Security Requirements for Non-political Internet Voting

Authors

  • Rüdiger Grimm
  • Robert Krimmer
  • Nils Meißner
  • Kai Reinhard
  • Melanie Volkamer
  • Marcel Weinand
Abstract

This paper describes the development of security requirements for non-political Internet voting. The practical background is our experience with Internet voting within the Gesellschaft für Informatik (GI – Informatics Society) in 2004 and 2005. The theoretical background is the international state of the art of requirements for electronic voting, especially in the US and in Europe. A focus of this paper is on the user-community-driven standardization of security requirements by means of a Protection Profile of the international Common Criteria standard.

Security Requirements for Non-political Internet Voting, Fachbereich Informatik, Nr. 6/2007

1 Starting with legal voting principles

At first sight, online-voting seems to be yet another security-sensitive Internet application like online-banking, online-shopping or online-auctions. But there is an important difference. Elections are a constitutional part of democracy. Therefore, the election process (paper or electronic) has to satisfy a specific set of technical requirements, and especially of security requirements, very strictly.

In order to specify technical requirements for Internet voting, we proceed as follows. We start with the constitutional and legal aspects of elections in general, we refer to their origin and background, and from these legal aspects we deduce the requirements for online-voting. While election laws are country specific, their principles and values are similar in all democracies. In Germany the constitution („Grundgesetz”) and the electoral laws demand that elections satisfy these five basic voting principles: elections have to be universal, equal, free, secret and direct. But what is the meaning of these five important terms? There are several interpretations with respect to online-voting, for example by Mitrou et al. (2003) and Volkamer/Hutter (2004). The meaning of the principles is as follows.

The principle of universal elections guarantees that every eligible voter can participate in the election. Moreover, no eligible voter can – directly or indirectly – be excluded from the election. Thus, the technology must ensure access to the election for every eligible voter.

The principle of equality requires that all voters have equal voting rights. All cast ballots must have the same influence on the result, according to the principle „one voter, one vote”. Moreover, all voters must be able to vote in the same formal way. In particular, voters must have equal access to the election technology. Votes must be protected against loss and against unauthorized change or submission. On the side of the candidates, the principle of equality guarantees equal chances for all candidates. The registration, authentication, submission and counting mechanisms have to support this equality principle.

The principle of free elections requires that every voter casts his or her ballot free of duress and without unlawful and undue influence. This can be controlled only by casting the ballots in a polling booth. Nevertheless, in some countries postal voting is allowed (e.g. in Switzerland and in Germany) in order to ensure the universal election principle. Thereby the constitution accepts that voters may be observed or even forced (see Krimmer/Volkamer (2005) for a deeper discussion of this issue). Moreover, election freedom requires that a voter is not influenced by leaked intermediate results of an ongoing election.

The principle of secret elections demands that only the voter is aware of his voting decision, which may never be revealed to anybody else. Thus, nobody involved in the voting process will ever be able to link an identified voter to his ballot. Thereby the principle of secret elections is an essential precondition for free voting. In addition, to prevent external forces like blackmail, it must be ensured that a voter cannot prove his voting decision.

The principle of direct elections prevents someone from voting on behalf of other eligible voters and it forbids the use of an electoral college. This principle is not constitutional for every election system; e.g. the presidential elections in the USA are indirect.

The next step is to deduce technical requirements for an Internet voting system from these five legal principles, in order to comply with electoral laws. These requirements can be divided into functional and organizational requirements. A special subset of these requirements addresses security issues. Security requirements are particularly important for electronic voting and are thus the focus of this paper.

Functional requirements for the services and tasks of an online-voting system are designed to support specific forms of elections and may change for each election. In general, functional requirements refer to the following issues: the form and appearance of the electronic ballots, the voting period, the calculation and evaluation of the result, the supported voting clients, and the form of the electoral register.

Organizational requirements do not aim at the software or hardware technology but at the whole online-voting process. They contain the process instructions for the initiation and operation of the voting servers, the information policy for the voters, and the preparation of the electoral register. The orderly progress as well as the formal end of an election is also supported by organizational means.

Security requirements are related to the system structure and architecture. They are partly organizational and partly functional. Security requirements have two aims: they specify the undisturbed functioning of the voting process and they support the legal rights of all participants of an election. In some cases, security requirements have to strike a balance between different (if not incompatible) rights, such as the anonymity of voters versus the identification (and refusal) of unauthorised voters. Security requirements with respect to the undisturbed functioning are often invisible to the voters (but not to the administrators). Security requirements which support user rights, on the other hand, are not always invisible to voters, for example in that voters have to understand and explicitly use authentication mechanisms. Security requirements are, in general, common to all online-voting systems, in that they are determined by the democratic election principles.

Four security requirements can be deduced from the principles of an equal and universal election: First of all, the voter must be identified and authenticated unambiguously to ensure that only eligible voters have the possibility to cast a vote. Moreover, the system must ensure that every voter can cast only one vote. The second requirement covers the integrity and authentication of the ballot. The online-voting system must ensure that any manipulation of an election, such as the deletion or creation of ballots, is detected. This requirement includes the casting, the transport and the storage of the ballots. Thirdly, ballots must not disappear in case of a server or client breakdown or in case of communication problems. The fourth requirement, which is mainly derived from the equality principle, refers to the correctness of the result calculation. In particular, it must be ensured that all cast ballots are counted.

Another class of requirements complies with the principles of a secret and free election: The secrecy must hold for the casting and transfer of ballots, as well as for the collection and tabulation of votes (ideally forever). It must also hold if a voting system offers receipts to voters. Neither the organizers, nor the election officials, nor any trusted third party, nor any voter should be able to link the content of a vote to an identifiable voter. Even with respect to the voter himself, the system must not give the voter any information which he can use to prove his vote. The voting system should not calculate, let alone reveal, intermediate results. All secrecy requirements must be unconditionally ensured regardless of ongoing technological improvements.

The fifth principle of direct elections does not require any technical support by online voting systems. Indirect elections may be performed by an online system as well. As a matter of course, however, any form of direct or indirect election must be supported by organizational means.

The rest of the paper is organized as follows. Chapter 2 describes early requirements work in Germany by the national metrology institute PTB. Chapter 3 is the main part of this paper and discusses the development of the requirements catalogue of the Gesellschaft für Informatik (GI – Informatics Society) during the real experience of the Internet elections of 2004 and 2005. In Chapter 4 we look at international initiatives on electronic voting. In Chapter 5 we argue in favour of an international standard in order to formulate security requirements. We find the method of a protection profile according to the Common Criteria appropriate, which is described in Chapter 6. In the last chapter, Chapter 7, we draw conclusions from the work done so far and sketch our future work.

2 A first experience: the German PTB catalogue

In 1998 the German Ministry of Economics (BMWi) started funding the project „Wählen via Internet“ (Internet voting). The goals of the project were to tackle technical and legal problems and to develop a prototype of an Internet voting system called „i-vote“, in analogy to postal voting. During the project some test elections with i-vote were carried out, as well as the first legally binding election over the Internet at the University of Osnabrück in February 2000.

After the „i-vote“ project the BMWi funded the follow-up project „W.I.E.N. (2002-04) – Wählen in elektronischen Netzen“ (voting in electronic networks), starting in 2002. Main aspects of „W.I.E.N.“ were organisational configuration, legal questions and acceptance research, as well as the further development of the technology. The aim was to provide tested voting systems which allow safe and simple voting over open communication networks, networked polling places and portable devices. During the W.I.E.N. project further test elections with i-vote were executed, for example at a provincial state agency (Landesamt für Datenverarbeitung und Statistik, Brandenburg, LDS 2000) and at the Telecom branch T-Systems CSM.

To explore possibilities of quality enforcement for online voting systems, in 2003 a project called „Development of concepts for testing and certification of online voting systems” was started at the national metrology institute (Physikalisch-Technische Bundesanstalt, PTB), also funded by the Federal Ministry of Economics. This project was to accompany the „W.I.E.N.“ project and had the explicit task of examining the i-vote system thoroughly. One of the first steps in the project was to develop a catalogue of requirements for online voting systems. During the project the requirements were discussed in two expert groups, namely „Testing and certification of online voting systems“ and „Legal framework conditions for online voting“, established by the funding Ministry of Economics. In April 2004 the „Catalogue of Requirements of Online Voting Systems for Non-parliamentary Elections“ was published (Hartmann/Meißner/Richter, PTB 2004).

The scope of the requirements catalogue covers legally prescribed, non-parliamentary elections such as staff and workers council elections and shareholder elections. As a first step, the requirements assume that elections take place exclusively at networked polling stations under the organisational control of the election administration. Applications allowing voting from home or any other private place are not included in the definition. In the catalogue the entire voting procedure has been divided into election phases: preparation of an election, the casting of ballots, and the counting of votes. The requirements are defined independently of any system concepts. The requirements list includes the aspects of IT quality and ergonomics as well. However, these aspects are not visible as special categories.

The PTB catalogue was a first step towards a requirements catalogue for e-voting. It did not address the submission of votes across the Internet from home PCs. As this was the project aim of the GI, the PTB catalogue had to be extended. In the following Chapter 3, the GI project for Internet voting will be described.

3 Practical experience with the GI (Informatics Society)

3.1 General information about the GI and its elections

The Gesellschaft für Informatik (GI) is a society for computer science with presently about 24.000 members, mainly from Germany. There are also associated memberships in Austria and Switzerland. It was set up in 1969 in Bonn. The rules for elections of the bodies of the GI are formally specified by the GI (GI 2003/2004). Since July 2003, article 3.5.4 of the constitution of the GI allows the application of Internet voting. Here the precondition is that the Internet voting system provides the same security level as postal voting. In all cases where postal voting is admitted, the election committee can decide to give members also the possibility to use an Internet voting system – as long as it is comparably secure. In summer 2004, the chairmanship (Präsidium) decided unanimously to offer both postal voting and Internet voting for the chairmanship elections in December 2004. In order to generate a legally binding election, the GI adapted the election regulations (GI 2003/2004, 2109-2004). The election was successful. As a consequence the persons in charge decided to apply Internet voting again in 2005 for the election of the chairmanship and of the executive board of the GI. Until now the GI has voted online twice and plans to do so again in 2006.
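As an added illustration (constructed for this page, not code from the paper, the i-vote system or the GI election), the following Python model shows how the security requirements deduced in Chapter 1 map onto concrete checks in a hypothetical ballot-box server: the electoral register and the ballot box are kept apart so that no stored record links an identified voter to a ballot, each eligible voter is accepted exactly once, every ballot carries a MAC so that alteration, insertion or deletion is detected at tallying, and no tally is computed before the election is formally closed. The class name, the HMAC construction, the random serials and the sample voters are all assumptions of this example.

```python
import hashlib, hmac, secrets


class VotingServer:
    """Hypothetical toy ballot-box server (constructed example). The register
    records only WHO has voted; the box records only WHAT was voted, under a
    random serial, so nothing stored links an identified voter to a ballot."""

    def __init__(self, eligible, options):
        self.eligible = set(eligible)       # electoral register
        self.has_voted = set()              # voters marked as having cast
        self.options = set(options)
        self.key = secrets.token_bytes(32)  # server-side integrity key
        self.box = []                       # (serial, choice, tag) triples
        self.closed = False

    def _tag(self, serial, choice):
        # MAC over the stored ballot fields; the key never leaves the server
        msg = f"{serial}|{choice}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def cast(self, voter, choice):
        """Universal and equal: eligible voters only, one ballot each,
        and nothing accepted after the formal end of the election."""
        if self.closed or voter not in self.eligible or choice not in self.options:
            return False
        if voter in self.has_voted:          # "one voter, one vote"
            return False
        serial = secrets.token_hex(8)        # random, not derived from voter
        self.box.append((serial, choice, self._tag(serial, choice)))
        self.has_voted.add(voter)
        return True

    def close(self):
        self.closed = True

    def tally(self):
        """Secret and free: no intermediate results. Equal: every stored
        ballot is counted, and created, altered or deleted ballots are
        caught by the register reconciliation and the MAC check."""
        if not self.closed:
            raise RuntimeError("no intermediate results before closing")
        if len(self.box) != len(self.has_voted):
            raise RuntimeError("ballot count does not match the register")
        if len({serial for serial, _, _ in self.box}) != len(self.box):
            raise RuntimeError("duplicate ballot serial")
        counts = {option: 0 for option in self.options}
        for serial, choice, tag in self.box:
            if not hmac.compare_digest(tag, self._tag(serial, choice)):
                raise RuntimeError("ballot integrity check failed")
            counts[choice] += 1
        return counts
```

The model deliberately leaves out what the paper assigns to organizational means and to the transport layer (voter authentication in front of cast, channel protection, redundant storage against breakdowns), so it only demonstrates the checks on the stored ballots.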


Publication date: 2006