Next: Voter assurance Up: Proposal for restructuring Previous: Secret suffrage


Direct suffrage

The committee did not categorise any of their standards under "direct suffrage", saying that it "does not call for special attention" [7]. We contend that, since direct suffrage (as defined by the CoE) requires that "the ballots cast by the voters directly determine the person(s) elected" [7], any measure used to protect the votes from tampering falls into this category, as does any measure to ensure that the results are tabulated correctly.


14) The e-voting system shall accurately record votes (95)

  1. It shall be ensured that the voter is presented with an authentic ballot (90a)
  2. The vote cast by a voter shall be the vote recorded within the system (92) [10, guideline 42]


15) The e-voting system shall prevent recorded votes from being changed or deleted (15, 34a, 92)


16) The e-voting system shall accurately calculate the result based solely on the votes cast (7, 98)

  1. There shall be a secure and reliable method to aggregate all votes. (8)

In order to support these requirements:


17) Provision shall be made for the observation of all stages of elections to the extent permitted by law. (23, 56)

  1. Reliable, accurate, detailed observation data shall be produced. (83)
  2. Observers shall be educated about the expected behaviour of the system and its operators so that they can make informed judgements about the reliability of election results [14]


18) There shall be a comprehensive audit system designed into the e-voting system to provide information about the functioning of the system at all levels. (59, 100, 101, 102, 103, 104, 107, 108) Audit information recorded shall, at a minimum, include:

  1. The number of votes cast,
  2. Count information (including personnel involved, and enough information to reproduce the count results),
  3. Any suspicious activities which may indicate some kind of attack on the system (including votes affected, if applicable),
  4. System failures and malfunctions,
  5. Logs of authorised access to the system (including user identity and activities undertaken). (57, 58)


19) Software engineering best practice shall be followed, including:

  1. A comprehensive risk assessment shall underpin the decision to introduce e-voting in general, and any system in particular. This assessment shall be carried out by individuals with a suitable level of expertise. (III)
  2. Components' access to time sources shall be strictly limited on a "need to know" basis [14,20]. (contrast with 84, see section 6.4)
  3. Change management for the system shall be open and transparent. In particular:
    1. All components of the system shall be subject to version control. (69b)
    2. It shall be possible to accurately and reliably determine whether a given component is the version tested and approved for use.
    3. Any updates of software, including third-party software such as operating systems, shall be justified before installation [14].
    4. There shall be a bug-tracking system.
    5. All of these measures shall follow best practices.
  4. Compliance with suitable open standards is recommended. (66)
  5. At least one competent, independent body (certification authority) shall be appointed to assess and certify the system's operation and compliance with these standards. (111)
  6. The certification authority shall develop a test plan which covers testing to be carried out: before the system is introduced, at regular intervals, and triggered by specific events (for example software updates, upcoming elections) as well as the timing of such tests. (25, 31, 73)
  7. All components of the system and software used, and all audit information, shall be publicly disclosed. Exceptions to this rule shall only be allowed where it can be shown that such a disclosure would either endanger the security of the system or genuinely endanger the intellectual property of the vendor. In either of these cases, full disclosure shall be made to the certification authority for verification and certification purposes. (contrast with 24, 69a, 105, 110)
  8. The system shall be fault tolerant and fail safe.
    1. Any backup system shall conform to the same standards and requirements as the original system. (70b)
    2. Technical and organisational measures shall be taken to ensure that no data will be permanently lost in the event of a breakdown or a fault affecting the e-voting system. (27 - see point 65 in [8], 77)
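Points 19.3.2 and 20.4 require that it be possible to determine, reliably, whether a deployed component is the version that was tested and approved. The following is an added illustration of one way that check can be carried out; it is not code from the paper or from any system the paper describes. It assumes the certification authority publishes an approval manifest mapping each component name to the SHA-256 digest of the approved build, and all component contents and names below are constructed for the example.

```python
"""Check deployed e-voting components against an approval manifest.

Added example, not from the original paper. The manifest holds, for every
component, the SHA-256 digest of the build the certification authority
tested. Each deployed component is re-hashed and compared; anything that
differs from, is missing from, or was never listed in the manifest is
reported, so the deployment is accepted only when it is exactly the
approved set. Components are passed as bytes so the check runs offline.
"""
import hashlib
import hmac

# Constructed approved builds (stand-ins for real component binaries).
APPROVED_BUILDS = {
    "ballot-presenter": b"ballot-presenter v2.1 (approved build)",
    "vote-recorder": b"vote-recorder v2.1 (approved build)",
    "tally-engine": b"tally-engine v2.1 (approved build)",
}


def component_digest(contents: bytes) -> str:
    """SHA-256 hex digest of a component; this is the identity the manifest records."""
    return hashlib.sha256(contents).hexdigest()


# Constructed approval manifest: component name -> digest of the approved build.
APPROVED_MANIFEST = {name: component_digest(data) for name, data in APPROVED_BUILDS.items()}


def check_deployment(deployed: dict, manifest: dict) -> dict:
    """Compare deployed components (name -> bytes) against the approved manifest.

    Returns four sorted lists:
      approved   - present and byte-identical to the tested build
      modified   - present but its digest differs from the approved build
      missing    - listed in the manifest but not deployed
      unapproved - deployed but never certified (absent from the manifest)
    """
    result = {"approved": [], "modified": [], "missing": [], "unapproved": []}
    for name, expected in manifest.items():
        if name not in deployed:
            result["missing"].append(name)
            continue
        actual = component_digest(deployed[name])
        # compare_digest gives a constant-time comparison of the two digests
        if hmac.compare_digest(actual, expected):
            result["approved"].append(name)
        else:
            result["modified"].append(name)
    for name in deployed:
        if name not in manifest:
            result["unapproved"].append(name)
    for names in result.values():
        names.sort()
    return result


def deployment_is_approved(deployed: dict, manifest: dict) -> bool:
    """True only when every approved component is present, unchanged, and nothing extra is installed."""
    report = check_deployment(deployed, manifest)
    return not (report["modified"] or report["missing"] or report["unapproved"])


if __name__ == "__main__":
    # Constructed drift: a patched recorder, the tally engine removed, an uncertified helper added.
    drifted = {
        "ballot-presenter": APPROVED_BUILDS["ballot-presenter"],
        "vote-recorder": APPROVED_BUILDS["vote-recorder"] + b" + hotfix",
        "diagnostics-helper": b"uncertified helper",
    }
    print(check_deployment(dict(APPROVED_BUILDS), APPROVED_MANIFEST))
    print(check_deployment(drifted, APPROVED_MANIFEST))
```

The manifest itself must be protected in the same way as the other data under point 20.1 (its origin verifiable and its integrity protected), otherwise replacing the manifest alongside a component defeats the check; the example takes the manifest as already trusted.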


20) Security measures shall be employed (28) to protect the system from fraud and error. (29)

  1. Where data must be transmitted and/or stored electronically its origin shall be verifiable and its integrity shall be protected. Currently this is likely to require the use of cryptography. (26, 75c, 89, 97, 99, 109) (Such data may include votes, voter registers, lists of candidates (86), and audit information.)
  2. Where access to data must be restricted (for example authentication data), its secrecy shall be protected. Currently this is likely to require the use of cryptography. (81)
  3. The system shall be monitored during operation for compliance with requirements. (72a, 79a)
  4. Security arrangements shall ensure that, for the duration of operation, each component is the version tested and approved for use.
  5. Incident levels shall be defined and appropriate responses identified. (76)
  6. All technical operations shall be subject to a formal control procedure. (74a) In particular:
    1. The principle of separation of duty shall be applied wherever applicable. [2]
    2. Physical and electronic access to equipment used in elections shall be limited via a comprehensive authentication system which complies with best practice, including the principle of least privilege. (32a, 80)
    3. Clear rules shall be developed for determining access privileges of individuals, and for the appointment of personnel to sensitive positions. (32a)
    4. All personnel who have been assigned a cryptographic key for authentication shall be educated about key management.
    5. The physical security of equipment used in elections shall be protected during (75a) and between elections. Access shall be restricted according to the formal control procedure.
    6. Any changes to key equipment shall be notified to the authorities identified in the control procedure. (74b)
    7. Critical technical activities shall be carried out by teams of at least two people. The composition of the teams shall be regularly changed. All such activities shall be the subject of a report. As far as possible, such activities shall be carried out outside election periods. (32b, 33a)
    8. Where such activities must be undertaken during an election period, they shall be monitored by election observers. (33b)
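Points 15, 16, 18 and 20.1 together ask for recorded votes that cannot be silently changed or deleted, a count that can be reproduced from the recorded votes alone, and stored data whose integrity and origin are protected. The block below is an added example of a mechanism that satisfies those requirements together; it is not code from the paper or from any system it describes. Each recorded vote is linked into a SHA-256 hash chain, a head (record count plus last hash) is committed when the poll closes, and the tally refuses to aggregate unless every link verifies against that head. All vote data and the authority key are constructed, and an HMAC over the committed head stands in for the digital signature a real system would use so that observers can verify the head's origin without holding a secret.

```python
"""Tamper-evident vote records with a committed head and a chain-verified tally.

Added example, not from the original paper. record_hash = SHA-256(prev_hash ||
canonical JSON of the record). Changing, deleting, inserting or reordering a
record breaks a link or the committed count, and the tally is only computed
from a chain that verifies. Vote data and the authority key are constructed;
the HMAC is a stand-in for a digital signature over the published head.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # previous-hash value used for the first record


def canonical(record: dict) -> bytes:
    """Stable serialisation so an identical record always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def chain_hash(prev_hash: str, record: dict) -> str:
    return hashlib.sha256(prev_hash.encode() + canonical(record)).hexdigest()


def append_vote(records: list, ballot_id: str, choice: str) -> dict:
    """Append a vote whose stored entry carries its own chain hash."""
    prev = records[-1]["hash"] if records else GENESIS
    body = {"seq": len(records), "ballot_id": ballot_id, "choice": choice}
    entry = dict(body, hash=chain_hash(prev, body))
    records.append(entry)
    return entry


def verify_chain(records: list) -> tuple:
    """Recompute every link; returns (ok, reason) naming the first broken record."""
    prev = GENESIS
    for i, entry in enumerate(records):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i:
            return False, f"sequence gap or reorder at position {i}"
        if not hmac.compare_digest(chain_hash(prev, body), entry["hash"]):
            return False, f"record {i} fails its chain hash"
        prev = entry["hash"]
    return True, "chain intact"


def commit_head(records: list, authority_key: bytes) -> dict:
    """Head published when the poll closes: count, last hash, and a MAC over both."""
    head = records[-1]["hash"] if records else GENESIS
    msg = f"{len(records)}:{head}".encode()
    return {"count": len(records), "head": head,
            "mac": hmac.new(authority_key, msg, hashlib.sha256).hexdigest()}


def verify_head(records: list, committed: dict, authority_key: bytes) -> tuple:
    """Check the head's origin, then the chain, then that the chain ends at the head."""
    msg = f"{committed['count']}:{committed['head']}".encode()
    expected_mac = hmac.new(authority_key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_mac, committed["mac"]):
        return False, "committed head is not authentic"
    ok, reason = verify_chain(records)
    if not ok:
        return False, reason
    if len(records) != committed["count"]:
        return False, f"expected {committed['count']} records, found {len(records)}"
    head = records[-1]["hash"] if records else GENESIS
    if head != committed["head"]:
        return False, "chain head does not match committed head"
    return True, "records match committed head"


def tally(records: list, committed: dict, authority_key: bytes) -> dict:
    """Aggregate votes only from a record set that verifies against the committed head."""
    ok, reason = verify_head(records, committed, authority_key)
    if not ok:
        raise ValueError(f"refusing to tally: {reason}")
    counts = {}
    for entry in records:
        counts[entry["choice"]] = counts.get(entry["choice"], 0) + 1
    return counts


if __name__ == "__main__":
    key = b"constructed-authority-key"
    recs = []
    for ballot, choice in [("b1", "A"), ("b2", "B"), ("b3", "A")]:
        append_vote(recs, ballot, choice)
    head = commit_head(recs, key)
    print("tally:", tally(recs, head, key))
    altered = [dict(e) for e in recs]
    altered[1]["choice"] = "A"            # a changed vote
    print(verify_head(altered, head, key))
    print(verify_head(recs[:-1], head, key))  # a deleted final record
```

Deleting the last record leaves a chain that verifies on its own, which is why the committed count and head hash are needed in addition to the chain; publishing the head to observers at close of poll (point 17) is what turns the chain into evidence that the tallied set is the recorded set.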


margaret 2006-05-25