a) International and Regional Standards for Cybersecurity in Elections
International standards for elections provide the basis for assessing the introduction of technology into the electoral process. Any introduction of technology must promote core election principles, such as transparency and accountability of the process, as well as integrity and verifiability of election results.
On the other hand, as societies evolve and technologies advance, international institutions are
continually updating and refining standards for cybersecurity, transparency, open data, and privacy.
These evolving standards stem from – and must adhere to – fundamental political rights established by
the Universal Declaration of Human Rights (UDHR) and the International Covenant on Civil and Political
Rights (ICCPR).[1]
Beyond these universal instruments, international organizations and governing bodies are increasingly
establishing international standards on the conduct of elections in which any election-related data is
stored digitally. Although not the first forum to establish guidelines on data management, recognized
international standards are summarized in the United Nations (UN) General Assembly Guidelines for the
Regulation of Computerized Data Files.[2] 9 Adopted by the General Assembly in 1990, these guidelines
provide broad principles of data management that place responsibility for data on those persons who
collect it, specifically requiring that data collectors be responsible for ensuring that the data is accurate,
transparently and lawfully collected, properly restricted to avoid discrimination, securely stored, and
lawfully disseminated.[3] The UN guidelines do not provide specific technical requirements to ensure that
these principles are met, and the guidelines apply only to “governmental international organizations.”[4] These guidelines define the principle of security as taking appropriate action to “protect the files against
natural dangers, such as accidental loss or destruction and human dangers, such as unauthorized access,
fraudulent misuse of data or contamination by computer viruses.”[5] Though the guidelines do not
explicitly mention election technology, they have implications for electronic data management in
electoral processes and outline protections that should apply to the full range of stakeholders involved
in the electoral process – voters, candidates, election officials, among others – whose data may be
collected.
There are additional standards for the introduction of technology in voting or vote-counting processes
specifically. Most notably, the Council of Europe’s 2017 e-voting standards place specific responsibility
on EMBs for the “availability, reliability, usability and security of the e-voting system.”[6] The Council of
Europe also maintains a set of non-binding standards for e-voting that cover the application of general
principles, such as universal suffrage and accountability, to e-voting technology. Universal suffrage
requires that voting interfaces are easy to use and understand for all voters, for example, and accountability requires that the system be open to audits and that EMBs maintain responsibility for
ensuring compliance with security requirements “even in the case of failures and attacks.”[7]
Some countries establish their own voluntary standards or legislation. For example, the U.S. Electoral
Assistance Commission maintains a set of voluntary guidelines to help election authorities test whether
their systems meet certain functionality, accessibility and security standards. Many U.S. jurisdictions
have adopted these standards as obligatory.[8] Certification of election technologies has also been
captured in the Council of Europe’s guidelines for certifying e-voting systems, which focused on
selecting certification bodies, renewing certification, and conducting cost-benefit analyses.[9]
The privacy of the individuals whose data is collected is another integral aspect of data management
that has become particularly prominent with the recent passage of the European Union’s (EU) General
Data Protection Regulation (GDPR),[10] which went into effect in May 2018. This regulation governs
personal data of EU residents that companies and organizations collect, store or process, and requires
more openness about what data they have and who they share it with.[11] The United Nations has adopted various general resolutions on data privacy[12] to ensure the privacy of individuals or groups whose data is
collected. Collectively, these principles aim to ensure transparency in the collection of data to protect
the use of this data and offer the opportunity to determine whether information is accurate and nondiscriminatory.
For the sake of transparent elections, it is important to allow access to certain types of data to voters,
political parties, and civil society organizations. For example, access to preliminary voter lists is
important in order to verify details and to challenge registrants who are not eligible, and access to final
voter lists is important so these can be used by party agents on Election Day and for voters to know
which polling station to go to. Limitations on data access are typically imposed, such as limited access
for political parties to the full voter register or its signed version.[13] In 2011, 75 countries signed the Open
Government Declaration, committing themselves to advancing transparency and openness within government.[14] The declaration includes a provision for increasing access to and use of new technology in
order to make government practices transparent, secure online spaces and platforms, and provide
“alternative mechanisms of civic engagement.”[15]
The Open Government Declaration also provides standards that require signatories to “increase the
availability of information about governmental activities.” This includes open access to government data
so that information can be easily found and used. The importance of open data is enshrined in the
declaration: “We recognize the importance of open standards to promote civil society access to public
data, as well as to facilitate the interoperability of government information systems.”[16] These standards will be essential when implementing voting and counting technology, where individual information must be securely and transparently stored and checked to ensure the validity of both the voters and the vote.
b) Best Practice Guidelines for Implementing Election Technology
Improper management and implementation of technology can discredit an entire electoral process,
leading to public disenchantment with elections and even violence. Although there are a variety of
different principles for data collection and management, there is no single set of good practice
guidelines for their implementation. A substantial number of intergovernmental and international nongovernmental
organizations, including the Council of Europe, European Commission, IFES, International
IDEA, the National Democratic Institute (NDI), and the Organization for Security and Co-operation in
Europe’s Office for Democratic Institutions and Human Rights (OSCE/ODIHR), among others, have
contributed guidelines and handbooks on election technologies.
There are three recent publications that connect cybersecurity and elections. They are all valuable
contributions in advance of upcoming elections around the world and the use of technology therein. In
February 2018, the Center for Internet Security (CIS) published A Handbook for Elections Infrastructure
Security, which establishes election system risks and how to mitigate them through a detailed use of
good practice that county or state election administrators could implement.[17] Academic institutes such
as the Harvard Kennedy School’s Belfer Center have also contributed to the literature in this space, with
a State and Local Election Cyber-Security Playbook, that is designed for U.S. election officials but can also be used in wider contexts.[18] This publication offers a myriad of recommendations organized by various
topics and using the five-step functional approach developed by the National Institute of Standards and
Technology (NIST). Most recently, in July 2018, an EU Cooperation Group[19] published a Compendium on
Cyber Security of Election Technology that aims to systemize the cyber concerns and threats across the
European continent and offers myriad experiences accumulated from EU member states’ elections in
case studies.[20]
IFES has found through global experience that EMBs or governments often focus on security concerns during the collection of data, and focus less on how the data will be processed, transmitted and stored.
IFES argues that one of the first steps in implementing election technology is to weigh the costs and
benefits of adopting a particular tool.[21] 8 IFES has found through global experience that EMBs or
governments often focus on security concerns during the collection of data, and focus less on how the
data will be processed, transmitted and stored. Regardless of country context, this step should always
include the input of a diverse group of stakeholders, such as election officials, government leaders,
political party leaders, and civil society organizations, including special needs groups. This assessment
also provides an opportunity to identify the problems in the electoral process that a particular
technology can help solve. IFES’ own work on guidelines states that “a specific technology should only
be considered if there is a specific problem that the technology can address.”[22] It is important that there
be a clear need for the technology, and that technology is not
introduced for technology’s sake. The technical and financial
feasibility, potential benefit, and likelihood of acceptance by
stakeholders of the new technology should be evaluated before
testing whether the technology is a good fit.[23] The common practice
of procuring election technologies from private vendors, for example,
brings potential benefits, such as world-class technology expertise
and global experience, but also risks. IFES, the European Commission,
and the UN Development Programme (UNDP) all note the risk of
private vendors having control over EMB operations once the technology is in place, with EMBs unable
to switch technology again without incurring huge costs.[24] Security vetting of private contractors can also be a challenge.
The electoral legal framework may present a challenge for the introduction of new technology in the
electoral process. The relevant legal provisions may reside in three locations: “the constitution, if there
is one, the laws relating to elections (or articles in general laws related to elections, such as for example,
the criminal code), and the secondary legislation (such as regulations, rules and procedures often passed
by EMBs).”[25] In some cases, legislation governing these technologies may be found in areas outside of
elections, such as regulations on data protection.[26] Before working within the existing framework of
laws and regulations, it is necessary to address “not only the tools needed, but also the systems and
processes that must be reengineered in order to shape an effective solution.”[27] As noted by the Council
of Europe, any changes to the legal and regulatory system should be accompanied by clear, public
explanations of why those changes are necessary, which “will reinforce voters’ and other stakeholders’
trust and confidence.”[28]
In addition, the country’s specific election system must also be considered before implementing new
election technology. For example, before using new technology for voter registration, it is important to
know who registers voters (the EMB, another government agency, or another organization), who
collects data on voters, how that information is shared with the EMB (if the EMB does not collect the
data), and who owns the data.[29] New technology typically requires additional human capital
considerations, such as stronger information technology (IT) skills and experience. Many election staff
often lack the skills to manage new technology without training.[30] In Kosovo in 2010, local staff were
found to need two electoral cycles’ worth of training before they would have the IT skills and experience
necessary to run the relevant technology on their own.[31] This highlights the security risks around poorly
equipped technology users who may be easy targets for malware on individual terminals that are
connected to a wider system.
An appropriate timeframe for procurement, implementation, testing, and training is also a decisive
factor in determining whether to use a new technology. Timelines for ensuring a smooth transition to
new technology will vary by country and electoral cycle. EMBs should have a clear plan, from the initial
determination of the merits of the technology to the electoral process through final implementation.
Introducing new technology too quickly can fail to build public trust and can lead to technical issues,
further eroding trust in the process.[32] A fundamental part of this process that is often not adequately
factored into planning is the testing process, which should be part of standard operating procedures.
Another key factor to consider is whether there will be a process of systems integration, usually between hardware and software, or the wholescale introduction of new hardware and software into an
electoral process. Both can produce vulnerabilities, but systems integration can give rise to unique
challenges, particularly where a new solution is essentially “bolted on” to an existing system or platform.
The level of public trust and confidence in the electoral process and the EMB specifically must also be
taken into account when deciding whether to implement new election technology.[33] If public trust in the
electoral process is already low, introduction of a new system may cause public unrest.[34] Rather,
technology should be introduced at a stage when all electoral stakeholders enjoy significant trust in the
process, rather than attempting to use technology to mask the problems. In terms of confidencebuilding
measures, IFES has previously noted that, while fully open source code for technology platforms
may not be necessary, it is the more preferable option to support transparency and public trust.[35] A
growing number of governments are requiring open source technologies, which can aid with re-use,
integration, and standardization, while also making the technology more sustainable and cost-effective.
Open source solutions are also inherently transparent, which can improve credibility with stakeholders
and avoid vendor or implementer lock-in or conflict of interest. Should open source code not be used,
IFES has noted that “experts representing key electoral stakeholders (political actors and civil society)
should be allowed sufficient access to review the source code and should not be restricted in reporting
their analysis of its content by the use of any non-disclosure agreements (NDAs).”[36] In cases where open
source technologies are not or cannot be used, NDAs should be pre-negotiated as part of the
procurement process to protect the intellectual property of the technology providers and to ensure that
critical stakeholders, such as political parties, observers, and election commissions, have access to the
code in order to rigorously test the security and functionality of the technology and maintain minimum
levels of public trust.
To build trust, the Council of Europe recommends public debates or consultations that include all voters.
These public outreach activities should lead not only to greater trust in the technology itself but to
greater trust in the implementers of the new technology, which is equally important. International
IDEA’s recommendations include releasing the results of pre-implementation testing, auditing the new
technology regularly, and developing and publicizing clear policies “that cover all aspects of technology
use.”[37] Specific tools that provide independent ways to test the system, such as voter verified paper
audit trails (VVPATs) and post-election audits of technology systems, are also a good means to gain
public trust and secure against fraud.[38] Public communication around contingency planning is also fundamental so that changes in procedure – for example, switching to paper ballots in case of a power outage or security breach – are not perceived as suspicious in and of themselves.
c) Cybersecurity Instruments and Frameworks
The field of cybersecurity in elections is still emerging, both in national legislation and in international
jurisprudence and standards. Apart from the Council of Europe’s 2006 Cybercrime Convention
(Budapest Convention), there are no other binding international instruments at present that directly
tackle prevention of and punishment for cyberattacks.[39] Countries often have general security
regulations that do not cover all cybersecurity-related issues, or they are scattered in multiple pieces of
legislation and government regulations, some of which may be outdated. A coherent legal framework
for cybersecurity is important. For example, Ukraine passed a Law on Cybersecurity, which took effect in
May 2018, in response to its dire need to systematically handle cyberattacks, such as the (Not)Petya
malware attacks of June 2017.[40]
Several high-level policy institutes have developed cybersecurity frameworks to systematically address
cyberthreats and vulnerabilities in any complex system. These organizations include the U.S. Computer
Emergency Readiness Team (US-CERT),[41] NIST,[42] the information systems non-profit ISACA,[43] and the International Organization for Standardization (ISO).[44] In the absence of election-specific cybersecurity standards, these general frameworks may be useful for EMBs.
Cybersecurity frameworks are typically organized using a functional approach (that is, breaking down
processes into functions). NIST, together with US-CERT[45] identified a functional approach in its
framework in five steps that is now widely used within the cybersecurity community: identify, protect,
detect, respond, and recover.[46]
The US-CERT framework is detailed on the comprehensive NIST website. NIST also runs the Computer Security Resource Center, which keeps its 800-series publications (resources focused on cybersecurity) in one searchable archive. These publications range from targeted security recommendations, such as
email protection or message authentication code algorithms, to best practices for employees and
general frameworks. ISACA provides a framework for information systems security audits[47] and a framework for balancing the risks and benefits of information technology.[48] The latter is based on five principles: 1) meeting
stakeholder needs; 2) covering the enterprise end-to-end; 3) applying a single, integrated framework; 4)
enabling a holistic approach; and 5) separating governance from management.[49]
The EU Agency for Network and Information Security (ENISA) and ISO have identified critical
cyberthreats that must be addressed. ISO’s cybersecurity guidelines, which were produced through a
joint committee with the International Electrotechnical Commission, includes a list of more than 50
threats, and ENISA publishes an annual “Threat Landscape” report identifying the top 15 cyberthreats
that year.[50] While some are more directly relevant to EMBs than others, all could be used to undermine
the security and legitimacy of the electoral process. ENISA identified threats as diverse as information
leakage, such as in the 2017 French elections, cyber espionage, such as the Russian involvement in the
2016 U.S. elections, ransomware, and insider threats.[51] The diverse landscape of threats from inside and
outside an organization demonstrate the need for comprehensive and systematic cybersecurity
protection.
d) Election Observer Guidelines
As well as introducing new operational and security considerations, emerging election technology has
also changed the observation of elections. When observation missions are unprepared to observe,
analyze, and report on the use of new technology, the legitimacy of elections can be undermined by a
lack of effective observation or inaccurate observations, especially in the event of disputed results. This
can be particularly true for citizen observation missions that may lack the methodologies or capacity to
properly observe technology processes in elections. One example of this is the 2017 Kenyan elections,
when the opposition claimed technological malfeasance and manipulation had cost them the election.[52] Citizen observers were the only ones able to verify the counting and results tabulation process, but the elections ultimately were annulled over alleged irregularities in electronic results transmission and the
process for final certification of results – an aspect of the electoral process that was more difficult for
both citizen and international observer groups to observe.[53]
Some international election observation organizations have published handbooks on how to observe
technology in elections. These documents provide future observation teams with election technology
standards and best practice guidelines. The consensus among these groups favors more technical skills
for core teams, longer and earlier missions, and closer observation of election technology – including
during the development of specifications and the procurement stage. The Carter Center’s Handbook on
Observing Electronic Voting recommends having at least two members of a core observer team with
technical skills, ideally with a combination of electoral experience and technological or computer science
skills. These “e-voting experts” should have five to ten years of relevant experience.[54] Core team
members without a technical background need additional training to evaluate the technical aspects of
the electoral process. The Organization of American States (OAS) recommends that a “core group” of
technical staff and specialists, along with long-term observers, conduct an analysis of the technology to
be used in the upcoming elections. The results should be used to determine the training needed for
short-term observers.[55]
New technology requires extra preparation on the part of election observation missions (EOMs).
According to The Carter Center, EOMs should start as early as possible, typically four to six months
before an election, and stay until any dispute resolution has finished.[56] NDI recommends observer
involvement at every stage of the technological adoption process, including developing specifications for
hardware and software, testing the technology, and reviewing training manuals and attending training
sessions for EMB employees.[57] The Carter Center, ODIHR and the OAS provide a questionnaire for
observers monitoring new election technology; the OSCE has a checklist of questions in their Handbook
for the Observation of New Voting Technologies.[58] This demonstrates that observer groups are adapting to the new requirements that election technology presents, although funding and resources can be a challenge in supporting longer-term and more technical observation.
Apart from direct observation of key events, such as for example tabulation of election results as well as
interviews with EMBs, election observers should be equipped to evaluate and report on testing and
auditing, and certification, if any, of any election process that involves new technology.
e) Case Law
Several recent cases in national courts have provided various precedents on cybersecurity in elections
centered on the following issues: implementation and transparency of technology in Kenya; electronic
voting machines (EVMs) in India, Germany, and Finland; e-voting in Estonia and Austria; and
cybersecurity in the Philippines, all of which are discussed below. Together, the cases highlight the
importance of a verifiable paper trail for the voting and counting process, transparent tabulation and
certification of results, clear procedures and instructions for using technology, equality among voters,
and the importance of having cybersecurity policies and practices in place.
Implementation and Transparency of Election Technology
In its judgment annulling the August 2017 Kenyan presidential elections, the Supreme Court ruled that
the Independent Electoral and Boundaries Commission (IEBC) had failed to adhere to legal requirements
for “free and open elections.” The election results were finalized and announced based on information
from tabulated results forms (34B) that came from centralized tallying centers, instead of waiting until
the IEBC received all original results forms (34A) from individual polling stations. The court focused on
the IEBC’s failure to provide full access to its servers and server logs and its failure to provide a plausible
explanation for results released based on incomplete information. The court stated it “had no choice”
but to accept the petitioners’ claim that either the servers were infiltrated and the data compromised,
or the IEBC itself had intentionally or unintentionally compromised the data.[59] Multiple errors in
implementing technology were referenced in the decision, including interruptions on data mobile
coverage without an adequate backup plan and discrepancies between results published on the website
and official results released when compared to the breakdowns of results transmitted from polling
stations to the National Tallying Center.
Use of Electronic Voting Machines (EVMs)
Courts in India, Germany and Finland have all ruled on EVMs, focusing on the use of VVPATs to
authenticate results, voting technology that is understandable to the average voter, and clear
instructions for EVMs, respectively.
In its judgment of October 8, 2013, the Supreme Court of India directed the government to fund the
gradual phase-in of VVPATs, agreeing with the petitioner that a paper trail is a vital security measure for
e-voting. Although the Indian Election Commission (IEC) was able to print records from their EVMs with
a decoder device, the court ruled that VVPATs were also necessary. The IEC claimed that it had tested
VVPATs in field trials and had not yet adopted them on the basis of those trials. The court noted that
“[f]rom the materials placed by both the sides, we are satisfied that the ‘paper trail’ is an indispensable requirement of free and fair elections. The confidence of the voters in the EVMs can be achieved only with the introduction of the ‘paper trail.’”[60]
Following the 2005 parliamentary (Bundestag) elections, the Federal Constitutional Court of Germany
ruled on two complaints about the use of computer-controlled voting machines. Complainants alleged
that two laws that had been drafted, and the specific EVMs used, violated the principle of the public
nature of elections, which means that all essential steps of an election “are subject to the possibility of
public scrutiny.”[61] The complainants moved to invalidate the elections and to repeat them with voting
slips and ballot boxes. The principle of equality was also alleged to have been violated by the different
treatment of voters who used voting slips and voters who used EVMs. The court ruled that one of the
laws in question did permit voting machines without effective monitoring of voting or results and was
therefore unconstitutional. It found that the EVMs used were also incompatible with the public
principle; votes were recorded only on an electronic storage medium, so voters could not verify their
votes, and could only see that the machines had registered a ballot. No procedure should render the
voter unable to verify “whether his or her vote is unfalsifiably recorded and included in the
ascertainment of the election result, and how the total votes cast assigned and counted.”[62] The court
did not dissolve the Bundestag, saying that without evidence of manipulation, or evidence that results
would have been different without the EVMs, there was no sufficient reason to invalidate the elections.
The public interest “in the protection of the status quo of the people’s representation composed in trust
in the constitutionality of the Federal Voting Machine Ordinance outweighs the election errors that have
been ascertained.”[63]
EVMs were introduced in Finland through a pilot project in the 2008 municipal elections. E-voting was
an option at polling stations in three municipalities, and voters there had a choice between traditional
and e-voting. Voters used a voting card to cast their vote, but instructions on the card were incomplete.
Accordingly, nearly two percent of e-votes were not recorded. In its decision on a subsequent election
petition, the Supreme Administrative Court found that both the instructions on the cards and the EVMs
used were inadequate, and annulled the elections.[64] Elections were then re-held using only traditional
voting. The Council of Europe’s observation report concluded that universal suffrage, especially the right
to vote and the right to be elected, had been violated.[65]
Use of Internet Voting or Electronic Voting (e-voting)
E-voting has featured in several major court decisions, most notably in Estonia and Austria. In 2005, the
Estonian Parliament (Riigikogu) passed an amendment allowing e-voters to change their vote on the internet an unlimited number of times during advance polling. E-voters could also cast one paper ballot
as their final vote, either in the advance period or on the day of the polls. The president of Estonia
challenged the amendment in the Supreme Court, claiming that it gave e-voters an unfair advantage,
violating the principle of uniformity in § 156(1) of the Estonian Constitution, interpreted as all having an
equal possibility to affect the voting results. The president did not contest e-voting itself, only the ability
for anyone e-voting to change his or her vote.[66]
The amendment was ruled constitutional and in line with the Council of Europe standards of e-voting.
Estonia uses a mandatory ID card to verify identity in e-voting, so no legal obstacles were created.
Voters already used different means to vote, such as postal voting, and did so in different situations,
meaning voting was already not strictly uniform. The principle of one vote per voter was guaranteed by
an electronic version of the double-envelope system used in advanced voting: voters approve their evotes
by digital signature, pairing personal data with the encrypted vote. The two were not separated
until after polls closed on Election Day, ensuring that no voter could vote twice. Voters’ information
could not be transferred together into the computer that did the counting, guaranteeing secrecy. Each
subsequent vote replaced the last, preventing voters from using multiple channels to cast multiple
votes.
The court noted that a possible violation of the right to equality is only unconstitutional if it is
disproportionate to the “weight of the aims pursued.”[67] The aims of increasing participation in elections
and modernizing voting practices were considered legitimate (although it is worth mentioning that the
amendment did not actually increase turnout, and that comparative studies generally have shown that
the use of technology tends not to influence turnout).[68] Further, the court found that using e-voting
without allowing voters to change their vote may open this process up to possible intimidation, as
internet voting is used in an uncontrolled environment, unlike the controlled environment of a polling
station, where it is difficult to guarantee secrecy and freedom from intimidation.
The Austrian Constitutional Court ruled on remote e-voting following the 2008 Austrian Student
Association elections, in which e-voting was introduced for the first time. Two political parties in the
election brought complaints against the election and the regulations governing it. The court did not object to e-voting generally, but ruled that the relevant legislation was not specific enough on the duties
of the Election Commission, the specifications of the technology to be used, and the protection of the
principles of secrecy and publicity. Although there was no evidence of malfeasance, the law left open
the possibility of tampering. A CD-ROM with the election data stored on it that could be used to print
the data at any point was found insufficient as a paper record. The court noted that electoral principles
require public access to the system used and the underlying software, including the source code.
Because the e-vote was remote, regulations therefore had to be at least as stringent as regulation of
postal voting. Austrian law requires that student elections are held Tuesday through Thursday, and evoting
was available from the preceding Monday through Friday. The court ruled that this also violated
the law. The ruling was in 2011, after the terms of the representatives elected in the 2008 election had
expired, so no election was annulled.
Ensuring Cybersecurity in Elections
While not enshrined in case law, punitive measures imposed on the EMB in the Philippines in 2016 are
instructive in terms of the EMB’s responsibility for cybersecurity in elections. In March 2016, the
Philippines Commission on Elections (COMELEC) was hacked by a group called Anonymous Philippines.
The hackers took over COMELEC’s website, which was temporarily shut down in the aftermath, and
released extensive voter information, including fingerprints. Following the attack, the National Privacy
Commission recommended criminal charges against COMELEC Chairperson Andres Bautista for
negligence. In its decision of December 28, 2016, the commission stated that “the willful and intentional
disregard of his duties as head of agency, which he should know or ought to know, is tantamount to
gross negligence. The lack of a clear data governance policy, particularly in collecting and further
processing of personal data, unnecessarily exposed personal and sensitive information of millions of
Filipinos to unlawful access.”[69] The commission did not find Bautista guilty of helping with the attack,
but did establish a precedent of holding EMBs and their leadership accountable for information security
failures and data breaches in elections. The commission ordered COMELEC to implement new security
measures, conduct a privacy assessment, appoint a Data Protection Officer, and establish a Privacy
Management Program and a Breach Management Program. Less than a month later, a computer was
stolen from the Office of the Election Officer (OEO) in Lanao Del Sur, which the National Privacy
Commission noted was “COMELEC’s second large-scale data breach in a span of less than a year.”[70] The
computer contained biometric records of registered voters. Chairperson Bautista was impeached in
October 2017 and resigned that month. Bautista was accused of mishandling the data hack, receiving
payment from the company whose voting machines were used in the 2016 elections, and failing to
disclose his assets. As of the time of writing, a Senate inquiry is ongoing. The Philippines case is a
compelling example of potential institutional and personal liability for EMBs and election officials with respect to cybersecurity in elections, and the role that privacy commissions may play with respect to
oversight of personal data in elections.
[1] Article 21 of the UDHR states that the will of the people “shall be expressed in periodic and genuine elections which shall be by universal and equal suffrage and shall be held by secret vote or be equivalent free voting procedures.”
[2] United Nations General Assembly, Guidelines for the Regulation of Computerized Data Files, 14 December 1990, res. 45/95. http://www.refworld.org/pdfid/3ddcafaac.pdf.
[3] Ibid.
[4] Ibid., sec. B.
[5] United Nations General Assembly, Guidelines for the Regulation of Computerized Data Files, sec. A(7).
[6] Council of Europe, CM-Rec (2017)5, 17 June 2017, Appendix I, sec. VIII. This is a revision of the 2004 standards, which were the first of their kind.
[7] Council of Europe, CM-Rec. (2017)5, Appendix I, sec. VIII.
[8] “Voluntary Voting System Guidelines,” Voting Equipment, U.S. Election Assistance Commission, https://www.eac.gov/voting-equipment/voluntary-voting-system-guidelines/.
[9] Council of Europe, Certification of e-voting systems, 2011.
[10] Regulation (EU) 2016/679, https://eur-lex.europa.eu/legal-content/EN/TXT/?qid=1532348683434&uri=CELEX:02016R0679-20160504.
[11] “What does the General Data Protection Regulation (GDPR) govern?”, European Commission, https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-does-general-data-protection-regulation-gdpr-govern_en.
[12] G.A. res. 44/132, 44 U.N. GAOR Supp. (No. 49) at 211, U.N. Doc. A/44/49 (1989). See also General Assembly resolutions 68/167 of 18 December 2013 and 69/166 of 18 December 2014, as well as Human Rights Council resolutions 28/16 of 26 March 2015 on the right to privacy in the digital age and 32/13 of 1 July 2016 on the promotion, protection and enjoyment of human rights on the Internet.
[13] Ed. Michael Yard, “Civil and Voter Registries: Lessons Learned from Global Experiences,” International Foundation for Electoral Systems, 2011, 15.
[14] Open Government Partnership, Open Government Declaration, 2011, https://www.opengovpartnership.org/open-government-declaration. Since joining in 2011, Hungary and Turkey withdrew their participation. Azerbaijan’s status is inactive since 2015.
[15] Ibid.
[16] Ibid.
[17] Calkin et al., A Handbook for Elections Infrastructure Security, Center for Internet Security, 2018, https://www.cisecurity.org/wp-content/uploads/2018/02/CIS-Elections-eBook-15-Feb.pdf.
[18] Harvard Kennedy School’s Belfer Center, Defending Digital Democracy Project (D3), ‘The State and Local Election Cyber-Security Playbook, https://www.belfercenter.org/publication/state-and-local-election-cybersecurity-playbook.
[19] Comprising experts from the EU member states, the European Commission and ENISA.
[20] EU NIS Cooperation Group, Compendium on Cyber Security of Election Technology, July 2018, https://www.ria.ee/public/Cyber_security_of_Election_Technology.pdf
[21] Ben Goldsmith and Holly Ruthrauff, Implementing and Overseeing Electronic Voting and Counting Technologies, International Foundation for Electoral Systems and National Democratic Institute, 2013, 23-24.
[22] Michael Yard, ed., Direct Democracy: Progress and Pitfalls of Election Technology, International Foundation for Electoral Systems, 2010, 20.
[23] Ben Goldsmith, Electronic Voting and Counting Technologies, International Foundation for Electoral Systems, 2011, 13.
[24] European Commission and United Nations Development Programme, Procurement Aspects of Introducing ICTs solutions in Electoral Processes, 2010, 73; Yard, ed., Direct Democracy: Progress and Pitfalls of Election Technology, International Foundation for Electoral Systems, 112.
[25] Goldsmith and Ruthrauff, Implementing and Overseeing Electronic Voting and Counting Technologies, 106.
[26] Organization for Security and Co-operation in Europe, Guidelines for Reviewing the Legal Framework for Elections, 2nd ed., 2013, 65-69.
[27] Yard, ed., Direct Democracy: Progress and Pitfalls of Election Technology, 21.
[28] Council of Europe, Guidelines on Transparency of E-enabled Elections, 2011, 5. (Source No Longer Found)
[29] Michael Yard, ed., Civil and Voter Registries: Lessons Learned from Global Experience, 2011, 8; European Commission, Methodological Guide on Electoral Assistance, 2006, 59-60.
[30] Yard, ed., Civil and Voter Registries: Lessons Learned from Global Experience, 157.
[31] Ibid., 42.
[32] European Commission and UNDP, Procurement Aspects of Introducing ICT Solution in Electoral Processes, 2010, 55.
[33] European Commission, Methodological Guide on Electoral Assistance, 57.
[34] Council of Europe, “Guidelines on the implementation of the provisions of Recommendation CM/Rec (2017) 5 on standards for e-voting,” CM-Rec(2017)50, June 14, 2017.
[35] Ben Goldsmith and Holly Ruthrauff, Implementing and Overseeing Electronic Voting and Counting Technologies, International Foundation for Electoral Systems and National Democratic Institute, 2013, 175-176.
[36] Ibid.
[37] Helena Catt, et al., Electoral Management Design, revised ed., International IDEA, (Stockholm, Sweden: 2014) 266-267.
[38] European Commission, Methodological Guide on Electoral Assistance, 63.
[39] “Budapest Convention and related standards,” Council of Europe, https://www.coe.int/web/cybercrime/the-budapest-convention.
[40] The original ransomware attack known as “Petya” held hostage data from several companies and demanded a ransom to release it. A number of cyber security analysts maintain that the newer versions were rather aimed at causing damage. Olivia Solon and Alex Hern, “’Petya’ ransomware attack: what is it and how can it be stopped?”
The Guardian, June 28, 2017, https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how.
[41] US-CERT, https://www.us-cert.gov/.
[42] NIST, https://www.nist.gov/.
[43] ISACA, https://www.isaca.org/Pages/default.aspx?gclsrc=aw.ds.
[44] ISO, https://www.iso.org/home.html.
[45] US-CERT, https://www.us-cert.gov/.
[46] National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity, ver. 1.1, 2018, 3, https://www.us-cert.gov/ccubedvp/cybersecurity-framework.
- Identify (develop organizational understanding to manage risk),
- Protect (develop/implement safeguards),
- Detect (develop/implement activities to recognize if an event is related to cybersecurity),
- Respond (develop/implement actions to contain the impact of a cybersecurity event) and
- Recover (develop/implement activities related to restoring capabilities if systems were impacted and increase resilience).
[47] Shemlse Gebremedhin Kassa, “Information Systems Security Audit: An Ontological Framework,” ISACA Journal vol. 5, 2016, https://www.isaca.org/Journal/archives/2016/volume-5/Pages/information-systems-security-audit.aspx.
[48] “COBIT,” ISACA, http://www.isaca.org/cobit/pages/default.aspx.
[49] ISACA, COBIT 5: A Business Framework for the Governance and Management of Enterprise IT, Executive Summary.
[50] International Organization for Standardization and International Electrotechnical Commission, ISO/IEC 27005:2011, 2011; European Union Agency for Network and Information Security, ENISA Threat Landscape Report 2017, 2018.
[51] European Union Agency for Network and Information Security, ENISA Threat Landscape Report 2017, 79-87.
[52] “Kenya opposition leader Raila Odinga claims election fraud,” Financial Times, August 9, 2017, https://www.ft.com/content/2f795986-7cda-11e7-ab01-a13271d1ee9c.
[53] Julia Brothers, “Using Open Data to Verify Information in Elections,” NDI, March 2018, https://www.demworks.org/using-open-data-verify-information-elections.
[54] The Carter Center, Observing Electronic Voting, (Georgia: 2012), 5.
[55] Gustavo Aldana, et al., Observing the Use of Electoral Technologies: A Manual for OAS Electoral Observation Missions, Organization of American States, 8.
[56] The Carter Center, Observing Electronic Voting, 2012, 6-7.
[57] Vladimir Pran and Patrick Merloe, Monitoring Electronic Technologies in Electoral Processes, National Democratic Institute for International Affairs, (Washington, DC: 2007), 35-41.
[58] The Carter Center, Observing Electronic Voting, 2012, 41-65; Aldana, et al., Observing the Use of Electoral Technologies: A Manual for OAS Electoral Observation Missions, 33-35; Organization for Security and Co-operation in Europe, Handbook for the Observation of New voting Technologies, (Warsaw, Poland: 2013), 70-71.
[59] See section 279 of Odinga and Musyoka v. IEBC et al. (Supreme Court of Kenya 2017): “The IEBC in particular failed to allow access to two critical areas of their servers: its logs which would have proved or disproved the petitioners’ claim of hacking into the system and altering the presidential election results and its servers with Forms 34A and 34B electronically transmitted from polling stations and CTCs.”
[60] Swamy v. Election Commission of India (Supreme Court of India 2013).
[61] Judgment of the Second Senate of 3 March 2009, 2 BvC 3/0 (Federal Constitutional Court of Germany).
[62] Ibid.
[63] Ibid.
[64] Sections 2.42 and 2.5 of KHO:2209: 39 (Supreme Administrative Court of Finland).
[65] Kieth Whitmore, Information Report on the Electronic Voting in the Finnish Municipal Elections, Council of Europe, 2008, 3.
[66] Constitutional judgement 3-4-1-13-05 (Supreme Court of Estonia).
[67] Ibid.
[68] See, e.g., Kristjan Vassil and Till Weber, “A Bottleneck Model of E-Voting: Why Technology Fails to Boost Turnout,” New Media & Society 13, no. 8 (2011), 1336-1354; Karel Sál, “Remote Internet Voting and Increase of Voter Turnout: Happy Coincidence or Fact? The Case of Estonia,” Masaryk University Journal of Law and Technology 9, no. 2 (30 September 2015): 15-32; Harald Baldersheim, Jo Saglie, and Signe Bock Segaard, “Internet Voting in Norway 2011: Democratic and Organisational Experiences,” Oslo: Insitute for Social Research (2013), 10-14; and Gary H. Roseman Jr. and E. Frank Stephenson, “The Effect of Voting Technology on Voter Turnout: Do Computers Scare the Elderly?”, Public Choice 123, no. 1 (2005): 39-47. New e-voters tend not to be new voters, but instead the technologically savvy portion of the existent traditional voter pool. A study on turnout in Estonia from 2005 (when the law was passed) to 2015 found a small increase in turnout following the introduction of e-voting, but not a causal connection. Mihkel Solvak and Kristjan Vassil, E-voting in Estonia: Technological Diffusion and Other Developments Over Ten Years (Tartu, Estonia: Johan Skytte Institute of Political Studies, 2016), 11-12, 169.
[69] National Privacy Commission, “Privacy Commission recommends criminal prosecution of Bautista over
“Comeleak,” January 5, 2017, https://www.privacy.gov.ph/2017/01/privacy-commission-finds-bautista-criminally-liable-for-comeleak-data-breach/.
[70] National Privacy Commission, “NPC starts probe into COMELEC’s 2nd large scale data breach; issues compliance
order,” February 20, 2017, https://www.privacy.gov.ph/2017/02/npc-starts-probe-comelecs-2nd-large-scale-data-breach-issues-compliance-order/.