You are on page 1of 29

Seminar Thesis

eGovernment
Departement of Informatics
University of Fribourg

E-Voting : Why Can Citizens Trust It ?

PROJECT PAPER

Author:
Géraldine Rüede
Route du Mont 4
1789 Lugnorre
Matriculation number : 08-213-316

Examiner :
Prof. Andreas Meier

Supervisor :
Luis Terán

Date :
Lugnorre, 29th November 2011

1
Executive Summary
E-voting is a new voting system possibility which could be developed thanks to the
development of Internet. Designing and implementing such a process is not an easy
task, because many constraints have to be fulfilled. This Thesis will present some of
these constraints which have to be respected by the online application. The first
constraint is the respect of constitutional principles.

Another constraint is security, because this system involves personal data and a high
level of confidentiality. For this reason the Thesis will present some countries
examples where e-voting was implemented or where attempts have been done.

The last aspect the Thesis will treat is communication, because of complex
technologies, communication has a key function to obtain citizen’s trust. Government
has to explain how the system works and why some decisions have been taken.
Citizens will only use the application if they trust it. The communication strategy has
to be well elaborated.

Having an e-voting conform to the constitutional principle with not only the same level
of security as traditional vote, but also a good thought communication strategy could
be some important aspects to lead to success.

Key words: e-voting, eGovernment, requirements, security, trust, explanation.

2
Table of content
Executive Summary .................................................................................................... 2

1 Introduction.......................................................................................................... 5

1.1 Motivation ...................................................................................................... 5

1.2 Problem statement and research question .................................................... 6

2 Necessary requirements to obtain trust ............................................................... 7

2.1 Constitutional requirements and e-voting principles ...................................... 7

2.1.1 Eligibility .................................................................................................. 7

2.1.2 Equality ................................................................................................... 8

2.1.3 Freedom.................................................................................................. 9

2.1.4 Secrecy ................................................................................................. 10

2.1.5 Democracy ............................................................................................ 10

2.2 Requirements capturing methodology ......................................................... 11

3 Implementing technologies developed to try to fulfill all these requirements ..... 12

3.1.1 The SERVE system .............................................................................. 13

3.1.2 The Estonian e-voting system ............................................................... 13

3.1.3 The Polish e-voting system ................................................................... 14

3.1.4 The Canton of Geneva e-voting system ................................................ 14

4 What is important to obtain citizen’s trust? ........................................................ 19

4.1 Explanation .................................................................................................. 19

4.2 Trust ............................................................................................................ 20

4.3 Explanation and trust in e-voting and e-election .......................................... 21

4.4 Case study: Geneva .................................................................................... 22

4.4.1 Newsletter ............................................................................................. 23

4.4.2 Other communication channels............................................................. 24

4.4.3 Communication strategy ....................................................................... 24

5 Conclusion......................................................................................................... 26

3
6 Literature ........................................................................................................... 28

Table of figures
Figure 1: Use Case for an e-voting model ................................................................ 12
Figure 2: Ballot life cycle of the Canton of Geneva ................................................... 16
Figure 3: Flow of data ............................................................................................... 17

4
1 Introduction
E-voting is an alternative voting possibility to traditional vote which appeared with the
increasing use of computer networks. The voting possibilities are traditional vote,
correspondence vote and e-voting. Traditional vote means that each paper votes are
physically casted by citizens in the ballot box. Correspondence vote is similar to
traditional vote, instead of bringing the ballot, citizens send it by post. E-voting is the
last and new voting possibility. In this Thesis, e-voting means that ballots are casted
through Internet. E-voting is considered as a complementary voting channel that
does not supersede existing channels. This channel includes many advantages. With
the possibility by voting at home the participation quote could increase, because it is
easier and faster for citizens who live abroad to cast their ballots over a networks
than by post. This would not only be attracting for citizens living abroad, but also for
demographic groups who feel confident with Internet and use this technology.

E-voting has not only advantages, risks of attacks and security threats still exist. The
system should have a secure level similar to paper vote and assure confidentiality,
integrity, anonymity and different constitutional requirements.

1.1 Motivation
With the development of IT Technologies, citizens are becoming even more
independent and want to do their transaction and activities on their own. Thanks to
the increasing computer networks, this freedom is now possible. It seems natural that
Governments also want to design and implement online applications. E-voting and e-
election are a perfect example where Governments have to adapt themselves and
follow users demand. Both applications could not only reduce election’s cost, but also
increase citizen’s participation. This is not without danger, the system has to be
secure against malicious voters and assure personal data, integrity, confidentiality
and anonymity. For this reason and from a constitutional point of view, e-voting
needs to satisfy various requirements which also respect democracy. Some countries
have developed e-voting system conform to human rights and democratic election
principles while assuring security, and found solutions for vulnerabilities that still
exist. Government has to be conscientious that not only security and constitutional
requirements have to be in the heart of discussion, but also the necessity of
developing a communication plan. Citizens would only vote online if they are

5
convince from the system and trust it. Government has to obtain citizen’s trust and
maintain it. If security requirements are assured and voters trust it by voting online,
the application will be a success.

The aim of this Thesis is to show which constitutional and functional requirements
should be assured by implementing an e-voting system. The existing e-voting
systems which try to be conformed to these requirements will be presented. As soon
as the system is in accordance with the requirements and is secured, the
Government has to obtain voter’s trust. In this Thesis, the communication aspect will
be developed and be illustrated with a concrete case.

1.2 Problem statement and research question


The main problematic “e-Voting: Why Can Citizens Trust It” can be separated in 3
parts.

First of all, the system should be in accordance not only with law, but also with
human rights and democratic principles. E-Voting is a new voting channel, after
paper voting and correspondence voting, and democratic principles have to be
guarantee no matter which channel is chosen. Therefore, it is important to remind
which constitutional and functional requirements are necessary. This Thesis will
answer to the following question:

1. Which requirements are necessary in an e-voting system?

Secondly, implementing an e-voting process from a technical point is not too difficult,
but it is really hard to implement and design a process that fill up all constitutional
requirements and at the same time has the same secure level as the traditional
voting and election. Different attempts have been developed by the USA (SERVER),
Estonia, Poland and the canton of Genève. This aspect will be answered with this
following question:

2. Which implementing technologies have been developed in order to fulfill all


these requirements?

Finally, while an e-voting system is designed and implemented, a communication


plan has to be elaborated to inform and explain to voters how the system is running.
Opposed to traditional voting paper which also involves personal data; e-voting

6
security measures are invisible. Users cannot test the system in advance or share
their experiences to make themselves an opinion. For this reason, Government has
to persuade and obtain voter’s trust through communication. This lead to the third
research question:

3. What is important to obtain trust?

These 3 parts will be answered and treated through existing literature.

2 Necessary requirements to obtain trust


Like explained in the introduction, e-voting allows citizens to cast a secure and secret
vote through Internet. E-voting is considered as a new and complementary means to
the traditional voting process. This induce that e-voting should not only have the
same secure level, but also comply with the democratic voting principles and rights
and be conformed to the legislation. For this reason, this chapter aims to identify the
set of requirements and principles which should be met to design and implement an
e-voting system. Then a methodology which captures these requirements will be
presented.

2.1 Constitutional requirements and e-voting principles


To guarantee a democratic vote, a set of requirements have be defined, because e-
voting should comply with the principles and values of democracy. Like traditional
election e-voting should guarantee, equality, equity and secrecy. This section will
describe the most important constitutional requirement: eligibility, equality, freedom,
secrecy and democracy which should be met to design and implement an e-voting
system.

2.1.1 Eligibility
The first requirement is eligibility. This requirement means that each eligible voter has
the right to participate and vote. To guarantee such requirement, every voter should
have access to the voting ballot. With traditional vote the accessibility is easier to
guarantee, because the government has only to send via post the voting material.
With e-voting, this induces that the technology has to be accessible for every voter.
To be sure that every eligible voter has such access, one solution could be for the
government to propose public infrastructures like internet kiosks and internet voting in

7
state offices, where every citizen should be allowed to go and exercise his rights
[Gritzalis 2002, pp. 541-542].

To respect the eligibility principle, the e-voting system needs to have various
procedures: registration and authentication. In democratic election only eligible voter
are allowed to participate. This induces that voter’s eligibility should be controlled and
identified before votes are casted. For this reason, the e-voting system should have a
registration procedure. After verified voter’s eligibility, thank to registration, the
system should control that each voter could only vote once. This should be
guarantee with the authentication procedure [Gritzalis 2002, pp. 541-542].

In conclusion, to respect eligibility requirement, the system should have a registration


and authentication procedure. These measures are taken to reduce fraud and
support voter’s integrity, because only eligible voters can participate and vote only
once [Gritzalis 2002, pp. 541-542].

2.1.2 Equality
Equality is an important requirement in democratic country. This requirement includes
equality in various voting channels, procedures and infrastructure for voters and
political parties and candidates. For this reason it is possible to divide equality in 3
major points: equality in the procedures, equality for political parties and candidates
and the third point is voter’s equality [Gritzalis 2002, pp. 542-543].

At first, it is important to mention that voting channels, paper or e-voting ballot should
be edited and displayed in a similar way. Votes independently from the voting
channel should be transmitted, recorded and counted the same way manner and
without any changes This measure is taken to be equal in the procedure; not only for
voter who choose a specific channel, but also for political parties and candidates. To
guarantee the equality in the procedure another criterion should be mentioned. Every
voter is not allowed to cast more than one ballot and the voting period until the
election days should be the same for everybody [Gritzalis 2002, pp. 542-543].

To guarantee the equality for political parties, the display of the ballots on the voting
website is an important factor. The placement of the ballots should not discriminate
any of the parties or candidates. In democratic countries, political parties and
candidates are equal and should be treated equally. Governments are not allowed to

8
favorite any political parties by displaying their ballots in a strategic place [Gritzalis
2002, pp. 542-543].

The third equality principle which should be respected is voter’s equality. Voter’s
equality has various consequences. At first, it is important to mention that
independently from the voting possibility chosen by citizens, ballots should have the
same weight in the procedures. That means that it is forbidden to favoring e-voting or
another voting possibility. A second important consequence is the equality in the
voting accessibility. Voting accessibility encompass two different aspects:
accessibility to the technology and the system should be easy to use. As mentioned
under 2.1.1, every voter should have the same technological access, this could be
respected if the government proposes publicly available infrastructure [Gritzalis 2002,
pp. 542-543].

But it is important to mention that every voter should use and understand the e-
voting process. This induces that the system should be easy and user friendly. Every
eligible voter independently from his age, education or physical state should be able
to exercise his rights [Gritzalis 2002, pp. 542-543].

2.1.3 Freedom
The third requirement is freedom. Freedom means that voters should exercise their
rights without pressure, violence, coercion, influence of a third part or manipulation.
That means that propaganda message or political advertisement should not appear
on the computer screen while citizens are fulfilling their ballots. The system should
guarantee that it is not possible to implement advertisement from the political parties.
This measure is taken to protect voters, because they have to fell free in their
decision and not manipulated by propaganda messages. To guarantee this principle,
freedom in their decision, Government often discourages citizens to vote from their
working place to avoid pressure of a third part. For example, the boss could influence
his staff member, force them to vote a candidate or control their vote [Gritzalis 2002,
p. 542].

Another criterion to guarantee freedom is the traceability aspect to prevent vote


buying. For this reason, it is important that voter cannot prove what they have voted,
because it is possible to imagine citizens buying other eligible’s vote. A solution to

9
avoid this problem is, as mentioned above, by offering public infrastructure [Gritzalis
2002, p. 542].

2.1.4 Secrecy
Secrecy and freedom are closely linked, because as mentioned, voters should not
have a proof of their votes. This induces that votes are anonymous and it should not
be possible to make a relation between a vote and his elector. The consequences
deriving from this point are the following: the ballot should be transmitted, receipted,
collected and counted secretly and nobody in the voting process could link the vote
to his voter. That means that the registration and authentication procedures, that are
necessary to verify the eligibility of the voter, should be distinct and separated from
the counting. It should also be possible to recount the ballots, always by keeping
voter’s name secret [Gritzalis 2002, pp. 543-544].

2.1.5 Democracy
The last requirement is democracy. To respect this requirement 3 different criterions
have to be guarantee: the first one is security, the second one is audit and the last
one is transparence

Security is also an important aspect for democracy which encompasses various


technological notions like confidentiality and integrity, but also availability. To
guarantee confidentiality and integrity, the system has to be well secured to resist to
attacks and malicious voters. The third notion, availability, induces that breakdowns
and bugs have to be limited as much as possible. If it is not the case the equality
requirement would be violated, because citizen’s procedures and the technology
availability would not be equal [Gritzalis 2002, pp. 544-545].

To be conformed to the democratic requirement, independent auditors should check


that all votes were correctly counted for and that no malpractices have been
experienced. Government should be open to inspections. The system should also
keep election results secret until the end of the voting period [Gritzalis 2002, pp. 544-
545].

In a democratic e-voting system, the procedures have to be transparent, because


voters and other actors should understand how votes are leaded. In e-voting system,
the procedures are not transparent as traditional voting, because voters have not the

10
knowledge to understand how the system is conducted. It is important to mention that
not only voters, but also the other election actors should trust the implemented
technology. This induces that every citizen, no matter which voting possibility they
have chosen can trust the e-voting system. Because if it is not the case the
fundamental trust in the democratic process will be compromised. [Gritzalis 2002, pp.
544-545].

2.2 Requirements capturing methodology


To implement correctly a system like e-voting it is important to have a rigorous
methodology. In IT technology two methods are dominating the market: this first one
is “waterfall” (like Hermes) and the second one is “agile” methodology (RUP, Scrum).
Agile methodologies have various advantages compared to waterfall. They are more
flexible, iterative with different life cycles, results are more frequent and very
importantly it is an object oriented methodology. These different characteristics are
important to design and implement an e-voting system, because frequently results
permit to reduce risks (for example user requirements and goals are not clearly
established and understood). With e-voting, not only regular results are important, but
functional user requirements elicitation too. An important process which permits
functional user requirements is Rational Unified Process (RUP). This methodology
gives 5 different views; one of this is a user view. This view identifies which end user
functionalities have to be implemented. As seen in the chapter 2.1, e-voting has to
fulfill an important number of requirements. The best requirement capturing methods
could be use case where each use case refers to a system functional requirement.

Use cases identify which requirements have to be implemented but also by whom
and the goals. This induces that each use case have a clear description with the
actors participating in the use case, the related business Use Case (from which
system a use case has to be driven and the purpose. When each use case and
actors involved have been involved, designers could have an overview of all the
requirements which have to be implemented and by whom. Figure 1 gives an
example of a Use case. People represent actors who are involved and the circles are
the different requirements which have to be fulfilled by the e-voting system. It is
important to elaborate a complete and detailed Use Case, because all the
requirements should be identified in these steps [Gritzalis 2002, pp. 545-548],
[Hüsemann 2009, pp. 3-19].
11
Figure 1: Use Case for an e-voting model
[Gritzalis 2002, p. 547]

After having identified with a proper methodology which requirements have to be


fulfilled, designers have to identify which technology is best to respect and implement
the online voting system.

3 Implementing technologies developed to try to fulfill all these requirements


After describing the different requirements which general voting should respect, the
Thesis will analyze important attempts to implement e-voting. At first the SERVE
system will be presented, then the Estonian e-voting system and the Polish Internet
voting system. At last, the Thesis will explain the Canton of Geneva e-voting system
which was a success. By the first vote, in May 2011, where every citizens living in the
Canton of Geneva and abroad could vote online, the e-voting participation quote was
22.13%. This means that approximately ¼ of the voters used this application
[Chancellerie d’Etat 2011a].

12
3.1.1 The SERVE system
The project SERVE (the Secure Electronic and Voting Experiment) was undertaken
by the US Department of Defense (DoD) in 2003 and the deployment was planned
for the 2004 elections in USA. With this project, the US Government wanted to give a
voting possibility for American citizens who lived abroad.

The application of SERVE worked only on a Windows system. Different servers have
been used for this Voting Application running on a Windows PC. The first Server was
an online Network Server, the second was a Vote Storing Server and the last type of
Server was the Vote Counting Server. Many Counting Servers were developed,
because each local election office had his own server. Every voter received a
password and could only vote once. He could only use a Web browser which runs on
Java or ActiveX. The voting period was for 30 days before Voting until the closing of
voting places. The voter sent his vote where personal data and the ballot were
encrypted by SSL/TLS to the Network Server. Then the Network Server encrypted
again the personal data and the ballot, before sending to the Voting Storing Server.
The role of this Server was to control personal data. When it had finished, a copy of
the personal data and the ballot were saved and only the vote to the respective Vote
Counting Servers was sent. With this voting system the anonymity could be
guarantee, because only the vote were counted and saved in the Vote Counting
Server [Wierzbick &Pierzak 2007, p. 2].

But the SERVE system was never deployed, because the conclusion of a report
about the security wasn’t encouraging. This system was too risky and could be a
threat for the voting security [Wierzbick &Pierzak 2007, pp. 2-3].

3.1.2 The Estonian e-voting system


After the failure of SERVE, other countries started with e-voting projects. Estonia is
one of these countries which also wanted to have a national e-voting system. In
2005, they deployed a successful pilot project for a local election. After this success
they tried to design and implement a national pilot project [Wierzbick &Pierzak 2007,
p. 3].

To solve integrality and authentication problems, voters had to use personal IDs
which were stored on Smartcards and a personal PKI (Public Key Infrastucture). As
soon as the Network Server had controlled the access and authenticated the voter, a

13
list of candidates was sent to the voters. The voter casted the encrypted ballot to the
Votes Storing Server. All data were stored and only in the end they were counted in
an offline Counting Server. For this reason the Estonian e-voting system is not
considered as a true Internet voting system [Wierzbick &Pierzak 2007, pp. 3-4].

The Estonian system had some similarities with the SERVER. For example, the
Estonian project also gave the possibility by voting some days before the Election
Days. An important difference which could be identified is the revote possibility which
wasn’t possible with SERVE. When a citizen revoted, the Estonian system canceled
the first vote. This system was also protected against malicious voters, because if the
system observed attacks against the e-voting procedure, the vote was deleted
[Wierzbick &Pierzak 2007, pp. 3-4]

3.1.3 The Polish e-voting system


In Poland, the idea of e-voting has also been adopted. For this reason an initiative
was proposed to introduce Internet voting. This proposal has not a thorough security
analysis and seems to be naïve. This led not only to a lot of critics, but also to a lot of
media attention. Citizens were interested by the possibility to vote online. This system
would have similar weak point as the SERVE. For example only an ordinary
password would be used and the ballots would be sent in a simple Web Form to a
server, instead to use applets or ActiveX component which is more secured
[Wierzbick &Pierzak 2007, p. 4].

The project description isn’t well elaborated, because the designers have not
developed the counting aspect, or how to assure anonymity or storage votes. The
proposal stopped when the votes is send to the server.

This proposal is not complete and well-elaborated, many aspects have to be defined
and thought, before it could be designed and implemented. For this reason, in the
next step of the Thesis, the Geneva project will be presented. This project has proved
that it is possible to implement an e-voting application [Wierzbick &Pierzak 2007, p.
4].

3.1.4 The Canton of Geneva e-voting system


This part of the Thesis will present a brief summary of the e-voting system which was
implemented in the Canton of Geneva. The Canton of Geneva was one of the

14
Canton, with Neuchâtel and Zürich, chosen by the Confederation to introduce a pilot
e-voting project. The idea was to implement it in the whole country. Online voting
should give a new voting possibility which needs to have the same security level as
traditional vote [Chancellerie d’Etat 2001], [Chancellerie d’Etat 2004b]. It will be
interesting to analyze this successful project: the first online vote happened in
January 2003.

Before the application was implemented for citizens, many schools had to test it.
When the application was secured enough and proved that it was well working the
application was implemented for citizens, but it’s important to notice that at the
beginning only a few numbers of communes had the possibility to vote online. By
each election, more communes had the e-voting possibility [Chancellerie d’Etat
2004b]. Now even more citizens have the possibility to vote online and even more
Swiss cantons (Lucerne, Bern, Basel and Vaud) will use this application for their
citizens living abroad. It’s important to notice that only a Swiss citizen who lives in
one of the 27 European countries and in a country from Wassenaar Arrangement
(South Africa, Argentine, Australia, Canada, South Korea, Croatia, USA, Japan,
Norwegian, Russia, Turkey and Ukraine) could use the e-voting application
[Chancellerie d’Etat 2009].

In order for the project to be successful, a well elaborated and clear methodology and
technology have to be developed. The designers designed a ballot life cycle in 4
main stages: initialization, sealing the ballot box, voting period and counting the vote.
These stages, illustrated in Figure 2, will be analyzed in the following sub-chapters
[Chevalier et al. 2006, p. 18].

15
Figure 2: Ballot life cycle of the Canton of Geneva
[Chevalier et al. 2006, p. 18].

3.1.4.1 Initialization
Initialization is the first phase of the e-voting process. The process begins with the
data collecting. Different data are distinguished:

 electoral data are communes which are allowed to vote online


 object vote includes the list of candidates or voting subjects
 geographic data are lists of countries and cantons
 personal data which are necessary to voters authentication, this includes the
name, address and date of birth.

The flow of these data is presented in the Figure 3.

These data are saved on a secured network. They are mixed to create a random
number and then exported to a printer which prepares voting cards [Chevalier et al.
2006, pp. 18-19].

16
Figure 3: Flow of data
[Chevalier et al. 2006, p. 19].

3.1.4.2 Sealing the ballot box


This phase begins as soon as the voting cards are imported in the system and sent
to citizens. In this phase different actors are present: the Chancelière d’Etat or Vice-
Chancelier, the president and at least two members of the CEC (commission
électorale centrale), a notary, an information system security officer and an e-voting
administrator [Chevalier et al. 2006, p. 19].

Cryptographic means are developed to guarantee that the ballot box couldn’t be
violated. This induces that different keys are generated:

 Public key to encode votes: This key could only encode votes and not
decipher them.
 Private key to decipher votes: This key could decipher votes and obtain ballot
results.
 Symmetric key from the integrity meter: This key could encode and decipher
the integrity meter.

Each key has a distinct and different protection. The private deciphering key is
protected with two passwords. These passwords (secret) should be given by two
different members of the CEC. The security officer gets on a USB key and on a CD a
copy of the 3 keys. And the correspondent passwords for the private decipher key
are given to the notary. To open the ballot box, every actor should be present,

17
because each actor has a different secret/password and this secret should be
connected to the secured infrastructure. The actors with a secret have not access to
the secured infrastructure (computer, server) [Chevalier et al. 2006, pp. 19-21].

3.1.4.3 Voting period


When the ballot is sealed, the voting session could begin and the voting website
(https://www.evote-ch.ch) could be activated. To create a secured connection (with
the use of an https protocol, a communication SSL is established) voters have to
introduce the number of their voting card, and then they receive the ballot. When they
fill it, they have to identify themselves with the date of birth and PIN code which is on
their voting card. This PIN code is hidden by a film which should be scratched
[Chancellerie d’Etat 2004b].

As mentioned above, a SSL communication is established. This communication


encodes the vote and permits an authentication with the server, but some studies
proved that this protocol is sensible to “man in the middle” attacks. It is an attack
where the attacker places himself between the e-voting website and the voter. For
this reason, a second encoding was developed. That means that each data is
encoded twice. This double security is only possible with a Java technology (Java
applet should be downloaded from the e-voting website) [Chevalier et al. 2006, pp.
21-22].

Before ballots are sent, citizens have to authenticate them with their personal data
and the password written on the voting cards. The server checks that the citizens is
allowed to vote and then saves the ballot and the number of the voting card in two
different ballot boxes. This induces that votes and citizens (register with the voting
card) are separated [Chevalier et al. 2006, p. 22].

3.1.4.4 Counting the vote


When citizens have voted and the ballots are casted, the last phase begins. Counting
the votes is an official meeting, where every actor should be present to give his
secret. To be sure that it isn’t possible to make a temporal relation with a vote and an
elector, the ballot box is mixed, before the actors open it [Chevalier et al. 2006, pp.
23-24].

18
3.1.4.5 Some conclusions
The pilot project of the e-voting application lasted 10 years, from the survey to check
if the demand exists and 2011 where every citizens of Geneva could vote online. It
was a long running project while IT technology improved. That means that the project
had to be continually adapted and improved. The project is not finished, because the
goal of the Confederation was to implement it to the whole country. And the
designers have another goal; they want the elector to be able to verify if his vote has
been correctly counted for.

It is an important step not only for citizens which could vote from their own home, but
also for the eGovernment and the democratic voting system. This example shows
that it’s possible to implement a secure e-voting system.

4 What is important to obtain citizen’s trust?


In everyday life, trust is obtained by different ways such as discussing or sharing
experiences with friends and others, or dealing with expert who have experiences in
a specific domain. Most of the time, trust ensues from past experiences or
explanations coming from an expert or from a person who experiment it. Individual
decides if the explanation is accepted or rejected. The explanation has a bigger
impact and is understood as more credible if the source is trustful. Explanation and
trust seem to be closely linked.

In the first part of this chapter the notion of explanation and then trust will be
analyzed. Then the manner how the canton of Geneva communicates with its citizens
will be presented.

4.1 Explanation
In digital environment like e-voting, the communication aspect is very important to
obtain citizen’s trust. Face-to-face discussion is not possible; for this reason one of
the best way to build citizen’s trust is obtained by an intensive and well elaborated
explanation. Because citizens could not measure and have concrete facts or
comparisons on how the system does work and if it is secure enough. Explanation is
maybe in computer network more important than in real life [Pieters 2010, p.53].

19
The term of explanation includes different ideas; it could clarify uncertain aspects, be
a fact or consequences description or be an instruction. In digital environment,
explanation usually means instruction. Agents who developed digital application have
to explain the working process, the measures which assure anonymity, integrality and
confidentiality of personal data. For example, in the e-banking process, bankers and
designers have to explain why clients can do their payments and transactions online
in a safe way. This case is similar to an e-voting process, because e-banking
designers at the beginning also had to persuade how the system was secure, to
obtain and maintain citizen’s trust [Pieters 2010, p. 55].

With explanation five different goals could be distinguished: justification (to give a
reason to something), transparency (in a process for example), relevance (why is
something relevant), conceptualization and learning (by teaching users for example).
Usually in an e-voting process, the interface is easily implemented so users shouldn’t
be taught on how to use it. In the e-voting and e-election process, the main goals are
transparency and justification. Designers have to justify their decision and be
transparent in the process; transparent in the manner how ballot boxes are sealed for
example. Citizens have to understand what designers have developed to protect
them. The other goal, transparency, generates a lot of debates. On one side users
have to be informed on the security that was implemented, but on the other side,
these explanations give too hackers possibility to attack the system [Pieters 2010, p.
55].

Based on these different points, it is essential that a communication plan is


developed. The designers have to think about the way they want to explain how the
system is secured, have to identify the best communication channel and also what
they want to tell. The correct set of information has to be defined and adequate,
because if too much information is given the danger persists that voters might be lost
with the surplus of information and don’t trust the process. Too much information kills
information.

4.2 Trust
In digital environment trust is called e-trust, but the word trust will still be used in the
rest of the Thesis.

20
Trust can be defined as: “One party (trustor) is willing to rely on the actions of another
party (trustee); the situation is directed to the future [Wikipedia 2011]”. The trustor
loses control of an action and gives it to the trustee. In compensation, he expects an
output.

With the fast ITC technological development, trust in complex technology should
increase even more, because the majority of citizens have not any knowledge on IT
technology. Citizens have the choice to use and trust IT technology by using it. That
means that risks and alternatives exist and users have to decide themselves. If users
want to trust it, they need to be well informed and conscious of the dangers that exist.
The notion of risk and self-choice are the main difference with confidence. By
confidence users are not well informed about risks and couldn’t consider alternatives.
This case happens when Government imposes an idea.

 If voters have the choice between voting paper or e-voting by evaluating the
risks, and they choose internet election that means they trust the application.
 If citizens use a well working e-voting system without considering any
alternatives or knowing how the system works that means they are confident
with the system [Pieters 2010, pp. 55-56].

In conclusion to this part it is important to distinguish the difference between trust,


which entails a decision because risks and alternatives are perceived, and
confidence, where no comparison between risks and alternatives has been done
[Pieters 2010, pp. 55-57].

4.3 Explanation and trust in e-voting and e-election


Explanation is a crucial requirement to obtain voter’s trust in an e-voting process,
because this system involves personal data and security is invisible.

As seen in the last paragraph, a distinction has been given between trust and
confidence. Government has to define which communication strategy they want,
because communication wouldn’t be equal if the government wants to obtain trust or
confident. The following part of the Thesis will describe two Government strategies
and how the communication has to be elaborated according to which strategy is
chosen.

21
British and Dutch have two different communication strategies by implementing their
e-voting system. The British Government decided that citizens could use and choose
which voting channel, paper voting, e-voting and correspondence voting, they want.
In the Dutch case, the Government only gave two voting possibilities, paper or online.
Then each local authority had to decide which channel they want to use [Pieters
2010, pp. 58-59].

The communication strategy is totally different in these two e-voting pilot projects. In
the British case, communication has to be focused on how the system works by
giving some internal operation details. For example users need to be informed how
the system is secure and how it works. This information should allow voters to take a
decision. Transparency is one of the main goals by implementing such strategy
where focus is based on getting citizen’s trust. By opposition to the British case the
Dutch government has to communicate external information, voters have to feel
comfortable by using the system. The local authority has to justify their decision. By
choosing the e-voting process, local authorities have to argue why the system is
secure and show that it has been tested. They can also explain that it is faster to
obtain results and more reliable than paper voting. The objective is that voters are
confident with the system. With the Dutch strategy, justification should be in the heart
of the explanation plan [Pieters 2010, pp. 58-59].

This chapter illustrates why explanation is a primordial aspect from a psychological


perspective by developing and implementing an e-voting process, because it is
necessary to obtain public’s trust.

4.4 Case study: Geneva


As mentioned, the Canton of Geneva introduced in 2003 online voting possibility for
the first time. It has been a successful project not only thanks to the safety system,
but also thanks to the well elaborated communication plan. Since the beginning of
the project, the Chancellerie d’Etat of Geneve developed a communication strategy.

The project began in 2001 with a survey. The Chancellerie d’Etat wanted to analyze if
a citizen’s demand for an e-voting system existed. The survey showed that citizens
expected it and a demand existed. In conclusion they were in favor of such a project.
Since then the communication plan began. The following part of the Thesis will
present the communication of the Chancellerie with the different channels used.

22
4.4.1 Newsletter
It is important to know that several times in year the Canton of Geneva publishes a
newsletter to inform citizens about their activities. This channel was intensively used
to inform citizens about the e-voting project. Every important test which has been
done was explained. The Chancellerie d’Etat presented also why the test was
conducted, what was the focus and goal of the test. For example a test was carried
out to verify the resistance on attacks and the system capacity to detect and
signalized them [Chancellerie d’Etat 2002b]. Other tests had been conducted to
verify if the system restituted correctly the votes or if it detected when citizens voted
twice. In the test peak influence was also simulated (when a lot of citizens were
voting in the same time). Not only tests, but also results, what worked well and what
had to be improved were presented. Naturally the Chancellerie focused on
successes of the various tests which have been done and how much they were
happy about the project. [Chancellerie d’Etat 2002a], [Chancellerie d’Etat 2002b] and
[Chancellerie d’Etat 2004b].

Newsletters were used to present various aspects for the e-voting process. It was a
good channel to explain how the voting process and the following steps that had to
be undertaken. Newsletters informed for example that the canton of Geneva was not
the onliest Swiss canton which tried to design and implement an e-voting possibility:
other pilot projects were conducted in the cantons of Neuchâtel and Zürich. This
means that e-voting was not just an idea of the canton of Geneva, but a national
project and that the Chancellerie federal supported the project [Chancellerie d’Etat
2004b].

To convince that the e-voting process for the canton of Geneva was a success, the
newsletter explained that other cantons also used the Geneva voting process where
only the canton flag has been adapted. Another argument to try to persuade citizens
was the explanation about the competition it won. In 2004, the e-voting project won a
competition price in the category Cyberadministration in the SSSA (Société Suisse
des sciences administratives). The project was presented in other countries like the
USA and France and seduced them.

In approximately every newsletter, the words “security”, “test” and the aspect of
“success” were presented. With this focus, the Chancellerie of Geneva tried to obtain

23
citizens trust and maintain it, because the Chancellerie showed that security was at
the heart of designer’s priorities and that a lot of tests were conducted to proof the
effectiveness of the system. 3 or 4 times a year for approximately 10 years, citizens
have been hearing about e-voting. This notion has had time to be implemented in
citizen’s customs. Citizens are now used to this term and know that it was a long
running project which can now be trusted.

4.4.2 Other communication channels


The Chancellerie of Geneva used not only newsletter in their communication plan,
but also other channels. Between 2003 and 2004, they organized information
meetings in the different communes which would be first confronted with the e-voting
project. Then in 2004 and 2005, in these same communes, information stands with
hostesses who had to explain how to vote online had been organized.

Before each vote they put public notices and until 2009 communes which were
involved with the e-voting got not only the voting material, but also e-voting directions
on how to vote online.

An online website was also created (http://www.ge.ch/evoting/) where citizens could


inform themselves. This platform includes published newsletters; e-voting directions
for use and several reports and studies which had been carried out. For example a
report “Voter par Internet? Le projet e-voting dans le canton de Genève dans une
perspective socio-politique et juridique” was carried out to prove the legal reliability
and citizen’s willingness for the e-voting [Chancellerie d’Etat 2001].

4.4.3 Communication strategy


As seen in the two last sub-chapters, communication was very important and
elaborated and many channels had been developed and used. This had the
advantage to reach more or less every citizen. And citizens were regularly informed
and confronted with the information. During 10 years, voters had time to think about it
and to be prepared and informed about the evolution of the project, but also about
the security, the working process and the tests.

The Canton of Geneva had clearly the same communication strategy as the British
Government. Their communication priority was constantly informing citizens. By
informing their citizens as such, the Canton of Geneva wanted to obtain voter’s trust.

24
That means that voters had to be transparent and constantly informed about how
worked the process and how secured it was. Explanation was a crucial aspect of the
communication strategy.

The last vote, in May 2011, was the first time that all citizens could vote online. The
e-voting quote was 22.13%. That means that approximately ¼ of the voters used this
application. For a first time it’s a good performance [Chancellerie d’Etat 2011a].

The success of the Canton of Geneva e-voting application lay not only on security,
but also on a well elaborated communication plan. Since the beginning of the pilot-
project, citizens were informed about the test, security and successes of the online
application.

25
5 Conclusion
The increasing use of IT technology allows developing new applications not only for
Business, like e-banking, but also for Governments. E-voting is a good example of
such application which has to be designed and implemented to satisfy citizen’s
demand. E-voting is an alternative voting channel, which means that various
constraints have to be respected.

First of all, a set of democratic constitutional requirements needs to be fulfilled by the


system. Like traditional voting, the e-voting system has to comply with the democratic
principles and rights, like human rights. This induces that democratic requirements
like eligibility, equality, freedom, secrecy and democracy have to be identified.
Fortunately various methodologies like RUP have been developed to help designers
and Business analysts by collecting all these requirements.

When the requirements have been identified, designers are confronted to another
problem: security. E-voting system should have the same secure level as traditional
voting system and at the same time respect all the requirements. It is not easy to
design and implement such system. For this reason various countries tried different
technologies: the USA with SERVE, Estonia, Poland and Switzerland with the Canton
of Geneva. The last implemented e-voting system, a successful project that still
exists.

Implementing e-voting system is a really complex project, because not only


requirements have to be respected and the level of security has to be assured, but
also a communication plan has to be elaborated. Because technologies are difficult
to understand, this induces citizens have to trust it without testing it. Only when
citizens rely and trust the e-voting system, they will use it. They have to be informed
about how the system works and designers have to justify their decision. Trust can
also be obtained with explanation, but a right level of explanation. If too many
information is given, nobody would understand it and if it is not enough, nobody will
trust it. For this reason, communication plays a major role by obtaining and
maintaining trust. Governments have to clearly define their communication strategy:
obtaining trust or confidence.

26
To design and implement a successful e-voting system is not easy. Respecting
constitutional requirements, secured implemented technology and a well elaborated
communication strategy are some of the key important aspects to lead to success.

27
6 Literature
[Chancellerie d’Etat 2001] Chancellerie d’Etat : adapter le virtuel aux exigences humaines.
Communiqué du 29 novembre 2001.

[Chancellerie d’Etat 2002a] Chancellerie d’Etat: Les élèves des écoles du postobligatoire
testent le vote par internet. Communiqué du 13 mai 2002

[Chancellerie d’Etat 2002b] Chancellerie d’Etat : Test de vote par Internet dans les écoles
secondaires : L’application réussit son examen de passage.
Communiqué du 4 juillet 2002.

[Chancellerie d’Etat 2004a] Chancellerie d’Etat : Genève à la pointe du future.


Communiqué du 21 septembre 2004.

[Chancellerie d’Etat 2004b] Chancellerie d’Etat : Succès du premier scrutin électronique


fédéral. Communiqué du 26 septembre 2004.

[Chancellerie d’Etat 2008] Chancellerie d’Etat : Genève, nouveau vote réussi : un dixième
succès pour le vote en ligne. Communiqué du 30 novembre
2008.

[Chancellerie d’Etat 2009] Chancellerie d’Etat : Pour la première fois, les Genevois de
l’étranger voteront en ligne. Communiqué du 27 septembre
2009.

[Chancellerie d’Etat 2011a] Chancellerie d’Etat : Pour la première fois, tout le canton de
Genève pourra voter en ligne. Communiqué du 15 mai 2011.

[Chancellerie d’Etat 2011b] Chancellerie d’Etat : Vote par Internet : qui l’utilise et quand ?
Communiqué du 30 novembre 2008.

[Chevalier et al. 2006] Chevalier, Michel; Bahèghen-Bradley, Agatha; Vigouroux,


Christophe; Montmasson, François; Villemin, Rémi; Ponchel,
Franck: La solution genevoise de vote électronique à coeur
ouvert. Flash informatique. No. 6 (2011), pp. 18-25.

[Gritzalis 2002] Gritzalis, Dimitris, A : Principles and requirements for a secure


e-voting system. Computers & Security, Vol. 21, No.6 (2002),
pp. 539-556.

[Hüsemann 2009] Hüsemann, Stefan: Informationssystem: Einführung RUP und


UML. Herbstsemester 2009, pp. 1-23.

[Pieters 2011] Wolter, Pieters : Explanation and trust : what to tell the user in
security and AI ? Ethics and Information Technology, Vol. 13,
No. 1 (2011), pp. 53-64.

[République et canton de Genève]


République et canton de Genève:
http://www.ge.ch/evoting/welcome.asp. accessed 20.10.2011.

28
[Wierzbick &Pierzak 2007] Wierzbicki, Adam; Krzystof Pietrzak: Analyzing and Improving
the Security of the Internet Elections. Polish-Japanese Institute
of Information Technology in: N. Pohlmann, H. Reimer,
W.Schneider, ISSE/SECURE 2007 Securing Electronic
Business Processes. Highlights of the Information Security
Solutions Europe/SECURE 2007 Conference, Vieweg,
Wiesbaden 2007, pp. 93-101.

[Wikipedia 2011] Wikipedia 2011,


http://en.wikipedia.org/wiki/Trust_%28social_sciences%29
accessed 24.10.2011.

29

You might also like