www.cnil.fr

Contribution


Alexander Dix

Electronic democracy and its implications for political privacy


 

Electronic media and more specifically computers have become part of our daily lives. It is therefore not surprising that the role of information technology in the democratic process is increasingly being discussed and ways to use this technology to support and enhance political participation are being tested.

This happens primarily in countries and regions with a high standard of living such as the United States, Europe and New Zealand. In the United States the last presidential election has given rise to an intensive debate about more reliable methods for vote counting using modern technology. The European Commission is funding a research project for CyberVoting[1]. Some consider offering an online voting option at the next direct elections for the European Parliament to be a realistic scenario. Switzerland and Germany are testing online voting systems on the local level, in universities and in non-governmental bodies. New Zealand is discussing legislation to allow for electronic voting to be used in local elections.

However, developing countries may also have an interest in supporting voting procedures with information technology to overcome problems of infrastructure or organisation and to cope with large distances when collecting and counting ballot papers.

I cannot cover in this brief paper all aspects of electronic democracy such as voting by phone or central voter registration in nationwide databases which in turn might raise privacy issues. Instead I am confining myself to Internet voting.

A great many hopes are pinned by some on voting via this global network which has become in recent years a mass medium in certain areas of the world and which has opened new opportunities of communication and access to information. Despite all efforts by certain governments (e.g. the People's Republic of China, Afghanistan) to block or control access to the Net, it can hardly be disputed that this medium has a democratic potential when it comes to distributing and accessing information for opposition parties and minorities in non-democratic systems. In democratic states proponents of online voting argue that handicapped or elderly people may have a greater chance of taking part in elections and that low voter turnout in general may also be raised.

On the other hand critics argue that the political process should not rely on digital images and blinking banners in order not to degenerate into a "mouse-click democracy" dominated by "junk votes". In their view vote casting should continue to take place at the local polling station where the active citizenry traditionally gathers to vote for public officials.

There are good arguments on both sides here. But even if all or at least some of the positive expectations were realistic, what are the privacy and security issues at stake when it comes to Internet voting?

Democratic elections are generally expected to be free, equal and secret. These basic principles must be adhered to no matter if the votes are cast by a physically present voter in the polling booth, by mail, phone or via Internet.

The principle of equality will only be observed if the digital divide is overcome by general access of the electorate to the Internet at polling stations or public access points (kiosks). There are issues of voting secrecy at stake here which are not to be underestimated: e.g. in Germany it has seriously been suggested that voting should be possible at automatic teller machines. Most of these machines nowadays are under CCTV surveillance which would make unobserved voting impossible.

Two forms of online voting can be distinguished:

- using certified hard- and software at official polling stations in a dedicated network ("closed" or "end-to-end"-systems)

- using any input device (e.g. home PCs, mobile phones) with any uncertified software over the Internet ("open systems").

Remote voting via the Internet leads to the same risks for free voting which occur in connection with other methods of remote or absentee voting: when voting by mail, family members or employers may try to influence or control the voter's decision. That is not a specific risk of online voting.

A specific dilemma of online voting can be described thus: On one hand ballot secrecy is of utmost importance. Secrecy is the precondition of the voter’s free political decision. In a way ballot secrecy could be described as “political privacy”. In view of the mounting pressure on providers to store certain data on Internet use for law enforcement purposes and against the backdrop of the increasing interception of content data in the same context it is difficult to see how online voting could be exempt from these inroads upon communications secrecy.

On the other hand ballot secrecy has to be reconciled with transparency and auditability of the entire voting procedure. The experience of surveillance and vote-rigging in non-democratic societies has shown that the trustworthiness of the entire political system is at stake here. Paper-based elections are transparent at least to the extent that the voter himself casts his ballot paper into the box; the votes in many countries are counted in public. Online voting procedures do not have these elements of transparency. So far there is no “trusted channel” available to transmit votes over the Internet from the voter’s computer to the server which collects and counts the votes.

Online voting on the other hand may be even more secure than conventional voting methods. However, voting not only has to be secure, it has to be seen to be secure. Here lies a second dilemma: cryptographic methods (e.g. blind signatures) and the informational separation of powers and functions (separation of privilege) between servers which check voter registration and servers which collect and count votes are under discussion. They are highly complex but at the same time they will have to compensate for the lack of transparency[2]. In addition designers and manufacturers of such novel systems are, for economic and intellectual property reasons, reluctant to give insight into their source code. In doing so they prevent any reliable security analysis. The situation is similar to the debate on cryptography where controllers sometimes refuse to disclose the cryptographic method they are using on security grounds. But “security by obscurity” is not good enough.

In the end voter confidence will be of key importance when it comes to implementing any online voting system. Therefore any proposal or system for online voting has to be scrutinised carefully and the results should be published. A recent report in the United States in the aftermath of the Presidential Election 2000 expressly stressed that remote Internet voting poses serious security risks; it recommended a delay of Internet voting until suitable security criteria are in place which may take at least ten years[3].

The International Working Group on Data Protection in Telecommunications has discussed these issues at its recent meeting in Berlin. Five recommendations have resulted from this discussion which are at present being finalized in a written procedure:

- The complex technical questions with regard to security and availability of online voting systems (protection against unauthorised access and “denial of service”-attacks) should be answered before any such system is used at parliamentary and other governmental elections on any level; these systems should be subject to a thorough risk analysis and tested at first in (non-political) internal elections (e.g. organisations, universities).

- Secure authentication procedures for voters have to be used before casting the vote in order to ascertain their right to vote, to prevent double-voting and at the same time to ensure ballot secrecy.

- While the system should warn the voter if the vote has not been registered or transmitted correctly, receipt-free vote casting must be ensured in order to diminish the risk of influencing prospective voters or victimising those who have voted.

- The entire hard- and software including the source code has to be documented and open to scrutiny.

- Trusted certification procedures for hard- and software have to be implemented.
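
The blind signatures and the separation between the server that checks voter registration and the server that collects and counts votes, mentioned earlier, are one way to meet the second recommendation (right to vote, no double-voting, ballot secrecy). The following Python example is added here and is not part of the original paper or of any system it cites. It uses textbook RSA with a toy key; the names `Registrar`, `Tallier`, `blind`, `unblind` and `make_ballot` are hypothetical, and it assumes the voter reaches the tallier over a channel that does not reveal identity.

```python
import hashlib
import secrets
from math import gcd

# Toy RSA key of the registration server, built from two Mersenne primes.
# Constructed for illustration: far too small and unpadded for real elections.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, known to the registrar only

def digest(ballot: str) -> int:
    return int.from_bytes(hashlib.sha256(ballot.encode()).digest(), "big") % N

class Registrar:
    """Checks the right to vote; signs blinded values it cannot read."""
    def __init__(self, electoral_roll):
        self.roll, self.served = set(electoral_roll), set()

    def issue(self, voter_id: str, blinded: int):
        if voter_id not in self.roll or voter_id in self.served:
            return None  # not eligible, or already holds a signature
        self.served.add(voter_id)
        return pow(blinded, D, N)

class Tallier:
    """Collects votes; sees ballots and signatures but no voter identity."""
    def __init__(self):
        self.ballots = set()

    def accept(self, ballot: str, sig: int) -> bool:
        if pow(sig, E, N) != digest(ballot) or ballot in self.ballots:
            return False  # not signed by the registrar, or a replay
        self.ballots.add(ballot)
        return True

def blind(ballot: str):
    """Voter side: hide the ballot digest behind a random factor r."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            return (digest(ballot) * pow(r, E, N)) % N, r

def unblind(blind_sig: int, r: int) -> int:
    return (blind_sig * pow(r, -1, N)) % N  # leaves digest(ballot)^D mod N

def make_ballot(choice: str) -> str:
    return f"{choice}|{secrets.token_hex(16)}"  # nonce keeps ballots unique
```

The registrar learns who voted but only ever sees a blinded value; the tallier learns what was voted but only checks the registrar's signature, so neither server alone can link a voter to a ballot.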

Furthermore any future online voting system will depend on reliable public key infrastructures and electronic signatures. The International Working Group has made recommendations in a second Working Paper which will soon be published. With regard to online voting one recent practical example from Switzerland shows the vulnerability of any such infrastructure not for technical but for economic reasons. In May 2001 Swisskey – the only certification-service-provider in Switzerland – went out of business after issuing 10.000 electronic identities. These identities will be revoked by the end of this year unless an alternative company takes over.

The example illustrates a fundamental problem which has to be solved when building a public key infrastructure for vital electronic transactions including online voting: no government should delegate the responsibility for offering a certification service entirely to private companies. In other words the state has a basic responsibility for the reliability of public key infrastructures which are used for e-government applications and in particular for online voting. If this responsibility is not honoured, voters relying on the Internet will be disenfranchised. The new German Electronic Signature Act[4], which implements the EU Directive on a Community framework for electronic signatures[5], provides for different levels of electronic signatures, the highest being qualified signatures with voluntary accreditation. Only if such accredited services are used will the accreditation authority take over responsibility for issued signatures in case the service provider stops doing business.

To sum up, it is not inconceivable that we will be able to vote for public officials online freely and securely sometime in the future. But some very complex issues which I have described have to be solved beforehand. Finally, as long as the digital divide has not been overcome, any online voting system can only be an additional option to conventional (paper-based) voting.



[1] <http://www.eucybervote.org/>

[2] B. Schoenmakers, Compensating for a lack of transparency, Proceedings of the 10th Conference on Computers, Freedom and Privacy 2000: Challenging the Assumptions, 239

[3] California Institute of Technology/Massachusetts Institute of Technology, Voting Technology Project, Voting – What Is – What Could Be, July 2001, <http://www.vote.caltech.edu/Reports/index.html>

[4] Gesetz über Rahmenbedingungen für elektronische Signaturen und zur Änderung weiterer Vorschriften v. 16. Mai 2001, BGBl. I, 876

[5] Directive 1999/93/EC of 13 December 1999, OJ 2000 L 13/12