
Deliberation No. 2010-371, October 21, 2010, On The Adoption Of A Recommendation On The Security Of Electronic Voting Systems

Original Language Title: Délibération n° 2010-371 du 21 octobre 2010 portant adoption d'une recommandation relative à la sécurité des systèmes de vote électronique


JORF No. 0272 of 24 November 2010, text No. 29



Deliberation No. 2010-371 of 21 October 2010 adopting a recommendation on the security of electronic voting systems

NOR: CNIA1000012X ELI: Not available


The National Commission on Informatics and Liberty (CNIL),
Having regard to the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;
Having regard to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
Having regard to the Electoral Code;
Having regard to Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, as amended by Act No. 2004-801 of 6 August 2004 on the protection of individuals with regard to the processing of personal data;
Having regard to Decree No. 2005-1309 of 20 October 2005 implementing Act No. 78-17 of 6 January 1978 on information technology, data files and civil liberties, as amended by Decree No. 2007-451 of 25 March 2007;
Having heard Ms Isabelle Falque-Pierrotin, Vice-President, in her report, and Ms Elisabeth Rolin, Government Commissioner, in her observations,



Makes the following observations:
Whereas electronic voting was only in its infancy in 2003, when the CNIL adopted its first recommendation, the Commission notes today that on-site and remote electronic voting systems have developed and are now spreading to an increasing number of voting operations and types of ballot.
The Commission stresses that the use of such systems must respect the fundamental principles that govern electoral operations: the secrecy of the vote, except for public ballots; the personal, free and anonymous nature of the vote; the sincerity of the electoral operations; the effective supervision of the vote; and its a posteriori review by the election judge. Electronic voting systems must also comply with the requirements of the constitutional, legislative and regulatory texts in force.
The Commission notes that while the main use of electronic voting remains professional elections (works councils and staff representatives), it is also developing for general meetings, supervisory boards, elections of representatives of regulated professions and, since 2003, for political elections. In addition, in 2009, the possibility of using electronic voting for a national election by direct universal suffrage was introduced for the first time, by Order No. 2009-936 of 29 July 2009 on the election of deputies by French citizens established outside France.
In view of the extension of internet voting to all types of elections, the Commission wishes to recall that electronic voting poses increased difficulties with regard to the above principles, both for those responsible for organising elections and for those responsible for verifying their conduct, chiefly because of the highly technical nature of the solutions deployed. In the course of the Commission's work since 2003, it has been found that existing voting systems did not yet provide all the guarantees required by the legal texts. Accordingly, and in particular in the light of the above, the Commission has reservations about the use of electronic voting systems for political elections.
The purpose of this deliberation is to revise the 2003 recommendation in the light of the electoral operations that have taken place since that date and of the CNIL's analysis of them, including through the inspections it has carried out.
The scope of the new recommendation is remote electronic voting systems, in particular via the internet. It does not cover voting by barcode, voting by fixed or mobile telephone, or voting machines. It is intended to lay down, in a pragmatic manner, the minimum guarantees that any electronic voting system must meet, which may be supplemented by additional measures. It also aims to guide future developments of electronic voting systems towards better compliance with the principles of personal data protection, and to inform data controllers when choosing which electronic voting system to adopt.
It repeals Deliberation No. 2003-036 of 1 July 2003 adopting a recommendation on the security of electronic voting systems.
In the light of these preliminary observations, the Commission issues the following recommendation:


I. ― Requirements for the implementation of electronic voting systems
1. Expert assessment of the electronic voting system


Any electronic voting system must undergo an independent expert assessment.
The assessment must cover the entire system as installed before the ballot (software, servers, etc.), the use of the voting system during the ballot, and the post-vote steps (counting, archiving, etc.).
The assessment must cover all the measures described in this deliberation, and in particular:
― the source code of the software, including where free software is used;
― the sealing mechanisms used at the different stages of the ballot (see below);
― the computer system on which the vote will take place, and in particular the fact that the ballot is run on an isolated system;
― network exchanges;
― the encryption mechanisms used, in particular for encrypting the ballot on the voter's workstation.
The assessment must be carried out by an independent expert, meaning one who meets the following criteria:
― being a security specialist;
― having no financial interest in the company that created the voting solution under assessment, nor in the data controller that decided to use it;
― having experience in analysing voting systems, if possible having assessed electronic voting systems from at least two different providers;
― having attended the training given by the CNIL on electronic voting.
The assessment report must be provided to the data controller. Providers of electronic voting solutions must also forward to the CNIL the assessment reports for the first version of the voting solution deployed and for each substantial change to it.
Where the assessment covers a broader field than that of this recommendation, the report provided to the data controller must include a specific part evaluating the system against each point of the recommendation.
The expert must provide a technical means of verifying a posteriori that the various software components on which the assessment was carried out have not been modified on the system used during the ballot. The method and means for carrying out this check must be described in the assessment report.


2. Separation of voter data and voting data


The system must ensure that the voter's identity cannot be linked to the expression of their vote, at any point in the voting process, including after the count.


3. Computer security


All physical measures (access control, precise determination of the persons authorised to intervene, etc.) and logical measures (firewall, access protection for applications, etc.) must be taken, both on the system's servers and on publicly accessible terminals, in order to guarantee the security of personal data and of the voting system as a whole. Encryption and electronic signature algorithms must in all cases be public algorithms regarded as "strong" and must, where the elections are organised by an administrative authority, meet the requirements of the Référentiel général de sécurité (RGS, the French general security framework).
Where a single hardware platform hosts several elections, it must implement a technical solution (for example, virtualisation of the systems) that isolates each vote on a separate computer system, so that each system is independent and self-contained.


4. The sealing of the electronic voting system


Before the ballot opens, the electronic voting systems used, the list of candidates and the list of voters must be sealed, that is, subjected to a process that detects any modification of the system. Before this sealing procedure, it is verified that the modules that underwent the expert assessment have not been modified. The electoral roll (the list on which voters are marked as having voted) and the electronic ballot box must be protected by a process that guarantees their integrity during the vote, that is, one that guarantees that they can only be modified by the addition of a ballot and of a roll entry, each with its integrity assured, by a voter who has been authenticated without fraud. This process must detect any other modification of the system. After the close of the ballot, the electoral roll and the electronic ballot box must be sealed.
The sealing processes must themselves use well-known public algorithms and, where applicable, comply with the recommendations of the RGS. Seal verification must be possible at any time, including while the ballot is in progress. The polling station must have tools whose use does not require the provider's intervention in order to carry out the seal check, for example by computing a digital fingerprint (hash) of the sealed elements.
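The "digital fingerprint" seal described above, and the a posteriori check of the assessed software components required in point 1, can both be realised with the same mechanism: a manifest of SHA-256 fingerprints of each sealed element, plus a single seal value (the hash of the manifest) that the polling station records in the minutes before the vote and recomputes whenever it wishes. The following is an added example written for this page, not code from the CNIL or from any voting provider; the component names, their contents and the temporary directory are constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 digest of one file, read in chunks so large media are handled."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_seal(root, names):
    """Fingerprint each named component under root and derive one seal value
    (hash of the canonical manifest) that the polling station records in the minutes."""
    manifest = {name: fingerprint(Path(root) / name) for name in sorted(names)}
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return {"manifest": manifest, "seal": hashlib.sha256(canonical).hexdigest()}


def verify_seal(root, seal):
    """Return the names of components whose fingerprint no longer matches the seal.
    A missing file counts as modified. An empty list means the seal is intact."""
    changed = []
    for name, expected in seal["manifest"].items():
        path = Path(root) / name
        if not path.is_file() or fingerprint(path) != expected:
            changed.append(name)
    return changed


def demo():
    """Seal a constructed set of components, then show that a post-seal edit is detected."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed stand-ins for the elements the recommendation asks to seal:
        # the assessed software, the candidate list and the list of voters.
        (root / "vote_server.py").write_text("# audited voting software (constructed sample)\n")
        (root / "candidates.txt").write_text("List A\nList B\n")
        (root / "electoral_roll.csv").write_text("id,name\n1,Voter One\n2,Voter Two\n")
        names = ["vote_server.py", "candidates.txt", "electoral_roll.csv"]

        seal = build_seal(root, names)
        before = verify_seal(root, seal)  # expected: [] (nothing changed yet)

        # Unauthorised change to the candidate list after sealing.
        (root / "candidates.txt").write_text("List A\nList B\nList C\n")
        after = verify_seal(root, seal)  # expected: ["candidates.txt"]
        return seal["seal"], before, after


if __name__ == "__main__":
    seal_value, before, after = demo()
    print("seal value to record in the minutes:", seal_value)
    print("components changed before the vote:", before)
    print("components changed after tampering:", after)
```

The point of recording the seal value outside the system is that the check then depends only on a standard hashing tool and the minutes, not on the provider: anyone on the polling station can recompute the manifest and compare it against what was written down before the ballot opened.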


5. Existence of a fallback solution


Any electronic voting system must have a fallback system capable of taking over in the event of failure of the main system and offering the same guarantees and characteristics.


6. Effective monitoring of voting


The electronic voting system must be operated under the effective control, both at the central computer system and, where applicable, at local level, of representatives of the organisation holding the vote or of experts designated by it. All measures must therefore be taken to enable them to verify the effectiveness of the security arrangements ensuring the secrecy of the vote, and in particular the measures taken to:
― ensure the confidentiality of the voter file containing the authentication elements;
― ensure that ballots remain encrypted at all times and are stored in a processing system separate from the one maintaining the electoral roll;
― ensure the preservation of the various media during and after the voting process.
Members of the polling station and the candidates' delegates who so wish must be given every facility to effectively monitor all electoral operations, in particular the preparation of the ballot, the voting, the marking of the electoral roll and the counting.
To this end, and in order to ensure effective control of the electoral operations, the technical provider must make all relevant documents available to the data controller's representatives, the experts, the members of the polling station, the candidates' delegates and the scrutineers, and must train these persons in the operation of the electronic voting system.


7. Location of the central computer system


It appears highly desirable that the servers and other central computing resources of the electronic voting system be located on national territory, in order to allow effective control of these operations by the members of the polling station and the delegates, as well as intervention by the competent national authorities where necessary.


II. ― On the ballot
A. ― On operations prior to the opening of the ballot
1. Confidentiality of data


The nominative voter files created for the purpose of drawing up the list of voters, sending voting materials and conducting the elections may only be used for those purposes and may not be disclosed, on pain of the criminal penalties provided for in Articles 226-17 and 226-21 of the Criminal Code.
Data confidentiality also applies to the technicians in charge of managing or maintaining the computer system.
Files containing the voters' authentication elements, the encryption and decryption keys and the contents of the ballot box must not be accessible; the same applies to the electoral roll, except for the purpose of checking which voters have voted.
Where an external provider is used, the provider must contractually undertake to comply with these provisions by signing a confidentiality and security clause and by providing a detailed description of the technical arrangements implemented to ensure this confidentiality. The provider must also undertake to return the files remaining in its possession after the electoral operations and to destroy all full or partial copies it may have had to make on any medium.
The provider may automatically receive technical information on the operation of the voting system throughout the voting process. The provider must only intervene on the voting system in the event of a malfunction resulting from an attack on the system by a third party, a viral infection, a technical failure or data corruption. A technical mechanism must ensure that the polling station is automatically and immediately informed of any access by the provider to the voting platform. The provider must inform the polling station of all measures taken to remedy the malfunction. The voting system must include a module that automatically reports this information to the polling station.
All actions carried out on the voting server, as well as those relating to the conduct of the ballot, must be logged. The integrity of this log must be guaranteed at all times by a cryptographic process.
The polling station, for its part, is competent to take any information and safeguard measures, including deciding to suspend the voting operations. The voting system must inform voters of such a decision.
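One way to give the action log the cryptographic integrity required above is a MAC chain: every entry carries an HMAC over its sequence number, the previous entry's MAC and the event itself, so editing, reordering or deleting an entry invalidates every MAC after it, and reporting the latest MAC to the polling station (as the automatic reporting requirement already demands for provider accesses) makes silent truncation detectable as well. This is an added example written for this page, not code from the CNIL or any provider; the key, the event records and the "polling station" reporting step are constructed assumptions.

```python
import copy
import hashlib
import hmac
import json

GENESIS = b"\x00" * 32  # chain anchor used as the "previous MAC" of the first entry


def _canonical(event):
    # Deterministic encoding so the same event always yields the same MAC.
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _entry_mac(key, seq, prev_mac, event):
    # Binds the sequence number, the previous MAC and the event content together.
    h = hmac.new(key, digestmod=hashlib.sha256)
    h.update(seq.to_bytes(8, "big"))
    h.update(prev_mac)
    h.update(_canonical(event))
    return h.digest()


class TamperEvidentLog:
    def __init__(self, key):
        self._key = key
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["mac"] if self.entries else GENESIS
        seq = len(self.entries)
        mac = _entry_mac(self._key, seq, prev, event)
        self.entries.append({"seq": seq, "event": event, "mac": mac})
        return mac

    @property
    def head(self):
        """Latest MAC; handing it to the polling station lets truncation be detected."""
        return self.entries[-1]["mac"] if self.entries else GENESIS


def verify_log(key, entries, expected_head=None):
    """Return None if the chain is intact. Otherwise return the index of the first bad
    entry, or len(entries) if every entry checks out but the chain stops short of expected_head."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or not hmac.compare_digest(_entry_mac(key, i, prev, e["event"]), e["mac"]):
            return i
        prev = e["mac"]
    if expected_head is not None and not hmac.compare_digest(prev, expected_head):
        return len(entries)
    return None


def demo():
    # Constructed key; in practice generated at the polling station and withheld from the provider.
    key = b"polling-station-log-key-constructed-for-this-example"
    log = TamperEvidentLog(key)
    # Constructed events of the kind the recommendation says must be logged.
    log.append({"type": "seal_verified", "actor": "polling_station"})
    log.append({"type": "provider_access", "actor": "provider", "reason": "technical failure"})
    log.append({"type": "ballot_stored", "ballots_received": 1})
    head = log.head  # value reported to the polling station

    intact = verify_log(key, log.entries, head)             # None: chain is good

    tampered = copy.deepcopy(log.entries)
    tampered[1]["event"]["reason"] = "routine maintenance"  # provider rewrites its own access record
    edited = verify_log(key, tampered, head)                # 1: first broken entry

    truncated = verify_log(key, log.entries[:2], head)      # 2: chain intact but shorter than reported
    return intact, edited, truncated
```

The MAC key must be held by the polling station rather than the provider, otherwise the provider could simply re-sign a rewritten history; that split of custody, not the hash arithmetic, is what gives the log evidential weight for the a posteriori control discussed in part III.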


2. Voter authentication processes


The voting system must provide for the authentication of the persons authorised to access the system to cast their vote. It must ensure the confidentiality of the means provided to the voter for this access and take every precaution to prevent an unauthorised person from fraudulently voting in the voter's place.
The Commission considers that authenticating the voter by means of an electronic certificate is the most satisfactory solution in the current state of the art. The electronic certificate must be selected and used in accordance with the recommendations of the RGS.
Where a biometric device is used for authentication, the data controller must comply with the formalities imposed by the amended Act of 6 January 1978 on information technology, data files and civil liberties.
Failing the above solutions, where identifiers and passwords are generated from the list of voters, the file thus created must be encrypted. The procedures for generating and sending personal codes must be designed to ensure their confidentiality and, in particular, that the various providers involved cannot learn them.
Where the vote is cast by entering a permanent identifier printed on a card or other document together with a password sent to each voter, these identifiers and passwords must be generated under the same security conditions as those listed above. The same applies to the sending of the password.
The voter's authentication may be strengthened by a challenge/response mechanism (the authentication server sends a question to which only the voter knows the answer) or by sending a code by SMS to the voter's personal telephone.
In the event of loss or theft of their authentication means, a procedure must allow the voter to vote and must render the lost or stolen means unusable.
Voting must be accessible from all operating systems and all browsers used by voters. If the voting material is not accessible to all, a manual procedure must be provided.


3. Information for voters


An explanatory note must be provided to voters in good time, clearly setting out the voting operations and the general functioning of the electronic voting system.


4. Checking the system before the ballot opens


The electronic voting system must be checked before the ballot opens, in the presence of the scrutineers, in order to confirm the presence of the various seals, the proper functioning of the machines, that the electoral roll is blank and that the electronic ballot box is empty.


5. Encryption keys


The keys enabling the decryption of the ballots must be generated publicly, before the ballot opens. This procedure must be designed to prove irrefutably that only the chair of the polling station and the assessors know these keys, to the exclusion of any other person, including the technical staff responsible for deploying the voting system. The Commission considers that there must be at least three encryption keys, and that the combination of at least two of them must be required in order to carry out the count.
The voting system must guarantee that no partial results (other than the number of voters who have voted) are available during the voting process.


B. ― On the conduct of the vote
1. Casting the vote


The opening and closing times of the electronic ballot must be controlled by the members of the polling station and by the persons designated or authorised to monitor the electoral process.
To connect remotely or locally to the voting system, the voter must authenticate in accordance with this recommendation. During this procedure, the voting server checks the voter's identity and that the voter is indeed authorised to vote. If so, the voter is given access to the officially approved lists or candidates, in the official order. Blank voting must be provided for where the law allows it.
The voter must be able to choose a list, a candidate or a blank vote in such a way that this choice appears clearly on screen, separate from any other information. The voter must be able to go back and change this choice. The voter then validates the choice, and this operation triggers the sending of the dematerialised ballot to the voting server.
The voter must immediately receive confirmation of their vote and be able to keep a record of that confirmation.


2. Encryption of the ballot


The ballot must be encrypted on the voter's workstation with a public algorithm regarded as "strong" and stored in the ballot box, for the count, without ever being decrypted, even transiently. The link between the voter's terminal and the voting server must be encrypted separately from the encryption applied to the ballot, in order to protect both the voter's authentication process and the confidentiality of the vote. The implementation of the communication channel must include authentication of the voting server.
In addition, the storage of the ballot in the ballot box must not include a timestamp, so as to prevent any correlation with the electoral roll.


3. Marking the electoral roll


The voter must be marked on the electoral roll as soon as the vote is validated, so that no further vote can be cast with the authentication elements of a voter who has already voted. The roll entry includes a timestamp. This list, used to check who has voted, as well as the vote counter, must be accessible only to the members of the polling station and to authorised persons.


4. The count


The close of the ballot must be immediately followed by a phase in which the ballot box and the electoral roll are sealed, before the count. All the information needed for a posteriori control must also be collected during this phase. These elements are recorded on a sealed, non-rewritable medium with evidential value.
The count is carried out using the decryption keys handed to the duly designated members of the polling station when those keys were generated. The members of the polling station must carry out the counting process publicly.
The number of votes per candidate or list must appear legibly on screen and be subject to a secure printout, that is, a mechanism ensuring that the displayed and printed results correspond to the count of the ballot box, to be entered in the minutes of the election. Where applicable, the transmission of the results to a remote centralising office must be carried out over a secure link that prevents any capture or modification of the results.
The electronic voting system must be locked after the count so that it is impossible to resume or modify the results once the electoral commission has decided to close the count.


III. ― On post-election control of the vote by the election judge
1. Minimum guarantees for a posteriori control


For the purposes of external audit, in particular in the event of an electoral dispute, the electronic voting system must be able to provide the technical elements allowing it to be proven irrefutably, as a minimum, that:
― the sealing process remained intact throughout the ballot;
― the encryption/decryption keys are known only to their designated holders;
― the vote is anonymous;
― the electoral roll contains only the voters who actually voted;
― the ballot box that was counted is the one containing the voters' ballots, and that it contains only those ballots;
― no partial count could be carried out during the ballot;
― the procedure for counting the recorded votes can be re-run.


2. Retention of data on the electoral operation


All supporting files (copies of source and executable programs, voting materials, electoral roll files, results, backups) must be kept under seal until the time limits for legal challenges have expired. This retention must be ensured under the control of the electoral commission, under conditions guaranteeing the secrecy of the vote. Where applicable, the service provider must be required to hand over all these materials to the person or third party designated to ensure the preservation of the media. Where no legal challenge has been brought before the time limits for appeals have expired, these documents must be destroyed under the control of the electoral commission.


IV. ― Publication


This deliberation will be published in the Official Journal of the French Republic.


The president,

A. Türk

