Orig­i­nal source pub­li­ca­tion: Palas Nogueira, J. and F. de Sá-Soares (2012). Trust in e-Vot­ing Sys­tems: A Case Study. In H. Rah­man, A. Mesquita, I. Ramos and B. Per­nici (Eds.), Pro­ceed­ings of the 7^th Mediter­ranean Con­fer­ence on Infor­ma­tion Sys­tems MCIS 2012—Knowl­edge and Tech­nolo­gies in Inno­v­a­tive Infor­ma­tion Sys­tems, 51–6. Guimarães (Por­tu­gal). Lec­ture Notes in Busi­ness Infor­ma­tion Pro­cess­ing, Vol­ume 129, Berlin Hei­del­berg: Springer-Ver­lag, ISBN: 978-3-642-33243-2.
The final pub­li­ca­tion is avail­able here.

Trust in e-Vot­ing Sys­tems: A Case Study

João Palas Nogueira and Fil­ipe de Sá-Soares

Uni­ver­sity of Minho, Cen­tre ALGO­RITMI, Guimarães, Por­tu­gal

1. Introduction

The act of vot­ing is a key part in democ­racy and one of its car­di­nal rights. The evo­lu­tion that occurred in the vot­ing process over times enables present day free elec­tions to be framed in a well defined set of stages and require­ments, which when prop­erly imple­mented and enforced con­fer the fun­da­men­tal char­ac­ter­is­tics of cred­i­bil­ity and trust to all involved in the elec­tion—pro­mot­ers, devel­op­ers, elec­toral com­mis­sions, audi­tors, and most impor­tantly, can­di­dates and vot­ers.

The method of vot­ing has under­gone changes in the var­i­ous stages that make up its life cycle in order to improve its speed, secu­rity, flex­i­bil­ity, avail­abil­ity, and cost, espe­cially dur­ing the authen­ti­ca­tion of the voter, the cast­ing of the vote, and the tab­u­la­tion stages.

As illus­tra­tions of the improve­ments imple­mented over time, there is the use of paper bal­lots, the devel­op­ment of spe­cific leg­is­la­tion to stream­line the vot­ing process, and the intro­duc­tion of mechan­i­cal means that made the process faster. In the recent past, we have wit­nessed the intro­duc­tion of infor­ma­tion tech­nolo­gies (IT) in the vot­ing process, not with­out ups and downs along the way, seek­ing the trans­for­ma­tion of the tra­di­tional vot­ing sys­tem (paper bal­lot) in an elec­tronic vot­ing sys­tem.

How­ever, the intro­duc­tion of these tech­no­log­i­cal ele­ments in the elec­tions has not been easy or con­sen­sual, espe­cially with regard to the sus­pi­cions that they raise, their abil­ity to meet the require­ments that made paper bal­lot method trust­wor­thy, and to a set of new ques­tions con­cern­ing basic val­ues like the anonymity of the vote and the accu­racy of the sys­tem.

IT sys­tems are cur­rently used in many sen­si­tive areas of soci­ety, such as for pro­cess­ing per­sonal data, clin­i­cal data, or finan­cial trans­ac­tions. How­ever, it seems these areas gather a greater con­sen­sus and appar­ently greater con­fi­dence on the use of IT by those involved than the intro­duc­tion of these same tech­nolo­gies in the vot­ing process.

In fact, elec­tronic vot­ing sys­tems (EVS) are not yet widely used in elec­tions of greater rel­e­vance and we observe coun­tries mov­ing for­ward and back­ward in imple­ment­ing EVS for national elec­tions: while some coun­tries are already using EVS for sev­eral years, oth­ers banned its use. Between these extremes, there are cases of suc­cess and fail­ure in the use of EVS [Dill et al. 2003; Granne­man 2003; Mer­curi 2001; Schneier 2004a; Schneier 2004b; Schneier 2006].

Among the var­i­ous aspects that may facil­i­tate or inhibit the suc­cess of EVS, trust has been rec­og­nized as a key fac­tor [Anto­niou et al. 2007; Grove 2004]. Along the quest for a com­pletely trust­wor­thy e-vot­ing sys­tem—one that does not lose, add, alter, dis­re­gard, or dis­close bal­lots—there is also the need to ensure that vot­ing stake­hold­ers also trust the sys­tem really has those prop­er­ties [Ran­dell and Ryan 2006].

The abil­ity to demon­strate that EVS are trust­wor­thy has a direct impact in the legit­i­macy and accep­tance of the vot­ing results, and it may be con­sid­ered a pre­req­ui­site for shift­ing from the tra­di­tional vot­ing sys­tems to the vot­ing sys­tems on the Inter­net. Indeed, the inte­gral accep­tance of EVS must encom­pass all of soci­ety, includ­ing all vot­ers and not just those who are pre­dis­posed to use them. If there is a large num­ber of vot­ers skep­ti­cal about this method of vot­ing, trust in democ­racy may be com­pro­mised [Jones 2000; Schneier 2006].

The rel­e­vance of trust in e-vot­ing may also be appre­ci­ated if one con­sid­ers the poten­tial goals of a delib­er­ate attack launched against EVS, namely to pro­duce an incor­rect tab­u­la­tion of votes, to pre­vent elec­tors to cast their votes, to raise doubts about the legit­i­macy of the results of the elec­tion, to delay the pro­mul­ga­tion of the results, and to vio­late the anonymity of the vote [McDaniel et al. 2007]. The pos­si­bil­ity of any of these goals being achieved or the actual ver­i­fi­ca­tion of their sat­is­fac­tion casts a shadow of doubt among the elec­torate, severely affect­ing their con­fi­dence in those sys­tems.

The belief that trust plays a major role in the adop­tion and accep­tance of EVS as inno­v­a­tive tech­no­log­i­cal sys­tems with social impact moti­vated the exe­cu­tion of this work. Know­ing what instills con­fi­dence into elec­tors regard­ing the use of EVS will help to under­stand vot­ers’ atti­tude towards e-vot­ing and to devise bet­ter ways to design and deploy these sys­tems.

There­fore, the aim of this study is to iden­tify what fac­tors influ­ence vot­ers’ trust in EVS.

2. Literature Review

2.1 Voting Systems

The vot­ing sys­tems are the means used by peo­ple who have the right to vote (the vot­ers) to freely choose between dif­fer­ent options.

Until the mid-nine­teenth cen­tury, the elec­tions were con­ducted with­out much con­trol and pri­vacy [Jones 2001]. Every­body swore before a judge to be enti­tled to vote and hav­ing not already done, and the act of vot­ing was exer­cised ver­bally, which means that a trust rela­tion­ship was estab­lished between the vot­ers and those who led the elec­tion (the judges). It was by then that were laid the foun­da­tions of the now widely accepted vot­ing sys­tem.

World­wide, the most used and accepted vot­ing sys­tem is the paper bal­lot vot­ing sys­tem (PBVS). Briefly, the voter attends in per­son (with some excep­tions referred to in the leg­is­la­tion) and makes a mark in his or her choice of vote on paper and puts it in a bal­lot. At the end of the period stip­u­lated for the vot­ing process, the votes cast in the bal­lot are man­u­ally counted.

This vot­ing sys­tem is mature and has been used innu­mer­ous times, which gives it a high degree of con­fi­dence for all to see. How­ever, it still has cer­tain lim­i­ta­tions, both in terms of assur­ing the sat­is­fac­tion of cer­tain require­ments (e.g., ensure that only those reg­is­tered may vote or that the con­tent of the vote is not elim­i­nated dur­ing or after the vot­ing period) and when com­pared to other vot­ing sys­tems (e.g., the delay and poten­tial errors in the man­ual count­ing of the votes or the manda­tory pres­ence of vot­ers in pre-estab­lished places in order to vote). There­fore, it is not sur­pris­ing that other alter­na­tives to the tra­di­tional sys­tem of vot­ing have emerged, such as EVS.

Elec­tronic vot­ing or e-vot­ing is a vot­ing sys­tem that uses in any of its phases elec­tronic means to assist the vot­ing process. In the con­text of e-vot­ing we may con­sider two main vot­ing sys­tems: poll-site elec­tronic vot­ing sys­tems (PEVS) and remote elec­tronic vot­ing sys­tems (REVS). The for­mer, as in PBVS, implies the pres­ence of the elec­tor to vote in a pre-defined and con­trolled place by the elec­toral com­mis­sion. The lat­ter does not imply the pres­ence of the voter in a pre­vi­ously defined place: the vote can be cast any­where using the Inter­net as a medium of com­mu­ni­ca­tion between the sys­tem and the voter. This study focuses on this type of elec­tronic vot­ing sys­tems.

Regard­less of the vot­ing sys­tem used, in order to have qual­ity and to trans­mit the nec­es­sary con­fi­dence to those involved in the vot­ing process, the vot­ing sys­tem will have to sat­isfy a set of require­ments.

2.2 Requirements of Voting Systems

The lit­er­a­ture review enabled the iden­ti­fi­ca­tion of a set of 12 core require­ments against which vot­ing sys­tems should be ana­lyzed and eval­u­ated in order to judge their ade­quacy [ACE 2001; Antunes 2008; CE 2004; Crane et al. 2004; Cra­nor and Cytron 1997; Frith 2007; Gritza­lis 2002; Hall 2008; Jones 2000; Mer­curi 2000; Mon­teiro et al. 2001; Neu­mann 1993; Shamos 1993; Strauss et al. 2005].

Table 1 presents those require­ments. The order in which require­ments are listed intends to sig­nal the impor­tance that researchers have attrib­uted to each one of the require­ments, from the most impor­tant to the least impor­tant, based on the sur­vey of the lit­er­a­ture. The table is divided into five columns: the first includes the des­ig­na­tion of the require­ment, the sec­ond briefly describes it and the remain­ing columns pro­vide a clas­si­fi­ca­tion of the three vot­ing sys­tems con­sid­ered in terms of require­ments sat­is­fac­tion. In these last three columns, a + sign indi­cates that the sys­tem gen­er­ally sat­is­fies the require­ment, a - sign indi­cates that the sys­tem falls short of meet­ing the require­ment, and a +/- sign indi­cates that cur­rently the sys­tem does not meet the require­ment, but may meet it in the short term.

Table 1: Rela­tion­ship between Vot­ing Require­ments and Vot­ing Sys­tems

None of the vot­ing sys­tems sat­is­fies all require­ments, with sys­tems that best meet cer­tain require­ments falling short of meet­ing other require­ments.

2.3 Trust and Voting

In the realm of vot­ing sys­tems, trust may be con­ceived as the cer­tainty, held by all elec­toral stake­hold­ers, that the whole process takes place observ­ing the desired assump­tions, specif­i­cally with regard to the require­ments that vot­ing sys­tems must meet, thus attest­ing the qual­ity of the sys­tem and ensur­ing com­pli­ance with secu­rity para­me­ters [Hall 2008].

If there is no trust by the stake­hold­ers of a vot­ing process, a vot­ing sys­tem will hardly suc­ceed and any sus­pi­cion that falls on the sys­tem pre­cip­i­tates its dis­credit and may jeop­ar­dize the elec­tions. Indeed, sev­eral cases of mis­con­duct in EVS led to a sig­nif­i­cant decrease of cit­i­zens’ trust on e-vot­ing [Neu­mann 2004]. The lit­er­a­ture pro­vides details about sev­eral of those cases. A set of illus­tra­tive exam­ples fol­lows. In 1993, dur­ing the trial of two EVS, it was found that in an indus­trial precinct in which there were no reg­is­tered vot­ers, the sys­tem indi­cated 1,429 votes for the incum­bent mayor, who inci­den­tally won the elec­tion by 1,425 votes [Mer­curi 2001]. In 2002, in the realm of a pres­i­den­tial elec­tion, an elec­tronic vot­ing machine attrib­uted to a can­di­date a final vote count of neg­a­tive 16,022 votes [Schneier 2004b]. In the same year, in the sec­ond round of a pres­i­den­tial elec­tion, the final result of the elec­tion was decided by five votes, how­ever it was found that the e-vot­ing sys­tem had not reg­is­tered 78 votes [Dill et al. 2003]. One year later, an elec­tronic vot­ing sys­tem reported results of 140,000 votes, when only 25.000 res­i­dents were eli­gi­ble to vote [Schneier 2004b]. In 2006, an elec­tion was won by only 386 votes out of about 150.000, los­ing the trail to 18.000 votes [Schneier 2006]. In 2007, sev­eral EVS were tested result­ing in tab­u­la­tions whose val­ues dif­fered from those derived from man­ual tab­u­la­tion in 56.1% of the votes counted [Open Rights Group 2007]. Any of these inci­dents has the poten­tial to under­mine the trust that peo­ple place in e-vot­ing, rais­ing doubts about its value and increas­ing peo­ple’s reluc­tance to use such sys­tems, in light of the dan­gers and risks they entail.

Con­cep­tu­ally, trust can be defined as “the will­ing­ness of a party to be vul­ner­a­ble to the actions of another party based on the expec­ta­tion that the other will per­form a par­tic­u­lar action impor­tant to the trustor, irre­spec­tive of the abil­ity to mon­i­tor or con­trol that other party” [Mayer et al. 1995, p. 712]. In a trust rela­tion­ship there is an accep­tance of vul­ner­a­bil­ity to a pos­si­ble, but not expected, dam­ag­ing action [Schlienger and Teufel 2002].

The con­cept of trust requires that there has to be a risk to the par­ties involved in the trust process and an inter­de­pen­dence between the par­ties since at least the inter­ests of one of the par­ties can only be achieved if there is col­lab­o­ra­tion from other party [Brei and Rossi 2005]. Not being sta­tic, trust is sit­u­a­tional, evolves based on the abil­ity to pre­dict the behav­ior of the other and it typ­i­cally emerges and builds up based on past expe­ri­ences.

In vot­ing sys­tems, as impor­tant as meet­ing the require­ments, sys­tems need to con­vey that those require­ments are effec­tively sat­is­fied.

In the case of e-vot­ing, there are authors who advo­cate the print­ing of elec­tronic votes and the trans­parency of the sys­tem by open­ing the source code as a way to trans­mit the nec­es­sary con­fi­dence to vot­ers [Crane et al. 2004; Dill et al. 2003].

For remote elec­tronic vot­ing sys­tems, the dif­fi­cul­ties of ensur­ing and demon­strat­ing trust seem to become more acute. In a 1999 study, 69% of the vot­ers sur­veyed believed that secure Inter­net vot­ing would take many years to become real­ity or per­haps would never be achieved [Jones 2000]. One decade later, there is still no EVS archi­tec­ture able to rea­son­ably pro­vide a suf­fi­cient degree of trust to the elec­toral stake­hold­ers. In fact, the sim­ple con­sid­er­a­tion of the dif­fer­ences in terms of the scal­ing of vot­ing sys­tems struc­ture shows that an attack in PBVS usu­ally affects a lim­ited num­ber of bal­lots (those cir­cum­scribed to a bal­lot box), whereas in the case of EVS a sim­ple mod­i­fi­ca­tion may change the con­tent of thou­sands of votes [Mer­curi 2002].

After pon­der­ing on e-vot­ing lit­er­a­ture, we advance the fol­low­ing issues as poten­tially influ­enc­ing trust in elec­tronic vot­ing sys­tems:

• Infor­ma­tion made avail­able—the quan­tity and qual­ity of infor­ma­tion and brief­ings ses­sions about the e-vot­ing sys­tem may influ­ence the vot­ers’ con­fi­dence in the sys­tem

• His­tory of use—the num­ber of times an elec­tronic vot­ing sys­tem was used with­out pre­sent­ing sig­nif­i­cant errors may influ­ence the vot­ers’ con­fi­dence in the sys­tem

• Open source code—the abil­ity to inspect the source code of the sys­tem may influ­ence the vot­ers’ con­fi­dence in the sys­tem

• Scope of elec­tion—dif­fer­ent elec­tions will make vot­ers trust dif­fer­ently in the sys­tem

• Tests—the quan­tity and qual­ity of the tests made to the sys­tem may influ­ence the vot­ers’ con­fi­dence in the sys­tem

• Audits and Cer­ti­fi­ca­tions—the exis­tence of audits and cer­ti­fi­ca­tions from the sys­tem devel­op­ment process up to the elec­tions may influ­ence the vot­ers’ con­fi­dence in the sys­tem

• Devel­op­ment team—the recog­ni­tion and rep­u­ta­tion of the team that devel­oped the sys­tem may influ­ence the vot­ers’ con­fi­dence in the sys­tem

• Abil­ity to meet require­ments—the abil­ity of a sys­tem to meet require­ments, espe­cially those related to the anonymity of the voter’s bal­lot, may influ­ence the vot­ers’ con­fi­dence in the sys­tem

This list of issues forms the start­ing point for the iden­ti­fi­ca­tion and analy­sis of the fac­tors that may influ­ence the con­fi­dence in EVS. It will be impor­tant to deter­mine whether the pro­posed issues are rel­e­vant to vot­ers and whether there are other fac­tors that vot­ers con­sider imper­a­tive.

3. Research Design

The pur­pose of this study is to iden­tify the fac­tors influ­enc­ing vot­ers’ con­fi­dence in EVS. This goal could only be accom­plished through the involve­ment of vot­ers. Since the focus is on trust in EVS, it would be impor­tant that the study’s sub­jects pos­sessed expe­ri­ence of using these sys­tems as this would allow draw­ing con­clu­sions based on the use of EVS rather than on the inten­tion to use EVS.

To this end, it was nec­es­sary to iden­tify indi­vid­u­als who already had used EVS in sit­u­a­tions of real elec­tions. The authors knew a Por­tuguese uni­ver­sity that had devel­oped and reg­u­larly used a remote elec­tronic vot­ing sys­tem. After grant­ing access to this research site, the inquiry was designed based on the exis­tence of that pop­u­la­tion of vot­ers.

The first ver­sion of the afore­men­tioned remote e-vot­ing sys­tem was devel­oped ten years ago and the sys­tem has been used in sev­eral inter­nal elec­tions at the depart­men­tal and school lev­els of the uni­ver­sity, with a num­ber of vot­ers rang­ing from few tens to half a thou­sand. The typ­i­cal users of the sys­tem are the pro­fes­sors of the insti­tu­tion. The sys­tem was one of the first of its kind to obtain the pos­i­tive opin­ion of the Por­tuguese Data Pro­tec­tion National Com­mis­sion and it is equipped with a set of secu­rity mech­a­nisms that aim to instill trans­parency in the sys­tem.

Method­olog­i­cally, the study con­sisted in a case study. For the delim­i­ta­tion of the case we defined as sub­jects of inter­est all the pro­fes­sors who, belong­ing to the engi­neer­ing school of that uni­ver­sity, had used at least once the remote e-vot­ing sys­tem to exer­cise their vot­ing rights in the con­text of a real elec­tion.

In car­ry­ing out the study we applied two research tech­niques: col­lec­tion of doc­u­ments and semi-struc­tured inter­views. The first tech­nique involved the col­lec­tion of doc­u­men­ta­tion on the sys­tem in order to under­stand its archi­tec­ture, fea­tures, and func­tion­al­ity. The sec­ond tech­nique was the main instru­ment to gen­er­ate data on the fac­tors that may influ­ence the con­fi­dence of vot­ers in EVS.

Pre­vi­ously to con­duct the inter­views, we devel­oped the inter­view script, tested the qual­ity of the script by ask­ing two vot­ers to review its word­ing, and elab­o­rated a pre­lim­i­nary ver­sion of the code­book that would sup­port the cod­ing stage.

The script of the inter­view was struc­tured around the fol­low­ing five themes:

• Assess­ment of the use of the remote elec­tronic vot­ing sys­tem

• Opin­ion on EVS before using an elec­tronic vot­ing sys­tem and after its use

• Key require­ments that remote elec­tronic vot­ing sys­tems should sat­isfy

• Use of EVS at national elec­tions or ref­er­en­dums

• Main fac­tors influ­enc­ing the con­fi­dence in EVS

The prepa­ra­tion of the pre­lim­i­nary code­book involved the def­i­n­i­tion of a set of codes based on the lit­er­a­ture review and on the ques­tions that made up the inter­view script.

It was also decided that the first four inter­views would serve as pilot, to ensure that the script enabled the gen­er­a­tion of data with enough qual­ity to feed analy­sis.

At the begin­ning of each inter­view we would request the respon­dent if we could audio record the inter­view. Then, inter­view records would be tran­scribed and coded. In order to facil­i­tate mechan­i­cal pro­ce­dures asso­ci­ated with cod­ing and analy­sis we would use Atlas.ti qual­i­ta­tive data analy­sis soft­ware.

4. Description of Study

The doc­u­ments on the remote e-vot­ing sys­tem were obtained from the sys­tem devel­op­ment team, which was com­posed of tech­ni­cal ele­ments from the IT area and ele­ments from the legal area.

Regard­ing the inter­views, 259 emails were sent to the fac­ulty of seven depart­ments of the school with an invi­ta­tion to par­tic­i­pate in the study. The emails asked pro­fes­sors an inter­view related to their use of the sys­tem. Of the 259 invi­ta­tions sent, 26 were directed to the depart­ment fac­ulty where the sys­tem best fit in terms of sci­en­tific area, namely the depart­ment of infor­ma­tion sys­tems and tech­nolo­gies. We attempted to pro­mote a sig­nif­i­cant num­ber of inter­views with pro­fes­sors per­tain­ing to other depart­ments, in order to avoid that find­ings would be based on a too tech­ni­cal view of the sys­tem.

In the invi­ta­tion email we described the study, empha­sized the impor­tance of vot­ers’ col­lab­o­ra­tion, and assured the anonymity of the par­tic­i­pants and that the data col­lected would only be used in the study. Although we asked for an indi­vid­ual inter­view in per­son, we also sug­gested as an alter­na­tive the pos­si­bil­ity of inter­views being con­ducted with the use of online com­mu­ni­ca­tion tools, or as a last resort to the pos­si­bil­ity to send the ques­tions by email and receive the answers also by email.

Of the 259 invi­ta­tions sent, we got 51 accep­tances to par­tic­i­pate, 24 indi­ca­tions from pro­fes­sors who so far had not used the sys­tem (and there­fore did not con­sti­tute sub­jects of the study), six responses from pro­fes­sors who were not avail­able to sched­ule the inter­view for the period stip­u­lated for the inter­views and 14 sys­tem mes­sages of email unde­liv­ered due to inex­is­tent or full mail­boxes.

Most inter­views were con­ducted in per­son at the pro­fes­sors’ offices dur­ing June and July 2011. The dis­tri­bu­tion of the 51 respon­dents by sci­en­tific area of the depart­ment is as fol­lows: 15 (29.4%) from infor­ma­tion sys­tems and tech­nolo­gies, 9 (17.6%) from elec­tron­ics, 9 (17.6%) from civil engi­neer­ing, 9 (17.6%) from pro­duc­tion engi­neer­ing, 5 (9.8%) from mechan­i­cal engi­neer­ing, and 4 (7.8%) from tex­tile engi­neer­ing (one of the depart­ments to which we had sent 23 invi­ta­tions pro­vided no feed­back).

At the begin­ning of each inter­view we recalled the aim and scope of the study, rein­forc­ing that the answers would be treated anony­mously and solely for pur­poses of the work, and the absence of any link­age between the researchers and the devel­op­ment, main­te­nance, or pro­mo­tion of the sys­tem. Next, we requested per­mis­sion to audio record the inter­view.

Fifty inter­views were in per­son and one was held via Skype. Four respon­dents did not allow the audio record­ing of the inter­view. Inter­views amounted to a total of about 10 hours, with an aver­age of 40 min­utes per inter­view, and orig­i­nated 434 pages of tran­scripts.

As already men­tioned, we started the cod­ing stage with a pro­vi­sional code­book, since it was not pos­si­ble to estab­lish a pri­ori all the cat­e­gories in which the responses of par­tic­i­pants would be clas­si­fied. There­fore, as the analy­sis of the inter­views pro­gressed, we extended the code­book as required, in a process inspired by Grounded The­ory. When­ever a new issue arose in the inter­view, a new code was cre­ated and defined in the code­book. Some­times the addi­tion of the code to the code­book required the review of pre­vi­ous clas­si­fi­ca­tions, espe­cially when the intro­duc­tion of this new code led to an explo­sion of an exist­ing code into sub­codes (the readi­ness of retriev­ing pre­vi­ously coded units of text with a cer­tain code pro­vided by Atlas.ti greatly sim­pli­fied this task). At the end of the cod­ing stage, the code­book con­tained 166 codes, of which 35 were super codes.

5. Results

The pre­sen­ta­tion of the main results of the study will fol­low the five struc­tural themes listed in the research design sec­tion.

Over­all, the respon­dents assessed pos­i­tively the remote elec­tronic vot­ing sys­tem they had used. Regard­ing the usabil­ity of the sys­tem, 82.7% of the inter­vie­wees were sat­is­fied. Those that crit­i­cized the sys­tem pointed to dif­fi­cul­ties in find­ing the email mes­sage they had received with details regard­ing the elec­tion, to pre­fer that this mes­sage had been sent from an insti­tu­tional email address, and to issues with the web browser inter­face or the need to install a browser add-on for the sys­tem to work prop­erly.

With regard to the infor­ma­tion pro­vided about the vot­ing process, 70.6% of the inter­vie­wees did not retain much more than basic infor­ma­tion about the sys­tem (user­name, pass­word, and URI). Still, 84.4% con­sid­ered to be per­fectly clear with the infor­ma­tion received.

On the com­po­si­tion of the sys­tem devel­op­ment team, there was una­nim­ity among respon­dents that the team should include ele­ments from the legal area, in addi­tion to ele­ments from the IT area. In what con­cerns the need to inte­grate into the team ele­ments from other areas, 61.1% of respon­dents did not con­sider that addi­tional areas of knowl­edge were in need in the devel­op­ment team, 16.7% claimed that it would make sense to inte­grate ele­ments from psy­chol­ogy, and 11.1% sug­gested the inclu­sion of ele­ments from soci­ol­ogy and ethics.

Given that the Por­tuguese Data Pro­tec­tion National Com­mis­sion had issued an opin­ion on the sys­tem, we tried to find out if vot­ers knew it and how they regarded it. Only 9.8% knew the opin­ion and its con­tents, 78.4% were unaware of its exis­tence, and 11.8% knew of its exis­tence, but were unaware of its con­tents. After inform­ing the vot­ers about that opin­ion and its pos­i­tive result, 74.5% of the par­tic­i­pants con­sid­ered it very pos­i­tive and impor­tant for pro­mot­ing con­fi­dence in the sys­tem.

In order to increase the trans­parency of the vot­ing process, the sys­tem allows the pro­vi­sion to the voter of a numeric code for con­fir­ma­tion of the vote cast in the sys­tem. Ques­tioned about this sys­tem’s fea­ture, 48.6% of the inter­vie­wees stated to be unaware of it. Among those who knew it, 21.6% resorted to this mech­a­nism and ver­i­fied that the sys­tem cor­rectly indi­cated the vot­ing option they had expressed, and 16.2% did not exper­i­ment the func­tion­al­ity. Con­cern­ing the impor­tance of this mech­a­nism, 65.7% of the inter­vie­wees con­sid­ered it an impor­tant mea­sure, 14.3% clas­si­fied it as a minor fea­ture. How­ever, of the remain­ing 20% respon­dents who dis­agreed with the use­ful­ness of the mea­sure, 8.6% peremp­to­rily argued that this fea­ture might indi­cate an inse­cure sys­tem, since it allowed to asso­ciate codes, to vot­ers and to votes.

The sec­ond theme of the inter­view script con­cerned the par­tic­i­pants’ opin­ions on EVS before using an e-vot­ing sys­tem and after its use. Regard­ing the opin­ion prior to the use of such a sys­tem, 44.6% stated they had never thought about it before the use, 28.6% indi­cated hav­ing a favor­able opin­ion, and 26.8% reported some sus­pi­cion and appre­hen­sion. After using the sys­tem, 93.0% of the respon­dents con­sid­ered that they felt so con­fi­dent using EVS as if they had used the tra­di­tional vot­ing sys­tem. This view is rein­forced by the fact that only 8.3% of the par­tic­i­pants would select the tra­di­tional vot­ing sys­tem if they could choose between the two sys­tems. Curi­ously, when ques­tioned whether the vote may be more com­pro­mised when EVS are used instead of the tra­di­tional sys­tem (in the sense of a third party know­ing the vot­ing option of a voter), 14.6% of the inter­vie­wees con­sid­ered that the vote is no more com­pro­mised in the case of e-vot­ing, 43.8% thought it may be more com­pro­mised, and 33.3% stated that although per­son­ally they did not think so, they con­ceived that this could be the under­stand­ing of other peo­ple.

Regard­ing the main require­ments that an e-vot­ing sys­tem should sat­isfy (the third theme of the inter­view), the respon­dents pro­vided 118 indi­ca­tions cat­e­go­rized as illus­trated in Table 2.

Table 2: Main Require­ments of e-Vot­ing Sys­tems

Still con­cern­ing the require­ments of EVS, we asked if respon­dents had ver­i­fied or tried to ver­ify if the remote elec­tronic vot­ing sys­tem that they had used met the require­ments they pointed to. Only 11.1% stated they had exam­ined, albeit very super­fi­cially, some of the require­ments. The remain­ing 88.9% asserted they had not car­ried out any ver­i­fi­ca­tion.

The fourth theme relates to the pos­si­bil­ity of using EVS at the national level. With regard to the use of REVS, half of the par­tic­i­pants believed that their use would not be desir­able, mainly because there is a set of require­ments that can not be met due to the exis­tence of var­i­ous risks, such as those related to the tech­ni­cal infra­struc­ture, coer­cion, large scale, and vot­ers’ authen­ti­ca­tion. On the other hand, 35.4% of respon­dents con­sid­ered that using EVS would be pos­si­ble and 4.2% con­sid­ered it pos­si­ble, but as an alter­na­tive method oper­at­ing in par­al­lel to the tra­di­tional vot­ing sys­tem. In the case of PEVS, 23.9% replied neg­a­tively to the appli­ca­tion of these sys­tems since they would add lit­tle value to the vot­ing process, 41.3% pro­vided a pos­i­tive response, 4.3% con­sid­ered it pos­si­ble, but as an alter­na­tive method to the tra­di­tional vot­ing sys­tem, and 30.4% had no opin­ion.

We also asked par­tic­i­pants if they would be will­ing to give up of some require­ments, such as anonymity, integrity of the vote, or unco­ercibil­ity, in order to have mobil­ity, increased speed, and reduced costs with the vot­ing process. Sur­pris­ingly, 75.6% of respon­dents answered affir­ma­tively.

The fifth and final theme was related to the fac­tors that would influ­ence vot­ers’ con­fi­dence in EVS.

With regard to the avail­abil­ity of the sys­tem source code, 40.4% of respon­dents believed that the code should be closed, except for the audi­tors, 25.0% advo­cated open source sys­tems, and 25.0% stated to be indif­fer­ent.

On the nature of EVS cer­ti­fi­ca­tions, and given that the Data Pro­tec­tion National Com­mis­sion’s opin­ion reflected a strictly legal assess­ment with­out rely­ing on a tech­ni­cal (IT) eval­u­a­tion of the sys­tem, 77.6% par­tic­i­pants stated that the legal eval­u­a­tion should be com­ple­mented by a tech­ni­cal eval­u­a­tion, while 22.4% con­sid­ered that the tech­ni­cal eval­u­a­tion was not needed or was not essen­tial.

Another ques­tion aimed to estab­lish if the elec­toral com­mis­sion which pro­motes and mon­i­tors the elec­toral process could influ­ence the con­fi­dence in the sys­tem, i.e., if the rep­u­ta­tion and idone­ity of its mem­bers could instill in vot­ers greater con­fi­dence. Faced with this ques­tion the opin­ions were divided: 56.3% of respon­dents believed that this could be the case, while 43.8% con­sid­ered that those were inde­pen­dent fac­tors.

Inter­vie­wees were also asked whether they were aware of neg­a­tive past expe­ri­ences with other EVS and whether these neg­a­tive expe­ri­ences could shake the con­fi­dence of vot­ers, par­tic­u­larly dur­ing the debate on the pos­si­ble adop­tion of EVS at national level. Approx­i­mately 70% of respon­dents were not aware of those expe­ri­ences. Faced with fac­tual accounts of some of the exper­i­ments, 70.2% reported that such infor­ma­tion might adversely affect pub­lic opin­ion and demol­ish any attempt to imple­ment EVS at national level. On the other hand, 29.8% of the respon­dents believed that each sys­tem should be treated as a sep­a­rate sys­tem, and although these expe­ri­ences might be used as polit­i­cal weapons in a debate on the adop­tion of EVS, peo­ple would be able to dis­tin­guish between the sit­u­a­tions.

Regard­ing the main fac­tors that influ­ence the con­fi­dence of respon­dents in EVS, the analy­sis of the inter­views led to the aggre­gated results in Table 3.

Table 3: Main Fac­tors Influ­enc­ing Trust in EVS

6. Discussion

The pos­i­tive assess­ment of the elec­tronic vot­ing sys­tem is sup­ported in a large major­ity of respon­dents that claimed to trust the sys­tem. To this gen­eral opin­ion we may oppose the fact that a sig­nif­i­cant num­ber of respon­dents did not check if the sys­tem met the require­ments, was unaware of cer­tain fea­tures of the sys­tem and that the sys­tem had been cer­ti­fied by the Data Pro­tec­tion National Com­mis­sion. The expla­na­tion for this appar­ent incon­sis­tency may rest on par­tic­i­pants plac­ing their con­fi­dence in the sys­tem devel­op­ment team and in the elec­toral com­mis­sion, and on the acknowl­edg­ment that they did not have major con­cerns on using the sys­tem given the lim­ited scope of the elec­tions.

Before using the sys­tem, many par­tic­i­pants had not formed an opin­ion on evot­ing since they had never reflected on this sub­ject, oth­ers indi­cated they had some appre­hen­sion about this par­tic­u­lar tech­nol­ogy and the risks it entails, still oth­ers were more recep­tive to the use of e-vot­ing, per­haps because they had greater propen­sity to the use of IT. After using the sys­tem, the major­ity of par­tic­i­pants were more con­fi­dent in this type of sys­tems, with less appre­hen­sion, but revealed that after going through the process it remained the feel­ing that the free­dom to vote may be more com­pro­mised in EVS than in the tra­di­tional sys­tem. There­fore, a per­cep­tion that when using EVS some­thing can go wrong and that the vote that was expressed may be revealed and so the voter may suf­fer the con­se­quences does per­sist.

The pos­si­bil­ity of using e-vot­ing in broader elec­tions also raises divi­sions. On the one hand, there is a more con­ser­v­a­tive line of par­tic­i­pants that advo­cated a grad­ual tran­si­tion, from the tra­di­tional vot­ing sys­tem to PEVS and then to REVS. On the other hand, a large pro­por­tion of respon­dents con­sid­ered that PEVS are no longer attrac­tive. Finally, there is a large group that thinks it is very dif­fi­cult to use REVS in national elec­tions.

By com­par­ing the five core require­ments of EVS that were extracted from the lit­er­a­ture with the five require­ments most cited by par­tic­i­pants we find sig­nif­i­cant dif­fer­ences, as illus­trated in Table 4.

Table 4: Com­par­i­son of Core Require­ments of EVS

Although a defin­i­tive con­clu­sion might not be pos­si­ble (the order­ing of require­ments extracted from the lit­er­a­ture resulted from the authors’ inter­pre­ta­tion of the rel­a­tive impor­tance researchers attribute to the require­ments and the par­tic­i­pants’ order­ing is lim­ited to the case ana­lyzed), we find that only two require­ments are com­mon. Albeit respon­dents may have taken for granted cer­tain require­ments, it stands out the impor­tance attrib­uted to anonymity and mobil­ity, as well as the empha­sis placed on REVS usabil­ity, a require­ment less stressed in the lit­er­a­ture.

The issues ini­tially pro­posed as poten­tially influ­enc­ing vot­ers’ con­fi­dence in EVS were expressed by par­tic­i­pants as rel­e­vant to the process of build­ing trust in EVS.

The most cited fac­tor by vot­ers dur­ing the inter­views was the scope of the elec­tions: elec­tions with dif­fer­ent scope and rel­e­vance demand dif­fer­ent lev­els of trust in the sys­tem, so that the degree of con­fi­dence in the sys­tem will vary with the elec­tion in ques­tion.

In the sec­ond place come sys­tem audits and cer­ti­fi­ca­tions. For the other fac­tors which influ­ence con­fi­dence in EVS opin­ions are divided. One exam­ple con­cerns if the sys­tem source code should be open or closed. A large group of par­tic­i­pants argued that the code should be closed, except for audit pur­poses. Another sig­nif­i­cant group of respon­dents (clos­est to the IT area) only con­ceived con­fi­dence in this type of sys­tems if the source code was open.

The fac­tors that were iden­ti­fied as influ­enc­ing trust in EVS are inher­ently dif­fer­ent. The first fac­tor—the scope of the elec­tion—acts as a mod­er­a­tor of trust: the larger the elec­torate and the more impor­tant elec­tions are the greater the demands of vot­ers to trust the sys­tem. Other fac­tors, such as the sys­tem devel­op­ment team and the mon­i­tor­ing com­mit­tee, rep­re­sent sources of trust, i.e., enti­ties that directly instill vot­ers with trust in the sys­tem. The remain­ing fac­tors may ne viewed as car­ri­ers of trust, i.e., tech­nolo­gies and pro­ce­dures that con­vey con­fi­dence in the sys­tem. These car­ri­ers serve as prop­a­ga­tors or trans­mit­ters of trust from the sources of trust. Hence, in the case of audits and cer­ti­fi­ca­tions, the sources of trust are the agen­cies that assess and cer­tify the elec­tronic vot­ing sys­tems, the audit reports and the cer­tifi­cates are the vehi­cles (car­ri­ers) of trust of those sources.

Apply­ing this inter­pre­ta­tion regard­ing the nature of trust fac­tors leads to the char­ac­ter­i­za­tion shown in Table 5, where each fac­tor was clas­si­fied in terms of type (mod­er­a­tor, source of trust, or car­rier of trust). For the car­rier fac­tors, we sug­gest the cor­re­spond­ing sources of trust.

Under­ly­ing these fac­tors there is a set of beliefs held by peo­ple. For instance, regard­ing the scope of the elec­tion there is the belief that elec­tions with higher num­ber of vot­ers have higher lev­els of com­plex­ity and increased risks. Given this esca­la­tion, vot­ers require stronger evi­dence that the sys­tem remains wor­thy of trust. The case of open source code is also illus­tra­tive: it can be argued that under­ly­ing this fac­tor is the belief that if the sys­tem source code is made pub­licly avail­able, the com­mu­nity as a whole (actu­ally a very lim­ited and spe­cial­ized sub­set of that com­mu­nity) may scru­ti­nize it, or if an indi­vid­ual of that com­mu­nity mod­i­fies the code, the com­mu­nity will detect it and react against the mod­i­fi­ca­tion. An alter­na­tive belief is that if the code is open is can be more eas­ily exploited by malev­o­lent indi­vid­u­als who will then be able to attack the sys­tem. Accord­ing to this belief, source code should be care­fully pro­tected, namely by keep­ing it closed.

Table 5: Char­ac­ter­i­za­tion of EVS Trust Fac­tors

In the end, we may be able to reduce the phe­nom­e­non of trust in EVS to the cred­i­bil­ity that vot­ers attach to the sources of trust and to the reli­a­bil­ity they rec­og­nize car­ri­ers of trust pos­sess. The sources of trust that a voter chooses and the car­ri­ers of trust that a voter favors both depend on the beliefs of the voter. Iso­lat­ing these beliefs, iden­ti­fy­ing the sources of trust, and assess­ing the car­ri­ers of trust may be the way to under­stand the degree of con­fi­dence vot­ers place in an e-vot­ing sys­tem and to pro­vide the means to build and deploy trust­wor­thy EVS.

7. Conclusion

In this study we iden­ti­fied the fac­tors that influ­ence vot­ers’ con­fi­dence in elec­tronic vot­ing sys­tems by under­tak­ing a case study on the use of a remote elec­tronic vot­ing sys­tem in which 51 vot­ers were inter­viewed.

The main con­tri­bu­tion of this work is the list of fac­tors that vot­ers con­sider influ­ence their con­fi­dence in EVS, in order of rel­e­vance and char­ac­ter­ized accord­ing to the role they play in the process of instill­ing trust in vot­ers. Another con­tri­bu­tion of this study is the set of require­ments that respon­dents claimed to be essen­tial to EVS to sat­isfy, and its com­par­i­son with the set of require­ments extracted from the lit­er­a­ture.

The find­ings of the case study embody a set of rec­om­men­da­tions to be taken into account in the imple­men­ta­tion of vot­ing processes using IT sys­tems.

We also argue that by con­sid­er­ing the nature of each of the fac­tors—mod­er­a­tor of the degree of trust, source of trust, or car­rier of trust—we are bet­ter equipped to under­stand the degree of con­fi­dence that vot­ers place in this type of sys­tems, as well as the processes under­ly­ing the for­ma­tion of vot­ers’ atti­tudes in what con­cerns the adop­tion and use of EVS.

The work enriches the lit­er­a­ture by focus­ing on the fac­tors that elec­tors favor as defin­ers of their con­fi­dence in EVS. This com­ple­ments sev­eral propo­si­tions of EVS archi­tec­tures found in the lit­er­a­ture that seek to address spe­cific secu­rity require­ments from a tech­ni­cal point of view. Hence, the find­ings pro­vide con­text mfor the use of EVS by vot­ers. By know­ing what fos­ters trust on EVS from the per­spec­tive of vot­ers, we will be in a bet­ter posi­tion to design trust­wor­thy vot­ing processes and sys­tems, as well as to devise improved pro­ce­dures to ver­ify and audit their tech­ni­cal prop­er­ties.

The study has sev­eral lim­i­ta­tions. Although it is not easy to find vot­ers who have already used remote elec­tronic vot­ing sys­tems, a larger num­ber of inter­views would allow a deeper under­stand­ing of the processes and con­di­tions that lead to the estab­lish­ment of a rela­tion­ship of trust between vot­ers and EVS.

Another lim­i­ta­tion relates to the char­ac­ter­is­tics of the case study, since the elec­tions ana­lyzed refer to a small uni­verse of vot­ers, have a restrict scope and were pro­moted within a con­trolled and cul­tur­ally homo­ge­neous envi­ron­ment. In addi­tion, the par­tic­i­pants in this study are extremely qual­i­fied indi­vid­u­als with a high cul­tural level, so this group of vot­ers is not rep­re­sen­ta­tive of the elec­torate.

This paper reports an exploratory study on EVS trust fac­tors which leaves open many oppor­tu­ni­ties for future work. We restricted the study’s sub­jects to vot­ers and it would be wor­thy to obtain a view of other stake­hold­ers in the process of EVS adop­tion, such as devel­op­ers and audi­tors, and to find out whether the fac­tors that these groups rec­og­nize as influ­enc­ing trust in e-vot­ing dif­fer from those found in this study.

Another work would be to build a vari­ance model based on the trust fac­tors iden­ti­fied and test the causal rela­tion­ships with a research design that involved a rep­re­sen­ta­tive sam­ple of the elec­torate at the national level.

A more qual­i­ta­tive research would be to build a model to explain the process of for­ma­tion, main­te­nance, and dete­ri­o­ra­tion of stake­hold­ers’ trust in EVS.

Besides these pro­pos­als for future work, there are spe­cific issues that arose dur­ing the study and that require a bet­ter expla­na­tion, such as the rea­sons that led some vot­ers to con­sider that the vote might be more com­pro­mised in EVS than in the tra­di­tional vot­ing sys­tem and the extent to which vot­ers are will­ing to sac­ri­fice cer­tain require­ments of the vot­ing process in favor of other require­ments.

These are research oppor­tu­ni­ties worth pur­su­ing so that we can bet­ter under­stand trust in e-vot­ing sys­tems and to improve the chances of EVS being suc­cess­ful.

References

• ACE (2001). Oppor­tu­ni­ties, risks and chal­lenges of e-vot­ing. ACE Pro­ject, The Elec­toral Knowl­edge Net­work. http://ace­pro­ject.org/

  Anto­niou, A., C. Korakas, C. Manolopou­los, A. Pana­gio­taki, D. Sofo­tas­sios, P. Spi­rakis and Y. C. Sta­ma­tiou (2007). A Trust-Cen­tered Approach for Build­ing E-Vot­ing Sys­tems. In Wim­mer, M.A., J. Scholl and A. Grön­lund (Eds.), EGOV LNCS 4656, 36–377. Hei­del­berg: Springer.

  Antunes, P. (Ed.) (2008). Voto Elec­trónico—Dis­cussão téc­nica dos seus prob­le­mas e opor­tu­nidades. Lis­boa: Edições Sílabo.

  Brei, V .A. and C. A. V. Rossi (2005). Con­fi­ança, valor perce­bido e leal­dade em tro­cas rela­cionais de serviço: um estudo com usuários de Inter­net Bank­ing no Brasil. Revista de Admin­is­tração Con­tem­porânea 9, 145–168.

  CE (2004). Legal, Oper­a­tional and Tech­ni­cal Stan­dards for e-Vot­ing. Rec­om­men­da­tion Rec. (2004) of the Coun­cil of Europe. Coun­cil of Europe Pub­lish­ing.

  Crane, R. E., A. M. Keller, A. Dechert, E. Cher­lin and D. Mertz (2004). A Deeper Look: Rebut­ting Shamos on e-Vot­ing. http://www.acm.org/cross­roads/xrds2-
  4/vot­ing.html

  Cra­nor, L. F. and R. K. Cytron (1997). Sen­sus: A Secu­rity-Con­scious Elec­tronic Polling Sys­tem for the Inter­net. Pro­ceed­ings of the Hawai Inter­na­tional Con­fer­ence on Sys­tem Sci­ences. Wailea.

  Dill, D. L., B. Schneier and B. Simons (2003). Vot­ing and Tech­nol­ogy: Who Gets to Count Your Vote? Com­mu­ni­ca­tions of the ACM 46(8), 29–31.

  Frith, D. (2007). E-vot­ing secu­rity: hope or hype? Net­work Secu­rity 11, 14–16.

  Granne­man, S. (2003). Elec­tronic Vot­ing Deba­cle. Secu­rity, http://www.secu­ri­ty­fo­cus.com/colum­nists/198

  Gritza­lis, D. A. (2002). Prin­ci­ples and require­ments for a secure e-vot­ing sys­tem. Com­put­ers & Secu­rity 21(6), 539–556.

  Grove, J. (2004). ACM State­ment on Vot­ing Sys­tems. Com­mu­ni­ca­tions of the ACM 7(10), 69–70.

  Hall, J. L. (2008). Pol­icy Mech­a­nisms for Increas­ing Trans­parency in Elec­tronic Vot­ing. PhD Dis­ser­ta­tion. Uni­ver­sity of Cal­i­for­nia at Berke­ley, USA.

  Jones, B. (2000). A Report on the Fea­si­bil­ity of Inter­net Vot­ing. Cal­i­for­nia Inter­net Vot­ing Task Force, Sacra­mento, USA.

  Jones, D. W. (2001). Vot­ing and Elec­tions. The Uni­ver­sity of Iowa, USA. http://www.divms.uiowa.edu/~jones/vot­ing/

  Mayer, R. C., J. H. Davis and F. D. Schoor­man (1995). An Inte­gra­tive Model of Orga­ni­za­tional Trust. The Acad­emy of Man­age­ment Review 20(3), 709–734.

  McDaniel, P., A. Aviv, D. Balzarotti, G. Banks, M. Blaze and K. But­ler (2007). EVER­EST—Eval­u­a­tion and Val­i­da­tion of Elec­tion-Related Equip­ment, Stan­dards and Test­ing. http://www.patrickm­c­daniel.org/pubs/ever­est.pdf

  Mer­curi, R. (2000). Ques­tions for Vot­ing Sys­tem Ven­dors. http://www.nota­ble­soft­ware.com/check­lists.html

  Mer­curi, R. (2001). Elec­tronic Vote Tab­u­la­tion: Checks & Bal­ances. PhD The­sis, Uni­ver­sity of Penn­syl­va­nia, USA.

  Mer­curi, R. (2002). A bet­ter bal­lot box? IEEE Spec­trum 39(10), 46–50.

  Mon­teiro, A., N. Soares, R. M. Oliveira and P. Antunes (2001). Sis­temas Elec­tróni­cos de Votação. Tech­ni­cal Report, Uni­ver­si­dade de Lis­boa, Por­tu­gal.

  Neu­mann, P. G. (1993). Secu­rity Cri­te­ria for Elec­tronic Vot­ing. Pro­ceed­ings of the 16^th National Com­puter Secu­rity Con­fer­ence. Bal­ti­more.

  Neu­mann, P. G. (2004). Spe­cial Issue: The prob­lems and poten­tials of vot­ing sys­tems. Com­mu­ni­ca­tions of the ACM 47(10), 28–30.

  Open Rights Group (2007). May 2007 Elec­tion Report—Find­ings of the Open Rights Group Elec­tion Obser­va­tion Mis­sion in Scot­land an Eng­land. http://www.open­rights­group.org/wpcon­tent/uploads/org_elec­tion_report.pdf

  Ran­dell, B. and P. Y. A. Ryan (2006). Vot­ing Tech­nolo­gies and Trust. IEEE Secu­rity and Pri­vacy 4(5), 50–56.

  Schlienger, T. and S. Teufel (2002). Infor­ma­tion Secu­rity Cul­ture: The socio-cul­tural dimen­sion in infor­ma­tion secu­rity man­age­ment. Pro­ceed­ings of the IFIP TC11 Inter­na­tional Con­fer­ence on Infor­ma­tion Secu­rity, 191–202.

  Schneier, B. (2004a). Get­ting Out the Vote: Why is it so hard to run an hon­est elec­tion? San Fran­cisco Chron­i­cle, Octo­ber 31.

  Schneier, B. (2004b). What’s wrong with elec­tronic vot­ing machines? Open­Democ­racy, http://www.open­democ­racy.net/media-vot­ing/arti­cle_2213.jsp

  Schneier, B. (2006). Did Your Vote Get Counted?, http://www.schneier.com/essay-133.html

  Shamos, I. (1993). Elec­tronic Vot­ing—Eval­u­at­ing the Threat. Pro­ceed­ings of the Third Con­fer­ence on Com­put­ers, Free­dom and Pri­vacy, 3.18–3.25. Burlingame.

  Strauss, C., D. Mertz and K. Dopp (2005). Elec­tronic Vot­ing Sys­tem Best Prac­tices. http://elec­tion­math­e­mat­ics.org/em-vot­ingsys­tems/Best_Prac­tices_US.pdf