INNOVATE
Internet Voting as Part of the mGov4EU Project
Voter privacy and election integrity
One of the most critical environments from the point of view of security and privacy in “the Digital Era” are electoral processes. Within these processes it is necessary to ensure the privacy of voters as well as the integrity of the votes, to guarantee the accuracy of the election results. Furthermore, it’s important to ensure the authenticity of the voters and their eligibility in the election process, in other words, that they are authorized to vote. Otherwise, election integrity could be put at risk.
Voter Authentication
How are voters authenticated when voting online? Let’s take a look at nine countries to see some real-world examples: Australia, Canada, Estonia, France, Mexico, Pakistan, Panama, Switzerland, and the United States of America (USA).
Melanie Volkamer (2009: 25) identified three main ways of identification and authentication as applied to remote electronic voting:
- A first category, based on knowledge (“something you know”), such as passwords, PINs, or birthdates.
- A second category, based on ownership (“something you have”), such as identification and authentication cards, unique to each voter.
- A third category is based on biometric attributes (“something you are”), such as fingerprints, iris scans, and face recognition.
A combination of any of these techniques is possible as well.
Our analysis reveals that the use of solely knowledge-based factors for voter authentication is the most common practice. In most cases, a combination of several credentials is used (e.g., in Canada and Australia). In others, voter authentication works analogously to already-existing paper-based voting channels, such as postal voting (i.e., Switzerland). Another alternative is to rely on a different combination of knowledge and ownership-based authentication methods that does not require e-IDs or digital certificates (e.g., as in France and Mexico).
In Estonia the identity of the voter is ascertained based on a combination of ownership and knowledge-based authentication methods. Biometric identification has only been used in the USA, during the 2018 mid-term elections when the State of West Virginia conducted a pilot using a blockchain-based internet voting system.
mGov4EU
As part of the EU-funded project mGov4EU, we are currently researching new possibilities to ensure an even stronger unique mapping between natural persons and identifiers for different applications. During the three-year project period, several mGov4EU pilot applications will be designed and implemented to validate the solution, modules, and infrastructure services.
The pilot applications include internet voting, smart mobility based on subsidized taxi rides, and mobile signature. The aims of the three pilots are to demonstrate cross-border mobility, cross-border collaboration, providing additional cross-border information based on eIDAS.
“The eIDAS Regulation enables the use of electronic identification means and trust services (i.e. electronic signatures, electronic seals, time stamping, registered electronic delivery and website authentication) by citizens, businesses and public administrations to access on-line services or manage electronic transactions.
It gives:
- transparency and accountability: well-defined minimal obligations for Trust Service Providers (TSP) and liability;
- guarantee of trustworthiness of the services together with security requirements for TSPs;
- technological neutrality: avoiding requirements which could only be met by a specific technology;
- market rules and standardisation certainty.”
European Commission, Q&A: Electronic Identification and Trust Services (eIDAS) Regulation
The pilots are planned to demonstrate their feasibility under real-life conditions and in real life environments like internet voting for the student’s council at the University of Tartu. This use case consists of integrating the eIDAS authentication in the online voting system of the mGov4EU Partner Scytl, thus voters from different countries and with different eIDAS-compliant authentication tokens, can authenticate seamlessly in the system for voting.
In addition, the project introduces the ability to produce anonymous statistics from voter personal data relevant to statistics by means of the SDG-Layer. This layer is the implementation of the Single Digital Gateway Regulation which provides access to EU citizens to information, administrative procedures and assistance services between different EU countries.
“The single digital gateway facilitates online access to information, administrative procedures, and assistance services that EU citizens and businesses may need in another EU country.
[…]
By the end of 2023, Your Europe will offer access to 21 online procedures in all EU countries, with procedures such as registering a car or claiming a pension being fully digitalised and eliminating the need for paperwork. The most important administrative procedures for cross-border users will be fully available online in all EU countries. A system to transfer documents needed for these procedures between national authorities in different EU countries will also be included. For example, a diploma obtained in one country can be shared with the national authorities of another, where it is needed to start a business.”
European Commission, The single digital gateway and Your Europe
In certain cases, it might be interesting to have access to some personal data of the voter for statistics. For example, it can be needed to know the election participation concerning socio-demographic variables, such as gender and age of the voters. This can be done by requesting the voter consent to access to their gender and age using the SDG-Layer. In this manner, the voting system does not require a database with the personal data of all the voters and the voter does not need to manually introduce their data for statistics.
A previous version of this article was published on mGov4EU’s Newsletter.
This article has been adapted by Jordi Cucurull, Cryptography Researcher and by Adrià Rodríguez-Pérez, Public Policy Researcher at Scytl.
