|
GGIS(2010)10
Strasbourg, 5 November 2010 Third meeting to review developments in the field
Palais de l’Europe, Strasbourg
Developments in electronic voting in Norway since 2008 Contribution by Norway Developments in electronic voting in Norway since 2008 The Government initiated the E-vote 2011-project in 2008. The stated goal is to perform small scale trials of electronic voting both in controlled environments and remotely prior to a limited pilot of remote electronic voting (Internet) for the municipal and county elections in September 2011. Pilots are planned for 10 municipalities and one county. As the Norwegian electoral system is largely based on voter confidence, transparency is of the outmost importance in the e-voting system. This is why it has been decided that anyone who so wishes shall have full access to information on the inner workings of the system. The source code and system design documentation will be freely available for anyone to download and examine. The project will also deliver an open source elections administration support system. The September 2011-pilot will allow approximately 160.000 voters in 10 municipalities to vote remotely or in advance polling stations, in the advance voting period (Aug. 10 to Sep. 9). To reduce risk, there will be no electronic voting on Election Day (Sep. 12). Remote electronic voting will only be used to supplement traditional paper voting. As an anti coercion measure, voters who cast their ballot via remote e-voting will be allowed to re-vote on paper, or even cast a paper ballot prior to e-voting which will cancel all subsequent e-votes. A vote cast in a controlled environment will cancel any other vote. No political decision has been made on how to progress with e-voting beyond the 2011 pilots, as the experiences garnered from the pilots will form a basis for any decision in Stortinget (the Parliament) on whether to move for forwards, and eventually at what speed. The pilots will be evaluated both in terms of technical and procedural success, as well as the success of the system in upholding fundamental principles of free and secret elections. However, from the outset the E-vote 2011-project has aimed to procure an e-voting system with the properties deemed necessary for a system to be used also for parliamentary elections in Norway. This necessitates a strong focus on security, using the ALARP-principle (As Low as Reasonably Possible) in the approach to risk, while at the same time maintaining a focus on the usability and accessibility of the system. For the specification of the system, the CoE Recommendation on e-voting provided a useful source of guidance and input. It must be noted that while the recommendation could not always be applied literally, the spirit in which the recommendation were written, and it’s supposed intention, could always be taken as useful guidance. At the time of writing, ten limited trials are planned for the autumn/winter of 2010-11, of which two have been completed successfully and one is under way. The first two were direct elections for youth councils in the municipalities of Ålesund and Bodø, while the remaining eight will be non binding referenda. The greatest risk of e-voting in terms of impact identified by the E-vote 2011-project, is the danger of the system being manipulated in such a way that it undetectably produces an incorrect result, and hence an illegitimate government. In order to mitigate this risk, a great deal of emphasis has been placed on the verifiability of the system. This means using a cryptographic protocol where each step produces a mathematical proof of integrity, which is independently verifiable. The protocol provides the voter with a proof via SMS text message that the vote is received as intended (ie. has not been altered in transport), while the system internally provides auditable proofs that all votes are recorded as intended and decrypted correctly. The SMS text message returned to the voter contains a return code, which allows the voter to check the message against codes distributed on the voter’s poll card to verify that the vote is received as intended. This return code is generated by the use of a cryptographic technique, where the contents of the encrypted ballot are not revealed to the government, thereby guaranteeing the secrecy of the ballot. Because the voter can change his or her vote an unlimited number of times, as well as cancel an electronic ballot by casting a paper ballot, the return code does not serve as proof to a coercer of the voter’s final vote. The voter’s anonymity is also protected by splitting the decryption key among several persons with competing interests in the outcome of the election. The decryption key is not introduced to the system before all votes have been anonymized. |