08/10/2006: OSCE/ODIHR : Expert Visit on New Voting Technologies
The report of Office for Democratic Institutions and Human Rights on 8 October 2006 Local Elections in Kingdom of Belgium.
Official version :
Executive Summary
- In response to an invitation from the Belgian Government to observe the local elections scheduled on 8 October 2006, the OSCE/ODIHR sent two experts in electronic voting, accompanied by an ODIHR election adviser for a five day visit to Belgium between 4 and 9 October 2006.
- This was not an observation mission as such, but an expert study to increase ODIHR’s comparative knowledge of e-voting systems, also with a perspective on how to most effectively observe such processes.
- The experts familiarised themselves with the automated voting equipment and procedures in use in Belgium.
- They held meetings with the authorities responsible for the conduct of the elections, including administrators of the automated voting system currently in use in Belgium, as well as other bodies involved with automated voting. In addition, the experts also met with representatives of political parties and civil society.
- On 8 October 2006, Belgian voters voted for the country’s 589 Communal Councils and 10 Provincial Councils. This election took place within a renewed institutional framework, which has vested the Regions with the responsibility of their regulation and organisation.
- This was the fifth time since 1999 that e-voting has been used on a large scale in Belgium (some 44% of the electorate). Although two different electronic systems were used, both systems imply similar voting and counting procedures.
- The procedure, which did not provide for a voter verifiable paper trail, is being criticised in some for a for lack of transparency.
1. Introduction
In response to an invitation from the Belgian Government to observe the local elections scheduled on 8 October 2006, the OSCE/ODIHR sent two experts in electronic voting, accompanied by an ODIHR election adviser for a five day visit to Belgium between 4 and 9 October 2006. This was not an observation mission as such, but an expert study to increase ODIHR’s comparative knowledge of e-voting systems, and also with a perspective on how to most effectively observe such processes.
The OSCE/ODIHR is taking a stronger interest in electronic voting systems in order to further enhance its capacity to observe the performance of such systems in accordance with OSCE commitments. The long standing experience with e-voting, and the variety of the experiments conducted in the Belgian context, made it a particularly valuable case for an OSCE/ODIHR expert visit focussing on e-voting.
The experts held meetings with the authorities responsible for the conduct of the elections, including administrators of the automated voting system currently in use in Belgium, as well as other bodies involved with automated voting. In addition, the team also met with representatives of political parties and civil society (See Annex).
On the eve of election day, the team attended a session of tests and installations for the voting machines in the commune of Woluwe-Saint-Pierre (Brussels Region), and on Election Day, the members of the team visited polling stations and tabulation centres in the communes of Leuven (Flanders Region), Ixelles and Brussels (Brussels - Capital Region) and Durbuy (Wallonia region).
The OSCE/ODIHR wishes to thank the Belgian authorities, in particular the OSCE Chairmanship Unit, within the Federal Public Service of Foreign Affairs, for the cooperation and support extended to the team before and during the visit.
2. The 8 October elections
On 8 October 2006, Belgian voters were to elect the members of the country’s 589 Communal Councils (308 in the Flemish Region, 262 in the Walloon Region and 19 in the Brussels Capital Region), as well of the country’s 10 Provincial Councils.
Voting is compulsory in Belgium, and the electorate of some 7,575,893 Belgian voters (4,614,584 in Flanders, 2,394,591 in Wallonia, and 566,718 in Brussels) were expected by law to come to vote on 8 October. In addition, 63,578 non-Belgian EU citizens and 5,091 non-EU citizens residing in Belgium were also expected to take part. Non-Belgian voters were only able to vote for the commune councils and not for the provincial ones.
Since the 2001 Lambermont Agreement and Lombard Agreement, initiating the Fifth Reform of the State, and the subsequent Special Law of 13 July 2001, the legislation and regulations pertaining to communal and provincial elections, as well as their organisation, are within the competence of the Regions. This was the first time the Regions exercised this prerogative.
Both for provincial and communal councils, voters vote via a system of proportional representation with preference voting. Seats are then allocated using the rare Imperiali highest averages method.
3. E-voting in Belgium
Following an initiative from the Minister of the Interior in 1989, the Federal Parliament decided to start testing e-voting in two electoral cantons for the parliamentary and provincial elections of November 1991. Firms were requested to develop a system “as close as possible to the paper system”. Based on the lessons learnt from this experience, a system of e-voting was organised in the Law on Automated Voting adopted in April 1994, which made possible the extension of e-voting over the Belgian territory. It still constitutes the main legal basis for e-voting in Belgium. It has since then been amended several times.
In 1995, some 20% of the Belgian electorate voted electronically, and since 1999 e-voting involves some 44% of the Belgian electorate (100% in Brussels, 49% in Flanders and 22% in Wallonia), or 201 Communes out of 589. Although initially - and still officially - foreseen, no further extension of the use of e-voting has taken place since 1999. Large scale e-voting has been used in Belgium for the June 1999 regional elections, the October 2000 local elections, the May 2003 general elections, the June 2004 regional and European elections, and now the October 2006 local elections.
An amendment to the Law of April 1994 created a control body, the College of Experts, nominated by both Chambers of the Parliament for national elections, and by Regional Parliaments for local ones. They are in charge of controlling the use and functioning of all automated voting, counting and tabulation systems. The control works mostly through analysis and compilation of the source codes, spot checks of the materiel before election day, and of its functioning on election day. The experts are expected to issue a report after each election to the Minister of Interior.
There are two e-voting systems in use in Belgium : ‘Digivote’ (STERIA - 85% of the market) and ‘Jites’ (STESUD - 15% of the market). The source codes of the voting software were made available on an internet government portal. It is up to the communes which have opted for e-voting to choose which system they will use. The two systems being incompatible, all communes within one single canton must agree on the same system.
Although incompatible, both systems imply similar voting and counting procedures :
- Voting takes place in polling stations ; on average polling stations have 1000 voters and each voting machine in a polling station is foreseen for 200 voters.
- Voting machines in polling booths and the electronic ballot box are activated by the Polling Station Chair by means of a floppy disc before opening the polling station.
- After identification, voters receive a magnetic ballot card ;
- In polling booths, voters insert their ballot card into a computer and candidate lists appear on the screen ;
- Voters choose from the screen and confirm their choice, the computer only records the vote on the magnetic card ;
- The computer gives back to the voter their ballot card, where their vote is recorded ;
- The voter walks out of the booth, shows the polling station chair that his/her ballot card does not show any mark that could make it identifiable, and inserts the ballot card into an electronic ballot box.
- The card falls into the box ; the content of the box can be used for an electronic recount.
For the 2003 elections, a system referred to as ‘ticketing’ was tested in two electoral cantons. It mostly functioned as the above mentioned e-voting system, to which a paper trail was added. After expressing his/her choice, the voter could see the vote on a ticket behind a glass. If the vote on the ticket corresponded to the voter’s choice, the voter confirmed it and the ticket was cut and fell into a box. The law foresaw that in case there was a discrepancy, the voter had to call the polling station chair for help. There was a debate that such a modality was putting the secrecy of the vote at risk. In addition, experts concluded the technology used for the paper trail was not reliable enough. [1]
A system called ‘Favor’ (Fabricom) of automated counting by optical reader was also tested in 1999, 2000 and 2003. Voters voted using traditional ballot papers which were then scanned by an optical reader. In its report on the 2003 elections, the College of Experts concluded that automated counting was reliable. [2]
4. Current discussions
Over the past years, e-voting has become a matter of further discussion in Belgium, and some members of Parliament have expressed dissatisfaction vis-à-vis the current system. During these debates, controversial issues have arisen, which seem to be the main reason why the use of e-voting in Belgium has not been extended beyond the current 44% of the electorate using it since 1999. Some of the actors met complained that little or no debate took place when the experiment started, and the e-voting system has never been the object of a national evaluation / discussion.
Since 2003, a number of proposals for legal amendments reveal the diversity of positions across the political spectrum. None of these have been adopted, but during a debate on e-voting organised in the Federal Chamber of Representatives in December 2003, the Chairman of the Chamber recognised that there was growing opposition to e-voting in Belgium, within the Chamber.
A Resolution was adopted by the Regional Parliament of Brussels - Capital in July 2006, asking for "adding transparency to the e-voting system”, through, inter alia, the addition of a voter verifiable paper trail, an increased oversight of the College of Experts, the publication of all expert reports, and clarification of the tendering process for e-voting service providers.
In addition, some scholars have argued that the presentation of the lists on the screens had a political effect, in the sense that contrary to the paper ballot system, it implies giving a priority to the choice for a party over the choice for a particular candidate. Contrary to the paper ballot which shows all the lists with their candidates on the same paper, with the e-voting system, the voter can only see the name of the candidates once he/she has already chosen the party. According to some, this aspect could favour a party-driven political process, often referred to in Belgium as “particratie”.
Several NGOs have given debates on this topic an increasing visibility ; in particular these are reflected on the following websites among others : www.afront.be, www.poureva.be, www.vooreva.be
Besides questions and some criticism concerning the value for money of the e-voting system, which are outside the scope of the ODIHR study, the main critics have focussed on what is seen as a limitation of possibilities for democratic control, with a particular emphasis on the absence of a voter verifiable auditable paper trail. It is argued that voting operations cannot be controlled / monitored properly, either by the voters or by party / candidate representatives in polling stations. This aspect was already mentioned by the Belgian Privacy Commission [3] before the adoption of the Law on Automated Voting in 1994.
The question of the confidence in the system is linked to the degree of transparency of the system for the voter. In the context of the Belgian e-voting system, confidence would mean that voters implicitly answer positively the following questions :
- Is what is written by the voting machine on the magnetic card an accurate reflection of the choice made by the voter on the screen ?
- Does the ballot box software read accurately the content of the magnetic card when the voter inserts it into the box ?
- Is what is stored in the ballot box memory and subsequently on the ballot box floppy disc really the voter’s vote ?
- Will the content of the ballot box floppy disc be read accurately in the tabulation centre ?
In the absence of a paper trail, which could allow the voters to verify the accuracy of their vote, and would provide for possibilities of a paper recount in case of doubt, there is no way the above mentioned aspects can be directly observed.
5. Observing e-voting
In these circumstances, observation of the e-voting system is de facto limited to an analysis of the security mechanisms in place, and to an observation of their implementation.
Actors involved in the e-voting system for the 8 October 2006 elections
- Regional Ministries of the Interior : In charge of running the elections. They conduct the tendering processes, certify the software, reproduce and distribute the software to be used in polling stations.
- Developers / Vendors : Private IT firms which prepare the voting software. They also provide technical support / help desk on election day.
- Auditing Companies : Private auditing companies which audit the software produced by the vendors and deliver an audit report to the Ministries of the Interior. This procedure started in 2003, upon a recommendation of the College of Experts.
- Regional Colleges of Experts : Nominated by the regional Parliaments, in charge of controlling the functioning of the whole voting and tabulation automated system. Their mandate starts 40 days before election day. They deliver a report to the regional Ministries of the Interior.
Hardware
Communes using e-voting have been equipped with two sorts of computers to be in place in polling stations :
- voting machines in polling booths ;
- one computer / electronic ballot box which both initialises voting magnetic cards, and reads the cards as they are inserted in the box.
Software
There are actually three separate programmes, which are different for the Digivote and the Jites systems :
- The voting software to be installed in voting machines in polling booths ;
- One software used to initialise the magnetic cards, which is also installed in the electronic ballot box and used to read the cards as they are inserted in the ballot box by the voters ;
- One software is used for the tabulation at Commune / Canton level.
Stages of the process
In each of the three regions :
- The process starts by selecting the firm in charge of updating the software, through tender or other means. In the case of local elections, the regional Ministry of the Interior (MoI) is responsible for choosing the provider. The firm STESUD won the market in all three regions. [4]
- The software produced by the firm is then submitted to an audit. The audit was carried out by Bureau Van Dijk in Brussels Region, Price Waterhouse Coopers in the Flanders Region and Control Service Solutions in the Walloon Region.
- The audit report is then handed to the regional MoI. It is not public. Based on the audit report, the regional MoI certifies the conformity of the software.
- The software is stored on CD-Rom and kept in a bank safe. Two copies are made of it, in front of the regional College of Experts. One copy is handed to the regional MoI and the other is given to the College of experts.
- The College of Experts perform their own compilation of the source code and compare the outcome with the executables provided by the vendor.
- From its copy, the MoI gives the source code of the software to political parties contesting the elections.
- Once the period for candidates to apply is closed, three to four weeks before election day, the lists of parties and candidates are inserted in the software. Screens showing the candidates lists are printed and signed in each Commune by the Justice of the Peace who chairs the main electoral office of the Commune (Bureau Principal de Commune).
- From its copy of the software, the regional MoI starts preparing sets of floppy discs to be used in each polling station (one master disc and 2-3 backup discs). The floppy discs are encrypted using AES Rijndael encryption standard. For each set of floppy discs, the MoI generates a password which is unique to each polling station.
- The password is used as a cryptographic key for encrypting software and election-specific information (candidates etc.) on the disc. Passwords and floppy discs are sealed in different envelopes. As a rule, the package for each polling station comprises an envelope containing the discs and an envelope containing the password, both being attached together.
- Polling Station Chairpersons receive the set of floppies and the password to be used in their polling station on the eve of election day or in the morning of election day, usually with a set of magnetic voting cards.
- On Election Day, each polling station Chair opens the envelopes and uses the password to decrypt contents of the disc when starting up the voting machines and the ballot box. The passwords remains in the memory (RAM) of the ballot box.
- Before opening the polling station to the public, reference votes are made for each e-voting booth using four to six initialized magnetic cards. These votes are random and non-blank in order to assess the correct functioning of the voting machine software if needed. Chosen reference votes are recorded in a given paper form. This paper with magnetic cards used for the reference votes are enclosed in an envelope.
- Voting computers are discless. They are booted from the floppy discs and run during election day on the floppy discs. In each polling station, the same unique encryption key is written in the voting software, and in the software used for both the initialisation of magnetic cards and their reading by the ballot box.
- When voters insert their card into the electronic ballot box, votes are read out from the card, saved in RAM and also in the floppy disc of the ballot box.
- The main purpose of writing votes on floppy disc is that in case of power loss, accident rebooting or malfunctioning of the electronic ballot box hardware, it can be restarted from the floppy disc with (encrypted) votes on it.
- Votes stored on the ballot box floppy disc are encrypted with the same password of the polling station. When voters insert their magnetic ballot card into the ballot box, the ballot box software recognises the polling station password, and stores the content of the card in the box memory. Cards which have not have been initialised with the right polling station password are rejected by the ballot box.
- The ballot box programme randomly stores the still encrypted votes in its memory in a database file, so that votes could not be identified from reconstructing the order in which they have been inserted in the box. [5]
- After the end of voting, votes are summarized in the electronic ballot box following a special procedure. The generated summary of the votes is encrypted with the same password of polling station. Several backup discs are made.
- Vote tabulation is performed generally at commune level (for municipal elections) although there might be multiple levels of counting involved. Presidents of the voting stations are supposed to physically bring the discs with summarized encrypted votes on it together with the sealed ballot boxes to the commune main electoral office.
- Discs containing the tabulation software are also prepared centrally by the MoI. The same scheme is used - software and election-specific information is encrypted by key/password for each individual tabulation place with secure password delivery.
- There appears to be two modes of handling the encrypted disc from polling station - automatic and manual. With the manual mode, station-specific password must be entered. With automatic mode there’s no need for the password. This implies that the tabulation software discs can recognise passwords for each polling station of the commune / area. Also, a printed list of passwords for each polling station is available in practice for the manager of the tabulation office.
- The tabulation software is designed so that it does not output intermediate results before the vote summary from at least three individual polling stations are entered. They can add together the results of up to 30 polling stations and only deliver the aggregated results [6].
- If needed, it is possible to recount the votes of a particular polling station by unsealing the ballot box, initializing its software and inserting again all the magnetic cards it contains.
Issues for Review and Observation
The aim of the study visit was not to observe as such, and provide an assessment of the e-voting system in Belgium ; rather, the deployment of experts provided an additional perspective, from the Belgian experience, which can be valuable in developing methods for observation of new voting technologies. In this context, and building upon other comparative experience, the following issues emerged from the study visit :
- How the system was chosen ;
- How the hardware is kept between elections ;
- How the technical specifications are established before the tendering process for the update of the software ;
- How the software is audited and certified ;
- Who has access to the certification documentation ; in particular whether contestants or observers can have access to it ;
- Who has access to the software master copies and how they are stored ;
- Whether the public authorities make the source code of the software available to the public ;
- The degree to which the public authorities rely on the vendors for technical support ;
- Who has access to the polling stations’ passwords and how polling stations’ discs are kept and distributed ;
- Whether the security procedures are adhered to by all stakeholders ;
- Whether the system ensures anonymity of the vote or, on the contrary, whether there exist possibilities to disclose the content of a particular vote ;
- Whether it is possible to delete votes cast ; to substitute electronic votes or to tamper with the results ;
- Whether the system is easily accessible to all voters ;
- Whether the system allows for a recount.
Steps for Direct observation :
There are different observation tasks that can be performed by the e-voting experts at central level, by long-term observers and short-term observers.
Centrally, e-voting experts should be able to directly observe the various stages of the process, possibly including (for a system such as the Belgian one) :
- Having access to the technical specifications for the tendering process ;
- Having access to the audit reports ;
- Following the College of Experts in the performance of their control duties such as spot checks, compilation of source codes, copying of software, etc. In practice, the confidentiality clause in the status of the members of the College of Experts could constitute a limit to direct observation.
- Observing the preparation of the floppy discs to be used in polling stations at the level of the Ministry of the Interior.
The role of observers in the regions would be limited to attending sessions of diagnostics of the hardware (if the timeframe allows), observing the installation of voting machines and ballot boxes in polling stations (spot check), observing the delivery of the software floppy discs polling station sets and the magnetic cards, observing how these materials are stored locally before being dispatched to polling stations.
On election day, observers would follow e-voting procedures in polling stations, commencing with the starting up of the voting machines, and would assess the adherence to procedures in the polling stations visited, using a check list prepared by e-voting experts.
ANNEX : Structure and Conduct of the Visit
The expert team comprised Mr. Tarvi Martens (Estonia), Mr. Herman Ruddijs, (Netherlands), and Mr. Gilles Saphy, ODIHR Election Adviser.
After an introductory meeting with the OSCE Chairmanship Unit within the Belgian Ministry of Foreign Affairs, the team held a series of meetings aimed at familiarising themselves with both the context and the technology.
The team met with members of the Federal Parliament who have taken an interest in the use of e-voting systems in Belgium, in particular with those who, over the past few years have forwarded proposals to amend the Law on Automated Voting. These were Mr. Philippe Mahoux (Senate - PS), Ms Clotilde Nyssens (Senate - CDH) and Ms Zoé Genot (Chamber of Representatives - ECOLO). The team also met with Pr. Francis Delpérée (Senate - CDH), who is also a prominent academic lecturing on constitutional law in the University of Louvain-La-Neuve. The team requested a meeting with Mr. Alain Destexhe (Senate MR), who was not available.
On the technical side, the team met with Mr. Henri Snyers and Mr. Stéphan De Mul, from the Directorate General for Institutions and Population, within the Federal Public Service of the Interior. They have been over the past years in charge of the supervision of the e-voting system at central level and provided the team with detailed explanations on how the overall architecture of the system operates, with a particular emphasis on the technology used and the safety mechanisms. For the October 2006 elections, they acted as an advisory desk for the regional authorities, vested with the responsibility to run local elections.
The team also met with members of the Colleges of Experts of the Region of Brussels - Capital and of the Walloon Region. The members presented their mandate to the team and the tools at their disposal to carry out their control duties. These meetings gave further opportunities to the team to acquire a deeper knowledge of the system.
The team met with representatives of the firms providing software and technical support for e-voting, in particular the two firms, STERIA and STESUD, which have been involved in e-voting in Belgium since 1991. They both have provided the hardware in use in Belgium since the beginning, STERIA holding 85% of the market with its “Digivote” system, and STESUD 15%, with the “Jites” system. For the October 2006 elections, STESUD won the market of the update of the voting software for the three regions.
The team also met with authorities involved in the running of the elections at the level of the Regions : Mr. Paul-Henri Philippe, Directorate General for the Administration of Local Government, Region of Brussels - Capital, Mr. Philippe Courard, Minister for Internal Affairs and Civil Service of the Walloon Region, and Ms Mireille Francotte, in charge of the Election Cell within his Ministry ; Mr. Rik Haex, Head of the main office of Leuven, Region of the Flanders.
The team met with a representative of the association PourEVA, a civic group who take an active part in debates on e-voting in Belgium and express critical views on the system currently in use.
Finally, the team met with Mr. Jan Vansevenant, legal adviser for the Belgian Privacy Commission. That commission had issued recommendations on e-voting in 1993, before the Law on Automated Voting was adopted.
+++ OSCE +++
[1] See : Chambre des représentants et Senat de Belgique, Collège d’experts Charge du contrôle des systèmes de vote et de dépouillement automatises, Rapport concernant les élections du 18 mai 2003, Belgische Kamer van Volksvertegenwoordigers en Senat, College van deskundigen belast met de controle van de geautomatiseerde stemmingen en stemopneming, Verslag betreffende de verkiezingen van 18 mai 2003
[2] Ibid.
[3] Commissie voor de bescherming van de persoonlijke levenssfeer - Commission de la protection de la vie privée, Recommendation 1/93
[4] In the Regions of Brussels - Capital and Wallonia, this was done through a tendering process, which both regions chose to conduct jointly, and the tender was won by STESUD. In the Flanders the situation was different since the Regional Government has a contract with the firm EDS (Electronic data Service) which grants the firm a “right of first refusal”. EDS subcontracted STESUD.
[5] Some commentators express doubts that a complete random storage is feasible and argue that reconstruction of the order of the votes is theoretically possible.
[6] The Belgian legislation prevents counting and issuing results by polling station. For polling station functioning with traditional paper system, the content of the ballot boxes of at least three polling stations must be mixed together before being counted.