Key Benefits:
La Commission nationale de l' informatique et des libertés,
Seizure on 2 October 2006 by the Ministry of Employment, Social cohesion and housing of a draft decree in the Council of State and a draft decree on the testing of electronic voting for labour elections;
Given the Council of Europe Convention No 108 of 28 January 1981 For the protection of persons with regard to the automatic processing of personal data;
Having regard to Directive 95 /46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of natural persons, The processing of personal data and the free movement of such data Data;
In view of the Law n ° 78-17 of 6 January 1978 on data processing, files and freedoms, as amended by Act No. 2004-801 of 6 August 2004, on the protection of natural persons with regard to the processing of character data Staff, in particular Article 27 (II, 4);
Given the Labour Code;
In view of the Election Code;
In view of Order No. 2004-603 of 24 June 2004, in particular Article 9;
In light of Decree No. 2005-1309 of 20 October 2005 for the application of The law of January 6, 1978 as amended;
Due to deliberation n ° 2003-036 of 1 July 2003 Adopting a recommendation on the security of electronic voting systems;
After hearing Ms. Isabelle Falque-Pierrotin, Commissioner, in her report, and Ms. Pascale Compagnie, Commissioner of the Government, in her report Comments,
Emet the following notice:
Section 9 of Order No. 2004-603 of June 24, 2004 provides that " For the next renewal of the mandate of labour advisors, electronic voting shall be carried out on an experimental basis in accordance with the terms and conditions laid down by decree in the Council of State. The materials and software will have to respect the secrecy of the vote and the sincerity of the vote. "
The Ministry of Employment, Social Cohesion and Housing, following the exchange between the services of the CNIL and management since 2005 The Committee, on 2 October 2006, submitted a draft decree to the Council of State and a draft decree adopted for the application of these provisions and intended to regulate this electronic vote.
Project Decree provides for the implementation, on an experimental basis, of electronic voting for the Electors registered on the electoral lists of electors in Paris, meeting the conditions laid down in Article R. 513-11 of the Labour Code. Electronic voting would take place on the Internet, at a distance and not on the spot, the solution of a system known as " Kiosk to vote ", i.e. electronic voting on site, having not been retained.
As a preliminary matter, the Committee notes that these projects are, very broadly, in accordance with its recommendation of 1 July 2003 on the security of the Electronic voting devices. However, some of the recommendations contained in this recommendation should be taken into account in the draft decree and decree.
On the independent expertise of the electronic voting system:
The Committee notes that, pursuant to the provisions of Article 8 of the draft decree, the electronic voting system is subject to independent expertise by an approved expert, whose report is communicated to the CNIL
The Commission considers that the requirement of prior expertise of the system constitutes an essential guarantee of the integrity of the electronic voting systems and requests that the system be provided for by the draft decree
Be attached to the prior formalities file, prior to The implementation of the electronic voting system.
On the separation of the identity of voters and votes:
According to the CNIL's recommendation of 1 July 2003, the secrecy of the vote must be guaranteed by the implementation Processes making it impossible to establish a link between the elector's name and the expression of his or her vote. Furthermore, the management of the voting file and the management of the list of votes must be carried out on " Separate, dedicated and isolated computer systems ".
In addition, these files must be subject to encryption measures according to a deemed public algorithm" Strong " And should not include a link to identify electors. The ballot must be encrypted as soon as it is issued and stored on the voting server without the encryption being interrupted at any time. The link between the voter's voting terminal and the voting server must also be encrypted to ensure the security of both the voter's authentication process and the confidentiality of the vote.
The Commission Welcomes the fact that Article 7 of the draft decree reverts the terms of its recommendation by specifying that two separate, dedicated and isolated automated treatments are created, respectively, " Voters' file " And " Electronic urn ".
Section 7 (III) provides that file data" Electronic urn " Are encrypted " And shall not include a link for the identification of voters. "
Accordingly, the Commission considers that the provisions of Article 7 should be replaced by the following provisions:" The absence of a link between the "voters file and the electronic file" is such as to guarantee the secrecy of the ballot. The data in these files are encrypted ".
Article 8 of the draft decree provides that" The vote is immediately encrypted by the system, before transmission to the "electronic urn content" file.
In view of the above mentioned recommendations, the Commission requests that the draft decree specify, on the one hand, that Vote is encrypted as soon as it is broadcast on the voter's terminal and, on the other hand, the link between the voter's voting terminal and the server hosting the file " Electronic urn "
On the modalities for the transmission of the mailing lists:
Article 15 of the draft decree provides that after the opening of the electronic vote, the list of electors who have used this voting method is " To update the list of electors on an ongoing basis. "
The Commission considers that this provision should be amended to cover the updating of the lists of electors, and not Not updating the list of electors, which takes place only once a year.
The Commission takes note of the proposed amendment to the draft order-in-council proposed by the department to clarify security measures To ensure the confidentiality of data in such transmissions Work.
On the impossibility of accessing any partial result:
Article 19 of the draft decree reads as follows: Once the ballot is closed, in each district, the President and the assessors of the centralist polling stations shall read the results of the voting by electronic means for their district." Thus, the results of the electronic vote can only be known once the ballot is closed.
The Committee requests, as it recommended in the examination of the provisions of the draft decree in the Council of State concerning the modalities Electronic means for the election of staff delegates and the works council, that the draft order states that: " The voting system ensures that partial results will not be available during the voting process. Only the number of voters, if any, may be released. "
On the location of computer means:
The Commission considers that the servers and other central computing means of electronic voting systems must be located on the national territory in order to enable a Effective control of these operations by the members of the polling station and the delegates as well as the intervention, if any, of the competent national authorities.
Accordingly, the Commission considers that the provisions of the draft decree should Be completed in this sense.
On the use of tele-maintenance:
The Commission considers that the use of remote maintenance of hardware and software should not be possible during the event and until the time limit for litigation is exhausted.
This clarification should be provided to the project Stopped.
On authenticating electors:
The Commission considers that authentication of the voter on the basis of an electronic certificate is the most satisfactory solution in the state of the art.
The proposed authentication device is based on an identifier and A secret code.
However, the Commission considers, in view of the nature of the elections and the open possibility for electors to vote by correspondence, as well as the experimental nature of the treatment, that the chosen device allows Ensure the authentication of electors under conditions
On the other hand, the Commission requests that the draft text provide that a register, communicated to the polling station, should be able to record the claims of the electors in the event that their secret code and identifier were Used by third parties.
On the information of persons:
The draft decree does not refer to the right of rectification provided for in Article 40 of the Computer Law and Freedoms. The Commission considers that Article 5 of the draft decree should be completed in this sense.
On the control of voting operations:
In order to ensure effective control of electoral operations, the Committee recommends that the technical provider make available to the representatives of the body responsible for the processing, experts, members of the polling station, The delegates of the candidates and the deputy returning officers all useful documents and the training of these persons in the functioning of the electronic voting system.
Accordingly, the Commission considers that Article 7 of the draft decree, which reserves the right to Training to list delegates only, should be completed in order to target All the actors mentioned above, as well as the availability of all relevant documents.
Article 6 of the draft decree expressly provides that the Ministry in charge of the work shall transmit to the specialised technical provider the list Electors who meet the conditions to vote electronically and the lists of candidates.
As a result, the Commission considers it necessary for the claimant to enter into a specific contractual commitment of confidentiality, in particular The transmission of this list. The Commission recommends that the claimant also undertakes contractually to restore or destroy the files in his possession at the end of the electoral process.
Article 6 of the draft decree should therefore be clarified in this respect.
In addition, the Commission points out that the electronic voting device must be able to provide the technical elements (reliability of the seal, anonymity of the vote, list of neasement, integrity of the ballot box, possibility of a recount Allowing, in the event of an electoral dispute, to verify the Actual application operation. The media files must be kept under seal until the appeal period is exhausted.
It takes note that the draft decree provides, in Article 20, that up to the expiry of the appeal period, the material files Including copy of source programs and executable programs, voting materials, data files, results and backups are kept under seal " Under the control of the electronic voting office ".
In addition, the Committee notes that the title of the draft decree could be completed in order to clarify that the experiment will take place during 2008, by parallelism with the title of the
The III of Article 2 of the draft decree, relating to the deadline for obtaining an electronic voting card, indicates that this card permits " To vote electronically, to the ballot box and by correspondence." To the extent that section 2 of the draft order clearly states that an elector who has exercised his or her right to vote electronically " Is no longer allowed to vote, either by correspondence or on polling day ", the Commission considers that these articles should be brought into line.
Finally, Article 3 of the draft decree, fixing the categories of personal data Relating to registered voters in the " Electors' file ", should refer to the II of section 7 of the Order (not section 8).
Other provisions of the draft Order and Order do not call for comments.
The President,
A. Türk
