BSI security goals for virtual voting
Now that many votes are taking place on virtual channels, the question of their IT security has moved more into focus. Associations and companies in particular are suddenly faced with the question of how they can hold their general meeting or shareholders’ conference digitally and with legal compliance.
In 2020, the BSI (German Federal Office for Information Security) published the practice-oriented ViVA guide to virtual events and voting. It names four security goals, the "four pillars" of security, which serve well to explain the complex subject of cyber security for voting:
Secret content should remain secret and may only be transported via secure transmission routes. In general, as little data should be collected as possible.
The voting system, the transmission routes and the users’ end devices must be available during the voting period so that all eligible voters are able to cast their votes.
Ballot papers may not be added, changed or deleted from the outside. The system must have demonstrable integrity. Unexpected system behavior must be notified and acted upon immediately, up to and including the cancellation of the election.
All participating persons must be unambiguously authenticated before casting their votes. Various authentication procedures are available for different security levels—from the transmission of ID/password combinations to digital identity cards.
POLYAS Live Voting is constructed to allow secure digital voting. This page presents the security mechanisms used by POLYAS Live Voting and is based on the four BSI security goals for virtual voting.
Confidentiality for virtual voting
In order to meet the BSI's security goal of confidentiality, information not intended for the public may only be transmitted to the outside via secure channels. Further, voting secrecy must be assured where required. Here, voter authentication (i.e. the check on voting eligibility) must be decoupled from the authenticated information (the vote). And in principle, the digital implementation of voting should collect no more information than the analog variant.
End-to-end encryption of the ballot papers with POLYAS Live Voting ensures that voting is secret. The vote is encrypted on the device used by the eligible voter, transmitted securely, and only decrypted after cryptographic shuffling in the ballot box.
Secure communication of the system components
Communications between all components of the Live Voting system are controlled by communication keys. Thus only authorized components have access to the functions offered by other components, and this access is regulated by fine-grained access rules based on the principle of least privilege.
POLYAS works strictly in line with the principle of data minimization. Of course, we comply with the requirements of the European General Data Protection Regulation (EU GDPR). Furthermore, customers have the option to work with an anonymized electoral roll that is free of any personal data.
The availability of virtual voting
The availability must be ensured for the voting system itself, the communication link, and the decentralized end devices (cell phones, PCs, laptops). System and communication failures must be prevented at all of these points.
Protection of the POLYAS infrastructure
POLYAS ensures the best possible availability of the voting software thanks to a scalable operating concept that dynamically adapts to load, and a hosting concept that offers redundancy. Furthermore, POLYAS takes extensive protective measures to protect the system from external attacks. These include, for example, regular penetration tests as well as protection against DDoS and brute-force attacks.
In general, the ballots in POLYAS Online Voting and Live Voting are optimized so that the minimum of data is transmitted and not all elements have to be reloaded at every step. This amounts to just a few kilobytes per ballot.
Security instructions for browsers
To guarantee the security of the end devices used for voting, it is important that these devices have operating systems and web browsers that are updated regularly. We provide an overview of the supported operating systems and browsers for POLYAS Live Voting.
Integrity of the voting software
The integrity of voting software is assured if votes are demonstrably transmitted without alteration. This means that ballot papers may not be added, changed or deleted from the outside.
Unaltered transmission of ballots
With POLYAS CORE 3.0, the ballot of each eligible voter is encrypted in the browser during the voting process. This encryption is also active on mobile devices. As in all POLYAS systems, votes are transmitted exclusively over a TLS-encrypted connection based on a server certificate from D-Trust GmbH. This prevents tampering with the ballot paper while it is transmitted over the Internet.
The securely transmitted ballots undergo a cryptographic shuffling process in the ballot box before they are decrypted and the votes counted. The integrity of the ballot papers is checked by zero-knowledge proofs, cryptographic protocols that demonstrate the integrity of a ballot paper without revealing its content.
Bulletin boards for an exhaustive audit trail
POLYAS CORE 3.0 makes use of bulletin boards to store all data that is critical to the security of an election. POLYAS Live Voting thus has a database to which all relevant information is appended during the voting, from which nothing can be deleted, and for which there is a complete audit log. Changes can only be made by authorized persons.
After the election, the bulletin board can be reviewed by controllers, who check that all published entries are properly signed and that the integrity of the hash chain is maintained. This technology is comparable to a blockchain, with the difference that the bulletin board is hosted centrally rather than decentrally (i.e. on a large number of servers).
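The following is an added illustration of the two checks described above (entry signatures and hash-chain integrity) on a small append-only board; it is not POLYAS code, and it uses an HMAC with a constructed key as a stand-in for the digital signatures a real bulletin board would carry.

```python
import hashlib
import hmac
import json

# Constructed demo key. POLYAS uses digital signatures; HMAC stands in here so
# that the example runs with the standard library only.
SIGNING_KEY = b"constructed-demo-key"
GENESIS = "0" * 64

def _digest(index, prev_hash, payload):
    # The hash binds position, predecessor and content of an entry together.
    msg = json.dumps([index, prev_hash, payload], sort_keys=True).encode()
    return hashlib.sha256(msg).hexdigest()

def _sign(entry_hash):
    return hmac.new(SIGNING_KEY, entry_hash.encode(), hashlib.sha256).hexdigest()

def append_entry(board, payload):
    """Append an entry linked to the current tail; entries are never removed."""
    index = len(board)
    prev_hash = board[-1]["hash"] if board else GENESIS
    entry_hash = _digest(index, prev_hash, payload)
    board.append({"index": index, "prev": prev_hash, "payload": payload,
                  "hash": entry_hash, "sig": _sign(entry_hash)})

def audit(board):
    """Return a list of findings; an empty list means the board verifies."""
    findings, prev_hash = [], GENESIS
    for pos, e in enumerate(board):
        if e["index"] != pos or e["prev"] != prev_hash:
            findings.append(f"entry {pos}: chain broken (deleted or reordered?)")
        if e["hash"] != _digest(e["index"], e["prev"], e["payload"]):
            findings.append(f"entry {pos}: content altered")
        if not hmac.compare_digest(_sign(e["hash"]), e["sig"]):
            findings.append(f"entry {pos}: signature invalid")
        prev_hash = e["hash"]
    return findings

def demo():
    """Build a small board, then audit a clean, an altered and a truncated copy."""
    board = []
    for ev in ({"event": "opened"}, {"event": "ballot", "id": "b-001"},
               {"event": "ballot", "id": "b-002"}):
        append_entry(board, ev)
    altered = json.loads(json.dumps(board))   # deep copy, then edit one record
    altered[1]["payload"]["id"] = "b-999"
    deleted = board[:1] + board[2:]           # drop one entry from the middle
    return audit(board), audit(altered), audit(deleted)
```

The audit reports an altered record as a hash mismatch and a removed record as a break in the chain, which is exactly what a controller reviewing the published board would look for.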
Various authentication methods are available for POLYAS Live Voting. The overall strength of unambiguous authentication can be increased by additional functions, such as two-factor authentication or the generation of login data by a third party.
Each method ensures that eligible voters can exercise their voting right once only. Eligible voters cast their votes directly and independently using an Internet-enabled device. Visually impaired voters are also able to vote independently with the help of a screen reader.