INNOVATE
How are voters authenticated in a public online election?
Digital and Electronic Identification in Europe
Both private and public organizations encourage users and citizens to carry out electronic transactions every day. As their use becomes more common, these online processes also become more critical and require stronger security measures . Beyond e-commerce transactions, nowadays we do all kinds of financial operations, paperwork and procedures with public institutions, or even access highly sensitive personal data, such as health data.
While electronic transactions are part of our daily lives, though, remote electronic voting, or online voting, is only available in a small group of countries and within limited contexts. The preference of electoral authorities to maintain voting on paper, either in person or by post, ignores the demands of citizen groups for whom voting entails a variety of difficulties and whose rights are not fulfilled or are even tightened and constrained.
The arguments for and against the use of online voting in the public sphere (and more specifically in the election of public governing bodies or referendums) generate debate among specialists and those passionate about the study of democracy. Besides normative or philosophical discussions, there is a recurring concern among all those involved:
How can an online voting system guarantee that those who casts a vote are who they claim to be? How does it ascertain that they have the right to vote?
Electronic identification (eID) for citizens
Through authentication mechanisms, online voting systems uniquely identify the voters and verify their eligibility. These mechanisms are diverse, and their associated security depends largely on how they are implemented. In this post we will focus on digital identification, also known as eID, and we will look more specifically at the European context. In this sense, strengthening the eIDAS Regulation is of special interest in the context of online voting.
The eIDAS Regulation, an initiative sponsored by the European Union (EU), aims to facilitate secure electronic transactions between economic operators, organizations and institutions within the European Economic Area. More precisely, it allows European citizens to benefit from the availability of highly secure and reliable digital identification solutions that can also be used throughout the EU. Although it is not mandatory for member states to join the initiative, it provides many benefits. Several countries which have their own citizen electronic authentication system have even referred their security schemes to the European Commission for validation.
However, so far the use of the electronic identity document as an authentication mechanism has been hampered by the need to have specific hardware, such as card readers connected to personal computers or laptops, which can be an unfriendly infrastructure and operation for most citizens. Luckily, some countries have gone further and provided their citizens with so-called “mobile” authentication mechanisms, greatly facilitating electronic transactions without diminishing security. This is the case, for example, of Cl@ve in Spain, DigiD in the Netherlands, Chave Móvel Digital (CMD) in Portugal and Digi-ID in Estonia.
Although specifics on how each state has implemented the solution may vary, there is a common approach:
- To use this type of authentication, each citizen must register at a public institution in person, or online if they already have an electronic certificate recognized by that administration.
- During the registration process, the citizen defines their username and password, and provides an alternative communication channel, usually a mobile phone, which allows for two-factor authentication. The system does not allow phone numbers to be associated with more than one citizen. Therefore, identification and authentication are based on the combination of something the citizen knows and something the citizen owns (two factors).
Voter authentication and eID
This model, which allows a citizen to carry out transactions that demand the highest security and grant access to high-privacy personal data (such as their medical history), could be used to authenticate voters in an online voting system. In this scenario, online voting systems would act as an electronic administration service, similar to others offered by public administrations. The system would connect through an identification gateway that uses the state or regional identification and authentication service (Cl@ve, DigiD, CMD or Digi- ID, following the examples above) to provide secure authentication.
What is an identification gateway?
It is an “intermediary system that enables service providers to access the different identification mechanisms and their selection by the user” — Cl@ve
In fact, the authorization of eIDs for online voting has already been granted by both public governments and private institutions. As an example, the Portuguese Electoral Law (article 8) states:
The Government shall carry out the studies and steps necessary to enable the Assembly of the Republic to legislate on the introduction, in cases where voting is exercised by correspondence, of electronic non-face-to-face voting with identity validation through the digital mobile key (Chave Móvel Digital) or equivalent electronic identification means
In this way, the improvement in security and interoperability of digital authentication mechanisms that the EU promotes through eIDAS, and that many European countries are already providing, answers one of the main obstacles to the implementation of online voting: that of voter authentication. Therefore, we can make use of the technological advances currently taking place for electronic transactions and processes of all kinds to aid in the implementation of online voting systems.
This article was written by Alicia Ramón, Electoral Consulting Director at Scytl.