Electronic voting has been with us since 1960 and online voting since the Internet existed. But they have never been as relevant as they are today. Pandemics forced more than 3 billion people into confinement. In business, telecommuting is becoming more and more normalized. And hybrid events are already more frequent than face-to-face ones.
In this context, boards of directors, shareholders' meetings, association assemblies, union elections, town council meetings or owners' meetings are all forced to hold telematic or mixed events. But how to ensure the legal validity of these collegiate decisions and how to avoid unwanted challenges? In this article we explain some basic concepts to help you understand how online voting works and how it can help you achieve more participation with less effort and at a lower cost.
Online and electronic voting
There are many electronic voting systems. Broadly speaking, we can classify them into two groups: vote casting systems and vote counting systems. Counting systems are the most widespread in the public sphere. A large number of countries use them in their general and regional elections. Casting systems are equally mature at the technological level, but their use is mostly restricted to private use - companies, associations, cooperatives, etc. One of the most widely used electronic voting systems is the online voting system; therefore, in this article we will speak of electronic voting or online voting interchangeably.
The law provides for the use of online vote casting and counting systems in shareholders' meetings, boards of directors, association assemblies, union elections, town council meetings and other government bodies. In order to be able to do so with all the guarantees, there are basically two requirements: duly guaranteeing the voter's identity and accrediting the security of the system. Below, we tell you a little more about these two aspects.
Electronic identification means
The key to ensuring the legal validity of online voting lies in how to guarantee the voter's identity. The European framework that regulates electronic identification services is Regulation 910/2014, known as eIDAS. In this text, electronic signature is defined as the set of electronic data that make it possible to duly guarantee the identity of the signatory. Although the word may be misleading, an electronic signature is nothing more than a means of electronic identification. Therefore, in telematic voting, the voter must sign (or provide a series of identifying data) in order to cast his or her vote online.
Most of us are familiar with the electronic certificates we use when signing contracts digitally. These certificates can only be obtained by appearing before a competent authority such as the FNMT or the Police. The signature issued with these certificates is known as qualified electronic signature. However, there are two other types of signature included in the eIDAS regulation. These are the simple signature and the advanced signature, the two most widely used means of electronic identification to duly guarantee the identity of voters in the decision-making processes of private organizations.
We can say, then, that the electronic signature - whether simple, advanced or qualified - allows us to duly guarantee the voter's identity. And, therefore, any of the three can be used to hold telematic votes with legal validity in the private sphere. The main difference between them is the level of security they allow us to achieve. But before going into the details of the different types of signature, we must better understand how an identification process works.
Face-to-face vs. digital identification
An identification process consists of different steps. Some steps are more vulnerable than others to fraud. So we can say that the security level of the whole process is equivalent to the security level of the most vulnerable step of all. When we talk about digital identification processes, we tend to obsess about possible security breaches. But we often fail to realize that face-to-face identification processes are just as vulnerable. Let's see why.
The word identity comes from the Latin idem entitas (same entity). Therefore, to verify the identity of an individual we need two subjects, the individual himself and some attribute issued by an official body that allows us to make a comparison (a passport, a driver's license, a national identity card, etc.). Traditionally, this comparison has been made by a qualified person - a policeman, a civil servant, a notary or the like. A person trained to avoid cheating and deception. However, we all know stories of twin brothers swapping to pass driving tests. And on the deep web you can buy a fake passport for just over 3,000 euros - if it's German, Portuguese ones are around 700 euros.
Some online voting providers claim that their systems are inviolable. But this is not true. The digital world is as vulnerable as the real world. The point is to minimize these risks as much as possible and always in accordance with the applicable legislation for each type of organization (public administrations, companies or associations) and transaction (it is not the same to travel by bus with my partner's transport card than to buy a Louis Vuitton coat with his credit card).
Identification process in online voting
We have said that the security level of an identification process is equivalent to the security level of the most vulnerable step. But what are the steps of an identification process in an electronic voting? We distinguish four steps: registration, verification, identification and activation.
Let's imagine that a listed company holds its shareholders' meeting telematically. The first step is to draw up a census. If there is a proxy voting system, only shareholders who are registered can vote. Otherwise, the census will include all shareholders. But before voting, some adjustments will have to be made to manage proxy voting and to identify the authorized representatives of the legal entities entitled to vote. It is in this second step that it will be necessary for the company in question to verify the identity of its shareholders. They will be asked for their ID card or passport and, where applicable, the deeds linking their identity to that of the legal entity they represent or a letter authorizing the person to whom they are delegating their vote.
These first two steps are usually carried out by the company without the intervention of a telematics voting provider. And ideally, the security of the next steps should be equal or superior to the previous two steps. In other words, an online voting provider must ensure that the security of its identification and activation system is less vulnerable than its customer's registration and verification system. Otherwise, it's like having a high-end car and putting retreaded second-hand tires on it.
The third step, then, takes place on voting day, when voters access the online voting platform to exercise their right. This is when voter identification takes place. To understand the different levels of security in this step, it is very useful to read the Security Technical Specifications established by the European Union(EU Regulation 2015/1502).
In short, in order to have a high level of security it is important to perform a two-factor authentication. This is the typical process in which the user is asked for a piece of information they have (such as their passport number or personal password) and a dynamic piece of information that is sent to them at that moment (for example, a verification code via SMS). This is the level of security required by banks to authorize online financial transactions for their customers and, likewise, it is a reasonable level of security for the type of voting we are discussing in this article.
The fourth and final step consists of activating (or authorizing) the voter to cast his or her vote online. Here, we have already duly guaranteed their identity. The next step is to accredit the integrity of the data. That is to say, to guarantee that the data, once registered, cannot be altered by anyone. To do this, so-called time stamps are usually used; systems in which a trusted third party generates an alphanumeric key (or hash) that is linked to the date and time the vote was cast, as well as other data associated with the voter (personal data, IP address and the device from which he/she votes, etc.). If the data is altered, when the trusted third party is asked to re-generate the alphanumeric key, it does not match the initial one and, therefore, the data has been altered.
An alternative to time stamps generated by trusted third parties is blockchain technology, which allows us to do something similar dispensing with the certifying authority.
Simple, advanced and qualified electronic signature
Now that we have a good understanding of the whole process of identification and electronic voting, it is easier to distinguish between simple and advanced electronic signatures. The former allows us to duly guarantee the voter's identity, generally thanks to a secure two-factor authentication. The second also guarantees the integrity of the data, thanks to a qualified time stamp.
The simple electronic signature is therefore less secure than the advanced one, but equally legal depending on the type of organization using it and the importance of the decision at stake. The result of an electronic vote with a simple signature is a record of votes. Whereas with the advanced signature, documents are generated that contain all the evidence of identification and carry a qualified time stamp. These documents are admissible in court as documentary evidence and therefore make it more difficult for a potential challenge to progress.
Finally, as mentioned above, in addition to the simple and advanced electronic signature, there is the qualified signature. For a signature to be qualified, the first two steps of the process described above must be carried out in person by a recognized certification service provider (Police, FNMT, etc.), issuing a qualified signature certificate. Although it is the most secure signature of all, it does not allow us to carry out a completely telematic process.
Which online voting system should I choose?
To know if your online (or electronic) voting process is completely legal, you must first know what regulatory framework applies to your organization and the type of decision to be made. That regulation - whether it is the Capital Companies Act or your organization's Articles of Association - will require that, at the very least, the identity of the voters is duly guaranteed. And for them, according to the Electronic Signature Law, you can opt for a simple, advanced or qualified signature. Whichever signature you choose, make sure that your provider offers secure two-factor authentication and that it complies with the National Security Scheme and ISO27001 for Information Security. And if in your case it is imperative to guarantee the integrity of voting records, opt for an advanced signature with a qualified time stamp.
We know that the technical vocabulary is not very intuitive. But if you reread this article calmly, you will see that it is actually simpler than it seems. At Kuorum we have been helping public and private clients in seven countries with their telematic voting since 2013. If you have any questions contact us at without obligation.
