Next: Voter assurance
Up: Proposal for restructuring
Previous: Secret suffrage
Direct suffrage
The committee did not categorise any of their standards under "direct suffrage", saying that it "does not call for special attention" [7]. We contend that, since direct suffrage (as defined by the CoE) requires that "the ballots cast by the voters directly determine the person(s) elected" [7], any measure used to protect the votes from tampering falls into this category, as does any measure to ensure that the results are tabulated correctly.
14) The e-voting system shall accurately record votes. (95)
    - It shall be ensured that the voter is presented with an authentic ballot. (90a)
    - The vote cast by a voter shall be the vote recorded within the system. (92) [10, guideline 42]
15) The e-voting system shall prevent recorded votes from being changed or deleted. (15, 34a, 92)
16) The e-voting system shall accurately calculate the result based solely on the votes cast. (7, 98)
    - There shall be a secure and reliable method to aggregate all votes. (8)
In order to support these requirements:
17) Provision shall be made for the observation of all stages of elections to the extent permitted by law. (23, 56)
    - Reliable, accurate, detailed observation data shall be produced. (83)
    - Observers shall be educated about the expected behaviour of the system and its operators so that they can make informed judgements about the reliability of election results. [14]
18) There shall be a comprehensive audit system designed into the e-voting system to provide information about the functioning of the system at all levels. (59, 100, 101, 102, 103, 104, 107, 108) Audit information recorded shall, at a minimum, include:
    - The number of votes cast,
    - Count information (including personnel involved, and enough information to reproduce the count results),
    - Any suspicious activities which may indicate some kind of attack on the system (including votes affected, if applicable),
    - System failures and malfunctions,
    - Logs of authorised access to the system (including user identity and activities undertaken). (57, 58)
19) Software engineering best practice shall be followed, including:
    - A comprehensive risk assessment shall underpin the decision to introduce e-voting in general, and any system in particular. This assessment shall be carried out by individuals with a suitable level of expertise. (III) 4
    - Components' access to time sources shall be strictly limited on a "need to know" basis [14, 20]. (contrast with 84, see section 6.4)
    - Change management for the system shall be open and transparent. In particular:
        - All components of the system shall be subject to version control. (69b)
        - It shall be possible to accurately and reliably determine whether a given component is the version tested and approved for use.
        - Any updates of software, including third-party software such as operating systems, shall be justified before installation [14].
        - There shall be a bug-tracking system.
        - All of these measures shall follow best practices.
    - Compliance with suitable open standards is recommended. (66) 5
    - At least one competent, independent body (certification authority) shall be appointed to assess and certify the system's operation and compliance with these standards. (111)
    - The certification authority shall develop a test plan which covers testing to be carried out: before the system is introduced, at regular intervals, and triggered by specific events (for example software updates, upcoming elections) as well as the timing of such tests. (25, 31, 73)
    - All components of the system and software used, and all audit information, shall be publicly disclosed. Exceptions to this rule shall only be allowed where it can be shown that such a disclosure would either endanger the security of the system or genuinely endanger the intellectual property of the vendor. In either of these cases, full disclosure shall be made to the certification authority for verification and certification purposes. (contrast with 24, 69a, 105, 110)
    - The system shall be fault tolerant and fail safe.
    - Any backup system shall conform to the same standards and requirements as the original system. (70b)
    - Technical and organisational measures shall be taken to ensure that no data will be permanently lost in the event of a breakdown or a fault affecting the e-voting system. (27; see point 65 in [8]; 77)
20) Security measures shall be employed (28) to protect the system from fraud and error. (29)
    - Where data must be transmitted and/or stored electronically, its origin shall be verifiable and its integrity shall be protected. Currently this is likely to require the use of cryptography. (26, 75c, 89, 97, 99, 109) (Such data may include votes, voter registers, lists of candidates (86), and audit information.)
    - Where access to data must be restricted (for example authentication data), its secrecy shall be protected. Currently this is likely to require the use of cryptography. (81)
    - The system shall be monitored during operation for compliance with requirements. (72a, 79a)
    - Security arrangements shall ensure that, for the duration of operation, each component is the version tested and approved for use.
    - Incident levels shall be defined and appropriate responses identified. (76)
    - All technical operations shall be subject to a formal control procedure. (74a) In particular:
        - The principle of separation of duty shall be applied wherever applicable. [2]
        - Physical and electronic access to equipment used in elections shall be limited via a comprehensive authentication system which complies with best practice, including the principle of least privilege. (32a, 80)
        - Clear rules shall be developed for determining access privileges of individuals, and for the appointment of personnel to sensitive positions. (32a)
        - All personnel who have been assigned a cryptographic key for authentication shall be educated about key management.
        - The physical security of equipment used in elections shall be protected during (75a) and between elections. Access shall be restricted according to the formal control procedure.
        - Any changes to key equipment shall be notified to the authorities identified in the control procedure. (74b)
        - Critical technical activities shall be carried out by teams of at least two people. The composition of the teams shall be regularly changed. All such activities shall be the subject of a report. As far as possible, such activities shall be carried out outside election periods. (32b, 33a)
        - Where such activities must be undertaken during an election period, they shall be monitored by election observers. (33b)
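An added worked example (written for this page; it is not code from the paper, from the CoE standards or from any certified system) showing how requirements 14-16, 18 and 20 fit together in a small vote-recording and tally component: each recorded vote is hash-chained to its predecessor and carries an HMAC origin tag, so a changed, deleted or reordered record, or one not produced by the holder of the origin key, is detected before any count is produced, and the count report carries the number of votes and the final chain hash so that the count can be reproduced. The key, the ballot serials and the choices are constructed sample values, and the shared symmetric key is an assumption standing in for whatever origin credential a real system would use.

```python
import hashlib, hmac, json
from collections import Counter

# Constructed demo key: stands in for the origin-authentication credential a
# certified system would hold (assumption: symmetric key shared with the tally).
ORIGIN_KEY = b"constructed-demo-key-not-for-real-use"
GENESIS = "0" * 64  # chain anchor for an empty record

def _entry_hash(prev_hash, payload):
    """Hash of this entry's content bound to the previous entry's hash."""
    data = prev_hash + json.dumps(payload, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def _origin_tag(entry_hash):
    return hmac.new(ORIGIN_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()

def record_vote(log, ballot_serial, choice):
    """Append one cast vote (req. 14). The entry commits to its predecessor and
    carries an HMAC so its origin can later be verified (req. 20)."""
    prev = log[-1]["hash"] if log else GENESIS
    payload = {"seq": len(log), "ballot": ballot_serial, "choice": choice}
    h = _entry_hash(prev, payload)
    log.append({**payload, "prev": prev, "hash": h, "tag": _origin_tag(h)})
    return h

def verify_log(log):
    """Return (ok, problems): flags changed, deleted or reordered entries and
    entries not produced by the holder of ORIGIN_KEY (req. 15, 18)."""
    problems, prev = [], GENESIS
    for i, e in enumerate(log):
        payload = {"seq": e["seq"], "ballot": e["ballot"], "choice": e["choice"]}
        if e["seq"] != i or e["prev"] != prev:
            problems.append(f"entry {i}: chain break (seq/prev mismatch)")
        if _entry_hash(prev, payload) != e["hash"]:
            problems.append(f"entry {i}: content does not match its hash")
        if not hmac.compare_digest(_origin_tag(e["hash"]), e["tag"]):
            problems.append(f"entry {i}: origin tag invalid")
        prev = e["hash"]
    return (not problems, problems)

def tally(log):
    """Count solely from a verified record (req. 16). final_hash belongs in the
    published count information (req. 18); truncation of the record's tail is
    caught later by comparing against it."""
    ok, problems = verify_log(log)
    if not ok:
        raise ValueError("audit failure: " + "; ".join(problems))
    final = log[-1]["hash"] if log else GENESIS
    return {"votes_cast": len(log),
            "counts": dict(Counter(e["choice"] for e in log)),
            "final_hash": final}
```

Note that the chain alone cannot reveal removal of the newest entries; that is why the final chain hash is part of the count report that must be retained with the audit information.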
margaret
2006-05-25