Creative Commons License

The ten criteria to be met for a democratic voting of present days




Bases in Swiss law


One and only one vote for every citizen having the right to vote (universality and uniqueness).


Universality : CF art.136 al.2 part. LDP art.8a al.2 part., ODP art. 27d al.1a & 1b
Uniqueness :
ODP art.27f al.4, ODP art. 27j


The anonymity of the voter and the confidentiality of its ballot are unconditionally guaranteed


Anonymity :  ODP art 27f al.1 & 2, ODP art.27g al.1 & 4, ODP art.27h al.2
Privacy :
LDP art.5 al.7, (early vote :LDP art.7 al.4, postal vote :LDP art.8 al.1), LDP art.8a al.2, ODP art.27d al.1d, ODP art.27f al.3, ODP art.27g al.1


The ballot must contain the motivation of the voter


CF art.34 al.2ODP art. 27e al.7, ATF 121 I 187


The voting should not be able to vote by proxy, or obtain evidence enabling him to sell his vote

not transferable

No attorney : ODP art.27a al.4
No sale :
ODP art.27h al.4 sec.part. (same)


The content of the ballot may not be known until the close of polling.


ODP art.27f al.5ODP art.27m al.2 (opposite)


The ballot box should contain only and must contain all ballots collected (precision and completeness).


Precision : ..., CF art.34 al.2note
Completeness :
LDP art.8a al.2 part., ODP art. 27d al.1e, (Preservation : ODP art.27k)


Ballots must be able to be recounted with sense (verifiability of their authenticity and integrity).


ATF 114 Ia 42note, ATF 131 I 442, ODP art. 27n


Claims (before closing) and challenges (after) should be resolvable


ODP art. 27nbis


The whole session and every single voting process must be monitored.


... note1, note2


Any attempt to fraud are prevented or detected without delay.


ODP art. 27d al.1c & al.1f

Note : CF = Constitution Fédérale (Federal Constitution), LDP = Loi fédérale sur les Droits Politiques (federal law on political rights), ODP = Ordonnance sur les Droits Politiques, état 1 janvier 2008 (Ordinance on political rights -as at 1 January 2008)
ATF = Arrêt du Tribunal Fédéral (Federal Court. Case)

It is also expected that a voting system would be ergonomic, be economic (including providing a comfortable speed), and of high technical quality (elegant architecture, powerful tools, reliable code, semantically rich data) to allow for optimal maintenance and operating.

See also this list (French) to other documents on electronic voting or this short text (English)
And the document "
Federal pilots of electronic voting meet the principles of democratic vote" for a quick comparison, general and non-technical, of the three pilots of electronic voting with the Ten Criteria of the vote..

 To meet the criterion (1) - rightness:

The voting must be identified fairly strong, and a central database (registry of voters) must control his right and save live his voting channel (entry into the voting booth, valid sealed postal ballot received, internet empowerment issued - see also 8 for the actual successful completion).


 To meet the criterion (2) - Secrecy

We must unconditionally guarantee confidentiality and anonymity

To ensure confidentiality, the ballot must be completed, confirmed and crypted (key of the ballot box, see 5-temporality) locally on the voter's station, without being transported in clear form at distance (or without leaving any traces locally, see 10-security).

Furthermore, to ensure anonymity, obtaining the right to vote -empowerment- and its instruments (blank ballot, etc.) must be done in another logical session than the sending of the filled ballot. In addition, the IP address the sender of the filled ballot must be different 1 from that of the application of the voting right, and order of arrival of filled ballots should be diffrent from the initial authorization requests. Finally, the marks the voting rights authenticating the filled ballots (see 7-recountability) should not be linkable at the request of them.


 To meet the criterion (3) - Compliance:

The expression of choice must be understandable, and its transcript during the processing and the storage not ambiguous and unalterable

In particular, the motivation that the voter has expressed, then verified and confirmed, must be kept clear and intact during transport, inclusion in the ballot box, storage, until counting included (till the end of the period of appeal).

This is done by a lock -a cryptographic lock- on the literal text of the filled ballot, which takes place between the expression and confirmation, then the preservation of the lock through the dispatch (encryption) and subsequent operations (see 7-recoutability, and partially 8-provable).


To meet the criterion (4) - not transferable :

For no-attorney, the individual citizen must digitally sign the dematerialized voting card.

For unsaleability, although the voter gets a receipt proving to him -personally- the deposit of his ballot in the ballot box, but it is not a valid receipt to a third party, because the voter may -but only him- have built another content for the ballot also validating the receipt


 To meet the criterion (5) - temporality:

The ballot must be encrypted on the voting station, and before to go away, with an asymmetric cryptographic key, whose dual decryption key (for the "opening" of the urn) is not available before the close of polling.

To get this unavailability, the decryption key must be dispersed just after its creation -without leak- between the public administration and the various political factions of the electoral committee (scrutators) and be rebuild only with the sufficient recombination of its parts. 


 To meet the criterion (6) - accuracy:

To be sure there were no "jamming" of the ballot box (precision), or subtraction of valid ballots (completeness), each ballot must be authenticated (see 7-recountability) to ensure it comes from a validated voter, and received ballots should be chained with a tamper-proof link (double authority and notarization) to prevent any subsequent deletion.


 To meet the criterion (7) - recountability;

Each ballot contains the literal text which was displayd and the literal motivation of the voter, it is sealed by a mark (electronic stamp) on the voter's station 2 before its encryption with the key to the ballot box (urn). This stamp guarantees the authenticity (from an empowered voter) and integrity (inalterability) of the ballot.

This stamp has been built with a anonymization stage preventing it would be linked to a specific recognizable voter, while guaranteeing to be an authentic representative of a certain individual valid voter 3.


 To meet the criterion (8) - provable:

Each operation is logged, each and every stage are signed by the operating entity, every important act gives rise to the issuance of a signed receipt for the recipient (eg empowerment of the citizen -validation as a voter- is done after signing of the electronic voting card, the filing of the ballot has its receipt for the voter).

The presence of two authorities (and the voting computer as a third party), the anonymity and untraceability, as well as a strict partitioning of the informations (eg flow between separated transactions nominally identified and anonymous authenticated transactions ) allows to show the good end -the filing of the intact ballot- without any revelation of the secrecy of the vote.


 To meet the criterion (9) - Transparency:

The criterion of transparency is part of the practice of democratic vote (the necessary monitoring), but is also an implicit consequence of the previous two : 7-recountability et 8-provability.

Static transparency is through the full publication of the software (documentation and source code in electronic form), it is necessary4 for his criticism and therefore his confidence, but it is not sufficient because the executed code may not be the one studied.

Dynamic transparency requires a second group of servers participating in the voting protocol, and operating on behalf of the Central Election Commission (monitoring by the political control).

Moreover, to allow a disseminated and distributed monitoring through the population, the computer* of the voting citizens must be a necessary node for the transactions of the protocol operating with the public administration and the political control.

(*) The software running on the citizen's computer is under his control, it is the only place where the public can be certain that the executable is identical to the source studied - in having compiled and personally installed.


To meet the criterion (10) - Safety:

This safety criterion 5 spells a consequence arising from the first three criteria.

The criterion (1-universality), seen as right-of-expression, implies indirectly and partly the availability of the means of voting and its proper functioning, so the protection against sabotage and attacks in denial of service.

The criteria (2-secret) et (3-compliance) require protection against attacks by third parties (hacking) to disrupt the balloting, by awareness of choice vote, or falsification of this choice.

Beyond that, the only possibility of a undetectable piracy by pre-knowledge6 or by forgery, is a virtual attack which is effective because it induces loss of confidence in the result which could have been manipulated and therefore undermine the ballot method.

The security against attack in the protocol is reached, both by efficient use of standards which have been publicly scrutinized, on the other hand, by the foundation of authentication and confidentiality of each transaction and all Important items on a rigid hierarchy of cryptographic keys.

Security against piracy is purely technological, by strengthening the servers themselves (the quality of the code writing and the tools of the application software, hardening of host systems) than by their physical and logical protection, but also by the isolation of the entire voting process on the voter's station (protection against malware, sealing against data leakage).

Mitigation of an attack on the existence of the transport (the network link) is done by the proper use of connection protocols, the possibility of deferred resume and the multiplicity of possible connections.


Any question :

Notes of legal references

CF34al2: The Federal Constitution (Article 34, para. 2) and the jurisprudence of the Federal Tribunal (eg ATF 121 I 187) protects the free formation of opinions of citizens and the faithful expression and secure their will. It follows from this constitutional guarantee that citizens have a right to expect that the outcome of a referendum or an election is not recognized if it is not safe and faithful expression of the free will of citizens .
Circular Federal Concil 20/09/2002

Visibility (1):  The traditional vote - including voting by ballot and handwritten cards before allowing the electronic counting of votes - is the very real existence of an electoral register, certificates of civic capacity, ballots, sheets of typing, a physical urn, handwritten signatures, and so on. Where manipulation may take place are visible in the proper sense, which - in case of failure or abuse - to operate controls or recounts in full view of everyone.
Report of the Federal Council on 02,009 electronic voting, opportunities, risks and feasibility (p. 16)

Visibility (2):  "The vote must meet the following principles: universal suffrage, periodicity, equality, secret, freedom, security and transparency"
"Another principle to consider in establishing a legal framework allowing voting by Internet distance: transparency. [...] This is even more important than increased dematerialization of the vote could give an impression of opacity of the process to voters, which is not compatible with the spirit of democracy. "
To achieve functional equivalence of transparency, the author proposes three ways: "Establishment of a chain of controls", "Access to the source code software to vote", "The audit process"
Philippe Mercorio, Faculty of Law - Faculty of Graduate Studies, University of Montreal

ATF114Ia47: The voters, depending on the circumstances, even the right to a recount of the votes that were counted in the traditional way (ATF 114 Ia 47).


1That the numerical Internet address (IP) of the computer used to vote differs, it must be possible to pause and resume -without restarting- the process from another post, or use an overnet of untraceability to issue the ballot  (a chain ofpartitioned intermediaries).

2The locking occurs between filling and confirmation See criterion (3-compliance). Confirmation takes place on the locked form; syntax sent to the display is not the same as for filling (although homological) In addition, the display may be done by a separate track.

3 The stamp is both the digital signature of the original ballot by a validated anonymous asymmetric key, and the public part of this key completed by its validation (anonymized) making it genuine.

4To be studied efficiently, the software must implement more systematically possible usual standards, algorithms described in the current literature, and based on standard libraries. It should also be strongly based on core principles and customary practices of the vote, having emerged from the need of history. The writing of the source program must follow the stylistic rules and the modularization (procedural contract, encapsulation, abstract data types, ...). These arrangements ease the study, as the reading may be macroscopic and build on previous knowledge.

5The risk mitigation is done either by reducing the probability of occurrence of danger or by limiting the extent of its damage.Here, the mitigation is done either by preventing the attack, or by detecting at the earliest before it does damage, or to cancel in time this damage.

6The  pre-knowledge (violating the temporality-5) would done by conditionally mobilize voters opposed to interim results of an election.  This attack is only effective if the duration of a session is long (which is the case under current law -3 weeks).

© Jean-Paul Kroepfli 20080705_2125 21.07.08 13:03 (32)