CoE CM/Rec(2017)5 on standards for e-voting
| Nr | Label | Status |
|---|---|---|
| 1 | UI is easy to use for voters | ◯ |
| 1(a) | Easy to interpret voting options | ◯ |
| 1(b) | Voters involved in design | ◯ |
| 1(c) | System compatibility | ◯ |
| 2 | Independence for disabled voters | ◯ |
| 2(a) | Special voting interfaces | ◯ |
| 2(b) | WCAG 2.0 AA compliance | ◯ |
| 3 | Other voting channels available if e-voting not universally accessible | ◯ |
| 4 | Live election interface is explicit | ◯ |
| 5 | Voting info presented uniformly | ◯ |
| 5(a) | No superfluous info on ballot | ◯ |
| 5(b) | No biased info about candidates | ◯ |
| 6 | Secure aggregation across channels | ◯ |
| 7 | Voters uniquely identifiable | ◯ |
| 8 | Voters authenticated | ◯ |
| 9 | One vote per voter… | ◯ |
| 9(a) | …even if multiple casts allowed | ◯ |
| 9(b) | …even if multiple channels | ◯ |
| 9(c) | Multiple casts prevented otherwise | ◯ |
| 10 | Voting system is protected | ◯ |
| 10(a) | Voter taught to verify connection | ◯ |
| 10(b) | Only official information on ballot | ◯ |
| 10(c) | Cast ballots are tamper-resistant | ◯ |
| 10(d) | Coercion resistance | ◯ |
| 11 | Procedures ensure authentic ballot | ◯ |
| 12 | Proper voter intent-capture | ◯ |
| 12(a) | Ballot modifiable before casting | ◯ |
| 13 | Voters can cast an abstain vote | ◯ |
| 14 | Voters are advised of invalid votes | ◯ |
| 15 | Individual verifiability | ◯ |
| 15(a) | Paper copies of votes at polls | ◯ |
| 15(b) | Statistical audits (e.g. RLAs) | ◯ |
| 16 | Confirm of cast ballot | ◯ |
| 17 | Can verify all valid votes incl. | ◯ |
| 18 | Can verify only valid votes incl. | ◯ |
| 19 | Ballot secrecy | ◯ |
| 19(a) | Voter list separated from voting components | ◯ |
| 20 | Data minimization | ◯ |
| 21 | Authentication data is protected | ◯ |
| 21(a) | Authentication uses cryptography | ◯ |
| 22 | Voter list has access control | ◯ |
| 23 | No transferable proof of cast vote | ◯ |
| 23(a) | Paper-based proofs | ◯ |
| 23(b) | No residual info after casting | ◯ |
| 23(c) | Voters informed of ballot secrecy risks and mitigations | ◯ |
| 23(d) | Voters taught to remove traces from devices | ◯ |
| 24 | No disclosure of premature results | ◯ |
| 25 | Pre-cast selections also secret | ◯ |
| 26 | Voters anonymous during count | ◯ |
| 26(a) | Voter identity and choice separated | ◯ |
| 26(b) | Ballots decoded ASAP after close | ◯ |
| 26(c) | Confidentiality during auditing | ◯ |
| 27 | Gradual introduction of e-voting | ◯ |
| 27(a) | Public feasibility study beforehand | ◯ |
| 27(b) | Early pilots | ◯ |
| 27(c) | Final system tested before election | ◯ |
| 27(d) | Comprehensive pilots | ◯ |
| 28 | Legislation enacted beforehand | ◯ |
| 28(a) | Law: Implement/operate/count | ◯ |
| 28(b) | Law: Vote validity | ◯ |
| 28(c) | Law: Discrepancies in verification | ◯ |
| 28(d) | Law: Data destruction | ◯ |
| 28(e) | Law: Domestic/int’l observers | ◯ |
| 28(f) | Law: Timelines | ◯ |
| 28(g) | No voting before voting period | ◯ |
| 28(h) | E-voting in-person allowed before | ◯ |
| 28(i) | No voting after voting period | ◯ |
| 28(j) | System delays don’t invalidate vote | ◯ |
| 28(k) | System inaccessible after election | ◯ |
| 29 | EMB has control over system | ◯ |
| 29(a) | Transparent procurement | ◯ |
| 29(b) | Limit conflicts of interest | ◯ |
| 29(c) | Separation of duties | ◯ |
| 29(d) | Not unduly dependent on vendor | ◯ |
| 30 | Observability of the count | ◯ |
| 30(a) | Records of vote-counting process | ◯ |
| 30(b) | Evidence-based vote counts | ◯ |
| 30(c) | Accuracy features are verifiable | ◯ |
| 30(d) | Availability/integrity of ballot box | ◯ |
| 31 | Transparency | ◯ |
| 31(a) | Published list of software used | ◯ |
| 31(b) | Public access to source code, docs | ◯ |
| 31(c) | Detailed guidelines, incl. procedural manual | ◯ |
| 32 | Voters provided info about election | ◯ |
| 32(a) | Docs and support how to vote | ◯ |
| 32(b) | Voter info widely available | ◯ |
| 32(c) | Public demo of e-voting system | ◯ |
| 33 | Disclosure of system components | ◯ |
| 33(a) | Detailed/reliable observation data | ◯ |
| 33(b) | Observers have access to docs | ◯ |
| 33(c) | Docs in common language | ◯ |
| 33(d) | Observers trained by EMB | ◯ |
| 33(e) | Observable hardware and software testing | ◯ |
| 33(f) | Observable certification process | ◯ |
| 34 | Observable election | ◯ |
| 35 | Component interoperability | ◯ |
| 36 | Standards exist for e-voting | ◯ |
| 36(a) | Certification aims and methods | ◯ |
| 37 | Independent review of compliance | ◯ |
| 37(a) | Certification costs determined | ◯ |
| 37(b) | Certification bodies receive relevant info and get sufficient time | ◯ |
| 37(c) | Certification mandate regularly reviewed | ◯ |
| 37(e) | Certification reports are self-explanatory | ◯ |
| 37(f) | Disclosure of certification docs | ◯ |
| 38 | Certified system is immutable | ◯ |
| 39 | Open and comprehensive auditing | ◯ |
| 39(a) | Detailed auditing requirements | ◯ |
| 39(b) | Components have synchronized time sources | ◯ |
| 39(c) | Audit conclusions considered in future elections | ◯ |
| 40 | EMB is responsible for compliance, availability, reliability, usability, and security | ◯ |
| 40(a) | No downtime | ◯ |
| 40(b) | Inform voters of incidents | ◯ |
| 40(c) | No eligible voters excluded | ◯ |
| 40(d) | Cast votes are accessible, secure, and accurate | ◯ |
| 40(e) | No data loss when technical problems occur | ◯ |
| 40(f) | Security mechanisms consider usability | ◯ |
| 40(g) | System uptime regularly checked | ◯ |
| 40(h) | E-voting infrastructure is secure | ◯ |
| 40(i) | Disaster recovery plans exist | ◯ |
| 40(j) | Possible to check state of protection of voting equipment | ◯ |
| 40(k) | Permanent backup plans available | ◯ |
| 40(l) | Incident response protocols available to staff | ◯ |
| 40(m) | Post-election securely stored | ◯ |
| 41 | Only authorized people have access to infrastructure | ◯ |
| 41(a) | System access limited to necessary function | ◯ |
| 41(b) | Two-person rule, mandatory reporting and monitoring during voting | ◯ |
| 41(c) | Two-person rule for other critical technical activity | ◯ |
| 42 | Deployed voting system is genuine and operates correctly | ◯ |
| 42(a) | Equipment checked before each election | ◯ |
| 43 | Software updates are recertified | ◯ |
| 43(a) | Infrastructure deployment procedures | ◯ |
| 44 | Vote protected and immutable once cast | ◯ |
| 45 | No info released about votes and voters before counting commences | ◯ |
| 46 | Secure handling of cryptographic material by electoral body | ◯ |
| 46(a) | Cryptographic key generation ceremony open to public | ◯ |
| 47 | Integrity incidents are reported | ◯ |
| 47(a) | Integrity threats specified in advance | ◯ |
| 47(b) | Incident mitigations specified | ◯ |
| 48 | Integrity of voter/candidate lists | ◯ |
| 48(a) | Security of printing process for voter cards | ◯ |
| 49 | System identifies irregular votes | ◯ |
| 49(a) | System determine if votes cast within time limit | ◯ |
◯: No info ⨂: Not applicable ⨀: Not met ◐: Partially met ⬤: Fully met
See also
Derived from
Online Voting in Ontario Municipalities:
A Standards-Based Review
CC BY 4.0 James Brunet & Aleksander Essex 2023