Minimizing Risks In Using Technology

The use of technology for any purpose may imply serious risks for its users. In the case of electoral administration, a procedural or technological failure may have grave consequences for a community, a region or the entire country.

This means that while it is always important to find ways to minimise the impact of technology malfunctions, for electoral administration, and especially for voting operations, it may be crucial.

 

Ways to minimise the risks in using technology for electoral purposes include:

  • following systems verification, testing and maintenance procedures to ensure that hardware, communications and software operate effectively
  • ensuring that the technology is physically secure, preventing accidental damage or unauthorised access
  • implementing data collection procedures and methodologies that ensure that data is collected and verified reliably
  • organizing appropriate electoral staff training
  • ensuring that data and computer programs are secure, including the use of encryption techniques to prevent unauthorised access
  • putting in place data backup procedures, including reliable data storage and restoration
  • providing manual contingency systems
  • using auditing code and protecting computer software against computer viruses
  • taking out appropriate insurance to guard against monetary or material loss
  • building in performance safeguards to ensure that staff and external suppliers have a direct interest in the successful completion of a project, such as performance bonds, bonuses or penalty clauses
  • adopting public assurance measures to satisfy stakeholders that the technology is reliable and transparent, through public logic and accuracy tests, making software code available for scrutiny and conducting voter information campaigns
  • adopting and enforcing privacy policies to ensure that personal and confidential data is kept secure, while also guaranteeing that appropriate public information is readily available

Security

One of the most important ways to minimise the risks in using technology is to ensure that the technology is secure. This includes Physical Security, Data Access Security, Software Security and Virus Protection.

 

Physical security

 

Ensuring the physical security of technology is one of the main ways to minimise the risks in using technology.

 

Physical security measures can be divided into two broad categories: security against environmental factors, such as fire, moisture, flood, heat, cold, power failure and animals; and security against human interference, either deliberate or accidental.

 

Physical security against environmental factors

 

The types of environmental security measures that can be taken depend on the types of technology being considered and where the technology is used. Security measures appropriate to technology that is designed to travel and/or be used in places with weak or non-existent infrastructures is different from technology that is static and used in office environments.

 

Where technology is powered by electricity (and most electoral technology is), it is crucial to secure the power source and to provide backup power supply equipment as an integral part of the technology system.

 

Power can be cut off without warning anywhere in the world. It is advisable to prevent the loss of data during a power interruption by connecting sensitive technology to an intermediary piece of equipment called an uninterruptible power supply (UPS). If the main power supply fails, the battery included in the UPS takes over and supplies power for a limited period, during which time backups can be performed, if necessary.

Some UPS systems also issue a warning signal once the main power source fails so that users are alerted to the problem and can take the necessary steps to prevent accidental data loss and conduct a controlled closing down of the system. UPS prices increase with the amount of power they are able to supply, the sophistication of the warning signals and with the period of time they are able to operate.

While power supplies are meant to provide a constant level of electricity, they can on occasion over-supply power. This is called a “spike” and can burn some components of technology equipment. Therefore the use of a voltage regulator between the piece of equipment and the power supply is advisable unless a UPS with a voltage regulator function is in use.

In countries that have unreliable power grids or where power supply can be systematically erratic, intermittent or non-existent, there might be a need to provide a generator capable of powering all the necessary equipment for extended periods. Generators also increase in price with the power they are able to deliver.

Various kinds of generators can be used, powered by various kinds of fuel, typically petrol or diesel, and they can be used as the main source of power supply or as a backup when the main power source fails. Generators can be coupled with UPS systems, so that the UPS can handle the transfer from the main power source to generator power.

 

Where a generator is used as the primary power source, it may be desirable to have one or more backup generators available in case the primary generator fails. Regular maintenance of generators can ensure that they operate effectively.

 

Another important aspect of physical security is ensuring that technology equipment, particularly computer equipment, is appropriately housed. Ideally, computer equipment is stored in sealed buildings with climate control, so that temperature and humidity are kept at constant, optimal levels, and dirt, dust, smoke and other contaminants are excluded. In many cases, normal building air conditioning systems that control cooling and heating are employed for this purpose.

 

In particularly harsh environments, however, or in the case of specifically sensitive equipment, normal air conditioning systems may not be sufficient, and special climate control systems may have to be installed. Concentrating equipment in dedicated, sealed rooms, with the climate controlled by a specialised, air conditioning system is one solution. These rooms need to be regularly and carefully cleaned, particularly for dust build-up (dust is attracted by the static electricity generated by computer equipment, especially video display screens).

 

Cigarette smoke residues can damage computer equipment. Ideally, smoking should not be permitted in workplaces for both the health of workers and their equipment.

 

It is advisable that equipment used out of doors or in unsecured buildings, such as equipment used by remote polling teams or in polling stations, come with its own secure containers to ensure that outside environmental factors such as dust or moisture do not affect it. It may be necessary to use equipment that is purposely built for use in remote locations, ensuring that it is robust and capable of functioning under adverse circumstances.

 

Telecommunications equipment also has special physical security needs. In particular, cables connecting computer networks need to be kept safe from harm. Cables are at risk of being gnawed by rodents and being tripped over by humans. Ways of safeguarding cables include shielding the cables inside ducts or strong sheaths, placing them inside walls, below floors and above ceilings, building false floors to enable cables to travel underneath them, burying cables underground or mounting them on poles. Where cables are at risk, alternatives such as microwave links could be considered.

 

Physical security against human factors

 

Many of the measures taken to secure technology against environmental factors can also be used to prevent accidental or deliberate human intervention with technology. Physical isolation, such as placing key items of technology like network servers, inside dedicated rooms, can help to reduce the chance of human intervention. Similarly, placing network cables inside walls, below floors and above ceilings makes them hard to access.

 

However, the most effective physical measure that can be taken to prevent human intervention in technology is to lock the technology inside secure premises. Modern technology has provided a wide range of sophisticated devices that can restrict entry to buildings and rooms to authorised persons only. These include:

  • old-fashioned locks and keys
  • locks operated by access code numbers (mechanical or computerised)
  • locks operated by cards with magnetic strips
  • locks that recognise biological features, such as fingerprints, hand prints or retinas
  • locks that require a combination of two or more of the above methods

 

The advantage of the more sophisticated locking systems that use computer systems to validate entry is that they can be used to monitor which individuals have accessed a facility and when. Locks that use biological features go one step further and ensure that only identified and verified individuals can enter a facility. Locks that do not incorporate biological features are not as secure since it is always possible for someone to steal someone else's entry card or access code numbers.

 

Surveillance is another form of security. Security guards can be used to verify entry to a facility. Security cameras can be used by security guards to monitor a range of access areas. Sensors can be used to monitor activity and set off alarms if security is compromised. If on-site security is too expensive, on-call security services can be employed at a lesser rate to patrol the premises from time to time and respond to alarm calls. Alarm systems can be set up that can not only ring a local alarm but can also set off an alarm at a remote security firm or police station.

 

While locks and surveillance systems are a good form of security, the overall level of security will only be as good as the weakest point in the security cordon. For example, many office buildings allow human access between floors in service ducts (usually for the purpose of providing air conditioning and cable access). It is important to ensure that access restrictions to technology cannot be overcome simply by a person climbing into an air-conditioning access point outside a secure area and getting into the secure area via the space above the ceiling.

 

If the physical security of electoral technology is of high importance, it may be worth employing a security expert to conduct a security audit on the premises to ensure that all appropriate steps are taken.

 

The final form of security against undue human intervention in technology is to make it difficult or impossible for an unauthorised user to access or change the data held in computer systems. This can be achieved by restricting access to data through use of passwords and encryption.

 

Data access security

 

Much of the data held by an election management body (EMB) is sensitive information that is private or privileged and must be kept secure. Many computer programs used by EMBs must be safeguarded to ensure that election processes run fairly and that election results are not compromised by accidentally altered or deliberately sabotaged programs.

 

Physical security can be used to isolate computer equipment and prevent unauthorised access, but it is only the first line of defence. The next line of defence is data access security.

 

Password protection

 

The most common method of data access security is password protection. Several layers of password protection can be imposed. Computers can be set up to require a password before they can “boot up” and give users access to any of the data on the system, either on the computer's local hard drive or on the network. Networks can be configured to require all users to enter a correct user name and password before network access is permitted, so that even if an unauthorised user can operate a local computer they are not able to get onto the network.

 

Particular software programs can be password protected also, so that even if an intruder can gain access to the network, they cannot run particular programs. Finally, individual files can be password protected, so that intruders are not able to open them even if they gain access to the files or copy them to another system or to a removable disk.

 

Passwords are not foolproof, however. There are several basic rules that apply to the use of passwords, aimed at ensuring that unauthorised users cannot discover them:

  • Passwords are best never written down and left where an unauthorised user might find them. If passwords have to be written down, they need to be securely locked away.
  • It is beneficial to change passwords regularly—about once a month is a good standard.
  • The most effective passwords are the ones that are not obvious—the name of the user, the organisation, a relative, friend or famous person can be relatively easily guessed by others.
  • The most secure passwords will contain a mixture of letters and numbers and, if the computer system is case sensitive, a mixture of upper and lower case letters, since such combinations are harder to crack.
  • Short passwords are easier to crack—eight characters or more are considered a good length.
  • Passwords are best not shared between colleagues, relatives or friends—each person can have their own password.
  • In the case of very sensitive systems it may be advantageous for the computer system to keep track of which passwords are used at what times, and what data is accessed.
  • It is desirable to limit the number of times in a session when a person can try to enter a password and fail. This is particularly important where password access is permitted on a public network like the Internet (some computer programs can be set up to automatically try huge numbers of possible passwords, if the system permits this).
  • When an employee who is assigned a password resigns or leaves a workplace to work elsewhere, that person's password access is best revoked.
  • System administrators need the ability to reset passwords for users who forget them.
  • Anyone with password access to a computer system (including any externally employed contractors or systems administrators) will need to have a security clearance at a level appropriate to the data accessible on the system.

 

Limiting authorised access

 

Even where a user has log-in permission and a valid password, an EMB may not wish that user to access all the data held on the EMB's system. For example, casual staff employed to enter payroll data will have no need to access sensitive election results programs. Password access can be used to limit a user's right to access different parts of a system by applying different levels of access rights to different classes of users.

 

Where authorised access is provided, introductory screens displayed immediately after logging in can remind users of any legal requirements for maintaining the security of data and of any penalties that may apply to misuse of data.

 

Data storage locations

 

Another way to help keep data secure from unauthorised access is to limit the places in which data is stored. In networked computer systems, it is good practice to keep all data, particularly all sensitive data, on centralised servers rather than on local personal computers' hard drives. This practice means that any unauthorised intruder trying to access data has to pass two levels of security to reach data—both the local computers and the network server's. It is generally more difficult to gain unauthorised access to data on a server than it is on a personal computer.

 

Another advantage of keeping sensitive data on servers is that it limits the number of computers that need a very high level of security. One way to steal data is to physically steal the computer on which it is stored. While it may be too cumbersome, expensive or impractical to keep all personal computers under high security, it is usually highly desirable and more practical to do so with at least the servers.

 

Remote access to data

 

Many computer networks allow remote access to data, by connecting to the network over a public system such as the Internet or the telephone system by dial-up modem. This level of access makes it much easier for unauthorised users to access data, because they do not have to gain physical access to EMB premises or a computer linked to the EMB's private network.

 

A risk assessment can be made to determine whether the level of risk of exposing a network to public dial-up or Internet access is worth the added convenience of allowing authorised users to have remote access. If a decision is made that remote access is needed, a technical expert in minimising the risks of remote access can be employed to ensure that the system is as secure as possible. To be most effective it is important to seek up-to-date advice, as the technology involved in this area is constantly changing.

Since sensitive networks that allow remote access can be targets for “hackers” who specialise in breaking the security of high profile networks, every possible step needs to be taken to minimise that risk. One way to do so, particularly if remote access is only needed for a limited range of functions, is to isolate the most sensitive data and programs from the part of the network that is accessible remotely, so that they cannot be reached other than through the local network.

 

Another way to limit the risks of allowing remote access is to only allow access to copies of data, with no access permitted to the original sets of data.

 

Firewalls

 

Firewalls are technological barriers built into computer networks to control access to the networks. Firewalls are intended to prevent unauthorised users from accessing data and programs protected by the firewalls. Technical experts in this field can advise on appropriate firewall technology for a given system.

 

Audit trails

 

Audit trails can be used to log the activities of persons accessing sensitive data. Audit trails can show which staff accessed which data, and can also indicate what changes to data were made, when they were made, and who made them. Properly used (and not ignored or overlooked), such audit trails can be powerful tools for either verifying that security breaches have not occurred, or can identify any breaches that have occurred.

 

Software security

 

Computer software programs are made up of complex code. Computer programs that perform sensitive operations related to running an election must run correctly, or the success and legitimacy of an election could be jeopardized. For example, should an intruder breach security and get access to software’s code, changes could be made that alter the computer-reported results of an election in a way that would be very difficult to detect.

 

Software security, therefore, is another line of defence in the battle to ensure electoral technology is kept secure.

 

External auditors can scrutinise the code used in electoral computer systems and verify that it performs appropriately. Computer code that has been externally audited can then be “escrowed,” or kept in secure off-site storage in an independent authority's control. This allows for the escrowed version to be compared to the “live” version of the code used for an electoral event.

 

In this way, it becomes possible not only to verify that computer software is free of any hidden flaws or deliberate attempts at manipulation, but also to verify after the software has been used that its code has not been changed or tampered with since it was audited.
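The escrow comparison described above can be made mechanical: the audited release is fingerprinted file by file, and the copy actually deployed for the event is checked against that manifest. The following is an added illustration, not code from ACE or any election management body; the directory layout, file names and contents are constructed for the example.

```python
"""Check a deployed ("live") copy of electoral software against the escrowed, audited release.

Added example, not ACE's or any EMB's code. The escrow authority seals a manifest of
SHA-256 digests at audit time; after the event the live tree is hashed the same way and
any modified, missing or unaudited file is reported. Paths and contents are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root):
    """Fingerprint every regular file under root: {relative_posix_path: sha256_hex}."""
    manifest = {}
    for path in sorted(p for p in Path(root).rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_to_escrow(escrow_manifest, live_root):
    """Compare the deployed tree with the manifest sealed at audit time.

    Returns the three findings an auditor needs:
      modified - file in both, but its contents differ from the audited version
      missing  - file in the audited release that is absent from the live system
      added    - file on the live system that was never audited
    """
    live = build_manifest(live_root)
    return {
        "modified": sorted(f for f in escrow_manifest if f in live and live[f] != escrow_manifest[f]),
        "missing": sorted(f for f in escrow_manifest if f not in live),
        "added": sorted(f for f in live if f not in escrow_manifest),
    }


def demo(tampered=True):
    """Constructed scenario: an audited release, then a live copy that may have drifted."""
    with tempfile.TemporaryDirectory() as d:
        escrow, live = Path(d) / "escrow", Path(d) / "live"
        for root in (escrow, live):
            (root / "count").mkdir(parents=True)
            (root / "count" / "tally.py").write_text("def tally(v):\n    return sum(v)\n")
            (root / "config.ini").write_text("[count]\nmode=official\n")
        manifest = build_manifest(escrow)  # sealed by the independent authority at audit time
        if tampered:
            # Live copy drifts: tally logic altered, config removed, unaudited file appears
            (live / "count" / "tally.py").write_text("def tally(v):\n    return sum(v) + 1\n")
            (live / "config.ini").unlink()
            (live / "count" / "patch.py").write_text("# never audited\n")
        return compare_to_escrow(manifest, live)


if __name__ == "__main__":
    print(demo())
```

The comparison is only as trustworthy as the machine and tool doing the hashing, so in practice the manifest is signed by the escrow authority and the check is run from read-only media rather than from the system under examination.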

 

This level of security may not be necessary for all software used by election management bodies, however it is highly useful for crucial systems such as electronic voting and electronic vote counting systems.

 

Another way of proving the integrity of computer software is using "open source" software rather than proprietary software since code of open source software is publicly available and external programmers can audit the code and satisfy themselves that it performs properly. This may be desirable where competing political participants wish to independently verify software code used for electoral purposes. Whether the advantages of providing code openly outweigh the risks of identifying areas of weakness will be a matter of judgement in each particular case.

 

Virus protection

 

Computer “viruses” are a serious threat to all computer systems, particularly systems linked in networks and systems connected to the Internet and to email services. Virus protection software is an essential part of any computer system.

 

What is a computer virus?

 

Computer viruses are programs developed by mischievous or malicious programmers that are capable of being attached to software or data files or of being installed on accessed computers to perform a wide range of functions from the benign to the malign.

 

Benign viruses can simply perform harmless (but usually annoying) functions such as displaying a pop-up message. Malign viruses can corrupt or change data or programs, destroy computer files, or cause massive amounts of email to be generated, threatening the stability of networks by overwhelming them with data.

 

Viruses are spread by transferring infected or malicious files from one computer to another. This can happen by transferring files to removable data disks, by accessing or downloading files on the Internet or a network, or by files sent by email. Viruses can be executable files (with an '.exe' filename extension) or files in other formats, such as word processing files containing macros. Running these executable files or opening files containing infected macros can cause a computer virus program to run that can potentially do a great deal of damage.

 

Some viruses take hold of email programs. By accessing a user's list of stored email addresses, a virus can replicate itself by sending copies of the virus to each email address. The multiplying effect of this strategy means that a virus can spread to a large number of computers all around the world in a short space of time.

 

Computers hit by a virus attack can be severely damaged, and a lot of data can be lost or compromised. In the worst cases a computer's hard disk can be rendered useless, and all data on it lost. In this situation the best that can be done is to reformat the hard disk (wipe it clean and start again) and reload all the necessary software from backups.

 

The possibility of a virus attack is a very powerful incentive to conduct regular, thorough backups of programs and data.

 

Virus protection software

 

The way to protect a system against a virus attack is to use virus protection software. Virus protection software is designed to run in a computer either on demand or in the background, so that the user is unaware of it unless a problem arises. Virus protection software is designed to recognise known viruses and prevent them performing their intended functions.

 

In addition, as new viruses appear frequently, virus protection software is also designed to identify the possible activity of a virus and prevent it from functioning. For example, a typical virus protection program places a “tag” on each known executable file on a computer. If an unknown executable file attempts to run a program, the virus protection emits an alert to the user asking whether the user wishes the program to run. If the user confirms that the executable file appears to be a virus, the virus protection software can delete the virus from the system.

 

As new viruses are developed, virus protection software has to play a continual game of “catch-up” for each new virus. As a result, virus protection software has to be frequently updated to ensure that it is capable of identifying and dealing with the latest known viruses. A structured regime for updating virus protection software can be part of an EMB’s technology strategy.

 

Safe computer practices

 

Regardless of the presence of virus protection software, some viruses can still escape detection and infect a computer system. In order to guard against this possibility, data should be regularly backed up and users should be taught safe computer practices.

 

All users need to be aware of the steps necessary to avoid catching a virus. First, virus protection software needs to be installed and running, not disabled. Systems administrators will often want to monitor virus software operation to ensure that users have not disabled their virus protection, or users can be prevented from disabling their virus protection.

 

Second, users need to be careful about opening files and particularly running executable programs if they are not sure that they are legitimately sent by a known source. Even emails from known contacts can be suspect, as viruses can control a user's email contact list and send messages using any name on the list.

 

Viruses sent by email can be accompanied by plausible and enticing messages that might encourage users to open the infected files. Users need to be cautious of such approaches.

 

If users are not confident that files or programs sent to them are legitimate they should not open them. If the files or programs appear to be inconsequential, they can be deleted from the computer including from the recycle bin. If the user is not sure whether a file or program is legitimate, the sender can be contacted to verify that the file or program is genuine.

 

When in doubt, a user should contact the relevant help desk or technical assistant for advice.

Ensuring Reliability of Data

Electoral computer systems such as voter registers, electronic voting systems, election results systems and personnel management systems are developed and implemented to store and make use of data. Ensuring the reliability of this data is crucially important for any electoral process.

 

There are several measures that can be taken to ensure the reliability of data used in electoral computer systems.

 

Use reliable data sources

 

Methods to collect and capture data need to ensure that the data is reliable and that it is not altered in the process. Voter information, for instance, is more accurate if obtained directly from the voters themselves and not from indirect sources such as other organisations' databases, which may be of questionable quality. The most accurate election results data is obtained directly from the polling places or counting centres, instead of from media reports, election observers or political parties.

 

Data capture methods

 

The next step to consider is the method by which data is captured from the source. Data can be captured in a variety of ways: on a paper form (which could be handwritten, marked with computer readable marks or typed), by telephone (after which the data is usually written down or typed into a computer by an operator), by face to face inquiry (when the data may again be written down or typed into a computer by a staff member), by users directly entering data into electronic forms connected to the organization data centre, by an electronic voting device, and so on.

 

Some forms of data capture are more reliable than others. Handwritten forms are probably most prone to error, as handwriting can often be hard to read or decipher. To minimise the difficulty in reading handwriting, persons completing forms can be encouraged to write clearly in capital letters in blue or black ink. Clear writing can also be encouraged by printing forms with guide lines that are designed to make users write each letter or number in a separate box on the form. If it is possible to pre-print any known data about information needed in the form, this may help reduce the amount of handwriting needed and therefore the error rate.

 

Where data is received verbally by an operator or staff member, appropriate training and procedures can ensure that the operator faithfully captures the correct information. For example, information can be read back to the client to check that it is correct, and the spelling of words checked if appropriate.

 

Forms that include optical mark recognition devices such as bar codes can be used to simplify data entry and raise accuracy levels. Bar codes can be used to identify the type of form used, where the form was obtained, what the unique number of the form is, and so on.

 

Data captured electronically, where the data is typed by a user directly into a computer supplied form can be more reliable than data captured from handwritten forms or data taken verbally, as users can be expected to know exactly how their data should appear. However, such data is only as reliable as the user is accurate.

 

Training of data entry staff

 

Staff need to be trained in techniques designed to optimise accurate input and to ensure a safe working environment. For example, regular breaks prevent eye strain and fatigue. Furniture and computer equipment can be situated to ensure good posture and sound ergonomic practices. Distractions such as staff conversation and discussions while entering data can be minimised to ensure input accuracy.

 

Data verification

 

One of the best ways to ensure the accuracy of data is to apply data verification techniques. The most common data verification technique (where data is being typed into a computer from a paper record) is to enter every piece of data twice, using two different operators for each piece of data. The results of the two data entries are compared by computer. Any variation is highlighted, and a supervisor is required to make any appropriate correction. This technique usually gives very high accuracy rates.

 

Double-keying of data can also be used to identify data-entry operators who are not achieving a high level of accuracy. Where under-performing operators are identified, this may indicate that more training is needed or that the operator is not suited to that kind of work.

 

Data can also be verified by entering the data once, and requiring another officer, perhaps a supervisor, to recheck the data on the computer screen or on print-outs, to confirm that it is correct, or make any necessary corrections.

 

Using either of the above techniques, it is desirable that data is entered once by one person and then either re-entered or rechecked by a different person, since people can make systematic errors and therefore repeat the same mistakes every time. However, it is less likely that two different people will make the same systematic errors, so a second person is more likely to pick up the mistakes made by someone else.
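The double-keying comparison described above, as an added example (not code from ACE or any EMB): two operators key the same paper forms independently, every field on which they disagree is flagged for a supervisor, and each operator's error rate against the supervisor's resolved values is reported. The record layout, field names and sample entries are constructed.

```python
"""Double-keying verification for data entry from paper forms.

Added example, not ACE's or any EMB's code. Two independent keying passes are compared
field by field; disagreements go to a supervisor, and operator error rates are measured
against the supervisor-resolved values. Field names and sample records are constructed.
"""
import re

FIELDS = ("surname", "given_names", "date_of_birth", "address")


def normalise(value):
    """Collapse whitespace and case so only substantive differences are flagged."""
    return re.sub(r"\s+", " ", value.strip()).upper()


def compare_passes(pass1, pass2):
    """Compare two independent keying passes of the same paper records.

    Each pass maps record_id -> (operator_id, {field: value}).
    Returns a list of (record_id, field, value_pass1, value_pass2) for a supervisor to
    resolve. A record present in only one pass is reported with field "<record>" and
    booleans showing which pass has it.
    """
    flagged = []
    for rid in sorted(set(pass1) | set(pass2)):
        if rid not in pass1 or rid not in pass2:
            flagged.append((rid, "<record>", rid in pass1, rid in pass2))
            continue
        a, b = pass1[rid][1], pass2[rid][1]
        for field in FIELDS:
            va, vb = a.get(field, ""), b.get(field, "")
            if normalise(va) != normalise(vb):
                flagged.append((rid, field, va, vb))
    return flagged


def operator_error_rates(passes, resolved):
    """Count each operator's wrong fields against the supervisor-resolved values.

    passes: iterable of pass dicts as above; resolved: record_id -> {field: value}.
    Returns {operator_id: (fields_wrong, fields_keyed)} so under-performing operators
    stand out regardless of how many records they keyed.
    """
    tally = {}
    for keyed in passes:
        for rid, (operator, fields) in keyed.items():
            wrong, total = tally.get(operator, (0, 0))
            for field in FIELDS:
                total += 1
                if normalise(fields.get(field, "")) != normalise(resolved[rid].get(field, "")):
                    wrong += 1
            tally[operator] = (wrong, total)
    return tally


# Constructed sample: three voter registration forms keyed by two operators.
PASS_1 = {
    "F001": ("op_a", {"surname": "Okafor", "given_names": "Ngozi", "date_of_birth": "1984-03-12", "address": "12 Market Rd"}),
    "F002": ("op_a", {"surname": "Silva", "given_names": "Ana", "date_of_birth": "1990-11-01", "address": "7 Rua Verde"}),
    "F003": ("op_a", {"surname": "Khan", "given_names": "Imran", "date_of_birth": "1971-07-30", "address": "3 Hill St"}),
}
PASS_2 = {
    "F001": ("op_b", {"surname": "OKAFOR", "given_names": "Ngozi", "date_of_birth": "1984-03-12", "address": "12 Market Rd"}),
    "F002": ("op_b", {"surname": "Silva", "given_names": "Ana", "date_of_birth": "1990-11-07", "address": "7 Rua Verde"}),  # 1 misread as 7
    "F003": ("op_b", {"surname": "Kahn", "given_names": "Imran", "date_of_birth": "1971-07-30", "address": "3 Hill St"}),    # letters transposed
}
# The supervisor re-reads the paper forms and resolves the flagged fields (pass 1 was right).
RESOLVED = {rid: fields for rid, (_, fields) in PASS_1.items()}

if __name__ == "__main__":
    for item in compare_passes(PASS_1, PASS_2):
        print("for supervisor:", item)
    print(operator_error_rates([PASS_1, PASS_2], RESOLVED))
```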

 

It is also possible that form design can lead to users or data-entry operators making systematic errors. If significant numbers of similar errors are discovered regularly when a form's data is being recorded, it may be that the design of the form is at fault. Redesigning the form may help to lower error rates in this case.

 

Some data can also be verified by checks built into the data capture programs. For example, when entering voting places into a database the data entry program may verify the voting place address against a computer table with all valid addresses and accept only those voting places with valid addresses. Such a verification technique does not necessarily ensure that the correct address for the voting place has been entered, but it does ensure that all the recorded addresses are indeed real.

 

Similarly, arithmetic checks and logic tests can be built into data-entry systems involving the entry of numbers, so that the data entry operator is prompted to correct the data, the entry is cancelled, an error log is written or any other relevant action is taken. For example, if an operator is entering a polling place's voting data, the system can be programmed to query any result that shows more votes counted at the polling place than there are voters registered to vote at that place. Trends can also be calculated by computer systems, and any results that vary from the trend by an unusual amount can be identified and queried.
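The three kinds of built-in check described in the last two paragraphs (lookup against a table of valid values, an arithmetic or logic test such as more ballots than registered voters, and a trend test) can be combined in one result-entry validator. This is an added example, not code from ACE or any EMB; polling place names, addresses and figures are constructed.

```python
"""Built-in checks for keyed polling place results.

Added example, not ACE's or any EMB's code. check_result() applies per-record lookup and
arithmetic/logic tests; turnout_outliers() applies a trend test across all places.
The reference tables and sample results are constructed.
"""
from statistics import median

# Constructed reference tables an EMB would hold before counting starts.
REGISTERED_VOTERS = {"PP-01": 1000, "PP-02": 800, "PP-03": 1200, "PP-04": 500, "PP-05": 900}
VALID_ADDRESSES = {"Town Hall, 1 Main St", "Central School, 4 School Rd", "Community Hall, 9 River Ln",
                   "Library, 22 North Ave", "Sports Club, 5 Field Way"}


def check_result(entry, registered=REGISTERED_VOTERS, valid_addresses=VALID_ADDRESSES):
    """Validate one polling place result record as it is keyed.

    entry: {"place", "address", "ballots", "valid", "invalid"}
    Returns a list of problem descriptions; an empty list means the entry passes.
    """
    problems = []
    place = entry.get("place")
    if place not in registered:
        problems.append(f"unknown polling place {place!r}")
    if entry.get("address") not in valid_addresses:
        problems.append(f"address {entry.get('address')!r} is not in the table of valid addresses")
    counts = [entry.get(k) for k in ("ballots", "valid", "invalid")]
    if any(not isinstance(c, int) or c < 0 for c in counts):
        problems.append("ballots, valid and invalid must all be non-negative whole numbers")
        return problems  # the arithmetic tests below would be meaningless
    ballots, valid, invalid = counts
    if valid + invalid != ballots:
        problems.append(f"valid ({valid}) + invalid ({invalid}) does not equal ballots counted ({ballots})")
    if place in registered and ballots > registered[place]:
        problems.append(f"{ballots} ballots counted but only {registered[place]} voters registered at {place}")
    return problems


def turnout_outliers(entries, registered=REGISTERED_VOTERS, max_deviation=0.20):
    """Trend test: flag places whose turnout is far from the median turnout of all places.

    Returns a sorted list of (place, turnout) for places deviating by more than max_deviation
    (an absolute difference in turnout fraction; 0.20 means twenty percentage points).
    """
    turnout = {e["place"]: e["ballots"] / registered[e["place"]]
               for e in entries if e["place"] in registered and registered[e["place"]] > 0}
    if len(turnout) < 3:
        return []  # too few places for a trend to mean anything
    typical = median(turnout.values())
    return sorted((p, round(t, 3)) for p, t in turnout.items() if abs(t - typical) > max_deviation)


# Constructed sample results: PP-04 passes every per-record check yet stands out on turnout.
SAMPLE_RESULTS = [
    {"place": "PP-01", "address": "Town Hall, 1 Main St", "ballots": 620, "valid": 601, "invalid": 19},
    {"place": "PP-02", "address": "Central School, 4 School Rd", "ballots": 510, "valid": 498, "invalid": 12},
    {"place": "PP-03", "address": "Community Hall, 9 River Ln", "ballots": 760, "valid": 742, "invalid": 18},
    {"place": "PP-04", "address": "Library, 22 North Ave", "ballots": 495, "valid": 490, "invalid": 5},
    {"place": "PP-05", "address": "Sports Club, 5 Field Way", "ballots": 560, "valid": 551, "invalid": 9},
]

if __name__ == "__main__":
    for r in SAMPLE_RESULTS:
        print(r["place"], check_result(r) or "ok")
    print("turnout outliers to query:", turnout_outliers(SAMPLE_RESULTS))
```

A flagged record is a prompt for a human to re-check the source document, not proof of error: a genuinely high-turnout place will also trip the trend test.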

 

Ensuring reliability of data after it has been captured

 

Once data has been entered into a computer system, it is important that it be stored securely and maintained, as well as used in a manner in which its integrity is not compromised.

 

Ensuring availability of data

 

Once data has been captured and stored securely in a computer system, it must be made available to users in a way that does not allow undue access to the data or the possibility of data corruption.

 

There are two main components to ensuring availability of data and thereby minimising the risk in entrusting valuable data to technology. These are ensuring that systems operate to deliver data as needed, and backing up data to guard against system failure or data loss.

 

Making data available

 

Making data available to users is one of the main purposes of a computer system. At the same time, however, ensuring the integrity of data is of key importance. When dealing with sensitive data, access should be restricted only to those users that need it by using passwords, login permissions or other available controlling mechanisms.

 

When data can be shared more widely, a difference may have to be made between users that need to access data for information and those that need access to change or update the data. Similar mechanisms, such as password and login permissions can be used to limit those users who are able to change data to those who have a need to do so. In addition, where users are permitted to change data, verification techniques can be used to minimise the chance of errors occurring.
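The separation just described (users who may only read versus users who may change data, with a verification step on changes) can be enforced in code. The following added example is illustrative and not software from the ACE project or any election management body: it combines role-based permissions with a maker-checker rule, so that an editor can only propose a change and a different person must approve it before the record is written. The roles, user names, register contents and audit-event format are all constructed for the example.

```python
"""Read/write separation with a maker-checker rule for changes to electoral data.

Added example, not from the ACE page. The roles, users and register
contents are constructed; a production system would back this with the
database's own permission model and a tamper-evident audit log.
"""
from dataclasses import dataclass, field

# Role -> permitted actions. Reading is separated from changing, and
# changing is split into proposing and approving.
PERMISSIONS = {
    "viewer":   {"read"},
    "editor":   {"read", "propose"},
    "approver": {"read", "approve"},
    "senior":   {"read", "propose", "approve"},
}


class AccessDenied(Exception):
    """Raised and logged whenever a user attempts an action outside their role."""


@dataclass
class ChangeRequest:
    record_id: str
    field_name: str
    new_value: str
    proposed_by: str


@dataclass
class Register:
    records: dict                              # record_id -> {field: value}
    roles: dict                                # user -> role name
    pending: list = field(default_factory=list)
    audit: list = field(default_factory=list)  # append-only event trail

    def _check(self, user: str, action: str) -> None:
        allowed = PERMISSIONS.get(self.roles.get(user), set())
        if action not in allowed:
            self.audit.append(("denied", user, action))
            raise AccessDenied(f"{user} may not {action}")

    def read(self, user: str, record_id: str) -> dict:
        self._check(user, "read")
        return dict(self.records[record_id])   # copy, so callers cannot mutate the store

    def propose(self, user: str, record_id: str, field_name: str, new_value: str) -> ChangeRequest:
        """Editors never write directly; a change is queued for a second person."""
        self._check(user, "propose")
        if record_id not in self.records:
            raise KeyError(record_id)
        cr = ChangeRequest(record_id, field_name, new_value, user)
        self.pending.append(cr)
        self.audit.append(("proposed", user, record_id, field_name, new_value))
        return cr

    def approve(self, user: str, cr: ChangeRequest) -> None:
        """A different person confirms the change against the source document before it is written."""
        self._check(user, "approve")
        if user == cr.proposed_by:
            self.audit.append(("denied", user, "self-approval"))
            raise AccessDenied("proposer and approver must be different people")
        if cr not in self.pending:
            raise ValueError("change request is not pending")
        self.records[cr.record_id][cr.field_name] = cr.new_value
        self.pending.remove(cr)
        self.audit.append(("applied", user, cr.record_id, cr.field_name, cr.new_value))
```

The self-approval refusal is the point of the design: a role that carries both the propose and approve permissions still cannot approve its own change, so every modification to the register passes two people, and the audit trail records who proposed, who approved and what was refused.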

 

Data backup

 

The final safeguard against system failure and loss of data is data backup. Regular backup can mean taking these precautions at least once each working day, more often if crucial data is being collected, such as during an electoral event. Data can be backed up on a wide variety of formats and media such as removable disks of various kinds, multiple hard disks, DVDs, and magnetic tapes, to mention a few. At least one copy should be kept away from the systems it protects, so that a single fire, theft or compromise does not destroy both the live data and its backup.

 

The organisation's overall information technology strategy can document a formal backup regime. Ideally, data backup is automated so that human error cannot cause a backup to be missed. Automated backups still need regular checks, including periodic trial restores onto separate equipment and comparison of the restored data with the original, since a backup that has never been restored is unproven and computer error can silently produce an unusable copy.

 

“Live” data can be backed up as it is created, by use of mirrored hard disks, which could be located on the same server or on separate servers. Using mirrored disks, the same data is simultaneously stored on two or more disks. This means that if one disk fails, data can be restored from the other. It is preferable to use separate servers for mirrored disks, as a second server can be used if the first server fails completely. Mirroring protects against hardware failure only: an accidental deletion, a corrupt record or a malicious change is written to both disks at the same instant, so mirroring complements periodic backups rather than replacing them.

 

Software programs, both commercial programs and those developed in-house, can also be backed up so that they are available to reload if the production versions of the programs are lost or corrupted. Most programs come loaded on disks. Increasingly, however, programs can be downloaded from the Internet. In this case, backup copies should be stored locally, as there is no guarantee that the same programs will be available on-line in the future. Program disks that are stored in a data library and managed by a responsible officer or staff unit can then be easily located and used if necessary.

 

Care should be taken, when backing up program data, that software licences are not breached. Most licences include permission to keep backup copies of software.

Manual/Alternative Contingency Systems

One of the surest ways to minimise the risks in using technology is to provide for manual or alternative contingency systems. That way, if the principal technology fails partially or totally, there will be a backup system that can be brought into operation.

 

An alternative contingency system might be a manual system, but it could also include a backup copy of the same technology, a different use of technology or a different type of technology altogether.

 

The types of manual or alternative contingency systems that could be used are as varied as the range of uses that can be found for applying technology to the electoral process. Some possible contingency systems could include:

 

  • using stand-alone personal computers or laptop computers with backup data if the computer network fails

 

  • using paper ballots if electronic voting systems fail

 

  • counting paper ballots by hand if electronic or mechanical counting systems fail

 

  • using handwritten scrutiny sheets and hand-held calculators if computerised scrutiny/spreadsheet systems fail

 

  • using handwritten forms to replace on-screen data capture where computers fail (so that business can continue while the system is down—the data can be entered when the system is restored)

 

  • mirroring computer systems on backup hardware with backup software, in case the main system fails

 

  • ensuring alternative power supplies are available if the main power system fails

 

  • using fax machines, telephones or couriers to transmit election results if on-line systems fail

 

  • issuing printed election results or other information if on-line display systems fail (in a tally room situation, for example)

 

  • ensuring presenters are available and equipped to give “live” presentations if an electronic presentation fails (in a training situation, for example)

 

  • having alternative equipment available on stand-by, so that it can be brought on-line at short notice

 

Manual or alternative contingency systems will be most effective if they are not implemented as an afterthought, but included in the overall technology strategy from the beginning. The level of resources committed to contingency systems will depend on the level of risk involved. It will also depend on the time-critical nature of the electoral activity. Provision of contingency systems will be most important where the risks are high and the process is extremely time sensitive.

 

Any equipment or forms needed for contingency systems can be included in the relevant purchasing plan and be available for use if needed during the event. With luck, they will not be needed. However, if they are needed they will be well worth the extra expense.

System Verification, Testing and Maintenance

Three instrumental means of minimizing the risks of technology are system verification, testing and maintenance. Every aspect of a computer system: hardware, software and communications, should be verified and thoroughly tested before the system is used for an electoral event. After successful testing, systems will need regular maintenance to ensure they will perform effectively when they are needed.

 

The importance of a technology application very likely determines the degree of rigour applied to verifying, testing and maintaining the technology. In the case, for instance, of a crucial electoral function, such as voting, all components of a voting system: hardware, software and communications should be regularly maintained and then verified and thoroughly tested before the system is used for an election.

 

System verification

 

For sensitive systems such as an electronic voting system, it is advisable to employ an independent testing office or organization to perform system verification tests, while for any other systems, proper verification and testing procedures can be developed and implemented in-house.

 

System verification tests or qualification tests may include:

 

  • verifying that all system components, namely hardware, software and communications, are capable of performing under expected normal conditions as well as under possible abnormal conditions, including, if applicable, storage, transportation, operation and maintenance environments

 

  • verifying that hardware conforms with local environmental requirements, including shelter, space, furnishings and fittings, electrical power supply and relevant extremes of temperature, humidity and pollution

 

  • testing of hardware, software and communications to ensure that appropriate standards are followed and that they perform their intended functions

 

  • performing audits of code

 

  • reviewing system documentation to ensure that it is adequate and complete

 

  • testing system security measures to ensure that they are in place, that they are adequate and that they conform to appropriate standards

 

  • verifying that appropriate quality assurance measures are in place

 

In addition, measures included in a software audit can include:

 

  • verifying that the code is logically correct

 

  • verifying that the programs follow a modular design, meaning that the code is made up of discrete programming modules that can be separately tested and evaluated

 

  • verifying that there is no “hidden” code intended to perform unauthorised functions

 

  • checking that the programming is straightforward, relatively easy to understand and contains code comments to facilitate maintenance by different staff

 

  • verifying that the programming is designed to facilitate testing, meaning that it includes code to allow testing of the flow of data within and between modules

 

  • verifying that the code is robust including error treatment routines that prevent the loss of data while identifying, logging and reporting errors so as to allow for a rapid detection and correction of errors

 

  • verifying that code incorporates security features that will prevent unauthorised access and/or detect and control any attempts at unauthorised access

 

  • verifying that the system is user-friendly and does not require complex or obscure procedures that are difficult to follow

 

  • verifying that the software can be easily installed in the live environment

 

  • verifying that the software can be easily maintained, and that errors or defects can be easily identified, corrected and validated after installation

 

  • checking whether the software can be easily modified to add new features

 

Once all the components of the system have been verified, a report is issued and the problems it identifies must be corrected. After the corrections are made, another round of verification is needed, since a correction can itself introduce new defects.

 

System testing

 

After a system has been verified, it needs to be thoroughly tested to ensure that every component of the system is performing in accordance with the specific requirements and that it is operating as it should including when the wrong functions are requested or the wrong data is introduced.

 

Testing measures consist of developing a set of test criteria either for the entire system or for specific hardware, software and communications components. For an important and sensitive system such as an electronic voting system, a structured system testing program may be established to ensure that all aspects of the system are thoroughly tested.

 

Testing measures that could be followed include:

 

    • applying functional tests to determine whether the test criteria have been met

    • applying qualitative assessments to determine whether the test criteria have been met

 

    • conducting tests in “laboratory” conditions and conducting tests in a variety of “real life” conditions

 

    • conducting tests over an extended period of time to ensure systems can perform consistently

 

    • conducting “load tests”, simulating as close as possible likely conditions while using or exceeding the amounts of data that can be expected to be handled in an actual situation

 

Test measures for hardware may include:

  • applying “non-operating” tests to ensure that equipment can stand up to expected levels of physical handling

  • testing “hard wired” code in hardware (firmware) to ensure its logical correctness and that appropriate standards are followed

Tests for software components also include:

  • testing all programs to ensure their logical correctness and that appropriate design, development and implementation standards have been followed

  • conducting “load tests”, simulating as closely as possible a variety of “real life” conditions using or exceeding the amounts of data that could be expected in an actual situation

  • verifying that the integrity of data is maintained throughout its required manipulation

 

System maintenance

 

After systems have been verified, tested and implemented, they must continue to be maintained to ensure that they continue to perform correctly and that they can adapt to new requirements if needed.

 

Ongoing monitoring or testing of systems may need to be systematised to ensure that maintenance needs are identified and met when necessary. Where systems are for extended use, a mechanism can be put in place to monitor feedback from users as another means to determine the need for maintenance and modification.

 

Maintenance routines vary depending on the type and complexity of the technology. Many items come with a maintenance schedule or program recommended by the manufacturer or supplier. For some hardware and software, maintenance is provided by the manufacturer or supplier as part of the purchase agreement.

 

Where modifications to hardware, software and/or communications are made as a result of maintenance or upgrades, it may be necessary to conduct further rounds of system verification and testing to ensure that requirements meet the same or updated specifications.

Insurance

While insurance may not prevent technology from failing, it can be used to guard against financial loss resulting from the failure of technology. To this extent, insurance is another way to minimise the risks of using technology.

 

Many government agencies do not take out insurance with commercial insurance companies, preferring instead to be “self-insuring” because it is often more cost-effective to simply cover the cost of any system failure than it is to take out commercial insurance. In some cases, however, commercial insurance policies are purchased by government agencies and an election management body (EMB) may consider whether insurance is an option in accordance with their own local policy.

 

An EMB considering insuring any of its uses of technology needs to contact appropriate insurance providers to determine whether insurance is available and the cost of needed insurance.

Performance Safeguards

Many election technology projects involve external suppliers of goods and services. These external suppliers may not have the same commitment to the success of an electoral event as an election management body (EMB) has. Inclusion of performance safeguards in contracts with external suppliers can help to minimise the risks in using technology by increasing the commitment of external suppliers to the success of the project. Performance safeguards can also be applied to internal staff to raise their level of commitment to an electoral technology project.

 

Performance safeguards can include performance bonuses, bonds, penalty clauses and scheduled payments.

 

Performance bonuses are extra payments above the basic agreed price that are made if agreed performance criteria are met. Bonuses should not be so freely given as to be expected, regardless of performance. Satisfactory performance should be demonstrated before bonuses are paid. Bonuses can be paid at different rates tied to varying levels of performance.

 

A performance bond is a payment made up front by a supplier of goods or services that is refunded in whole or in part if certain performance criteria are met.

 

A penalty clause in a contract will provide that agreed performance criteria must be met, otherwise the penalty clause will be invoked. The penalty could include a payment that must be made by the supplier or an amount that will be deducted from payments due to the supplier. Deducting amounts from payment due is probably the most effective kind of penalty clause.

 

Scheduled or staggered payments on a project are another form of performance safeguard. Payments can be made in instalments as agreed milestones are met, and the final payment on a project can be withheld until the project is successfully completed. This form of payment is a powerful incentive for suppliers to deliver the goods on time and according to the agreed standard.

 

Performance criteria used to enforce performance safeguards should be clear and measurable. Criteria that are vague or hard to measure can be difficult or impossible to enforce. It will also be most effective if all relevant parties agree to the criteria before the commencement of a project. Furthermore, care should be taken to collect relevant data to ensure that performance can be measured.             

 

Performance criteria can include quality and timeliness measures. Goods and services must be both of high quality and provided on time. Timeliness is particularly important where an electoral event is time-dependent. Timeliness measures are useful to include as performance criteria as they are generally easier to measure than quality measures.

 

When including performance safeguards in contracts, legal advice may be necessary to ensure that any penalties are legally enforceable.

Encryption

Encryption is an effective tool for minimising the risks of using communications technology whenever there is a need to send sensitive data through a public network or other non secure channels.

 

Messages transmitted through data communications channels can be subject to passive and active threats. In a passive threat (eavesdropping) an intruder intercepts messages in order to read their contents. In an active threat the intruder modifies, replays or injects messages.

 

Basically, encryption encodes data using cryptographic techniques in such a way that only those holding the correct key, normally the sender and the intended recipient, can read it.

 

Data is encrypted by the sender using a cryptographic algorithm that transforms its appearance but not its meaning. The transmitted data is unintelligible to an intruder; the recipient, using the corresponding algorithm and key, transforms it back into the original readable data.

 

There are different types of encryption with different levels of strength. In principle any cipher can be attacked by trying keys, but with a modern, publicly reviewed algorithm and an adequately long key this is not feasible with any realistic amount of time and resources. The algorithm itself does not need to be kept secret, and one that has withstood open scrutiny is to be preferred over a proprietary one; only the key must be kept secret.

 

Encryption on its own provides secrecy; combined with related cryptographic tools (message authentication codes and digital signatures) it can provide data with authentication, integrity, non-repudiation and secrecy:

 

  • authentication allows the recipient of a message to validate its origin

 

  • integrity allows the recipient to detect whether the data was modified during the communication; modification itself cannot be prevented on a public network, so the aim is reliable detection and rejection of altered messages

 

  • non-repudiation can provide the recipient with proof of the data origin by assuring the identity of the sender and/or providing the sender with the assurance that the data was delivered properly

 

  • secrecy or confidentiality prevents disclosure of the data to unauthorized users

 

A cryptographic algorithm maps readable data to unreadable data and back, and at a minimum requires a value called a key to control that mapping. Given the same text and the same algorithm, different keys produce different results, and it is the key, not the algorithm, that must be kept secret. Keys must therefore be generated randomly, stored and distributed securely, and replaced if they are suspected of compromise; in practice, encryption fails far more often through poor key management than through a broken algorithm.
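The following added example shows the secret-key case described above in working code: the same message under two different keys gives two different ciphertexts, a tag computed over the ciphertext lets the recipient detect any modification (the active threat), and the key is the only secret. It is illustrative code written for this page, not software from the ACE project or from any election management body. To stay within the Python standard library it builds the cipher from HMAC-SHA256 used as a pseudorandom function in counter mode, with a second HMAC over the ciphertext (encrypt-then-MAC); a production system should instead use an authenticated encryption mode such as AES-GCM or ChaCha20-Poly1305 from a maintained cryptographic library. The master key, nonce length and message layout are assumptions of the example, and it assumes the key has already been shared securely, for instance by public-key exchange.

```python
"""Illustrative authenticated encryption with the Python standard library.

Added example, not from the ACE page. HMAC-SHA256 is used as a
pseudorandom function in counter mode to make a keystream
(confidentiality) and again over the ciphertext as a tag (integrity
and authentication), i.e. encrypt-then-MAC. Message layout is
nonce (16 bytes) || ciphertext || tag (32 bytes). For real systems use
a vetted AEAD from a maintained library; this shows the principles only.
"""
import hashlib
import hmac
import os
from typing import Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_key: bytes) -> tuple:
    """Derive separate encryption and MAC keys so one key never serves two purposes."""
    enc = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: HMAC(enc_key, nonce || counter) for as many blocks as needed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master_key: bytes, plaintext: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Return nonce || ciphertext || tag. A nonce must never be reused under one key."""
    enc_key, mac_key = derive_keys(master_key)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master_key: bytes, message: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject any modified message."""
    enc_key, mac_key = derive_keys(master_key)
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce = message[:NONCE_LEN]
    ciphertext = message[NONCE_LEN:-TAG_LEN]
    tag = message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: message modified or wrong key")
    ks = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))
```

Two details matter in practice and are easy to get wrong: the tag is checked before any decryption so that a tampered message is never acted on, and the comparison uses a constant-time function so that an attacker cannot learn the tag byte by byte from timing differences.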

 

Some systems use two different keys to encrypt and decrypt data. The two keys are linked together mathematically. A person's public key is distributed to other users and is used to encrypt messages to that person. The person keeps the private key secret and uses it to decrypt messages sent with the public key. The private key can also be used to sign data that anyone holding the public key can verify, which is how public-key systems provide authentication and non-repudiation.

 

Data encryption has several uses for electoral purposes. Whenever sensitive data such as personal information or voting data needs to be sent over a public network, it is advisable to encrypt it.

 

Encryption technology is a rapidly changing field. Therefore, it is advisable to consult an expert in encryption to ensure that the most up-to-date available technology is used.

Public Assurance Measures

Public assurance measures are an integral part of the implementation strategy of any electoral technology that can affect the public. Such measures are another means by which the risks of implementing technology can be minimised.

 

There are a range of strategies that can be used to assure the public of the reliability of new electoral technology.

 

Voter information campaigns

 

Where new electoral technology is introduced, it is important to include the public as stakeholders and to gain their trust in the new system. This may entail a large-scale communications campaign to inform the voting population of the proposed changes.

 

Before attempting such communication, it may be desirable to use market research methods to test proposals with focus groups or by surveying samples of the population. Significant changes, like the introduction of electronic or Internet voting, may be subject to public inquiries, such as a commission of inquiry or a parliamentary committee inquiry. Public inquiries are a good opportunity to gauge reaction by means of both submissions from the public and the media interest generated by their conduct.

 

Logic and accuracy tests

 

Some segments of the public will need more than a voter information campaign to satisfy them that new electoral technology is reliable. These people (such as election candidates, political parties and election reform groups) may need to be convinced that the technology works effectively.

 

This need can be met by conducting logic and accuracy tests to demonstrate that the technology performs according to specifications, followed by making these test results public.

 

Code visibility

 

Another way to satisfy special interest groups of the reliability of electoral technology is to publish the code used for electoral computer programs so that it can be independently analysed. This allows all interested groups to verify, if they wish, that the code being used performs its intended functions.

 

Where code is published in this way, procedures need to be in place to verify that the code used in practice is the same as the code that has been published. This can be achieved by lodging "escrow" copies of the code with independent authorities, who can compare the escrow copies with the copies installed on election systems and verify that they are identical, for example by comparing cryptographic hashes of every file. Where what is published is source code, the comparison must also reach the compiled programs actually installed, which requires either a reproducible build or independent compilation from the escrowed source.
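The comparison just described, and the trial-restore check recommended for backups earlier on this page, both come down to the same routine: build a deterministic manifest of file hashes for two copies of a tree and report every file that is missing, added or altered. The following added example implements that routine; it is illustrative code written for this page, not a tool from the ACE project or any election management body, and it exercises itself on two temporary directories it creates (an "escrow" copy and a "live" copy with one altered file and one stray file), so no real paths are assumed.

```python
"""Deterministic file-tree manifest for comparing escrowed code with deployed
code, or backed-up data with a trial restore.

Added example, not part of the ACE page. The demo scenario below creates
its own temporary directories; nothing outside them is read or written.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def manifest(root: str) -> dict:
    """Map each regular file's path (relative, POSIX-style) to its SHA-256 hex digest."""
    root_path = Path(root)
    result = {}
    for dirpath, dirnames, filenames in os.walk(root_path):
        dirnames.sort()                       # deterministic traversal order
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink():
                continue                      # a link is not content; record separately if needed
            h = hashlib.sha256()
            with open(p, "rb") as f:
                for chunk in iter(lambda: f.read(1 << 16), b""):
                    h.update(chunk)
            result[p.relative_to(root_path).as_posix()] = h.hexdigest()
    return result


def manifest_digest(m: dict) -> str:
    """One digest over the sorted manifest, suitable for publishing alongside the code."""
    h = hashlib.sha256()
    for path in sorted(m):
        h.update(path.encode() + b"\0" + m[path].encode() + b"\n")
    return h.hexdigest()


def compare(reference: dict, deployed: dict) -> dict:
    """Files missing from, added to, or modified in the deployed copy relative to the reference."""
    return {
        "missing":  sorted(set(reference) - set(deployed)),
        "added":    sorted(set(deployed) - set(reference)),
        "modified": sorted(p for p in reference.keys() & deployed.keys()
                           if reference[p] != deployed[p]),
    }


def demo() -> dict:
    """Constructed scenario: escrow copy vs. a live copy with one altered file and one extra file."""
    with tempfile.TemporaryDirectory() as escrow, tempfile.TemporaryDirectory() as live:
        for base in (escrow, live):
            (Path(base) / "count").mkdir()
            (Path(base) / "count" / "tally.py").write_text("def tally(v): return sum(v)\n")
            (Path(base) / "README").write_text("counting module\n")
        # The live copy drifts from escrow: a one-character change and a stray file.
        (Path(live) / "count" / "tally.py").write_text("def tally(v): return sum(v) + 1\n")
        (Path(live) / "debug.log").write_text("left behind\n")
        return compare(manifest(escrow), manifest(live))
```

Publishing `manifest_digest` of the escrowed tree lets any observer check a deployed machine without access to the escrow copy itself; an "added" file is as significant as a "modified" one, since code that is present but not in the published set has not been reviewed.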

 

Publishing code is not routinely done, and is normally only contemplated where a system being used is particularly sensitive, such as an electronic voting or electronic counting system.

 

Care needs to be taken when code is published, since making it publicly available may expose weaknesses that could be exploited by anyone with access to the code once it is in use. Publication should therefore follow, not replace, independent review and correction of the code, and the security of the system should never depend on the code remaining secret.

Public Information and Privacy Policies

Another way to minimise the risks in using technology is to have clear policies concerning what information held by an election management body (EMB) is made public, and what information is kept private.

 

Many uses of technology are only as good as the quality of the data they contain. This is particularly important for electoral technology, where the data being used is often personal data of electors, as well as voting data.

 

For electoral data to be accurate, those providing the data need to be satisfied that their personal data is kept secure and that any sensitive data is kept private. On the other hand, those relying on electoral data, such as candidates, parties and election monitoring bodies, need to be satisfied that data is genuine, so some level of public scrutiny is desirable.

 

These competing needs for privacy for individuals' data and transparency for key electoral data need to be met so that the risks for all concerned are minimised.

 

Maintaining privacy standards

 

An EMB can establish clear, written, publicly available privacy standards. These standards could set out:

 

  • what personal information is recorded and stored by the EMB

 

  • what types of personal information are made publicly available (such as names and addresses)

 

  • what types of personal information are not made publicly available (such as dates of birth, identity numbers, and so on)

 

  • whether any personal information not made publicly available is made available to selected organisations (such as law enforcement agencies, social security agencies and medical research bodies)

 

  • whether any personal information is supplied to candidates, political parties or members of parliament

 

  • whether a person has the right to apply to have any personal information suppressed from public release (such as the address of a person who considers publication of his or her address to jeopardize his or her safety, or the safety of family members)

 

  • whether a person has the right to apply to view his or her own private information and then amend any information that may be incorrect

 

In many countries, existing privacy laws apply to electoral data. However, where there are no legislated privacy laws in force, an EMB might follow its own voluntary privacy code.

 

Maintaining information availability

 

While an EMB needs to ensure that sensitive personal information is kept private, it needs also to have a clear policy stating what information held by the EMB is publicly available. Making information publicly available is an important part of ensuring that the electoral process is transparent and open to public scrutiny. Transparency helps to build trust in the overall electoral process.

 

As with an EMB's privacy policy, an EMB's information policy can clearly set out what information is made publicly available, and what needs to be done to gain access to such information. The list of items that could be made available by an EMB is extensive, and could include everything from that which is designated not sensitive, such as certain personal data, to sensitive internal working documents, such as advice to the government.

 

Some items that could routinely be made publicly available include:

 

  • electoral roll data (including names, addresses, electoral districts), except for private personal data

 

  • election results (including voting data at all counting levels for all recent elections)

 

  • polling location lists

 

  • electoral laws, policies, procedures and guidelines

 

  • lists of EMB officials

 

  • political disclosure returns

 

Some countries have freedom of information laws that may require EMBs to make specified types of information publicly available, but where freedom of information laws are not in force, an EMB may need to establish its own voluntary procedures.

 

Technology can be used to facilitate information availability. In particular, where large amounts of data are made available, it may be more convenient, and more useful, to provide it in an electronic form. Information can be made available on EMB Internet sites, or on CD-ROMs, for example.
