INSPIRE
Council of Europe’s Conference on E-voting and Use of ICT in Elections
“Taking stock and moving forward”
On Friday, June 15, Scytl was invited to attend the Council of Europe’s Conference on “E-voting and use of Information and Communication Technologies (ICT) in elections: taking stock and moving forward”. We had the opportunity to share our insights in the context of a debate on “Tackling challenges related to implementation of e-voting solutions”.
Scytl’s contribution revolved around the following issues:
Secrecy of the Vote in Internet Voting
On the one hand, secret suffrage is understood as:
“the voter has the right to vote secretly as an individual, and the State has the duty to protect that right.”
This key principle of democratic elections has three underlying standards:
- Individuality, meaning that each voter makes an individual choice.
- Confidentiality, meaning that only the voter should know how they have voted, and they should be able to make their choices in private.
- Anonymity, meaning that there should not be a link between the contents of the vote cast and the identity of the voter who has cast it.
Whereas concerns about the secrecy of the vote are said to be one of the main obstacles to adopting Internet voting, there are already several measures to ensure the principle of secret suffrage is respected when voters can cast their votes online.
Data Protection and ICT in Elections
Personal data protection is, by contrast, much broader than the principle of secret suffrage. It is important to understand that personal data protection applies to any processing of personal data, understood under European data protection law as any information relating to an identified or identifiable individual. This understanding of personal data is shared between both the European Union’s General Data Protection Regulation (GDPR) as well as the Council of Europe’s Convention 108 for the Protection of Individuals with Regard to the Processing of Personal Data, which has been signed and ratified by 55 countries, including countries in Latin America (Argentina, Mexico, Uruguay) and Africa (Cabo Verde, Mauritius, Morocco, Senegal).
In practice, data protection regulations apply throughout the electoral cycle where personal data is processed from different stakeholders, even if voting is not digitized: for example, of voters included in the electoral roll or if they are sent targeted voter information or campaign materials; of candidates during the candidate registration process, when their data is included in ballots or in voting information portals, or when the tabulation procedures rely on digital technology; but also of poll workers in training platforms or electoral management systems; of election administrators, of judges, and even of individual technology auditors if their credentials are to be subject to public scrutiny.
Unfortunately, the current wording in the Council of Europe’s standards on e-voting and ICT and elections do not seem to set a clear distinction. For example, in the Recommendation CM/Rec(2017)5 of the Committee of Ministers to member States on standards for e-voting, the majority of standards on data protection are located under the umbrella of the principle of secret suffrage. In fact, the Explanatory Memorandum to the Recommendation, paragraph 65 on standard №20 reads that “[d]ata minimisation aims at ensuring data protection and is part of vote secrecy.”
The recently adopted Committee of Ministers’ Guidelines on the use of information and communication technology (ICT) in electoral processes in Council of Europe member States do seem to aim at mitigating this problem slightly. For example, in Guideline 1 it is acknowledged that “there might be a real or perceived conflict between principles (between secrecy and data protection on one side and transparency on the other).”
Notwithstanding, in Guideline 6, confidentiality, secrecy and data protection continue to overlap (and data protection is understood only in terms of confidentiality). According to this Guideline, which prescribes that “Member States should ensure the secrecy and confidentiality of information stored within the ICT solution, as required by election and data-protection laws”:
“Member States should ensure the secrecy and confidentiality of information stored within the ICT solution, as required by election and data-protection laws.” In this regard, this Guideline reads that “Secrecy and confidentiality requirements derived from the relevant legal principles should be ensured, taking into account the assumptions, which should also be defined, as discussed in Guideline 1. […]
Data-protection principles such as privacy by design or data minimisation are minimum requirements and should be considered whenever ICT is used in the electoral process. Furthermore, for each specific ICT solution used, member States should consider whether additional, suitable, and specific measures that go beyond data-protection measures are needed to safeguard the fundamental rights of the data subject, as required, for instance, by Article 6, paragraph 1, of the Council of Europe Convention for the Protection of Individuals with regard to the Processing of Personal Data (ETS №108). If the member State identifies a need for such specific measures, they should become part of the electoral regulations.
Conflicts between transparency on the one hand and confidentiality and secrecy on the other should be carefully considered (see also Guideline 7).”
Transparency and Trust Assumptions
But if there is anything that both the principle of secret suffrage and data protection regulations have in common -and in spite of the potential challenges between transparency and confidentiality acknowledged in the Council of Europe’s standards- it is that compliance is ascertained through public scrutiny or -as it is usually referred to in personal data protection regulations- by means of proactive accountability.
Even if, at first, it could seem that secret suffrage and personal data protection should be satisfied by obscurity, it is necessary that those responsible for data processing and for ensuring that votes are cast individually, confidentially, and anonymously, do so in a way that they are “responsible for, and [are] able to demonstrate compliance with” the law, data protection regulations, and its principles (art. 5.2 of the GDPR).
In the Council of Europe standards, and according to the recently adopted guidelines, “solutions, be they on paper and manual or based on ICT, usually rely on assumptions (such as assumptions about users’ interactions with each other or with the ICT, or assumptions about the capability of potential attackers). Only if these assumptions hold true can the principles and derived requirements be ensured. If the assumptions are not realistic, it is very likely that the principles will be compromised and/or violated.”
We could not agree more with this new requirement that trust assumptions underlying the security of ICT in elections should be disclosed. This is helpful for several reasons:
- It contributes to fulfilling the risk-based approach for ICT and elections that has been at the core of the update in CM/Rec(2017)5.
- It raises transparency in elections, from software design to the operation of the system.
- It helps frame a healthier debate on the risks, challenges and shortcomings of ICT in elections, by grounding concepts or ideas that tend to be too general (i.e., “is Internet voting secure?”).
However, and in the spirit of Election Management Bodies’ accountability principle -another issue at the core of the updated Recommendation on e-voting- law-makers and the election administrator should define their system requirements based on their trust assumptions: it should be the public administrations responsible for organising elections who define which risks are accepted and which ones are not, as well as which parties or components of the system are to be trusted. Based on these requirements, providers (private or public) should implement their protocols and then build the software.
Lastly, it is also important to mention that this novel approach could be extended to other voting channels and phases of the electoral cycle, in order to pinpoint existing shortcomings or vulnerabilities (for example, in postal voting or -to follow my previous contribution- to identify which parties process personal data and ensure that they process it securely).
