In the year 2000, the State of Geneva began to develop an internet voting application. Geneva is therefore the public entity with the longest experience of internet voting in the world.
The reasons why this project was launched are to be found in two different directions. These reasons have less to do with security or technique, than with cultural factors. Experience shows that one does normally not jump from the wooden ballot box straight to internet voting; the path to remote electronic voting usually goes either through mail vote or the introduction of ICTs in the electoral process.
We are all more and more mobile. Whether we are bankers, nurse or working in the field of tourism, living abroad for a few years has almost become a necessity in a modern career. We maintain cross-border friendships, our relational networks span several countries and we often identify with more than one state.
This tendency has been acknowledged by governments, which more and more grant civil rights to their expatriates. But we still had to invent an effective way of exercising these rights beyond borders and continents. Postal vote offered a first answer.
In Switzerland, postal vote was generalized in the mid-nineties. Geneva was one of the first cantons to offer it, back in 1995.
Postal vote displaced the voting act away from the polling station and moved it into the voters’ homes. Since the early 1990s, the polling material (voting card and ballots) has been sent to the voter’s homes so that they could arrive at the polling station with a pre-filled ballot paper.
Before the introduction of postal voting, ballots were organized over a week-end. Nowadays, citizens can vote over a two to three weeks period, according to the nature of the ballot (municipal vs. cantonal or federal). This has changed the timing and the approach to electoral propaganda as well as the ways to reach out to voters. This imposed a rethinking of the use of financial resources as campaigns are now longer and have several peaks.
Postal voting fulfilled a desire for flexibility that had been expressed by the electorate. This need stems from changing life habits, but also from the Swiss semi-direct democracy system which foresees four to six ballots a year.
The impact of postal voting was immediate: in Geneva, it increased turnout by 20 points (from 30-35% in 1995 to 50-55% on annual average in the early 2000s). Geneva’s turnout is now of the highest in the country and some 95% of the voters cast their ballot by mail (Swiss average: 80 %).
In the year 2000, the situation was favourable to launch the internet voting project. The number of homes connected to the internet had been growing steadily and more than half of all Swiss households were then connected. A national survey conducted every two years showed that two thirds of internet users wished to be able to vote online. Besides, the Geneva law allowed for electronic voting trials and Geneva was the only Swiss canton to have a centralized and computerized voters’ register, an essential requirement to start such a project.
That same year, the Swiss Confederation launched an appeal to the cantons interested in developing an online voting system. Geneva, Neuchâtel and Zurich responded favourably and were able to benefit from federal funds until 2004. In return, they agreed to offer free of charge the sources of their system to any other canton, should they wish it.
The Swiss Confederation aimed at gaining experience and know-how in internet voting. To this end, the federal law on the political rights was modified a first time in 2002 to introduce electronic voting, then a second time in 2008 to allow for the spreading of internet voting in the country.
From the Confederation point of view, the pilot phase came to an end on December 31st, 2007. On this date, Switzerland entered the phase of national rolling out of this voting channel. Internet voting remains however subjected to limitations regarding the share of the electorate it can be offered to. These limitations will last at least until the end of the current federal legislature, in 2011.
In 2008, internet voting began being offered to the Swiss voters living abroad. Geneva offered it to its own expatriates as of September 2009. As cantons have no possibility to develop their own online voting system in the short term, Geneva offered to host voters from any canton on its own system. Several cantons have expressed their interest, with Basel-City being the first one. So the citizens of Basel-City living abroad will be able to vote online on the Geneva application as of the federal ballot of November 2009. Other cantons will follow in 2010 and 2011.
Postal voting was our benchmark during the development of internet voting. But the double nature of online voting, remote voting channel and at the same time electronic and dematerialized voting, raised new challenges which we had to solve.
The Geneva law states that any citizen can attend the ballot counting procedure in his polling place. As postal votes are counted in a centralized manner, we already had to interpret this rule. And so were born the political parties’ controllers, appointed by the government to supervise the postal ballots’ counting.
For electronic voting, these controllers have an increased role. They generate the electronic ballot box’s encryption keys and are thus the only persons able to access this box. The ballot counting is impossible without their presence and collaboration.
On February the 8th, 2009, the Geneva citizens approved with a 70% majority a new amendment which introduced internet voting in the cantonal constitution and created a permanent electoral commission. This commission will replace the party controllers in 2010.
The legitimacy of online voting relies not only on its approval by the parliament, but also on its support by the civil society, as underlined by a study by the Geneva University (http://www.ge.ch/evoting/doc/rapports/legitimite_e-vote.pdf, in French). This support has been given on February the 8th, 2009.
A public community embarking in electronic voting has to have the intellectual property of its system. Black boxes are not conceivable. This requirement can translate in two different forms: either the state uses software whose sources are public (open source software) or it owns the sources it uses (proprietary software whose owner is a public entity). In Geneva, 85% of the software we use (firewall, servers’ operating system, etc.) are open source and the rest is owned by the state, with the exception of the Oracle databases.
The software issue is not a technical question, but a political one. It has more to do with the legitimacy of the project than with its security. A solution completely based on freeware would be auditable from A to Z by any computer specialist, but this would not change anything fundamental; it would only make these computer specialists, most of them unknown to us and with no link to Geneva, the guarantors for the system’s fairness. Is this democracy? Or isn’t democracy rather a set of known and accepted rules, whose implementation is verified by an official commission?
It is often asserted that electronic voting makes it impossible to recount the votes, while paper ballots allow it. This assertion deserves an attentive examination.
What do we recount when we recount paper ballots? The US 2000 presidential election, for example, showed that the existence of paper ballots is no panacea, because paper does not ensure that the voters’ will can be read without ambiguity. And paper ballots do no prevent counting errors.
It is actually almost impossible that two manual counts yield the same result. When the spread between two candidates is large, variations in the recount are not a problem. But when this spread is of some hundreds or even some tens of votes out of several thousands, the limits of manual counting and paper ballots become obvious.
What about electronic voting? In the system we have developed in Geneva, counting the eBallots does not destroy them. It is possible to recount them, from the same source or from one of the four replicas ballot boxes we have built into the system, using the same software (spreadsheet) or another one, to compare the results.
The true issue in remote electronic voting lies upstream: it is the quality and the integrity of the data contained in the electronic ballot box. We have developed a java applet that checks the integrity of each single vote before accepting it into the eBallot box. It rejects any ballot that contains any byte not directly related to the voting process and informs the voter to cast his vote in another way.
The recount issue is moreover similar to the system audit issue and the possibility for third parties (the electoral commission for example) to supervise the system and to order tests.
The Geneva internet voting project went ahead relatively fast, given the complexity that such a system can take on. Why?
At first, we had the advantage to possess already a centralized and computerized voters’ register, what saved us several months work at least.
Our initial choice of a simple system, which is an electronic translation of postal voting and does not impose the voters to purchase any particular infrastructure also contributed to the project’s speed. We did not want a system which would require preliminary registration of the voters wishing to use it or change in the polling stations’ management. This system should allow voting home, from the office, from an internet café or any public internet access.
We have split the voting issue in initiatives and referendum, on one hand, and elections, on the other. This also helped us moving faster, as we only have addressed initiatives and referendum so far. This allowed us testing the validity of our basic concept, as well as the components and the architecture of the system, without taking big political risks since the designation mode of elected representatives was not affected.
Finally, this project moved quickly because it benefited from the support and the know-how of the Swiss Confederation.
We adopted a multidisciplinary approach. We have appointed the University for legal and sociopolitical studies, IT companies to develop some aspects of the application, audit its security and try to hack it.
For the voters, the voting card remains the basis of the voting process (http://www.ge.ch/evoting/carte-de-vote.asp). We have simply added a single-use PIN code to the card.
The voter introduces his card number into the system, fills an online ballot, and confirms his vote by giving his PIN code, his date of birth and his municipality of origin. He then receives a confirmation of the date and time of his vote’s registration.
To prevent voters from casting several votes each using the different voting channel we offer (polling station voting, postal voting and internet voting), we use a single voters’ database. Whatever your voting channel, the fact that you have voted once blocks your voting card number, preventing a duplicate vote.
This procedure allows us to perform the three stages of identification, authentication and proof of vote. Besides, it guarantees that only the registered voters have access to the system. The date of birth and municipality of origin questions protect your voting right as no third party can have access to these information, unless you willingly release it.