Internet Voting: An Empirical Evaluation

Apr 2, 2014
COMPUTING PRACTICES

Giampiero E.G. Beroggi, Spring Analytica

The results of testing an Internet voting system, introduced as a pilot program in the Canton of Zurich in 2004, provide hard evidence of attitudes toward electronic voting and underline the need to rely on more advanced technology and centralized infrastructure.

Few would argue that Internet voting is controversial, often with heated debates and polarized articles about both its security and potential benefits. The “Topics of Debate” sidebar gives a flavor of the range of issues many are raising in the halting steps toward large-scale Internet voting. With controversy and complicating political concerns often in the forefront, the literature has provided little empirical evidence on the pluses and minuses of a voting option that will be in more demand as increasing numbers of the digital generation become eligible to vote.

Recognizing the importance of providing an electronic voting option, in 2004, the Statistical Office of the Canton of Zurich (STAT) developed a pilot system (http://evotingdemo.zh.ch) for the Canton of Zurich, which is the most populated Swiss canton. The same year, the Government Council of the Canton of Zurich agreed to introduce the pilot system to select communities within the region over the next two years.


COMPUTER

After successful initial tests from 2004 to 2006, we devised a thorough test phase that ran from 2008 to 2011 aimed at proving that Internet voting is a viable alternative to the traditional postal and ballot voting. In all, the pilot system was operational for seven years,1 and during the three-year test period, voters in the select communities used the system to cast approximately 100,000 votes.

In November 2011, the Canton of Zurich government decided to end the tests with the current Internet voting system and to investigate possible development and use of a system that would include more cantons as well as the federal government, which is responsible for defining Internet voting safety standards in Switzerland. The new system is identical except that the hardware was replaced, and there was no longer an option to vote by SMS. In February 2012, the federal government reported the results of a study on the implications of a verifiable Internet voting system.2 The report, as well as the implementation plans of all the cantons, each of which will be responsible for the proper operation of its Internet voting system, will determine if and when Internet voting becomes available for all Swiss voters.

The findings of our three-year testing, which involved 11 separate evaluations of system use, have yielded insights into realizing large-scale Internet voting. The findings raise concerns about practical implementation, for example, how to establish trust by making the system verifiable individually and universally, and how to ensure transparency by making the source code available. Clearly, the road to large-scale implementation relies on a sensitive balance of political, economic, and technological ambitions and concerns. Even so, any concrete step forward in scaling Internet voting must start with voter buy-in. In this, our test results provided the much-needed hard evidence of voter acceptance and behavior when Internet voting is an option as well as insights into why voters decide to use or not use an Internet system.

Published by the IEEE Computer Society

0018-9162/14/$31.00 © 2014 IEEE

TEST REGION AND VOTE CASTING

The Canton of Zurich has approximately 850,000 voters divided among 171 communities, and each must deliver voting material to its voters, collect the votes, and count the votes on voting day. After tallying the postal, ballot, and Internet votes, the communities enter the results into an electronic system—which is not the Internet-voting system—and send them to STAT, which is the canton election center. Once STAT has the results of all 171 communities, including the 13 Internet-voting test communities, it totals them to determine the overall Canton result. STAT then sends the Canton result by fax (not electronically) to the federal government, which combines the Canton of Zurich results with results from the other 25 cantons to arrive at the overall Swiss result.

Because the Canton of Zurich government wanted the sample size for the test to be at least 10 percent of the eligible electorate, approximately 87,000 citizens living in the Canton of Zurich and 4,000 Swiss citizens living abroad but registered in the Canton of Zurich participated in the test. Citizens could participate in Internet voting only if their community was connected to the Internet voting system, so the sample had to be stratified over the 171 communities to avoid connecting all 171 communities. Figure 1 shows the 13 representative communities in the sample. Their selection was based on the community’s province, its major software provider, its population, and a balance of rural and urban communities.

Over the three years of testing, STAT conducted 11 tests. Internet voting was one of the three options, as shown in Figure 2; the others were the well-established postal and ballot voting methods. When the voters in the sample population received their voting material, they selected one of the three options. Regardless of voting option, voters always received their election material by postal mail, mainly for security.
The communities mailed voting material four weeks before voting day. To ensure sufficient time to generate the high-security voting material with the appropriate login and identification codes, seven weeks before the voting date, the 13 test communities sent STAT the personal data—name, address, date of birth, and so on—so that it could generate the codes; after the codes are generated, STAT sends the codes to the communities so that they can print the voting material and send the voting material to their citizens. Once the Internet voting system generated the appropriate material, the Canton of Zurich government delivered it to 13 communities so it could be mailed to their voters. Appropriate security mechanisms were in place to ensure that no one could cast multiple votes using different options.

As Figure 2 shows, only 20 percent of the votes cast were through the Internet system; postal voting was the most widely used method at 65 percent, with in-person ballot voting being the least favorite at 15 percent. The low ranking of Internet voting might be due in part to its cumbersome nature. After opening the mailed material, the easiest option for the voter is to mark the voting sheet, put it in the postage-provided return envelope, and mail it to the voting center. Those choosing Internet voting must first detach the security lash on the voting sheet, scratch off the cover sheet to find their personal ID, access the Internet voting site, enter the appropriate identification codes, and finally cast their vote.

True Internet voting should be based fully on digital communication, which means delivering the voting material electronically as well as casting votes. To avoid a digital divide, at present, election law requires that every citizen receive the voting material by postal mail.3

Figure 1. The 13 communities (green) in the Canton of Zurich that participated in the Internet voting test from 2008 to 2011. Collectively, these communities represented 91,000 voters. Map labels: Kleinandelfingen, Bertschikon, Bülach, Winterthur Altstadt, Boppelsen, Schlieren, Zürich Kreis 1 and 2, Fehraltorf, Maur, Thalwil, Bubikon, Mannendorf, Mettmenstetten.

Figure 2: Three voting alternatives available for Canton of Zurich voters in the 13 electorates. Postal voting is still the most popular, in part because it is more straightforward for voters to continue working with materials that the government mails to them. Electronic delivery might increase the Internet voting percentage. Figure labels: Voting material received by mail 4 weeks in advance; Ballot voting (15% of casted votes); Postal voting (15% of casted votes); Internet voting (20% of casted votes).

Topics of Debate

The literature has no shortage of opinions on the feasibility of making Internet voting both trustworthy and an attractive voter option. Some authors advocate the use of cryptographic protocols that allow full verifiability;1,2 others focus on strengthening trust in the systems themselves.3-6 Still others argue that maximum security compromises user-friendliness, pointing out that a formally sound system could work against maximum voter participation.7 Indeed, security and reliability issues in Internet voting are often the result of interactions among people, processes, physical phenomena, and poorly understood human–computer interfaces.8

Some naysayers believe that Internet voting can never be secure. Scott Wolchok and colleagues reported that it took them only two days to gain nearly complete control of the election server in the Washington, DC, Internet voting system.9 They then successfully managed to change every vote and to reveal nearly every secret ballot—an election commissioner’s worst nightmare. Barbara Simons and Douglas W. Jones10 conclude that Internet voting is fundamentally insecure and, more important, that most people do not realize the consequences; for example, they fail to grasp that Internet voting could result in computer viruses and worms. The authors point out that vendors, election officials, and others with the best intentions are pushing Internet voting without understanding the risks.

References

1. T.R. Andel and A. Yasinsac, “Secure Internet Voting Protocol for Overseas Military Voters,” Security Protocols XX. Lecture Notes in Computer Science, vol. 7622, 2012, pp. 3-14.
2. X. Yia and E. Okamotob, “Practical Internet Voting System,” J. Network and Computer Applications, vol. 36, no. 1, 2013, pp. 378–387.
3. M. Volkamer and R. Grimm, “Determine the Resilience of Evaluated Internet Voting Systems,” Proc. 1st Int’l Workshop Requirements Eng. for e-Voting Systems (RE-VOTE), 2010, pp. 47-54.
4. M. Volkamer, O. Spycher, and E. Dubuis, “Measures to Establish Trust in Internet Voting,” Proc. 5th Int’l Conf. Theory and Practice of Electronic Governance (ICEGOV 11), 2011, pp. 1-10.
5. L.H. Nestås and K.J. Hole, “Building and Maintaining Trust in Internet Voting,” Computer, vol. 45, no. 5, 2012, pp. 74–80.
6. L. Carter and R. Campbell, “Internet Voting Usefulness: An Empirical Analysis of Trust, Convenience and Accessibility,” J. Organizational and End-User Computing, vol. 24, no. 3, 2012, pp. 1–17.
7. M. Prandini and M. Ramilli, “Internet Voting: Fatally Torn Between Conflicting Goals?” Proc. 6th Int’l Conf. Theory and Practice of Electronic Governance (ICEGOV 12), 2012, pp. 58–61.
8. J. Epstein. “Can We Be Too Careful?” IEEE Security & Privacy, vol. 10, no. 2, 2012, pp. 3–5.
9. S. Wolchok et al., “Attacking the Washington, D.C. Internet Voting System,” Financial Cryptography and Data Security, Lecture Notes in Computer Science, vol. 7397, 2012, pp. 114–128.
10. B. Simons and D.W. Jones, “Internet Voting in the US,” Comm. ACM, vol. 55, no. 10, 2012, pp. 68–77.

EXPECTED VERSUS OBSERVED BENEFITS

Before starting the Internet voting test, the Swiss government commissioned a survey on the expected benefits of Internet voting, with the aim of comparing expectations to observable results. Our findings often contradicted the survey results, which was not entirely surprising, since voting depends less on individual preferences for a voting mode or technology and more on political interest. In this context, surveys can be helpful in understanding individual preferences,4 but interpreting results can be tricky because each survey respondent has a different expectation about voting, which influences the survey response.

Indeed, we found discrepancies from the survey results in media shift, voting participation, ease of use, and political preference.

Media shift

Most respondents stated that they would likely or very likely use Internet voting instead of postal or ballot voting. However, results show that voters preferred postal voting.

Voter participation

We expected increased voter participation because people might be curious to vote using the new system. This was not the case, and the flat participation curve is actually consistent with the results of introducing postal voting 30 years ago. Obviously, voting participation does in fact depend on the degree of interest in political issues, not on the media used to cast the vote.

We also expected to see greater numbers of younger voters: in this case, the average age of the Internet voter is about 45 years, thus we expected to see more voters under 45, but the results showed no change in age distribution or average overall voter age. However, the average age of voters using the Internet system was lower than the average age of postal and ballot voters.

We also expected more urban voters to opt for Internet voting because they might have had more exposure to Internet use and thus be more technically proficient. As Figure 3 shows, just the opposite occurred, with more rural voters using the system. The voting process is organized and promoted at the community level, and some of the smaller communities (some with fewer than 1,000 voters) emphasized the selectiveness and exclusivity of being “an Internet voting community,” which might have skewed the results toward higher Internet voting use.

Figure 3. Internet system use by rural and urban voters during 11 tests (voting days). The spike in the second test is an “early-adopter” effect, after Internet voting was heavily promoted by the media after the first successful test. The dip in the ninth test is not statistically significant. The increase in urban Internet voters in test 10 and 11 is perhaps because of media coverage that the Internet voting tests were ending, so voters might have been motivated to try it once before it ended. Although the prediction from survey results was that urban voters would find the Internet system more attractive, rural voters ended up favoring it. The “percentage of Internet-votes” calculated for the 13 test communities is computed as follows: “number of votes submitted through the Internet” divided by “number of all votes submitted (postal, ballot, or Internet) by voters who could have submitted their vote by Internet-voting”; on average this is just above 20 percent. Axes: “Internet voting voices (%)” against “Number of internet voting usage” (1 to 11); series: Total, Urban, Rural.

Ease of use

We expected Internet voting to be much easier to use than postal and ballot voting. However, the cumbersome steps to log into the Internet voting system made Internet voting more complex than postal voting.

Political divide

We could not confirm the concern (expressed mainly in conservative circles) that Internet voting would attract more progressive and liberal voters. Results indicate that Internet voting is largely politically neutral.

TECHNOLOGICAL AND ORGANIZATIONAL ISSUES

On each of the 11 test (voting) days, unexpected technological or organizational problems occurred, prompting voters to call the help hotline. When hotline operators could not resolve the problem, they advised voters to resort to postal or ballot voting. To ensure that all voters who planned to use Internet voting could cast their vote, the Canton of Zurich government closed the Internet voting system a day before the final voting day. Voters who had problems with the system could then cast their vote directly into the ballot box in their community on voting day.

Problems with Internet voting occurred during preparation and vote counting, login and connection, and vote casting.

Materials preparation and vote counting

Those preparing the voting material and counting votes made a variety of mistakes, including incorrectly entering ballot items into the Internet system, incorrectly selecting eligible voters, manually merging Internet votes with postal and ballot votes, and rendering access codes unreadable when printing the voting material.

Login and connection

Some voters interchanged month and day when entering their birth date; others destroyed the login code by rubbing the cover paper too hard. Still others could not find their password to log on to the site, or they had problems with the user interface. Occasionally, the Internet site was down, and on one day, a newly released browser version kept voters from accessing the system.

Vote casting

As the legislation on how to present and count votes changed, we had to adapt the system accordingly. For some types of votes, we detected a logical error only after the election, but fortunately, it did not affect the overall voting results. One example was the city government election. The city government consists of nine ministers, one of whom is the mayor. The voting law for city governments states that a vote for a candidate to become the mayor counts only if the voter also votes for that candidate to become a minister. Because the canton doesn’t have this rule, the elected mayor also received votes, which should not have been counted, since some voters did not vote for that person to become a minister.

Another somewhat unexpected development arose in a different mayoral election. Elections for city mayors are majority elections, in which eligible citizens can be candidates. The Internet system must thus show all these potential candidates and detailed information about them. However, because of the need to protect privacy, candidates had to give explicit permission to post detailed information about them on the Internet site. Canton officials thus gave those running for mayor the option to publish their information on the Internet system. Voters could then choose those candidates from a pull-down menu.

In this case, only the current mayor asked to be included on that list, so voters had to resort to postal or ballot voting if they wanted to vote for someone else for mayor. Even though canton officials pointed out this limitation prominently on the Internet voting system, some voters thought that only the current mayor was running for office and no other candidate could be or was available to be elected.

To minimize technological problems, we installed a separate test system in 2010. Any changes, whether due to changes in the voting procedure or to fix technological problems, could first be run on the test system, which was useful because the running voting system was almost constantly in use. To minimize organizational problems, we provided frequent communication and training to community officials in the 13 communities participating in the Internet voting test.

COST–BENEFIT ANALYSIS

Despite problems with the Internet system, no citizen was ever prevented from properly casting a vote, although in some cases, the Internet system voter had to go to the ballot box. Overall, the benefits were mostly to the decentralized community-based voting offices and the central cantonal office, which were relieved of manually processing and counting votes. Even that benefit was small because of the low percentage of Internet voters and the need to offer postal and ballot voting as alternatives.

Our results show that Internet voting continues to face overwhelming competition from the highly trusted and intensely used postal voting option. As long as the Swiss postal service remains reliable, arguments to promote Internet voting as a viable voting supplement must be more convincing.

Cost also remains a formidable obstacle. Even though security concerns limit the use of Internet voting to 10 percent of the electorate, the decentralized voting structure makes costs far more than 10 percent of the costs of a fully accessible voting system. The cost of Internet voting is difficult to justify as long as it remains just another voting option along with ballot and postal voting. The alternative—making voting exclusively Internet-based—is certainly not feasible either politically or practically.

NEXT STEPS

The test phase prompted a number of measures to modernize the pilot system and voting infrastructure, including adding defensive security measures, implementing procedures based more heavily on electronic exchange, expanding the availability of Internet voting, verifiability, and centralizing voting registers.

Additional security measures

The test phase underlined the need for measures to prevent the manipulation of the electronically stored votes or the vote counting program. One strategy might be to double-count votes or use more approaches based on public-key infrastructure protocols.

Security measures are also needed to prevent denial-of-service attacks (load balancing). Although the pilot system never encountered such an attack, DoS is arguably one of the most prevalent Internet attacks and would be a serious threat once full-scale Internet voting becomes available.
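The counting error described under "Vote casting" is the kind of discrepancy a second, independent count can surface. The following is an added example, not code from the Zurich pilot: the `Ballot` structure, the function names, and the sample ballots are constructed for illustration, and only the city-government rule itself comes from the text.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Ballot:
    """One city-government ballot (hypothetical structure, not the pilot's)."""
    ministers: Tuple[str, ...]   # candidates this voter chose as minister
    mayor: Optional[str] = None  # candidate this voter chose as mayor, if any


def tally_mayor_without_rule(ballots):
    """First count: every mayor vote is counted, as when the city rule is missing."""
    return Counter(b.mayor for b in ballots if b.mayor is not None)


def tally_mayor_city_rule(ballots):
    """Second, independent count: a mayor vote counts only if the same ballot
    also votes for that candidate as minister (the rule stated in the text)."""
    counts = Counter()
    for b in ballots:
        if b.mayor is not None and b.mayor in b.ministers:
            counts[b.mayor] += 1
    return counts


def leader(counts):
    """Candidate with the most votes; ties are broken by name for stable output."""
    if not counts:
        return None
    return min(counts, key=lambda c: (-counts[c], c))


def reconcile(ballots):
    """Compare both counts and report what an auditor needs to follow up on."""
    first = tally_mayor_without_rule(ballots)
    second = tally_mayor_city_rule(ballots)
    return {
        # mayor votes per candidate that should not have been counted
        "overcount": {c: first[c] - second[c] for c in first if first[c] != second[c]},
        # positions of the ballots whose mayor vote is invalid under the city rule
        "affected_ballots": [i for i, b in enumerate(ballots)
                             if b.mayor is not None and b.mayor not in b.ministers],
        # whether the error changes who leads the mayoral count
        "winner_changed": leader(first) != leader(second),
    }


# Constructed sample ballots; candidate names are placeholders.
SAMPLE_BALLOTS = [
    Ballot(("A", "B", "C"), "A"),
    Ballot(("A", "B"), "A"),
    Ballot(("B", "C"), "A"),      # mayor vote for A without a minister vote for A
    Ballot(("A", "C"), "B"),      # mayor vote for B without a minister vote for B
    Ballot(("B",), "B"),
    Ballot(("A", "B", "C"), None),
    Ballot(("C",), "A"),          # mayor vote for A without a minister vote for A
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_BALLOTS))
```

On the sample ballots the two counts disagree for both candidates while the leading candidate stays the same, which mirrors the situation reported above.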

Toward e-citizens

People interacting with government functions—such as voting, filing tax forms, attending to social security matters, and so on—solely over electronic media is the idea behind the “e-citizen.” E-citizens enable Internet voting to go completely paperless, along with its integration into the government’s electronic systems. As with electronic banking, electronic government or e-government enables some or all interactions with government agencies to be conducted through the Internet. Thus, instead of sending voting material by postal mail, the community or canton government would e-mail people the window for an upcoming vote. Through their e-government account, they could then cast their vote electronically at their convenience.

The e-citizen concept raises authentication concerns, which might be addressed by certifying voters through SuisseID or even biometric identity systems, such as fingerprint, voiceprint, and iris. For this degree of authentication, voters would need to connect special hardware to their computers or mobile devices—yet another technical obstacle to large-scale Internet voting.

Bringing back code voting, which is more practical with the widespread use of smart phones, is another area for consideration. Classical code voting, code voting with return codes, or CAPTCHA-based (to prevent non-human voting attempts) code voting are all much more feasible than they were in 2004, when code voting was initially available for mobile phones.
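How code voting with return codes lets a voter notice a dropped or altered vote, as an added sketch that is not the Zurich pilot's protocol or any Swiss system's. The HMAC derivation, the 8-digit code length, and all names (`derive_code`, `VotingServer`, the demo key and voter IDs) are assumptions, and this simplified server sees the voter's choice, which a real design would avoid.

```python
import hashlib
import hmac

CODE_DIGITS = 8  # assumption: length of the codes printed on the mailed sheet


def derive_code(key, voter_id, candidate, purpose):
    """Decimal code bound to (purpose, voter, candidate) under the authority's key."""
    msg = "\x00".join((purpose, voter_id, candidate)).encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    number = int.from_bytes(digest[:8], "big") % 10 ** CODE_DIGITS
    return str(number).zfill(CODE_DIGITS)


def make_code_sheet(key, voter_id, candidates):
    """Sheet mailed to one voter: candidate -> (vote_code, return_code)."""
    sheet = {c: (derive_code(key, voter_id, c, "vote"),
                 derive_code(key, voter_id, c, "return")) for c in candidates}
    vote_codes = {vote for vote, _ in sheet.values()}
    if len(vote_codes) != len(sheet):
        raise ValueError("vote-code collision: re-issue this sheet")
    return sheet


class VotingServer:
    def __init__(self, key, candidates):
        self._key = key
        self._candidates = tuple(candidates)
        self._cast = {}  # voter_id -> candidate (simplification for the demo)

    def cast(self, voter_id, vote_code):
        """Record the vote and return its return code, or None if rejected."""
        if voter_id in self._cast:
            return None  # one vote per voter
        if not (vote_code.isascii() and vote_code.isdigit()
                and len(vote_code) == CODE_DIGITS):
            return None  # malformed input never reaches the comparison
        for candidate in self._candidates:
            expected = derive_code(self._key, voter_id, candidate, "vote")
            if hmac.compare_digest(expected, vote_code):
                self._cast[voter_id] = candidate
                return derive_code(self._key, voter_id, candidate, "return")
        return None  # not a code from this voter's sheet

    def tally(self):
        counts = {c: 0 for c in self._candidates}
        for candidate in self._cast.values():
            counts[candidate] += 1
        return counts


def voter_accepts(sheet, intended, returned):
    """The voter compares the code shown on screen with the printed sheet."""
    if returned is None:
        return False
    return hmac.compare_digest(sheet[intended][1], returned)


def run_demo():
    key = bytes(range(32))  # constructed key, for the demo only
    candidates = ("Yes", "No")
    server = VotingServer(key, candidates)
    sheet = make_code_sheet(key, "voter-0001", candidates)
    honest = server.cast("voter-0001", sheet["Yes"][0])   # voter types the "Yes" code
    replay = server.cast("voter-0001", sheet["No"][0])    # second attempt is refused
    return voter_accepts(sheet, "Yes", honest), replay, server.tally()


if __name__ == "__main__":
    print(run_demo())
```

Because the voter's computer only ever handles the code that was typed in, software on it cannot produce the matching return code for a vote it dropped or replaced; the voter sees a missing or wrong code and can fall back to another channel.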

Safety and verifiability

No matter how safe the Internet voting system becomes, trust will always depend on how verifiable and transparent the system is to its users. The ultimate goals are to make the system individually and universally verifiable and provide transparency by making the source code available. Such goals work against practical implementation. Even so, the Swiss government is willing to attempt universal verifiability. The 2012 government report proposes the idea of optimizing safety requirements, while simultaneously assuring the verifiability of election results by publishing all data collected during the election and counting process. Anyone can then verify the correctness of all steps in the election and counting process.

The cryptographic protocol for transmitting encrypted data from the voter’s computer to the electronic ballot is tightly linked to a separate device, which provides sufficient security even if the voters’ computers are infected with malware. The federal government concluded that it will take these results into account when presenting its own report on Internet voting in 2013.

In December 2013, the federal government decided that as of 2014, any Internet-voting system in Switzerland must be both:

• verifiable—so voters control when their vote is submitted to the electronic ballot and any manipulation, or intentional or systematic malfunction can be detected; and
• certified—thus bearing official endorsement by federally appointed institutions.


Based on these two prerequisites, the federal government plans to successively increase the access to Internet-voting. In the first phase, the federal government plans to allow up to 50 percent of the voters of each canton (up to 30 percent of the Swiss voters) to have access to Internet voting, without specifying a time horizon. The philosophy is still “security before speed.” At the same time, politicians from all parties have submitted a motion to prevent Internet-voting tests where the two prerequisites are not met.

Although the Canton of Zurich ended its tests in 2011, 12 of the 26 cantons are still conducting tests with Internet voting; of these, 7 use a copy of the Zurich system. Overall, Switzerland is testing three different Internet-voting systems and giving Internet voting access to 3.3 percent of Swiss voters.

Expanded coverage and centralization

To achieve a reasonable economy of scale, the voter population (electorate) would have to be extended far beyond the current small-scale federal structures prevalent in Switzerland. This raises the psychological problem inherent in social engineering, as some political systems would have to trust other governing bodies to run their voting system. Moreover, different governmental units have different voting regulations. To make an Internet voting system viable and maintainable, these different laws and processes would first have to be harmonized. But the idea of harmonizing legal and constitutional premises for the sake of optimizing a technological system is very counterintuitive to political decision making.

In the short term, Internet voting should be available to more people, which means including cantons in addition to the Canton of Zurich. The ultimate goal would be a single system across Switzerland. One step toward making expansion easier is to centralize voting registers within a canton. Each of the 171 communities in the Canton of Zurich maintains its own voting register, which is not only impractical for organizing Internet voting, but also presents a major security challenge. It is difficult and costly to track voters’ community affiliations while keeping them anonymous.

To be taken seriously, Internet voting must exploit state-of-the-art technology to the degree that it can become a purely digital process integrated into a broader e-government framework. The design, realization, and maintenance of the system must be in accordance with proper systems engineering concepts—a goal that is not always straightforward in a political environment.

In Switzerland, Internet voting is not yet a preferred alternative over the well-established postal voting system. Limiting the number of Internet voters could make it more successful, for example, confining its use to citizens abroad. However, an Internet voting system restricted to this degree will not be able to realize sufficient economy of scale to justify its cost.

Trust is a major issue; voters must accept Internet voting as a secure and trusted option equivalent to postal and ballot voting. At present, voters seem more afraid of large-scale electronic vote falsification than of manually falsified paper votes at post offices or polls. Therefore, even with state-of-the-art security measures and full verifiability and transparency, voters will still wonder if those working directly with the Internet voting system are manipulating it in some way. This social engineering aspect can never be fully monitored, regardless of how transparent the complex technology of Internet voting becomes.

Despite these obstacles, some of which are universal in secure communications, Internet voting is destined to become a viable option in a digital society. Traveling the road to large-scale implementation will ultimately rely on a sensitive balance between political, economic, and technological ambitions and concerns.

References

1. G. Beroggi, “Secure and Easy Internet Voting,” Computer, vol. 41, no. 2, 2008, pp. 52-56.
2. E. Dubuis et al., “Konzept und Implikationen eines verifizierbaren Vote Électronique Systems,” (in German), Feb. 21, 2012; www.bk.admin.ch/themen/pore/evoting/07977/index.html.
3. F. Belanger and L. Carter, “The Digital Divide and Internet Voting Acceptance,” Proc. 4th Int’l Conf. Digital Society (ICDS 10), Digital Society, 2010, pp. 307-310.
4. L. Carter and F. Bélanger, “Internet Voting and Political Participation: An Empirical Comparison of Technological and Political Factors,” ACM SIG on Management Information Systems (SIGMIS) Database, 2012, vol. 43, no. 3, pp. 26-46.


Giampiero E.G. Beroggi is a professor at the Zurich Business School, a private lecturer at the University of Zurich and a guest lecturer at the University of Cologne on decision support systems. He was also the election commissioner and project director of the Internet voting system of the Canton of Zurich from 2006 to 2012. Beroggi received a PhD in urban and environmental studies from Rensselaer Polytechnic Institute, Troy, NY. He is a senior member of the IEEE and a member of the IEEE Computer Society. Contact him at [email protected].


Selected CS articles and columns are available for free at http://ComputingNow.computer.org.