRD 2006, p. 20]. Dubuis et al. argue that this can be reduced by a very special technique, the so-called hybrid system, where for example the voter can revoke the previous electronic vote at a polling station in a controlled environment [Dubuis et al. 2010, p.6]. They suggest that the “encrypted vote [should stay] attached to information that publicly identifies the voter” but should never be decrypted [ibidem]. That means that the choice of the vote stays attached to the individual and so can be changed later. This procedure should diminish the fear of e-voting by preserving the secrecy of the vote. However, this idea is the complete opposite of the Recommendations of the Council of Europe, which strongly recommend separating the voter’s choice from his identity: “Authentication information shall be separated from the voter’s decision at a pre-defined stage in the e-election or e-referendum” [CoE 2005, p.12:35].
Additionally, Al-Jarrah et al. (2008) assert that the incorporation of biometrics could better prevent counterfeiting and malice because it would verify the voter’s fingerprints, iris scans, voice patterns and other biological and physiological characteristics to assure the identity of the individual [Al-Jarrah et al., p.2]. This technique would make it more difficult to sell or buy a vote compared to paper voting.
Lastly, the digital divide is a problem, but one that can be solved relatively easily. The argument behind this disadvantage of internet voting is that not everybody has access to the internet or can operate a computer [MoLGaRD 2006, p. 20]. Nevertheless, this argument does not apply to all countries. In the report about the election in Estonia this argument was disproved or mitigated. There the internet access rate is very high and older generations also use it more and more, so that the gap is getting smaller [Trechsel et al. 2010, p.11].
Another form of digital divide arises when information is suddenly provided only via the internet and only people who have internet access can inform themselves about the parties. Within all these voting possibilities the voting channel should be neutral, which means that the manner of the cast “should not influence the content” of the vote [CoE 2010c, p.9]. However, Trechsel found in his report “discrepancies between traditional voters and e-voters in how they vote for one party, and not the other”. During his further analysis of other variables, though, this effect completely disappeared [Trechsel et al. 2010, p.7].
2.3.3 Other effects on the choice of the voting channel
Not only the technical and practical advantages and disadvantages can influence the choice of the voting channel, but also the way e-voting is perceived by society. It is important that the voting channel should be an additional option for citizens and not imposed as the only one. The best situation is when the voter can decide on his voting channel [IIDEA 2011, p.14]. This is the case in Switzerland and Austria [MoLGaRD 2006, p.35]. Krimmer et al. report that the e-voting project in 2009 in Austria “was to complement the paper based voting with an electronic voting channel in order to create new opportunities to vote” [Ehringfeld et al. 2010].
The choice of the voting channel depends, among other things, on trust, which can be publicly destroyed through political debates commenting on the technical requirements of present e-voting systems [Hall et al. 2010, p.6]. Hall and Loeber describe in their research paper the case of the Netherlands, where an action group “started a media campaign against the voting machines,” destroying trust in this system, with the consequence that voting machines were abolished in 2006 [ibidem].
In America, Hall and Loeber determined that “when voting technologies are politicized, they can undermine confidence in the voting process” [ibidem]. However, it seems that if a country has a well-developed idea of e-voting technology, this country also has more trust in these technologies. This is the case in Estonia, where e-voting prospers because the government provides a great deal of information about it and puts a lot of effort into “strengthening the information society as to enable e-voting to become a permanent […] landscape” [Trechsel 2007, p.6]. So if there is not enough positive management of public opinion, it can become a problem to enforce e-voting.
2.3.4 The choice of Switzerland
In their research paper, Gerlach and Gasser explain that one of the main reasons in 1998 was the hope of increasing the number of voters. In general they agree with the findings of Brown that Switzerland’s hope was to enhance all the advantages mentioned before as well as decrease the disadvantages. In addition, through the introduction of internet voting the Swiss post will be released from the pressure to deliver the votes by the polling deadline [Gasser 2009, p.4]. They also mention problems related to the loss of the ritual of physically voting, which should be seriously considered in a country with rural parts. The digital divide is, in their opinion, about to diminish, for the same reason as mentioned in the previous part, namely the high internet penetration. Secondly, as today’s generation is growing up in a digital world, the gap of less digitally skilled and older citizens is about to decrease [ibidem, p.14]. They also remark that the success of e-voting relies on trust in technology as well as in the democratic system. The government manages trust through the choice of an alternative voting channel and through constant feedback between citizens and the state. A very interesting difference from other countries is that Switzerland considers internet voting more private, because “traditional voting in public spaces [leaves] little room for [secrecy]” [ibidem]. A very important point is also that Switzerland offers internet voting as an additional channel, so that voters who are not yet accustomed to it can vote in their preferred way [MoLGaRD 2006, p.35].
3 Security issues
Following the idea of the Council of Europe, the third part of the analysis is the security of an e-voting system. The general requirements state, for example, that data loss should be prevented, the privacy of voters respected, regular checks carried out, authentication data protected, the principle of one person, one vote respected, and all data necessary for auditing the system provided, so that observers can always check the system. It is also stated that the electoral authorities, and not for example a supplier, have the responsibility for the whole system [CoE 2005, p.17].
Achieving the e-voting vision may cause many difficulties, since it involves many different subjects from different domains, like software engineering, cryptography, politics, law, economics or social science [Cetinkaya 2007]. Implementation involves a number of complementary tasks. With regard to security, on the one hand systems have to be secure and protect the election from hackers, but on the other hand any system that supports e-voting should be distributed under an open source license, which makes it easier for hackers to abuse the election process [UK 2002].
3.1 Why is security important?
In e-voting the information carried by the system is of a highly sensitive nature. Once elections are conducted using e-voting, preventing any kind of attack on the e-voting system is of the utmost importance, as is the case with national security. Security requirements on an e-voting system should ensure that the system is consistent with the law, guarantees a just and reliable election process and is resistant to all kinds of attacks which may influence the final tally [CoE 2005]. [Cetinkaya 2007] formulated the security requirements placed on an e-voting system as a set of core requirements and additional requirements. Core requirements are defined to satisfy the legal aspects of elections, which are:
• Voter’s privacy during and after the election.
• Eligibility to cast a vote.
• Fairness which ensures that all candidates are given a fair decision.
• Uniqueness of the vote.
Core requirements also correspond to technical aspects of the computer system; those requirements are:
• Accuracy of the results.
• Robustness of the system, which ensures that no one can disrupt or influence the election and also that the system works efficiently and is protected against passive and active types of attacks.
The core requirements are mandatory and have to be supported by all e-voting systems. [Cetinkaya 2007] states that, unless the core requirements are satisfied, people cannot trust the system and use it without suspecting that it breaks the constitution. Once those requirements are defined, the system can be evaluated by party representatives or trusted third parties.
3.2 User data protection
Independently two sets of authors, [Cetinkaya 2007; Cranor/Cytron 1997] iden-
tify the same procedure of conducting a democratic election. This procedure
can be divided into four tasks:
• Registration of voters – defining a collection of users, which have the right to
cast a vote.
• Validation – during the election, registration authorities have to verify that a voter
who requests a ballot only gets one if they are eligible.
• Collecting votes – from all registered voters.
• Tallying – computing the final result of the election based on collected votes.
It is easy to imagine scenarios in which any of the above tasks can be corrupted, for
example when ineligible voters are able to cast their votes. [Cetinkaya 2007; Cranor et al.
1997] claim that the prevention of election fraud is made more difficult by the requirement
of voter’s privacy, which states that it must be impossible to link a vote to a particular
voter. A variety of cryptographic election protocols have been developed; most of them
aim to minimize the risk of election fraud and maximize the privacy of the voter. The
traditional protocols rely on trusted parties, which are taken to be trustworthy so that
no conspiracy takes place.
One of the major security issues is the problem of verifying the voter’s identity.
The very first protocol to propose a solution for this issue, and one that is still relevant,
was put forward by Cranor and Cytron [ibidem]. They proposed the Sensus Polling Protocol,
a protocol for internet voting that supports all four tasks of the election procedure.
The protocol asks the voter to prepare a voted ballot, which is then encrypted with a
secret key and blinded. In the next step the voter signs the ballot and sends it to the
validator, which verifies that the voter is eligible to vote. After successful validation, the
validator signs the ballot and sends it back to the voter. The voter encrypts the ballot
and sends it to the tallier. The tallier checks whether the ballot is signed by the validator
and, if so, sends a receipt to the voter. The voter can then be sure that the tallier received
the vote and can respond with the encryption key, which tells the tallier how to decrypt the
vote. Having decrypted the vote, the tallier is able to count it and add it to the tally.
The sequence diagram below shows the interactions between the objects that make up the
Sensus Polling Protocol.
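The exchange described above can be traced in a short Python sketch. It is an added example, not code from the Sensus authors or from this paper: it uses textbook RSA blind signatures with toy Mersenne-prime keys and a hash-pad XOR in place of a real cipher (constructed for illustration, not secure), and it makes explicit the unblinding step that a blind signature requires before the ballot goes to the tallier. All class and function names are hypothetical.

```python
import hashlib
import secrets
from math import gcd

E = 65537  # public exponent shared by all toy keys in this example

def keygen(p, q):
    """Textbook RSA from two primes; returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    """SHA-256 of data as an integer below n."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def xor_cipher(key, data):
    """Toy stand-in for the ballot cipher (ballots up to 32 bytes)."""
    pad = hashlib.sha256(key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

class Validator:
    """Checks eligibility and signs blinded ballots without seeing them."""
    def __init__(self, roll):
        # Mersenne primes: trivially factorable, chosen only to run offline.
        self.n, self._d = keygen(2**127 - 1, 2**521 - 1)
        self.roll = roll          # voter id -> voter's public modulus
        self.validated = set()    # enforces one validated ballot per voter

    def validate(self, voter_id, blinded, voter_sig):
        voter_n = self.roll.get(voter_id)
        if voter_n is None:
            raise PermissionError("not on the electoral roll")
        if voter_id in self.validated:
            raise PermissionError("voter already has a validated ballot")
        if pow(voter_sig, E, voter_n) != digest(str(blinded).encode(), voter_n):
            raise PermissionError("voter signature does not verify")
        self.validated.add(voter_id)
        return pow(blinded, self._d, self.n)   # signature on the blinded value

class Tallier:
    """Accepts validator-signed encrypted ballots; counts them once opened."""
    def __init__(self, validator_n):
        self.validator_n = validator_n
        self.pending = {}   # receipt -> encrypted ballot awaiting its key
        self.seen = set()   # receipts ever issued, to reject replays
        self.tally = {}

    def submit(self, enc_ballot, sig):
        if pow(sig, E, self.validator_n) != digest(enc_ballot, self.validator_n):
            raise PermissionError("ballot is not signed by the validator")
        receipt = hashlib.sha256(enc_ballot).hexdigest()[:16]
        if receipt in self.seen:
            raise PermissionError("ballot already submitted")
        self.seen.add(receipt)
        self.pending[receipt] = enc_ballot
        return receipt

    def reveal(self, receipt, key):
        choice = xor_cipher(key, self.pending.pop(receipt)).decode()
        self.tally[choice] = self.tally.get(choice, 0) + 1
        return choice

def cast_vote(voter_id, voter_key, choice, validator, tallier):
    """Voter side of the protocol; returns what each party got to see."""
    voter_n, voter_d = voter_key
    key = secrets.token_bytes(16)
    enc_ballot = xor_cipher(key, choice.encode())          # 1. encrypt ballot
    m = digest(enc_ballot, validator.n)
    r = 0
    while gcd(r, validator.n) != 1:                        # blinding factor
        r = secrets.randbelow(validator.n)
    blinded = m * pow(r, E, validator.n) % validator.n     # 2. blind it
    voter_sig = pow(digest(str(blinded).encode(), voter_n), voter_d, voter_n)
    blind_sig = validator.validate(voter_id, blinded, voter_sig)  # 3. validate
    sig = blind_sig * pow(r, -1, validator.n) % validator.n       # 4. unblind
    receipt = tallier.submit(enc_ballot, sig)              # 5. anonymous submit
    counted = tallier.reveal(receipt, key)                 # 6. release the key
    return {"validator_saw": blinded, "ballot_hash": m, "counted": counted}

def run_demo():
    """Two constructed voters, then a repeat attempt and an unlisted voter."""
    alice = keygen(2**89 - 1, 2**107 - 1)
    bob = keygen(2**61 - 1, 2**607 - 1)
    mallory = keygen(2**19 - 1, 2**31 - 1)
    validator = Validator({"alice": alice[0], "bob": bob[0]})
    tallier = Tallier(validator.n)
    cast_vote("alice", alice, "yes", validator, tallier)
    cast_vote("bob", bob, "no", validator, tallier)
    refused = []
    for voter_id, key in (("alice", alice), ("mallory", mallory)):
        try:
            cast_vote(voter_id, key, "yes", validator, tallier)
        except PermissionError as exc:
            refused.append((voter_id, str(exc)))
    return tallier.tally, refused

if __name__ == "__main__":
    print(run_demo())
```

The validator only ever handles the voter's identity together with a blinded value, and the tallier only ever handles the encrypted ballot and the validator's signature, which is how the protocol reconciles eligibility and uniqueness with the privacy requirement.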
3.3 Hacker types of attacks
The main objective of the attacker is the identity theft of the voters. Therefore,
the implementation of the e-voting system should put the emphasis on identity
authentication [ISB 2011]. Identity theft by a hacker carries two main risks.
First, an unauthorized person can see our data (violation of the confidentiality of
information). Second, an unauthorized person can modify our data (violation of the
integrity of information). Other attacks, which do not require voter identity theft,
are directed against the availability of the data and prevent legitimate users from
using the system. We can distinguish between two types of attacks: active and
passive. In a passive attack, the attacker eavesdrops but does not modify the
transmitted message stream. In an active attack, the attacker may transmit, replay,
modify or delete selected messages [Kaufman et al. 2002]. A typical example of an
active attack is a situation in which the attacker impersonates one end of the
conversation.
Burmester and Magkos [Burmester et al. 2002] defined, for each stage of the e-voting
system, the kinds of attacks which can occur.
• At the voting client - by using worm viruses the attacker may alter the vote
before the data is encrypted and sent to the election server.
• At the communication level - the attacker performs a spoofing attack, in which
he sends the voter a fake webpage on which the voter tries to cast his vote,
so that the attacker can acquire the voter’s authentication data and misuse it.
• At the election server - the attacker can perform the same attack as at the
voting client or perform a Denial of Service (DoS) attack, which overloads the
infrastructure of the system; in the worst case scenario the e-voting system will
not work for a certain period of time.
3.4 Security in Switzerland
Informatikstrategieorgan Bund (ISB) has presented in [ISB 2006] the strategy of
how the use of information and communication technologies should be developed in
the Federal Administration until 2011. The document states that a key requirement of
any administrative system, including an e-voting system, is security. It also
states that security services and mechanisms for authentication, encryption or digital
signatures have to be reusable by all e-Gov systems and have to be developed with
consideration of international standards like ISO/IEC [ibidem].
ISB describes in the document [ibidem] that the problem of user authentication
is solved by introducing a public key infrastructure which is managed by the
government. Identification services provide each user with a unique identifier. Using this
identifier, users can reliably identify themselves in any of the e-Gov systems.
Authorization services decide which rights the identified user has in the system and so
ensure that a participant can only view data and related services if he is entitled to do so.
The provision of a digital identity (SuisseID) for authentication in electronic government
is a cornerstone for future development. The ISB believes that electronic
certificates are an effective means to provide secure transactions on the internet [ibidem].
4 Usability issues
4.1 Why is usability important?
When designing e-voting systems it is clear that security issues, performance of
the system and accuracy of the results are of the highest importance. However, it must
not be overlooked that the usability of the system has the same importance. [Everett 2007]
identified the most important requirements and risks concerning usability:
• Ensure that the vote was cast as intended and for the candidate selected by
the voter.
• Detection and prevention of overvotes (a situation in which someone uses more
than the maximum number of selections which are allowed).
• Detection and prevention of undervotes (a situation in which someone does not
use the maximum number of selections allowed).
• Ensure that the user is not confused when using the system and is also sure
that their vote was cast and recorded properly.
• Ensure that the system can be used by many users efficiently, i.e. users do not
block the polling stations unnecessarily, causing queues at DREs or overloading
the voting system.
• Ensure that the system can be used easily by anyone, taking into account the user’s
preferences and abilities.
• Ensure that no digital divide occurs.
The author believes that satisfying the above requirements is critical for each e-voting
system, since it significantly reduces the risk of election fraud. Everett also presents the
results of studies that show that not meeting these requirements will lead to a decreased
voter turnout among older people, as in the case of the elections in Georgia,
where after the introduction of touch screens at the polling stations older people were not
attracted to it [Everett 2007].
The significance of usability for every system, including voting systems, is also
motivated by the fact that voters differ in many aspects such as age, education, language
skills, experience in voting and the incidence of handicap. Usability is designed
to ensure that no one who is eligible to vote is excluded from using the system [Abowd
et al. 2004].
4.2 Achieving usability
Donald Norman's model of interaction [ibidem] between a human and machines
contains seven stages which are repeated continuously until the end of interaction. The
model presents the user’s view of the interface and is a universal model of any interaction
between human and machines. In the first step, the user defines the objective of the
interaction; in the case of e-voting systems it is to cast the vote (goal). In the next step
the user defines the steps which have to be taken to achieve the goal and then tries to
execute those steps (execution). The user input is processed by the system and the
result is presented to the user (system). The user receives and interprets the state of
the system to evaluate whether the objective has been achieved (evaluation). If so,
the user can define a new goal and start interacting again, but if the evaluation is
negative, the user makes no progress and remains at the same objective,
confused about the result of the interaction. Usable systems allow the user to establish
new goals and to make progress after each cycle of iteration. The worst
case which can happen during the iteration is when the user stays at the same goal
and falls into an endless loop without any progress. Norman’s interaction model is
presented in figure 2. An important element in the design of the system is that during
the phase of execution the user has no doubts about the actions he has to perform to
achieve the goal [ibidem]. The interface of the system should be designed in such a
way as to allow the user to perform actions in a user-friendly manner, taking into account
his preferences and abilities. Also, the system must prepare the output in such a way that
the user is sure that his goal was achieved. The goal of a usable system is to achieve
the right balance between how the user defines the action and the actions that are allowed
by the system (Gulf of Execution), and also the right balance between the user’s expectation
of the meaning of the changed system state and the actual presentation of the system state
(Gulf of Evaluation) [ibidem].
[Everett 2007] and [Mercuri 2002] present many factors that affect the
achievement of usability. Voting must be available to all those who do not use their
native language or have some disability. The solution to this problem would be to introduce
a multi-language interface or a voice user interface into the system. Both authors believe
that when the electoral ballot is presented, the user should be able to adjust the
following factors according to his preference: font size and type, text and background
color, light level, ballot layout. This concept of both authors is consistent
with the general idea of achieving usability presented by Dix, Finlay, Abowd and
Beale, which states that the user should be able to choose the way of interacting
with the system that best suits his preferences [Abowd et al. 2004].
Another aspect touched on by both [Everett 2007] and [Mercuri 2002] is how to
deal with errors which occur during the voting process. Abowd et al. distinguish between
two types of errors: slips and mistakes. With slips, the user understands the system
and its goal but takes the wrong action. With mistakes, the user may not understand the
goal or the system at all. Everett notes that the errors that occur during voting are
slips [Abowd et al. 2004]. The results of such errors can be an overvote, an
undervote or a vote for the wrong candidate [Everett 2007]. The usability principles
[Mercuri 2002] state that it must be possible to reverse every error. [Everett 2007] and
[Mercuri 2002] agree that it is not always possible to reverse the error, since it is not
possible to detect the voter’s intention, that is, for which candidate he wants to cast a
vote [Everett 2007]. The solution suggested by [Everett 2007] and [Mercuri 2002] to avoid
unintended votes is to introduce previews of the data entered by the user and warnings for
overvotes and undervotes, which inform the voter about his choice and ask him to confirm
his input. The user is then able to detect the error and correct it, if necessary.
4.3 Measuring usability
Creating a useful system is not just about implementing well-known practices
that come from experience, but any system which tends to be usable must be carefully
tested for usability to be sure that the implemented features really help voters in the ef-
fective and efficient use of the system [Mercuri 2002]. The same opinion is also pre-
sented by Everett in her work [Everett 2007]. She writes that different types of metrics
need to be introduced in order to assess the usability of the system. Everett distin-
guishes between three types of metrics:
• Metrics for efficiency – measure the relationship between the level of effectiveness
and the load on the resources needed [Abowd et al. 2004]. This kind of metric
can answer the question of whether the voter can cast a vote in an optimal amount of time.
A simple metric of this kind would be how long the voter needs on average to cast a
vote [Everett 2007].
• Metrics for effectiveness – measure the relationship between the goal of the interaction
and the achieved accuracy and completeness of the result
[Abowd et al. 2004]. This kind of metric can help to understand critical aspects
like whether the voter needs assistance to cast their vote, or whether the vote
has been filled in in accordance with the intention of the voter. An example of metrics
measuring effectiveness would be the error rate (unintended votes divided
by all votes) or the number of situations in which the voter needs assistance
[Everett 2007].
• Metrics for satisfaction – measure the level of the subjective assessment of the
system given by the voter. This metric will help to discover whether the voter
is satisfied with how the system works, which may affect future voter turnout.
Dix, Finlay, Abowd and Beale [Abowd et al. 2004] propose conducting a survey
in which the voter responds to questions concerning satisfaction with the
progress of the various parts of the voting process [Everett 2007].
As we see, usability plays a very important role in the construction of the voting
system, and therefore all factors which have an influence on it must be carefully identified
so that appropriate solutions can be presented and evaluated. As studies have
shown [Everett 2007], disregard for the importance of usability can significantly
decrease voter turnout and the accuracy of the election.
5 Performance and reliability issues
One of the parts of the technical requirements is about the success of e-voting.
The Council of Europe recommends controlling the performance and assuring the
reliability of the whole e-voting process. They refer to it as audit, which is composed of
four features, namely recording of all encountered changes to make the process transparent,
monitoring the correctness of the procedure and the possibility of cross-check,
verifiability of the results and protection against attacks and frauds, as well as ensuring
the anonymity of the voters during the audit [CoE 2005, p.19f]. It “allows a third party
to analyze what happened before, during, and after the vote was cast” [Castellà-Roca
2010, p.6].
An audit is very important because problems can “become particularly
sensitive and controversial if the overall integrity of the electoral system is a topic of
public debate” [CoE 2010c, p. 51]. If not correctly carried out, the trust in the system can
be endangered. Therefore an audit trail must integrate all aspects of the system in order
to monitor the whole procedure. The objective of the audit is to report all changes
which occur in the system during all phases and to be able to react adequately and in
an extreme case even to defend it. To provide more trust, independent bodies
should make an additional audit and the audit information should be accessible in an
easily readable form [ibidem].
5.1 Why are performance and reliability important?
Performance is important to increase trust in the e-voting system and participation
in the new technology. It is “required to provide a wide socially recognized guarantee
of security and transparency for the new systems and processes” [Carravilla et al.
2006, p.10]. “Democracy depends in part on the trust of the citizenry, trust in public
institutions such as elections” [Lauer 2004, p.1]. But building trust is only possible with
appropriate audit systems and analyses. Therefore, Lauer holds that the requirements
of a fair voting system comprise protections with respect to the voter, the data and
the system, which can be “audited, inspected, is available [and] reliable” [ibidem]. Even
if an audit is applied, the results must still be positive in order to be able to speak about
performance. There are some concerns about still undefined errors in the system.
Allepuz and Castelló argue that the main problem of the audit is the transparency of the
audit process. They compare the “auditability of the traditional elections, where
independent auditors and observers can directly oversee the election process” to
e-voting, where the process is encrypted and cannot easily be controlled by average
citizens [Allepuz et al. 2010, p.9]. A reliable audit system sometimes takes a lot
of time and is in the end inefficient for the purpose, so some specialists try to reduce the
computation cost and thereby risk accuracy or the protection level of the voter. Allepuz
and Castelló discuss ideas of how to make the system more transparent. For example, to
assure the counting of the votes, a parallel recount could take place. If there is no
paper trail, the votes need to be opened (decrypted), which is a very difficult process.
Additional caution needs to be taken during the process, because the system is
vulnerable to attacks and the decrypted information needs to be limited to preserve the
privacy of the voter. To solve the problem with privacy and integrity they suggest
their own technique called mixnet [ibidem, p.2].
Tiella et al. advise using “digital recording electronics with printed audit trails”
[Tiella et al. 2009, p.1]. At a polling station there are touch screen-based machines that
print a “physical and verifiable record of the votes cast,” which can be controlled directly
by the voter [ibidem]. This is an alternative to the recounting idea with encrypted data of
Allepuz and Castelló.
Davtyan et al. state that while election results depend on machine-generated
counts, the result of the counting depends on the machine-generated audit reports.
So without audit, the voting results won’t be trusted [Davtyan et al. 2007, p.2]. In their
study the audit system was manipulated to simulate an attack. To combat attacks they
recommend random audits after the elections, combined with manual counts, which
could help to identify disturbances and errors of the e-voting machine [ibidem, p.8].
The biggest problem which arises if something is wrong with the e-voting pro-
cess is the loss in trust. A solution could be to make people understand the procedures
of the audit process, so that citizens feel more secure. In a simple study with students
concerning a coffee machine, Kalchgruber and Weippl analyzed how training, centered
on the electronic voting system, could influence their trust. Trust was positively related
to degree of understanding technical protocols [Kalchgruber et al. 2009, p.1ff].
“The more information is withheld, the less the public will appreciate the added
value gained by applying the remaining measures” [Koenig et al. 2011, p.5]. The less
transparency, the less the public will use the new measures. Koenig et al. identify another
source of trust, the trust in the auditor. The more a voter believes in the auditor’s
independence from the system, the more trust he will have in the integrity of the final
voting results [ibidem]. In other words it is good to have independent auditors.
This is also recommended by Gibson and McGaley. Additionally they point out
that this Independent Testing Authority (ITA) should be trustworthy. This means that it
should fulfill the required high quality standards and verify the system in detail. When
an audit system is approved by the ITA but delivers inaccurate results, the question arises
of who should be blamed: the poor verifying standards or the insufficient performance
of the ITA [Gibson et al. 2008, p. 302].
McGaley and Gibson found in their study of the requirements of the Council
of Europe that there are some inconsistencies, amongst others in audit [Gibson et al.
2005]. For example, it is stated that “the audit system shall be publicly verifiable (184)”
[CoE 2005, p.61]. But this is in contrast with other standards, like number 24, which
states that the “components of the e-voting system shall be disclosed, at least to the
competent electoral authorities.” So, they leave open the possibility that it is not
completely disclosed. Another possibility to bypass standard 184 is not to publish certain
system programs for security reasons (69), and access for unauthorized people should be
denied (105) [ibidem]. But then it is difficult to determine who is authorized and who is not.
With all these contradictions, incompleteness and repetition, specialists will have
problems deciding whether something is according to the requirements or not. McGaley and
Gibson propose that this document of the Council of Europe be continually updated and
adapted to the new reality in order to assure the proper functioning and thus the
performance of the system [Gibson et al. 2005].
So why is performance important? As already suggested at the beginning of this
part, it is to promote trust. Looking at all these imperfections makes one realize that
there is a lot to do to improve the system so that it performs as suggested. And as
democracy is endangered if the problems are not eliminated, the pressure is very
high. Performance and reliability are important because there are so many obstacles to
overcome while the trust must remain the same or grow; losing the trust is
out of the question.
5.2 Performance and reliability in Switzerland
Switzerland started e-voting trials over 10 years ago and is improving its
system at each vote. Its ambition allowed it to introduce remote e-voting. But it
also means that the security measures need to meet the highest standards, otherwise
the trust in the democracy will be damaged for a long time. Lauer criticizes that
no common idea exists concerning the perfect e-voting system, which causes a waste of
resources invested in academic analyses [Lauer 2004, p.11].
It is very difficult to find data about audit in Switzerland because it is an integral
component of the system. Whenever a problem is detected, all the research papers
analyzed in this paper talk about the problems but not about the audit. But as an official
web page about e-voting says, it is obvious that e-voting is successful in Switzerland,
which means that the audit system works well. Furthermore the page states that the
e-voting system in Geneva is subject to regular audits [SKB 2011]. As the statistical
office of Zurich describes in its report about an e-voting performed at the University of
Zurich, the system there is audited by the Swiss government and the Federal Chancellery
annually. Also “external parties perform security audits” [Beroggi 2008, p.4]. These
external audits tried, for example, to hack into the e-voting system but without
success. The audits seem to show that the e-voting system in Zurich was robust [ibidem].
6 Conclusions
Voting is an important factor in a democratic society, but it appears that there is
more and more abstention. E-voting appeared to remedy this, and it confronts all
participants with challenges. E-voting also meets the expectations of the younger
generation, which is growing up in a digital world. Switzerland was caught up in this hype
and collaborates with the Council of Europe, which is responsible for the development of
e-voting in Europe.
In this paper we presented the basic requirements that must be fulfilled by a
voting system. As we see, the implementation of such a system poses many challenges
and risks for its developers. The first lesson is that before starting to design a system,
one should carefully consider whether all these requirements can be met and whether
the cost to be incurred during the implementation is proportional to the expected
benefits. It may turn out that it is better to stay with the existing paper based solution.
As shown in the examples, not all countries have succeeded in creating a successful voting
system. The second lesson is that when the decision is made to create an e-voting system,
it is important to learn from mistakes and successes made by others.
E-voting - E-voting refers to a way to vote where technical means are used. The
mechanical way can be used at polling stations or at home. The choice to change from
paper voting to electronic voting has on the whole more advantages than challenges,
even though the challenges are sophisticated. Switzerland, as a small and conflict-free
country, exactly fits the description of countries which have the best success [Chevallier
2008, p.2f]. It chose the way of internet voting for all the advantages and because
it is one of the advanced countries and wants to be a leader [Haenni et al. 2008,
p.11]. Additionally, Braun recalls one requirement from the Recommendations of the
Council of Europe for e-voting which should ensure the trust of people: “Voters shall be
provided with an opportunity to practice any new method of e-voting before, and separately
from, the moment of casting an electronic vote” [CoE 2005, p.11:22]. Braun argues
that the three pilot projects meet these requirements and in this way assure one
step forward towards internet voting [Braun 2004]. Nevertheless, the problems that can
occur should make even Switzerland careful, because it has a lot of trust to lose. In
the paper, choices of countries were mentioned; whether e-voting is introduced or
not depends on the country’s characteristics and on the proportion of advantages
and disadvantages.
Usability - Designing voting interfaces is a complex task that involves many different
disciplines of science in the entire election process. Achieving usability is
critical to any voting system and has to be implemented carefully, with emphasis on the
details and on tests which will prove the effectiveness, efficiency and user satisfaction of
the offered solution. All authors agree on the importance of usability in electoral systems
and provide solutions in accordance with the guidelines created by the usability
precursors (Dix, Finlay, Abowd and Beale), and warn that the omission of aspects of
usability can result in reduced voter turnout or even election fraud. Referring to the
research questions regarding the relevance of usability requirements, we believe that
they play a key role in the whole voting process. They ensure the proper conduct of
elections and guarantee that everyone who has voting rights can fully use them,
avoiding a digital divide. The lesson learned regarding usability is to identify, analyze
and evaluate the human factors affecting e-voting, which can vary for different participants.
Security - Many different methods have been designed to achieve security
during elections conducted by e-voting systems. Referring to the research
questions regarding the relevance of security requirements, we are confident that
without meeting the requirements for safety no e-voting system can be
implemented and function properly. The task of security is to ensure control over the
proper conduct of elections. This consists of protecting the privacy of voters and their
choice, making sure that the vote was cast by an eligible voter, calculating the
correct result and checking that no one can influence it. As we see, the fulfillment of
safety requirements is the basis for the construction of the voting system and the
guarantee of trust between the government and voters. The authors agree that
the main task of security is to ensure trust between the government and voters.
However, with rapidly changing standards of safety and new kinds of attack, finding a
permanent standard solution for security seems to be impossible. In this situation,
the only reasonable solution is to observe the changes in the security standards and
successful implementations and, based on that, continuously improve the offered
solution.
Reliability - After discussing all the requirements for a perfect e-voting system, it
is of utmost importance not to forget to assure the performance and the reliability of the
system through audit. An audit is a system which surveys all processes in order to
assure errorless functioning of e-voting. But it is a controversial subject concerning
transparency, because while the official requirements contain an obligation that everybody
should be able to understand the process, this is still impossible for non-specialists. In
addition there exists the possibility to exclude some people from the control of the audit
system. A solution might be that the government creates workshops with specialists
from the government and others, such as from universities, to train interested people in
the functioning of the system and then let them try for themselves. The variety of
specialists should provide the most different views of the system. Another idea is to
make the audit process as clear as possible, for example with graphics. Alternatively,
school courses could be introduced about the basic knowledge, so that the general
level of informatics education increases.
When the audit requirements are met, the performance can be evaluated, coun-
try reports can be delivered and the citizens can rely on the reliability of the e-voting
system. If for example one of the four features, like recording, is not detailed enough,
the audit would be accordingly superficial and less useful.
There are very few research papers about the audit in Switzerland. Switzerland
delivers reports to the Council of Europe and talks about its achievements, but doesn’t talk
about its audit system, only that an audit is employed. Here a recommendation would
be to make it more transparent which system is used, so that research studies may arise and
contribute to the improvements.
Concerning the forecast, Switzerland itself predicts in its report to the Council of
Europe that the trials with e-voting will continue and that new cantons should be attracted.
Switzerland is satisfied with the possibility it gives to people who have difficulties voting,
for example those who are abroad or disabled. The authorities are determined to
have all national languages adapted in all e-voting systems [CoE 2008, p.20]. Apart
from the trials in Zurich, Neuchâtel and Geneva, the critical authors don’t expect that
internet voting will be imposed soon, due to the many disadvantages discussed in
previous parts [Gasser 2009, p.14].
It is easy to answer the question why all these requirements are important. Be-
cause it is all about trust, trust in the e-voting system, trust in the democracy and there-
fore trust in the future. When these conditions are fulfilled the whole system will work
and the trust in democracy will get stronger.
Bibliography
[Al-Jarrah et al.] Al-Jarrah, Omar; Barakat, Laith; Ebaid, Munzer S.; Hayajneh, Thaier S.; Khasawneh, Mohammed; Malkawi, Mohammad: A Biometric-Secure e-Voting System for Election Processes, Proceeding of the 5th International Symposium on Mechatronics and its Applications (ISMA08), Amman, Jordan, May 27-29 (2008).
[Allepuz et al. 2010] Allepuz, Jordi Puiggalí; Castelló, Sandra Guasch: Universally Verifiable Efficient Re-encryption Mixnet. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 241-254.
[Beroggi 2008] Beroggi, Giampiero E.G.: Secure and Easy Internet Voting. IEEE Computer Society (2008), pp. 52-56.
[Braun 2004] Braun, Nadja: E-Voting: Switzerland's Projects and their Legal Framework – in a European Context. Krimmer, Robert (Eds.); Prosser, Alexander: Electronic Voting in Europe – Technology, Law, Politics and Society, No. 47 (2004), pp. 43-52.
[Bryans et al. 2006] Bryans, J.W.; Littlewood, B.; Ryan, P.Y.A.; Strigini, L.: E-voting: dependability requirements and design for dependability. IEEE Computer Society Press (2006), pp. 988-995.
[Burmester et al. 2002] Burmester, Mike; Magkos, Emmanouil: Towards secure and practical e-elections in the new era. Department of Computer Science, Florida State University, available: http://di.ionio.gr/~emagos/overview_voting_2002.pdf, accessed 30 November 2011.
[BVG 2011a] BVerfG: Bundesverfassungsgericht. Use of voting computers in 2005 Bundestag election unconstitutional, 2011, available: http://www.bundesverfassungsgericht.de/en/press/bvg09-019en.html, accessed 30 November 2011.
[BVG 2011b] BVerfG: Bundesverfassungsgericht, 2 BvC 3/07 vom 3.3.2009, Absatz-Nr. (1 - 166), 2011, available: http://www.bundesverfassungsgericht.de/entscheidungen/rs20090303_2bvc000307en.html, accessed 30 November 2011.
[Carravilla et al. 2006] Carravilla, Maria Antónia; Cunha, João Falcão; Faria, João Pascoal; Leitão, Mário Jorge; Monteiro, Miguel Pimenta: A Methodology for Auditing e-Voting Processes and Systems used at the Elections for the Portuguese Parliament. Krimmer, Robert (Eds.): Electronic Voting 2006. 2nd International Workshop, No. 86 (2006), pp. 145-154.
[Castellà-Roca 2010] Castellà-Roca, Jordi; Jardí-Cedó, Roger; Pujol-Ahulló, Jordi: Verification Systems for Electronic Voting: A Survey, 2010. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 163-177.
[Cetinkaya 2007] Cetinkaya, Orhan: Towards Secure E-Elections in Turkey: Requirements and Principles, available: http://www.ceng.metu.edu.tr/~corhan/Papers/desegov07.pdf, accessed 30 November 2011.
[Chevallier 2008] Chevallier, Michel: Internet Voting, Turnout and Deliberation: A Study. Electronic Journal of e-Government, Vol. 7, Nr. 1 (2009), pp. 29-44.
[CCfEVaP 2011] CCfEVaP: Competence Center for Electronic Voting and Participation: History of E-Voting, 2011, available: http://www.e-voting.cc/files/modem_1_2011_history, accessed 30 November 2011.
[Chevallier et al. 2006] Chevallier, Michel; Sandoz, Alain; Warynski, Michel: Success Factors of Geneva’s e-Voting System. Electronic Journal of e-Government, Vol. 4, Issue 2 (2006), pp. 55-62.
[CoE 2005] CoE: Council of Europe: Legal, Operational and Technical Standards for E-Voting, 2005, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/Key_Documents/Rec(2004)11_Eng_Evoting_and_Expl_Memo_en.pdf, accessed 30 November 2011.
[CoE 2008] CoE: Council of Europe: National Reports on Developments, 2008, available: http://www.coe.int/t/dgap/democracy/Source/EVoting/Evoting2008/National%20reports%20E.pdf, accessed 30 November 2011.
[CoE 2010a] CoE: Council of Europe: Contribution by Switzerland, 2010, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-voting%202010/Biennial_Nov_meeting/GGIS(2010)19%20E%20corr.%20Meeting%20Report%20e-voting%20review%202010%2021%2012%2010.asp, accessed 30 November 2011.
[CoE 2010b] CoE: Council of Europe: Meeting Report, 2010, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-voting%202010/Biennial_Nov_meeting/GGIS(2010)19%20E%20corr.%20Meeting%20Report%20e-voting%20review%202010%2021%2012%2010.asp, accessed 30 November 2011.
[CoE 2010c] CoE: Council of Europe: E-voting handbook. Key steps in the implementation of e-enabled elections, Council of Europe Publishing, 2010.
[CoE 2011a] CoE: Council of Europe: Recommendation Rec(2004)11 of the Committee of Ministers to member states on legal, operational and technical standards for e-voting, 2011, available: https://wcd.coe.int/wcd/ViewDoc.jsp?id=778189&Site=CM&BackColorInternet=C3C3C3&BackColorIntranet=EDB021&BackColorLogged=F5D383, accessed 30 November 2011.
[CoE 2011b] CoE: Council of Europe: Good Governance in the Information Society, 2011, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/Default_en.asp, accessed 30 November 2011.
[CoE 2011c] CoE: Council of Europe: National Reports Presented, 2011, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-voting%202010/Biennial_Nov_meeting/National_reports_en.asp#TopOfPage, accessed 30 November 2011.
[CoE 2011d, p.10] CoE: Council of Europe: Certification of E-Voting Systems, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/E-voting%202010/Biennial_Nov_meeting/Guidelines_certification_EN.pdf, accessed 30 November 2011.
[Cranor et al. 1997] Cranor, L.; Cytron, R.: Sensus: A security-conscious electronic polling system for the Internet. Proceedings of the Hawaii International Conference on System Sciences. Wailea, Hawaii, 1997.
[Cross II et al. 2010] Cross II, E. Vincent; Gilbert, Juan E.; Gupta, Priyanka; Rogers, Gregory; McClendon, Jerome; McMillian, Yolanda; Mitchell, Winfred; Mkpong-Ruffin, Idong; Rouse, Ken; Williams, Philicity: Universal access in e-voting for the blind. Universal Access in the Information Society, Vol. 9, No. 4 (2010), pp. 357-365.
[Davtyan et al. 2007] Davtyan, Seda; Kiayias, Aggelos; Michel, Laurent; Russell, Alexander; See, Andrew; Shashidhar, Narasimha; Shvartsman, Alexander: Tampering with Special Purpose Trusted Computing Devices: A Case Study in Optical Scan E-Voting. Institute of Electrical and Electronics Engineers. 23rd Annual Computer Security Applications Conference (2007), pp. 30-39.
[Abowd et al. 2004] Dix, Alan; Finlay, Janet; Abowd, Gregory D.; Beale, Russell: Human-Computer Interaction, 3rd edition, Pearson Education, 2004.
[Dubuis et al. 2010] Dubuis, Eric; Haenni, Rolf; Spycher, Oliver: Coercion-Resistant Hybrid Voting Systems. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 269-282.
[DW 2011] DW: Deutsche Welle: German Court Rules E-Voting Unconstitut, 2011, available: http://www.dw-world.de/dw/article/0,,4069101,00.html, accessed 30 November 2011.
[EB 2009] Europa Barometer: Nachwahl Umfrage. Bericht. Befragung Juni-Juli 2009, available: http://ec.europa.eu/public_opinion/archives/ebs/ebs_320_de.pdf, accessed 30 November 2011.
[Ehringfeld et al. 2010] Ehringfeld, Andreas; Krimmer, Robert; Traxl, Markus: The Use of E-Voting in the Austrian Federation of Students Elections 2009. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 33-44.
[Everett 2007] Everett, Sarah P.: The Usability of Electronic Voting Machines and How Votes Can Be Changed Without Detection, available: http://chil.rice.edu/research/pdf/EverettDissertation.pdf, accessed 30 November 2011.
[Gasser 2009] Gasser, Urs; Gerlach, Jan: Internet and Democracy Case Study Series. Three Case Studies from Switzerland: E-Voting, available: http://cyber.law.harvard.edu/sites/cyber.law.harvard.edu/files/Gerlach-Gasser_SwissCases_Evoting.pdf, accessed 30 November 2011.
[Gibson et al. 2005] Gibson, Paul; McGaley, Margaret: A critical analysis of the council of Europe recommendations on e-voting. EVT'06 Proceedings of the USENIX/Accurate Electronic Voting Technology. Workshop 2006 on Electronic Voting Technology Workshop.
[Gibson et al. 2008] Gibson, Paul; McGaley, Margaret: Verification and Maintenance of e-Voting Systems and Standards. In: Remenyi, Dan: 8th European Conference on e-Government Ecole Polytechnique, Switzerland (2008), Academic Publishing International, 2008, pp. 283-290.
[Haenni et al. 2008] Haenni, Rolf; Dubuis, Eric; Ultes-Nitsche, Ulrich: Research on E-Voting Technologies. A Survey. Research report BFH-TI Nr. 5, 2008, available: http://www.ti.bfh.ch/fileadmin/data/forschung/publikationen/0005_research_on_e-voting_technologies.pdf, accessed 30 November 2011.
[Hall et al. 2010] Hall, Thad; Loeber, Leontine: Electronic Elections in a Politicized Polity. Grimm, Rüdiger (Eds.); Krimmer, Robert: Electronic Voting 2010. 4th International Conference, No. 167 (2010), pp. 193-212.
[IIDEA 2011] IIDEA: International Institute for Democracy and Electoral Assistance: Introducing Electronic Voting. Essential Considerations, Bulls Graphics, Sweden, 2011.
[IPI 2001] IPI: Internet Policy Institute: Report of the National Workshop on Internet Voting. Issues and Research Agenda, 2001, available: http://fl1.findlaw.com/news.findlaw.com/cnn/docs/voting/nsfe-voterprt.pdf, accessed 30 November 2011.
[ISB 2006] ISB: Informatikstrategieorgan Bund. IKT-Strategie der Bundesverwaltung 2007-2011, available: http://www.isb.admin.ch/themen/strategien/00070/index.html?lang=de&download=NHzLpZeg7t,lnp6I0NTU042l2Z6ln1acy4Zn4Z2qZpnO2Yuq2Z6gpJCDdoB8gGym162epYbg2c_JjKbNoKSn6A--&t=.pdf, accessed 30 November 2011.
[ISB 2011] ISB: Informatikstrategieorgan Bund. e-Government Strategie Schweiz: Priorisierter Vorhaben, available: http://www.egovernment.ch/dokumente/katalog/E-Gov-CH_Katalog_2011-10-24_D.pdf, accessed 30 November 2011.
[Kalchgruber et al. 2009] Kalchgruber, Peter; Weippl, Edgar R.: Can End-to-End Verifiable E-Voting be Explained Easily? iiWAS2009 (2009), pp. 572-576.
[Kaufman et al 2002] Kaufman, Charlie; Perlman, Radia; Speciner, Mike: Network Security: Private Communication in a Public World, 2nd edition, Prentice Hall Copyright, 2002.
[Koenig et al. 2011] Koenig, Reto; Spycher, Oliver; Volkamer, Melanie: Transparency and Technical Measures to Establish Trust in Norwegian Internet Voting, available: http://www.regjeringen.no/upload/KRD/Prosjekter/e-valg/vedlegg/paper_transparency_and_technical_measures.pdf, accessed 30 November 2011.
[Lauer 2004] Lauer, Thomas W.: The Risk of e-Voting. Electronic Journal of e-Government, Vol. 2, No. 3, Art. 34 (2004), pp. 169-178.
[LGA 2002] LGA: Local Government Association: Implementation of local voting in the UK. Research summary, 2002, available: http://www.communities.gov.uk/documents/localgovernment/pdf/133544.pdf, accessed 30 November 2011.
[Lombardi 2011] Lombardi, Emanuele: Electronic Voting and Democracy, 2011, available: http://www.electronic-voting.org/TERMINI/whatswrong_en.php, accessed 30 November 2011.
[Mercuri 2002] Mercuri, Rebecca: Usability Professionals Association Conference, Humanizing Voting Interfaces, Orlando, 2002.
[Meier 2009] Meier, Andreas: eDemocracy und eGovernment. Entwicklungshilfen einer demokratischen Wissensgesellschaft, Heidelberg, 2009.
[MoLGaRD 2006] MoLGaRD: Ministry of Local Government and Regional Development: Electronic voting – challenges and opportunities. Report, available: http://www.umic.pt/images/stories/publicacoes1/evalg_rapport_engelsk.pdf, accessed 30 November 2011.
[SKB 2011] SKB: Staatskanzlei des Kantons Bern, available: http://www.sta.be.ch/sta/de/index/wahlen-abstimmungen/wahlen-abstimmungen/e-voting/Sicherheit.html, accessed 30 November 2011.
[Tiella et al. 2009] Tiella, Roberto; Weldemariam, Komminist; Villafiorita, Adolfo: Development, Formal Verification, and Evaluation of an E-Voting System With VVPAT. IEEE Transactions on Information Forensics and Security, Vol. 4, No. 4 (2009), pp. 651-661.
[Trechsel 2007] Trechsel, Alexander H.: Report for the Council of Europe. Internet Voting in the March 2007 Parliamentary Elections in Estonia, available: http://vvk.ee/public/dok/CoE_and_NEC_Report_E-Voting_2007.pdf, accessed 30 November 2011.
[Trechsel et al. 2010] Trechsel, Alexander H.; Vassil, Kristjan: Internet Voting in Estonia. A Comparative Analysis of Four Elections since 2005, 2010, available: http://www.coe.int/t/dgap/democracy/Activities/GGIS/E-voting/EVoting_Documentation/GGIS_2010_15_Internet_voting%20_in%20_Estonia%202005-2009%20E%20_2_.pdf, accessed 30 November 2011.