1

Seminar Thesis

eGovernment

Departement of Informatics

University of Fribourg

E-Voting : Why Can Citizens Trust It ?

PROJECT PAPER

Author:

Géraldine Rüede

Route du Mont 4

1789 Lugnorre

Matriculation number : 08-213-316

Examiner :

Prof. Andreas Meier

Supervisor :

Luis Terán

Date :

Lugnorre, 29th November 2011

2

Executive Summary

E-voting is a new voting system possibility which could be developed thanks to the

development of Internet. Designing and implementing such a process is not an easy

task, because many constraints have to be fulfilled. This Thesis will present some of

these constraints which have to be respected by the online application. The first

constraint is the respect of constitutional principles.

Another constraint is security, because this system involves personal data and a high

level of confidentiality. For this reason the Thesis will present some countries

examples where e-voting was implemented or where attempts have been done.

The last aspect the Thesis will treat is communication, because of complex

technologies, communication has a key function to obtain citizen’s trust. Government

has to explain how the system works and why some decisions have been taken.

Citizens will only use the application if they trust it. The communication strategy has

to be well elaborated.

Having an e-voting conform to the constitutional principle with not only the same level

of security as traditional vote, but also a good thought communication strategy could

be some important aspects to lead to success.

Key words: e-voting, eGovernment, requirements, security, trust, explanation.

3

Table of content

Executive Summary .................................................................................................... 2

1 Introduction .......................................................................................................... 5

1.1 Motivation ...................................................................................................... 5

1.2 Problem statement and research question .................................................... 6

2 Necessary requirements to obtain trust ............................................................... 7

2.1 Constitutional requirements and e-voting principles ...................................... 7

2.1.1 Eligibility .................................................................................................. 7

2.1.2 Equality ................................................................................................... 8

2.1.3 Freedom.................................................................................................. 9

2.1.4 Secrecy ................................................................................................. 10

2.1.5 Democracy ............................................................................................ 10

2.2 Requirements capturing methodology ......................................................... 11

3 Implementing technologies developed to try to fulfill all these requirements ..... 12

3.1.1 The SERVE system .............................................................................. 13

3.1.2 The Estonian e-voting system ............................................................... 13

3.1.3 The Polish e-voting system ................................................................... 14

3.1.4 The Canton of Geneva e-voting system ................................................ 14

4 What is important to obtain citizen’s trust? ........................................................ 19

4.1 Explanation .................................................................................................. 19

4.2 Trust ............................................................................................................ 20

4.3 Explanation and trust in e-voting and e-election .......................................... 21

4.4 Case study: Geneva .................................................................................... 22

4.4.1 Newsletter ............................................................................................. 23

4.4.2 Other communication channels ............................................................. 24

4.4.3 Communication strategy ....................................................................... 24

5 Conclusion ......................................................................................................... 26

4

6 Literature ........................................................................................................... 28

Table of figures

Figure 1: Use Case for an e-voting model ................................................................ 12

Figure 2: Ballot life cycle of the Canton of Geneva ................................................... 16

Figure 3: Flow of data ............................................................................................... 17

5

1 Introduction

E-voting is an alternative voting possibility to traditional vote which appeared with the

increasing use of computer networks. The voting possibilities are traditional vote,

correspondence vote and e-voting. Traditional vote means that each paper votes are

physically casted by citizens in the ballot box. Correspondence vote is similar to

traditional vote, instead of bringing the ballot, citizens send it by post. E-voting is the

last and new voting possibility. In this Thesis, e-voting means that ballots are casted

through Internet. E-voting is considered as a complementary voting channel that

does not supersede existing channels. This channel includes many advantages. With

the possibility by voting at home the participation quote could increase, because it is

easier and faster for citizens who live abroad to cast their ballots over a networks

than by post. This would not only be attracting for citizens living abroad, but also for

demographic groups who feel confident with Internet and use this technology.

E-voting has not only advantages, risks of attacks and security threats still exist. The

system should have a secure level similar to paper vote and assure confidentiality,

integrity, anonymity and different constitutional requirements.

1.1 Motivation

With the development of IT Technologies, citizens are becoming even more

independent and want to do their transaction and activities on their own. Thanks to

the increasing computer networks, this freedom is now possible. It seems natural that

Governments also want to design and implement online applications. E-voting and e-

election are a perfect example where Governments have to adapt themselves and

follow users demand. Both applications could not only reduce election’s cost, but also

increase citizen’s participation. This is not without danger, the system has to be

secure against malicious voters and assure personal data, integrity, confidentiality

and anonymity. For this reason and from a constitutional point of view, e-voting

needs to satisfy various requirements which also respect democracy. Some countries

have developed e-voting system conform to human rights and democratic election

principles while assuring security, and found solutions for vulnerabilities that still

exist. Government has to be conscientious that not only security and constitutional

requirements have to be in the heart of discussion, but also the necessity of

developing a communication plan. Citizens would only vote online if they are

6

convince from the system and trust it. Government has to obtain citizen’s trust and

maintain it. If security requirements are assured and voters trust it by voting online,

the application will be a success.

The aim of this Thesis is to show which constitutional and functional requirements

should be assured by implementing an e-voting system. The existing e-voting

systems which try to be conformed to these requirements will be presented. As soon

as the system is in accordance with the requirements and is secured, the

Government has to obtain voter’s trust. In this Thesis, the communication aspect will

be developed and be illustrated with a concrete case.

1.2 Problem statement and research question

The main problematic “e-Voting: Why Can Citizens Trust It” can be separated in 3

parts.

First of all, the system should be in accordance not only with law, but also with

human rights and democratic principles. E-Voting is a new voting channel, after

paper voting and correspondence voting, and democratic principles have to be

guarantee no matter which channel is chosen. Therefore, it is important to remind

which constitutional and functional requirements are necessary. This Thesis will

answer to the following question:

1. Which requirements are necessary in an e-voting system?

Secondly, implementing an e-voting process from a technical point is not too difficult,

but it is really hard to implement and design a process that fill up all constitutional

requirements and at the same time has the same secure level as the traditional

voting and election. Different attempts have been developed by the USA (SERVER),

Estonia, Poland and the canton of Genève. This aspect will be answered with this

following question:

2. Which implementing technologies have been developed in order to fulfill all

these requirements?

Finally, while an e-voting system is designed and implemented, a communication

plan has to be elaborated to inform and explain to voters how the system is running.

Opposed to traditional voting paper which also involves personal data; e-voting

7

security measures are invisible. Users cannot test the system in advance or share

their experiences to make themselves an opinion. For this reason, Government has

to persuade and obtain voter’s trust through communication. This lead to the third

research question:

3. What is important to obtain trust?

These 3 parts will be answered and treated through existing literature.

2 Necessary requirements to obtain trust

Like explained in the introduction, e-voting allows citizens to cast a secure and secret

vote through Internet. E-voting is considered as a new and complementary means to

the traditional voting process. This induce that e-voting should not only have the

same secure level, but also comply with the democratic voting principles and rights

and be conformed to the legislation. For this reason, this chapter aims to identify the

set of requirements and principles which should be met to design and implement an

e-voting system. Then a methodology which captures these requirements will be

presented.

2.1 Constitutional requirements and e-voting principles

To guarantee a democratic vote, a set of requirements have be defined, because e-

voting should comply with the principles and values of democracy. Like traditional

election e-voting should guarantee, equality, equity and secrecy. This section will

describe the most important constitutional requirement: eligibility, equality, freedom,

secrecy and democracy which should be met to design and implement an e-voting

system.

2.1.1 Eligibility

The first requirement is eligibility. This requirement means that each eligible voter has

the right to participate and vote. To guarantee such requirement, every voter should

have access to the voting ballot. With traditional vote the accessibility is easier to

guarantee, because the government has only to send via post the voting material.

With e-voting, this induces that the technology has to be accessible for every voter.

To be sure that every eligible voter has such access, one solution could be for the

government to propose public infrastructures like internet kiosks and internet voting in

8

state offices, where every citizen should be allowed to go and exercise his rights

[Gritzalis 2002, pp. 541-542].

To respect the eligibility principle, the e-voting system needs to have various

procedures: registration and authentication. In democratic election only eligible voter

are allowed to participate. This induces that voter’s eligibility should be controlled and

identified before votes are casted. For this reason, the e-voting system should have a

registration procedure. After verified voter’s eligibility, thank to registration, the

system should control that each voter could only vote once. This should be

guarantee with the authentication procedure [Gritzalis 2002, pp. 541-542].

In conclusion, to respect eligibility requirement, the system should have a registration

and authentication procedure. These measures are taken to reduce fraud and

support voter’s integrity, because only eligible voters can participate and vote only

once [Gritzalis 2002, pp. 541-542].

2.1.2 Equality

Equality is an important requirement in democratic country. This requirement includes

equality in various voting channels, procedures and infrastructure for voters and

political parties and candidates. For this reason it is possible to divide equality in 3

major points: equality in the procedures, equality for political parties and candidates

and the third point is voter’s equality [Gritzalis 2002, pp. 542-543].

At first, it is important to mention that voting channels, paper or e-voting ballot should

be edited and displayed in a similar way. Votes independently from the voting

channel should be transmitted, recorded and counted the same way manner and

without any changes This measure is taken to be equal in the procedure; not only for

voter who choose a specific channel, but also for political parties and candidates. To

guarantee the equality in the procedure another criterion should be mentioned. Every

voter is not allowed to cast more than one ballot and the voting period until the

election days should be the same for everybody [Gritzalis 2002, pp. 542-543].

To guarantee the equality for political parties, the display of the ballots on the voting

website is an important factor. The placement of the ballots should not discriminate

any of the parties or candidates. In democratic countries, political parties and

candidates are equal and should be treated equally. Governments are not allowed to

9

favorite any political parties by displaying their ballots in a strategic place [Gritzalis

2002, pp. 542-543].

The third equality principle which should be respected is voter’s equality. Voter’s

equality has various consequences. At first, it is important to mention that

independently from the voting possibility chosen by citizens, ballots should have the

same weight in the procedures. That means that it is forbidden to favoring e-voting or

another voting possibility. A second important consequence is the equality in the

voting accessibility. Voting accessibility encompass two different aspects:

accessibility to the technology and the system should be easy to use. As mentioned

under 2.1.1, every voter should have the same technological access, this could be

respected if the government proposes publicly available infrastructure [Gritzalis 2002,

pp. 542-543].

But it is important to mention that every voter should use and understand the e-

voting process. This induces that the system should be easy and user friendly. Every

eligible voter independently from his age, education or physical state should be able

to exercise his rights [Gritzalis 2002, pp. 542-543].

2.1.3 Freedom

The third requirement is freedom. Freedom means that voters should exercise their

rights without pressure, violence, coercion, influence of a third part or manipulation.

That means that propaganda message or political advertisement should not appear

on the computer screen while citizens are fulfilling their ballots. The system should

guarantee that it is not possible to implement advertisement from the political parties.

This measure is taken to protect voters, because they have to fell free in their

decision and not manipulated by propaganda messages. To guarantee this principle,

freedom in their decision, Government often discourages citizens to vote from their

working place to avoid pressure of a third part. For example, the boss could influence

his staff member, force them to vote a candidate or control their vote [Gritzalis 2002,

p. 542].

Another criterion to guarantee freedom is the traceability aspect to prevent vote

buying. For this reason, it is important that voter cannot prove what they have voted,

because it is possible to imagine citizens buying other eligible’s vote. A solution to

10

avoid this problem is, as mentioned above, by offering public infrastructure [Gritzalis

2002, p. 542].

2.1.4 Secrecy

Secrecy and freedom are closely linked, because as mentioned, voters should not

have a proof of their votes. This induces that votes are anonymous and it should not

be possible to make a relation between a vote and his elector. The consequences

deriving from this point are the following: the ballot should be transmitted, receipted,

collected and counted secretly and nobody in the voting process could link the vote

to his voter. That means that the registration and authentication procedures, that are

necessary to verify the eligibility of the voter, should be distinct and separated from

the counting. It should also be possible to recount the ballots, always by keeping

voter’s name secret [Gritzalis 2002, pp. 543-544].

2.1.5 Democracy

The last requirement is democracy. To respect this requirement 3 different criterions

have to be guarantee: the first one is security, the second one is audit and the last

one is transparence

Security is also an important aspect for democracy which encompasses various

technological notions like confidentiality and integrity, but also availability. To

guarantee confidentiality and integrity, the system has to be well secured to resist to

attacks and malicious voters. The third notion, availability, induces that breakdowns

and bugs have to be limited as much as possible. If it is not the case the equality

requirement would be violated, because citizen’s procedures and the technology

availability would not be equal [Gritzalis 2002, pp. 544-545].

To be conformed to the democratic requirement, independent auditors should check

that all votes were correctly counted for and that no malpractices have been

experienced. Government should be open to inspections. The system should also

keep election results secret until the end of the voting period [Gritzalis 2002, pp. 544-

545].

In a democratic e-voting system, the procedures have to be transparent, because

voters and other actors should understand how votes are leaded. In e-voting system,

the procedures are not transparent as traditional voting, because voters have not the

11

knowledge to understand how the system is conducted. It is important to mention that

not only voters, but also the other election actors should trust the implemented

technology. This induces that every citizen, no matter which voting possibility they

have chosen can trust the e-voting system. Because if it is not the case the

fundamental trust in the democratic process will be compromised. [Gritzalis 2002, pp.

544-545].

2.2 Requirements capturing methodology

To implement correctly a system like e-voting it is important to have a rigorous

methodology. In IT technology two methods are dominating the market: this first one

is “waterfall” (like Hermes) and the second one is “agile” methodology (RUP, Scrum).

Agile methodologies have various advantages compared to waterfall. They are more

flexible, iterative with different life cycles, results are more frequent and very

importantly it is an object oriented methodology. These different characteristics are

important to design and implement an e-voting system, because frequently results

permit to reduce risks (for example user requirements and goals are not clearly

established and understood). With e-voting, not only regular results are important, but

functional user requirements elicitation too. An important process which permits

functional user requirements is Rational Unified Process (RUP). This methodology

gives 5 different views; one of this is a user view. This view identifies which end user

functionalities have to be implemented. As seen in the chapter 2.1, e-voting has to

fulfill an important number of requirements. The best requirement capturing methods

could be use case where each use case refers to a system functional requirement.

Use cases identify which requirements have to be implemented but also by whom

and the goals. This induces that each use case have a clear description with the

actors participating in the use case, the related business Use Case (from which

system a use case has to be driven and the purpose. When each use case and

actors involved have been involved, designers could have an overview of all the

requirements which have to be implemented and by whom. Figure 1 gives an

example of a Use case. People represent actors who are involved and the circles are

the different requirements which have to be fulfilled by the e-voting system. It is

important to elaborate a complete and detailed Use Case, because all the

requirements should be identified in these steps [Gritzalis 2002, pp. 545-548],

[Hüsemann 2009, pp. 3-19].

12

Figure 1: Use Case for an e-voting model

[Gritzalis 2002, p. 547]

After having identified with a proper methodology which requirements have to be

fulfilled, designers have to identify which technology is best to respect and implement

the online voting system.

3 Implementing technologies developed to try to fulfill all these requirements

After describing the different requirements which general voting should respect, the

Thesis will analyze important attempts to implement e-voting. At first the SERVE

system will be presented, then the Estonian e-voting system and the Polish Internet

voting system. At last, the Thesis will explain the Canton of Geneva e-voting system

which was a success. By the first vote, in May 2011, where every citizens living in the

Canton of Geneva and abroad could vote online, the e-voting participation quote was

22.13%. This means that approximately ¼ of the voters used this application

[Chancellerie d’Etat 2011a].

13

3.1.1 The SERVE system

The project SERVE (the Secure Electronic and Voting Experiment) was undertaken

by the US Department of Defense (DoD) in 2003 and the deployment was planned

for the 2004 elections in USA. With this project, the US Government wanted to give a

voting possibility for American citizens who lived abroad.

The application of SERVE worked only on a Windows system. Different servers have

been used for this Voting Application running on a Windows PC. The first Server was

an online Network Server, the second was a Vote Storing Server and the last type of

Server was the Vote Counting Server. Many Counting Servers were developed,

because each local election office had his own server. Every voter received a

password and could only vote once. He could only use a Web browser which runs on

Java or ActiveX. The voting period was for 30 days before Voting until the closing of

voting places. The voter sent his vote where personal data and the ballot were

encrypted by SSL/TLS to the Network Server. Then the Network Server encrypted

again the personal data and the ballot, before sending to the Voting Storing Server.

The role of this Server was to control personal data. When it had finished, a copy of

the personal data and the ballot were saved and only the vote to the respective Vote

Counting Servers was sent. With this voting system the anonymity could be

guarantee, because only the vote were counted and saved in the Vote Counting

Server [Wierzbick &Pierzak 2007, p. 2].

But the SERVE system was never deployed, because the conclusion of a report

about the security wasn’t encouraging. This system was too risky and could be a

threat for the voting security [Wierzbick &Pierzak 2007, pp. 2-3].

3.1.2 The Estonian e-voting system

After the failure of SERVE, other countries started with e-voting projects. Estonia is

one of these countries which also wanted to have a national e-voting system. In

2005, they deployed a successful pilot project for a local election. After this success

they tried to design and implement a national pilot project [Wierzbick &Pierzak 2007,

p. 3].

To solve integrality and authentication problems, voters had to use personal IDs

which were stored on Smartcards and a personal PKI (Public Key Infrastucture). As

soon as the Network Server had controlled the access and authenticated the voter, a

14

list of candidates was sent to the voters. The voter casted the encrypted ballot to the

Votes Storing Server. All data were stored and only in the end they were counted in

an offline Counting Server. For this reason the Estonian e-voting system is not

considered as a true Internet voting system [Wierzbick &Pierzak 2007, pp. 3-4].

The Estonian system had some similarities with the SERVER. For example, the

Estonian project also gave the possibility by voting some days before the Election

Days. An important difference which could be identified is the revote possibility which

wasn’t possible with SERVE. When a citizen revoted, the Estonian system canceled

the first vote. This system was also protected against malicious voters, because if the

system observed attacks against the e-voting procedure, the vote was deleted

[Wierzbick &Pierzak 2007, pp. 3-4]

3.1.3 The Polish e-voting system

In Poland, the idea of e-voting has also been adopted. For this reason an initiative

was proposed to introduce Internet voting. This proposal has not a thorough security

analysis and seems to be naïve. This led not only to a lot of critics, but also to a lot of

media attention. Citizens were interested by the possibility to vote online. This system

would have similar weak point as the SERVE. For example only an ordinary

password would be used and the ballots would be sent in a simple Web Form to a

server, instead to use applets or ActiveX component which is more secured

[Wierzbick &Pierzak 2007, p. 4].

The project description isn’t well elaborated, because the designers have not

developed the counting aspect, or how to assure anonymity or storage votes. The

proposal stopped when the votes is send to the server.

This proposal is not complete and well-elaborated, many aspects have to be defined

and thought, before it could be designed and implemented. For this reason, in the

next step of the Thesis, the Geneva project will be presented. This project has proved

that it is possible to implement an e-voting application [Wierzbick &Pierzak 2007, p.

4].

3.1.4 The Canton of Geneva e-voting system

This part of the Thesis will present a brief summary of the e-voting system which was

implemented in the Canton of Geneva. The Canton of Geneva was one of the

15

Canton, with Neuchâtel and Zürich, chosen by the Confederation to introduce a pilot

e-voting project. The idea was to implement it in the whole country. Online voting

should give a new voting possibility which needs to have the same security level as

traditional vote [Chancellerie d’Etat 2001], [Chancellerie d’Etat 2004b]. It will be

interesting to analyze this successful project: the first online vote happened in

January 2003.

Before the application was implemented for citizens, many schools had to test it.

When the application was secured enough and proved that it was well working the

application was implemented for citizens, but it’s important to notice that at the

beginning only a few numbers of communes had the possibility to vote online. By

each election, more communes had the e-voting possibility [Chancellerie d’Etat

2004b]. Now even more citizens have the possibility to vote online and even more

Swiss cantons (Lucerne, Bern, Basel and Vaud) will use this application for their

citizens living abroad. It’s important to notice that only a Swiss citizen who lives in

one of the 27 European countries and in a country from Wassenaar Arrangement

(South Africa, Argentine, Australia, Canada, South Korea, Croatia, USA, Japan,

Norwegian, Russia, Turkey and Ukraine) could use the e-voting application

[Chancellerie d’Etat 2009].

In order for the project to be successful, a well elaborated and clear methodology and

technology have to be developed. The designers designed a ballot life cycle in 4

main stages: initialization, sealing the ballot box, voting period and counting the vote.

These stages, illustrated in Figure 2, will be analyzed in the following sub-chapters

[Chevalier et al. 2006, p. 18].

16

Figure 2: Ballot life cycle of the Canton of Geneva

[Chevalier et al. 2006, p. 18].

3.1.4.1 Initialization

Initialization is the first phase of the e-voting process. The process begins with the

data collecting. Different data are distinguished:

electoral data are communes which are allowed to vote online

object vote includes the list of candidates or voting subjects

geographic data are lists of countries and cantons

personal data which are necessary to voters authentication, this includes the

name, address and date of birth.

The flow of these data is presented in the Figure 3.

These data are saved on a secured network. They are mixed to create a random

number and then exported to a printer which prepares voting cards [Chevalier et al.

2006, pp. 18-19].

17

Figure 3: Flow of data

[Chevalier et al. 2006, p. 19].

3.1.4.2 Sealing the ballot box

This phase begins as soon as the voting cards are imported in the system and sent

to citizens. In this phase different actors are present: the Chancelière d’Etat or Vice-

Chancelier, the president and at least two members of the CEC (commission

électorale centrale), a notary, an information system security officer and an e-voting

administrator [Chevalier et al. 2006, p. 19].

Cryptographic means are developed to guarantee that the ballot box couldn’t be

violated. This induces that different keys are generated:

Public key to encode votes: This key could only encode votes and not

decipher them.

Private key to decipher votes: This key could decipher votes and obtain ballot

results.

Symmetric key from the integrity meter: This key could encode and decipher

the integrity meter.

Each key has a distinct and different protection. The private deciphering key is

protected with two passwords. These passwords (secret) should be given by two

different members of the CEC. The security officer gets on a USB key and on a CD a

copy of the 3 keys. And the correspondent passwords for the private decipher key

are given to the notary. To open the ballot box, every actor should be present,

18

because each actor has a different secret/password and this secret should be

connected to the secured infrastructure. The actors with a secret have not access to

the secured infrastructure (computer, server) [Chevalier et al. 2006, pp. 19-21].

3.1.4.3 Voting period

When the ballot is sealed, the voting session could begin and the voting website

(https://www.evote-ch.ch) could be activated. To create a secured connection (with

the use of an https protocol, a communication SSL is established) voters have to

introduce the number of their voting card, and then they receive the ballot. When they

fill it, they have to identify themselves with the date of birth and PIN code which is on

their voting card. This PIN code is hidden by a film which should be scratched

[Chancellerie d’Etat 2004b].

As mentioned above, a SSL communication is established. This communication

encodes the vote and permits an authentication with the server, but some studies

proved that this protocol is sensible to “man in the middle” attacks. It is an attack

where the attacker places himself between the e-voting website and the voter. For

this reason, a second encoding was developed. That means that each data is

encoded twice. This double security is only possible with a Java technology (Java

applet should be downloaded from the e-voting website) [Chevalier et al. 2006, pp.

21-22].

Before ballots are sent, citizens have to authenticate them with their personal data

and the password written on the voting cards. The server checks that the citizens is

allowed to vote and then saves the ballot and the number of the voting card in two

different ballot boxes. This induces that votes and citizens (register with the voting

card) are separated [Chevalier et al. 2006, p. 22].

3.1.4.4 Counting the vote

When citizens have voted and the ballots are casted, the last phase begins. Counting

the votes is an official meeting, where every actor should be present to give his

secret. To be sure that it isn’t possible to make a temporal relation with a vote and an

elector, the ballot box is mixed, before the actors open it [Chevalier et al. 2006, pp.

23-24].

19

3.1.4.5 Some conclusions

The pilot project of the e-voting application lasted 10 years, from the survey to check

if the demand exists and 2011 where every citizens of Geneva could vote online. It

was a long running project while IT technology improved. That means that the project

had to be continually adapted and improved. The project is not finished, because the

goal of the Confederation was to implement it to the whole country. And the

designers have another goal; they want the elector to be able to verify if his vote has

been correctly counted for.

It is an important step not only for citizens which could vote from their own home, but

also for the eGovernment and the democratic voting system. This example shows

that it’s possible to implement a secure e-voting system.

4 What is important to obtain citizen’s trust?

In everyday life, trust is obtained by different ways such as discussing or sharing

experiences with friends and others, or dealing with expert who have experiences in

a specific domain. Most of the time, trust ensues from past experiences or

explanations coming from an expert or from a person who experiment it. Individual

decides if the explanation is accepted or rejected. The explanation has a bigger

impact and is understood as more credible if the source is trustful. Explanation and

trust seem to be closely linked.

In the first part of this chapter the notion of explanation and then trust will be

analyzed. Then the manner how the canton of Geneva communicates with its citizens

will be presented.

4.1 Explanation

In digital environment like e-voting, the communication aspect is very important to

obtain citizen’s trust. Face-to-face discussion is not possible; for this reason one of

the best way to build citizen’s trust is obtained by an intensive and well elaborated

explanation. Because citizens could not measure and have concrete facts or

comparisons on how the system does work and if it is secure enough. Explanation is

maybe in computer network more important than in real life [Pieters 2010, p.53].

20

The term of explanation includes different ideas; it could clarify uncertain aspects, be

a fact or consequences description or be an instruction. In digital environment,

explanation usually means instruction. Agents who developed digital application have

to explain the working process, the measures which assure anonymity, integrality and

confidentiality of personal data. For example, in the e-banking process, bankers and

designers have to explain why clients can do their payments and transactions online

in a safe way. This case is similar to an e-voting process, because e-banking

designers at the beginning also had to persuade how the system was secure, to

obtain and maintain citizen’s trust [Pieters 2010, p. 55].

With explanation five different goals could be distinguished: justification (to give a

reason to something), transparency (in a process for example), relevance (why is

something relevant), conceptualization and learning (by teaching users for example).

Usually in an e-voting process, the interface is easily implemented so users shouldn’t

be taught on how to use it. In the e-voting and e-election process, the main goals are

transparency and justification. Designers have to justify their decision and be

transparent in the process; transparent in the manner how ballot boxes are sealed for

example. Citizens have to understand what designers have developed to protect

them. The other goal, transparency, generates a lot of debates. On one side users

have to be informed on the security that was implemented, but on the other side,

these explanations give too hackers possibility to attack the system [Pieters 2010, p.

55].

Based on these different points, it is essential that a communication plan is

developed. The designers have to think about the way they want to explain how the

system is secured, have to identify the best communication channel and also what

they want to tell. The correct set of information has to be defined and adequate,

because if too much information is given the danger persists that voters might be lost

with the surplus of information and don’t trust the process. Too much information kills

information.

4.2 Trust

In digital environment trust is called e-trust, but the word trust will still be used in the

rest of the Thesis.

21

Trust can be defined as: “One party (trustor) is willing to rely on the actions of another

party (trustee); the situation is directed to the future [Wikipedia 2011]”. The trustor

loses control of an action and gives it to the trustee. In compensation, he expects an

output.

With the fast ITC technological development, trust in complex technology should

increase even more, because the majority of citizens have not any knowledge on IT

technology. Citizens have the choice to use and trust IT technology by using it. That

means that risks and alternatives exist and users have to decide themselves. If users

want to trust it, they need to be well informed and conscious of the dangers that exist.

The notion of risk and self-choice are the main difference with confidence. By

confidence users are not well informed about risks and couldn’t consider alternatives.

This case happens when Government imposes an idea.

If voters have the choice between voting paper or e-voting by evaluating the

risks, and they choose internet election that means they trust the application.

If citizens use a well working e-voting system without considering any

alternatives or knowing how the system works that means they are confident

with the system [Pieters 2010, pp. 55-56].

In conclusion to this part it is important to distinguish the difference between trust,

which entails a decision because risks and alternatives are perceived, and

confidence, where no comparison between risks and alternatives has been done

[Pieters 2010, pp. 55-57].

4.3 Explanation and trust in e-voting and e-election

Explanation is a crucial requirement to obtain voter’s trust in an e-voting process,

because this system involves personal data and security is invisible.

As seen in the last paragraph, a distinction has been given between trust and

confidence. Government has to define which communication strategy they want,

because communication wouldn’t be equal if the government wants to obtain trust or

confident. The following part of the Thesis will describe two Government strategies

and how the communication has to be elaborated according to which strategy is

chosen.

22

British and Dutch have two different communication strategies by implementing their

e-voting system. The British Government decided that citizens could use and choose

which voting channel, paper voting, e-voting and correspondence voting, they want.

In the Dutch case, the Government only gave two voting possibilities, paper or online.

Then each local authority had to decide which channel they want to use [Pieters

2010, pp. 58-59].

The communication strategy is totally different in these two e-voting pilot projects. In

the British case, communication has to be focused on how the system works by

giving some internal operation details. For example users need to be informed how

the system is secure and how it works. This information should allow voters to take a

decision. Transparency is one of the main goals by implementing such strategy

where focus is based on getting citizen’s trust. By opposition to the British case the

Dutch government has to communicate external information, voters have to feel

comfortable by using the system. The local authority has to justify their decision. By

choosing the e-voting process, local authorities have to argue why the system is

secure and show that it has been tested. They can also explain that it is faster to

obtain results and more reliable than paper voting. The objective is that voters are

confident with the system. With the Dutch strategy, justification should be in the heart

of the explanation plan [Pieters 2010, pp. 58-59].

This chapter illustrates why explanation is a primordial aspect from a psychological

perspective by developing and implementing an e-voting process, because it is

necessary to obtain public’s trust.

4.4 Case study: Geneva

As mentioned, the Canton of Geneva introduced in 2003 online voting possibility for

the first time. It has been a successful project not only thanks to the safety system,

but also thanks to the well elaborated communication plan. Since the beginning of

the project, the Chancellerie d’Etat of Geneve developed a communication strategy.

The project began in 2001 with a survey. The Chancellerie d’Etat wanted to analyze if

a citizen’s demand for an e-voting system existed. The survey showed that citizens

expected it and a demand existed. In conclusion they were in favor of such a project.

Since then the communication plan began. The following part of the Thesis will

present the communication of the Chancellerie with the different channels used.

23

4.4.1 Newsletter

It is important to know that several times in year the Canton of Geneva publishes a

newsletter to inform citizens about their activities. This channel was intensively used

to inform citizens about the e-voting project. Every important test which has been

done was explained. The Chancellerie d’Etat presented also why the test was

conducted, what was the focus and goal of the test. For example a test was carried

out to verify the resistance on attacks and the system capacity to detect and

signalized them [Chancellerie d’Etat 2002b]. Other tests had been conducted to

verify if the system restituted correctly the votes or if it detected when citizens voted

twice. In the test peak influence was also simulated (when a lot of citizens were

voting in the same time). Not only tests, but also results, what worked well and what

had to be improved were presented. Naturally the Chancellerie focused on

successes of the various tests which have been done and how much they were

happy about the project. [Chancellerie d’Etat 2002a], [Chancellerie d’Etat 2002b] and

[Chancellerie d’Etat 2004b].

Newsletters were used to present various aspects for the e-voting process. It was a

good channel to explain how the voting process and the following steps that had to

be undertaken. Newsletters informed for example that the canton of Geneva was not

the onliest Swiss canton which tried to design and implement an e-voting possibility:

other pilot projects were conducted in the cantons of Neuchâtel and Zürich. This

means that e-voting was not just an idea of the canton of Geneva, but a national

project and that the Chancellerie federal supported the project [Chancellerie d’Etat

2004b].

To convince that the e-voting process for the canton of Geneva was a success, the

newsletter explained that other cantons also used the Geneva voting process where

only the canton flag has been adapted. Another argument to try to persuade citizens

was the explanation about the competition it won. In 2004, the e-voting project won a

competition price in the category Cyberadministration in the SSSA (Société Suisse

des sciences administratives). The project was presented in other countries like the

USA and France and seduced them.

In approximately every newsletter, the words “security”, “test” and the aspect of

“success” were presented. With this focus, the Chancellerie of Geneva tried to obtain

24

citizens trust and maintain it, because the Chancellerie showed that security was at

the heart of designer’s priorities and that a lot of tests were conducted to proof the

effectiveness of the system. 3 or 4 times a year for approximately 10 years, citizens

have been hearing about e-voting. This notion has had time to be implemented in

citizen’s customs. Citizens are now used to this term and know that it was a long

running project which can now be trusted.

4.4.2 Other communication channels

The Chancellerie of Geneva used not only newsletter in their communication plan,

but also other channels. Between 2003 and 2004, they organized information

meetings in the different communes which would be first confronted with the e-voting

project. Then in 2004 and 2005, in these same communes, information stands with

hostesses who had to explain how to vote online had been organized.

Before each vote they put public notices and until 2009 communes which were

involved with the e-voting got not only the voting material, but also e-voting directions

on how to vote online.

An online website was also created (http://www.ge.ch/evoting/) where citizens could

inform themselves. This platform includes published newsletters; e-voting directions

for use and several reports and studies which had been carried out. For example a

report “Voter par Internet? Le projet e-voting dans le canton de Genève dans une

perspective socio-politique et juridique” was carried out to prove the legal reliability

and citizen’s willingness for the e-voting [Chancellerie d’Etat 2001].

4.4.3 Communication strategy

As seen in the two last sub-chapters, communication was very important and

elaborated and many channels had been developed and used. This had the

advantage to reach more or less every citizen. And citizens were regularly informed

and confronted with the information. During 10 years, voters had time to think about it

and to be prepared and informed about the evolution of the project, but also about

the security, the working process and the tests.

The Canton of Geneva had clearly the same communication strategy as the British

Government. Their communication priority was constantly informing citizens. By

informing their citizens as such, the Canton of Geneva wanted to obtain voter’s trust.

25

That means that voters had to be transparent and constantly informed about how

worked the process and how secured it was. Explanation was a crucial aspect of the

communication strategy.

The last vote, in May 2011, was the first time that all citizens could vote online. The

e-voting quote was 22.13%. That means that approximately ¼ of the voters used this

application. For a first time it’s a good performance [Chancellerie d’Etat 2011a].

The success of the Canton of Geneva e-voting application lay not only on security,

but also on a well elaborated communication plan. Since the beginning of the pilot-

project, citizens were informed about the test, security and successes of the online

application.

26

5 Conclusion

The increasing use of IT technology allows developing new applications not only for

Business, like e-banking, but also for Governments. E-voting is a good example of

such application which has to be designed and implemented to satisfy citizen’s

demand. E-voting is an alternative voting channel, which means that various

constraints have to be respected.

First of all, a set of democratic constitutional requirements needs to be fulfilled by the

system. Like traditional voting, the e-voting system has to comply with the democratic

principles and rights, like human rights. This induces that democratic requirements

like eligibility, equality, freedom, secrecy and democracy have to be identified.

Fortunately various methodologies like RUP have been developed to help designers

and Business analysts by collecting all these requirements.

When the requirements have been identified, designers are confronted to another

problem: security. E-voting system should have the same secure level as traditional

voting system and at the same time respect all the requirements. It is not easy to

design and implement such system. For this reason various countries tried different

technologies: the USA with SERVE, Estonia, Poland and Switzerland with the Canton

of Geneva. The last implemented e-voting system, a successful project that still

exists.

Implementing e-voting system is a really complex project, because not only

requirements have to be respected and the level of security has to be assured, but

also a communication plan has to be elaborated. Because technologies are difficult

to understand, this induces citizens have to trust it without testing it. Only when

citizens rely and trust the e-voting system, they will use it. They have to be informed

about how the system works and designers have to justify their decision. Trust can

also be obtained with explanation, but a right level of explanation. If too many

information is given, nobody would understand it and if it is not enough, nobody will

trust it. For this reason, communication plays a major role by obtaining and

maintaining trust. Governments have to clearly define their communication strategy:

obtaining trust or confidence.

27

To design and implement a successful e-voting system is not easy. Respecting

constitutional requirements, secured implemented technology and a well elaborated

communication strategy are some of the key important aspects to lead to success.

28

6 Literature

[Chancellerie d’Etat 2001] Chancellerie d’Etat : adapter le virtuel aux exigences humaines. Communiqué du 29 novembre 2001.

[Chancellerie d’Etat 2002a] Chancellerie d’Etat: Les élèves des écoles du postobligatoire testent le vote par internet. Communiqué du 13 mai 2002

[Chancellerie d’Etat 2002b] Chancellerie d’Etat : Test de vote par Internet dans les écoles secondaires : L’application réussit son examen de passage. Communiqué du 4 juillet 2002.

[Chancellerie d’Etat 2004a] Chancellerie d’Etat : Genève à la pointe du future. Communiqué du 21 septembre 2004.

[Chancellerie d’Etat 2004b] Chancellerie d’Etat : Succès du premier scrutin électronique fédéral. Communiqué du 26 septembre 2004.

[Chancellerie d’Etat 2008] Chancellerie d’Etat : Genève, nouveau vote réussi : un dixième succès pour le vote en ligne. Communiqué du 30 novembre 2008.

[Chancellerie d’Etat 2009] Chancellerie d’Etat : Pour la première fois, les Genevois de l’étranger voteront en ligne. Communiqué du 27 septembre 2009.

[Chancellerie d’Etat 2011a] Chancellerie d’Etat : Pour la première fois, tout le canton de Genève pourra voter en ligne. Communiqué du 15 mai 2011.

[Chancellerie d’Etat 2011b] Chancellerie d’Etat : Vote par Internet : qui l’utilise et quand ? Communiqué du 30 novembre 2008.

[Chevalier et al. 2006] Chevalier, Michel; Bahèghen-Bradley, Agatha; Vigouroux, Christophe; Montmasson, François; Villemin, Rémi; Ponchel, Franck: La solution genevoise de vote électronique à coeur ouvert. Flash informatique. No. 6 (2011), pp. 18-25.

[Gritzalis 2002] Gritzalis, Dimitris, A : Principles and requirements for a secure e-voting system. Computers & Security, Vol. 21, No.6 (2002), pp. 539-556.

[Hüsemann 2009] Hüsemann, Stefan: Informationssystem: Einführung RUP und UML. Herbstsemester 2009, pp. 1-23.

[Pieters 2011] Wolter, Pieters : Explanation and trust : what to tell the user in security and AI ? Ethics and Information Technology, Vol. 13, No. 1 (2011), pp. 53-64.

[République et canton de Genève] République et canton de Genève: http://www.ge.ch/evoting/welcome.asp. accessed 20.10.2011.

29

[Wierzbick &Pierzak 2007] Wierzbicki, Adam; Krzystof Pietrzak: Analyzing and Improving the Security of the Internet Elections. Polish-Japanese Institute of Information Technology in: N. Pohlmann, H. Reimer, W.Schneider, ISSE/SECURE 2007 Securing Electronic Business Processes. Highlights of the Information Security Solutions Europe/SECURE 2007 Conference, Vieweg, Wiesbaden 2007, pp. 93-101.

[Wikipedia 2011] Wikipedia 2011, http://en.wikipedia.org/wiki/Trust_%28social_sciences%29 accessed 24.10.2011.