E-voting: when transparency means more security
On 14 December 2016, the State of Geneva started a revolution by publishing the first elements of the source code of its native E-voting system “CHVote” on the GitHub Platform (https://republique-et-canton-de-geneve.github.io/chvote-1-0/index-fr.html). This groundbreaking step toward transparency and co-creation was the outcome of a long process launched seven years earlier, when the cantonal parliament allowed any citizen from Geneva, Bern, Basel and Lucerne to audit the source code – something which the Bern University of Applied Sciences (BFH) and the Geneva Pirate party also did in 2012.
In January 2015, the Geneva Parliament, on the recommendation of the government, adopted a new law requiring publication of the entire source code of the E-voting system within three years. To do so, the Government chose the Affero GPL 3.0 (AGPL) open source licence as the template. On 20 April 2017 a prototype of a universal verifiability protocol was published. This protocol presents the end-to-end cryptographic tools to be implemented between citizens and the system infrastructure, thus offering optimal security thanks to universal verifiability. It is currently being developed.
This shift from a passive transparency, in which the citizen has to ask the government to consult the source code, toward an active one, in which the code is directly and publicly published on the internet, is justified by the ever-greater need to build trust in digital tools, and especially those used in democratic processes. Transparency builds trust. But not only that: transparency also contributes to greater security.
There is no system built by humans that doesn’t involve risks. It is the responsibility of any system developer and provider to ensure that their system is as secure as can be. This is why from the very start, the Geneva E-voting system has been developed with security as the top priority. Since 2015, citizens who use CHVote have been able to verify, using individual and personal control codes, that their vote has been correctly placed in the electronic ballot box. This is called “individual verifiability”.
More traditional security measures are also implemented and regularly updated. The system and the network are constantly monitored through logs and checks. The electronic ballot box is sealed and opened by an independent electoral commission that possesses all the access codes. This same commission also places control votes in the electronic ballot box during the voting process to ensure its integrity. Audits and hacking tests are carried out regularly. Every three years, full, legally required public audits are carried out and their results published. Finally, the whole system is placed under the scrutiny and authorization of the federal authorities. All of these are vitally necessary measures.
For a long time, security in the digital world meant building sophisticated systems, processes and firewalls. On the technical level, this is a perfectly sound approach. But security was achieved through keeping things closed, both in technological and communications terms; the higher the walls, the lower the possibility of looking into the system’s black box, the higher the security. Today, this paradigm is fading away – and with good reason.
In 2015, before we published the first part of our source code, we organized workshops with hackers, citizens, journalists and academics to investigate how we could enhance the trust citizens have in E-voting. The outcomes were clear-cut: let citizens look into the system, let the best hackers and specialists contribute to the system and share their experience and expertise. Opening up the system and allowing public scrutiny contributes directly to its security. Firstly, by benefiting from their knowledge. Secondly, by showing that we have nothing to hide and that the system is exactly what it is meant to be: an unbiased democratic tool.
From here we start to see a pattern emerge: transparency builds trust, which contributes to co-creation, which in turn enhances security. In this paradigm, the citizen both contributes to and benefits from this approach. By having the opportunity to see for themselves how the system works and is made, citizens gain confidence, and thus their appetite for using E-voting increases. And by being required to contribute to the creation of the system itself, they take part in making it better and safer. In the end, the goal is that this crucial democratic tool becomes the citizens’ tool, because we are much more likely to defend something we own than something we simply use.