Federal Chancellery Ordinance on Electronic Voting (OEV)

1. Definitions

In addition to Article 2, the following expressions mean:

1. voting secrecy is a situation in which no person or component has the following data:1.1.1votes cast or data indicating the content of votes cast,1.1.2data allowing the persons voting to be identified (data on voters), and1.1.3data allowing the data on voters to be matched with the votes cast;
2. the exclusion of premature partial results is a situation in which no person or component has the votes cast or data indicating the votes cast prematurely;
3. the verification reference is data sent with the voting papers to enable voters to check whether their vote has been cast correctly, in accordance with Article 5 paragraph 2 in conjunction with Number 2.5 of the Annex (e.g. a list showing a code for each voting option);
4. an external attacker is a person or group of persons who is not familiar with how the system has been developed or how it operates, who has average resources and expertise, from whom an attack originates; their motives may include political activism and financial gain;
5. an internal attacker is a person or group of persons involved in the development or operation of the system from whom an attack originates; their motives may include political activism, financial gain, or the intention to harm their employer;
6. a hostile organisation is a group of individuals with substantial resources and above-average expertise that is the source of an attack; it may also be supported by a state; its motives may be to obtain data for profiling purposes, to disrupt a ballot or to influence the results of the ballot;
7. an attacker is a person, group of persons or organisation as defined in Numbers 1.4-1.6;
8. an electronic ballot box is storage space in which the votes cast can be stored until they are decrypted and counted;
9. a system log is a log established from the infrastructure components to monitor the system and investigate incidents.

2. Cryptographic protocol requirements for complete verifiability (Art. 5)

1. System participants

The cryptographic protocol regulates the tasks of the following abstract system participants:

1. voter / person voting
2. user device
3. set-up component
4. untrustworthy system (any component excluding the other components listed in this Number; UT system)
5. print component
6. one or more groups of control components
7. auditors
8. auditors’ technical aids
9. Communication channels

The cryptographic protocol may provide the following communication channels to enable system participants to exchange messages:

1. voter / person voting ↔ user device
2. user device ↔ UT system
3. set-up component ↔ UT system
4. control component ↔ UT system
5. UT system → print component
6. UT system → auditors’ technical aid
7. print component → voter / person voting
8. set-up component → auditors’ technical aid
9. auditors ↔ auditors’ technical aid
10. bi-directional channels for communication between control components
11. Attackers
12. The cryptographic protocol must provide protection against an attacker attempting to tamper with the votes and the result, to breach voting secrecy or to obtain premature partial results (Nos 2.5–2.8).
13. The assumption must be made that an attacker has the following abilities:–He can take control of all untrustworthy system participants (cf. No 2.4), so that they share all the secret data with him and act without restriction according to his instructions.–He can read or prevent delivery of all messages that are exchanged on untrustworthy channels and feed in his own messages as he pleases.
14. Trustworthy and untrustworthy system participants and communication channels
15. System participants and communication channels are considered either to be «trustworthy» or «untrustworthy». The permitted trust assumptions for individual system participants are governed by Number 2.9.
16. Trustworthy system participants and communication channels are regarded as protected against attackers. For the cryptographic protocol, the following assumptions may be made:–Trustworthy system participants keep private data secure and only carry out operations defined by the cryptographic protocol.–Trustworthy communication channels keep transmitted messages private and protect them from manipulation.
17. Requirement for the cryptographic protocol: individual verifiability

The voter is given proofs in accordance with Article 5 paragraph 2 in conjunction with Article 6 letters a and b to confirm that no attacker:

1. has altered any partial vote before the vote has been registered as cast in conformity with the system;
2. has maliciously cast a vote on the voter’s behalf which has subsequently been registered as a vote cast in conformity with the system and counted.
3. Requirement for the cryptographic protocol: universal verifiability

The auditors receive a proof in accordance with Article 5 paragraph 3 letter a in conjunction with Article 6 letters a and c to confirm that no attacker:

1. after the votes were registered as cast in conformity with the system, has altered or misappropriated any partial votes before the result was determined;
2. has inserted any votes or partial votes not cast in conformity with the system which were taken into account in determining the result.
3. Requirements for the cryptographic protocol: preserving voting secrecy and excluding premature partial results
4. It must be ensured that no attacker is able to breach voting secrecy or establish premature partial results unless he can control the voters or their user devices.
5. There is no obligation to prevent attacks that limit the number of tallied votes to the degree that all partial votes for a question, list or candidate are the same.
6. It must be ensured that no attacker can take control of user devices unnoticed by manipulating the user device software on the server. The person voting must be able to verify that the server has provided his or her user device with the correct software with the correct parameters, in particular the public key for encrypting the vote.
7. Requirement for the cryptographic protocol: effective authentication

It must be ensured that no attacker can cast a vote in conformity with the system without having control over the voters concerned.

1. List of trustworthy and untrustworthy system participants
2. For soundness of the proofs referred to in Number 2.5
3. The following system participants are considered untrustworthy:–user device–UT system–three out of four control components per group, leaving open which three they are–a significant proportion of voters–auditors–auditors’ technical aids
4. The following system participants may be considered trustworthy:–set-up component–print component–one of four control components per group, leaving open which one it is
5. For soundness of the proofs referred to in Number 2.6
6. The following system participants are regarded as untrustworthy:–user device–UT system–three of four control components per group, leaving open which three they are–a significant proportion of voters–set-up component–print component
7. The following system participants may be considered trustworthy:–one of four control components per group, leaving open which one it is–one auditor in any group, leaving open which auditor it is–one technical aid from a trustworthy auditor, leaving open which aid it is
8. For preserving voting secrecy and excluding premature partial results in accordance with Number 2.7
9. The following system participants are regarded as untrustworthy:–UT system–three of four control components per group, leaving open which three they are–a significant proportion of voters–auditors–auditors’ technical aids
10. The following system participants may be considered trustworthy:–set-up component–print component–user device–one of four control components per group, leaving open which one it is
11. If an entire group of control components is used by a private system operator, none of these control components is considered trustworthy.
12. For the effectiveness of the authentication referred to in Number 2.8
13. The following system participants are regarded as untrustworthy:–UT system–three of four control components per group, leaving open which three they are–a significant proportion of voters–auditors–auditors’ technical aids–user device
14. The following system participants may be considered trustworthy:–set-up component–print component–one of four control components per group, leaving open which one it is
15. List of trustworthy and untrustworthy communication channels
16. The following communication channels are considered untrustworthy:–user device ↔ UT system–set-up component ↔ UT system–control component ↔ UT system–UT system → print component–UT system → auditors’ technical aids–bi-directional channels for communication between control components
17. The following communication channels may be considered trustworthy:–voter / person voting ↔ user device–auditors’ technical aid ↔ auditors–set-up component → auditors’ technical aids–print component → voter / person voting
18. Additional requirements for the soundness of the proofs
19. The probability of an attacker being able to falsify a proof under Number 2.5 if he changes a partial vote, suppresses a partial vote or casts a vote in someone else’s name must not exceed 0.1%.
20. The probability of an attacker being able to falsify a proof under Number 2.6 if he causes the calculated result to deviate by 0.1% from the correct result by altering and suppressing votes cast in conformity with the system or by entering votes not cast in conformity with the system may not exceed 1% per proposal, list or candidate selection.
21. If the probability of an attacker being able to falsify a proof under Number 2.6 is not negligible in the cryptographic sense³, it must be possible to reduce the probability of success as desired by repeated tallying, by providing the auditors with an additional, independent proof under Number 2.6 for each count.
22. Functional requirements for the voting process with implications for the cryptographic protocol
23. Only one vote can be cast with the authentication credentials assigned to a voter.
24. The person voting enters their vote on the user device.
25. The person voting can change the vote up to the point of confirming the decision to cast it and can check the vote against a summary.
26. After the person voting has had the opportunity to check the vote against the summary, he or she confirms on the user device that he or she wants to cast the vote as entered.
27. The proofs of correct voting under Number 2.5 must be divided into at least two sequential items of proof. Any indication presented as an item of proof must make a genuine contribution to the soundness of the proof referred to in Number 2.5.
28. The user device displays the first item of proof to the person voting after he or she has confirmed on the user device that he or she wants to cast the vote.
29. The user device will not display the next item of proof to the voting person until the voting person has entered into the user device that the previous item of proof is correct.
30. By confirming that the penultimate item of proof is correct, the voting person confirms his or her decision to cast the vote definitively.
31. The group of control components registers the vote as having been cast in conformity with the system when it has received confirmation of the definitive decision to cast the vote.
32. When the person voting has checked the last item of proof as being correct, the voting process is complete. The last item of proof should be made particularly easy to check, by limiting the check as far as possible to the correct display of a single code or other simple indication.
33. If voting data are imported, a setup component or a print component must no longer be considered trustworthy from that point on.
34. Requirements for the definition and description of the cryptographic protocol
35. Wherever possible, building-blocks are used that are in widespread use worldwide and have been thoroughly scrutinised by experts. Standards, reference projects and academic publications can be used as a benchmark. Derogations and cases of doubt must be dealt with separately in the context of the risk assessment referred to in Article 4.
36. Instructions must not be underspecified. Individual instructions must restrict the options for implementation to such a degree that any form of implementation that the instructions allow is also compliant with meeting the cryptographic protocol requirements.
37. It may be assumed that trustworthy channels exist to distribute electronic certificates among system participants. Number 3.8 applies.
38. Proofs of compliance with the cryptographic protocol requirements
39. A symbolic and a cryptographic proof of compliance must demonstrate that the cryptographic protocol meets the requirements in Numbers 2.1–2.12.
40. The proofs of compliance must directly refer to the protocol description that forms the basis for system development.
41. The proofs of compliance relating to basic cryptographic components may be provided according to generally accepted security assumptions and constructions (e.g. «random oracle model», «decisional Diffie-Hellman assumption», «Fiat-Shamir heuristic»).

3. Requirements for trustworthy components in accordance with Number 2 and for their operation

1. The operation of the set-up component and at least one control component in the group which contains part of the key for decrypting the votes is the direct responsibility of the canton and must take place within its infrastructure. Outsourcing to a private system operator is not permitted.
2. Sufficient entropy must be ensured when selecting random values, in particular for set-up components and control components.
3. Auditors must verify the proofs referred to in Number 2.6 at least once and must use a technical aid referred to in Number 2 for this purpose.
4. The operational requirements for set-up components in accordance with Number 3 also apply to technical aids used by the auditors. Within the scope of their responsibility under cantonal law, the auditors may provide for derogations.
5. With the exception of the components mentioned under Numbers 3.1 and 3.3, the canton may delegate the operation of any part of the system, including the control components and the print component, to private service providers. A private operator of the print component may only perform operational tasks that are required for preparation, packaging and delivery.
6. Trustworthy components (set-up components, print components, auditors’ technical aids and control components) must be set up, updated, configured and secured in an observable process.
7. Before installing software, all programs must be checked using an official and trustworthy reference to ensure that the files are the correct and unaltered version.
8. When other system participants’ electronic certificates are installed, their authenticity must be ensured. To that end, there should be a manual process in which people transfer the electronic certificates from one machine to another via a physical data carrier in accordance with 3.13.
9. The timing for updating all software of trustworthy components must be such that the expected benefits outweigh the potential hazards.
10. Set-up components, print components and auditors’ technical aids that are involved in any way in the processing of critical data must be physically monitored during the entire computing time by two persons and until any critical data have been deleted or securely stored. At most, they may be interconnected by visible physical cables so that it is as evident as possible that no other machines can access them until the confidential data is destroyed.
11. Trustworthy components may not be connected to the internet when installing or updating software.
12. In principle, critical data must be destroyed after use. If there are good reasons, secure storage of the data carrier is also permitted as an alternative.
13. Data exchange or storage media, such as USB flash drives, must be removed after the data has been uploaded to the trustworthy components and may only be reused before the data is destroyed if there was no critical data on the trustworthy component before the data was uploaded.
14. Data exchange or storage media must be reformatted and any data on them must be destroyed before they are used with the aid of a component operated in accordance with the requirements for trustworthy components.
15. Logical or physical access to trustworthy components or data carriers containing critical data must be impossible without another person becoming aware of it, for example by having to assist in granting access (strict two person principle).
16. Success in gaining unauthorised access to a control component should not as far as possible give any advantage in an attempt to access another control component unnoticed. In addition to the requirements set out in Number 3, the following requirements apply in this respect:–If a person has physical or logical access to a control component, that person may not have access to any other control component.–The hardware, the operating systems and the monitoring systems for the control components should be as distinct as possible from each other.–The control components should be connected to different local networks.–A control component must take the form of a physical device. Virtualisation across multiple physical devices is not permitted.
17. Control components must be designed to recognise unpermitted instances of access and to alert the persons responsible. The persons responsible should arrange external monitoring measures, such as the monitoring and the manipulation-resistant logging of network traffic or physical monitoring with cameras that are under their control. The persons responsible must be considered to be particularly trustworthy and reliable.
18. Trustworthy components may perform only the intended operations.
19. The software for the auditors’ technical aids must be obtained from a different system developer from the one who developed the main part of the software for the other system components. The publication of the software for the technical aid under a licence that meets the criteria for open source software⁴ may justify an exception. If auditors use several technical aids, this provision applies to at least one of the technical aids.
20. All procedures for dealing with trustworthy components must be documented in writing and in a manner that is easily understood by the persons concerned.
21. Any access to and use of a trusted component or data carrier containing critical data must be logged.

4. Voting process

1. The person voting must declare that he or she is aware of the rules on electronic voting and of his or her own responsibilities.
2. Before casting a vote, the person voting is notified that he or she is taking part in a ballot in the same way as voting by post or voting in person at the ballot box. The person voting may only cast his or her vote after confirming that he or she has taken note of this.
3. When voting, the person voting is requested to check the proofs in accordance with Number 2.5 against the verification reference and to report any doubts as to its correctness to the canton.
4. At any time before casting an electronic vote definitively, the voter may still choose to cast his or her vote via a conventional voting channel.
5. The client-side system as it appears to the person voting does not influence the person voting in his or her decision on how to vote.
6. The user guidance must not lead persons voting to cast hasty or ill-considered votes.
7. The system does not offer the person voting any functionality allowing them to print out or store their vote.
8. The person voting is not shown any information after the voting process is completed about the content of the vote that has been encrypted and cast.
9. A voter who is unable to cast a vote because third parties have cast a vote using his or her voting papers unlawfully may still be allowed by the canton to vote provided the canton declares the unlawfully cast vote null and void. Voting secrecy in accordance with Number 2.7 must be preserved.
10. Voters with disabilities may be provided with a simplified procedure for checking the proofs. Only in such a case are derogations from the requirements set out in Number 2.9.1 permitted.
11. As long as the system has not registered confirmation of a definitive electronic vote, the voter may still choose to cast his or her vote via a conventional voting channel.
12. The use of a means of authentication independent of electronic voting is permitted. Effects on the integrity of the verification of the right to vote and the preservation of voting secrecy must be examined in detail as part of the risk assessment.

5. Preparations for the ballot

1. If the electoral register data is imported from a third-party system that is outside the canton’s control, the data must be encrypted and signed. The signature must be verified on receipt of the data. For delivery to the printing office, the provisions of Number 7 take precedence.
2. The data required to examine the proofs in accordance with Number 2.6 must be handed over to the auditors.

6. Requirements for polling cards

1. If possible, the polling cards shall be designed so as to allow voters with a disability barrier-free access to electronic voting.
2. Security elements on the polling card (e.g scratch codes) may only be used if there is a confirmation that the concealed information is well protected against unauthorised reading.
3. If it is decided not to use security elements to protect confidential information on the voting card, organisational procedures must be in place to ensure security.

7. Requirements for printing offices

1. The printing data used to produce the polling cards are transmitted encrypted and signed. Alternatively, a data carrier containing this data may be delivered in person. In this case, the data carrier must be transported and delivered to the printing office by two persons, who must both stay with the data carrier until it is delivered.
2. The encryption must meet the requirements of eCH standard 0014⁵, Chapter 7.5. If encryption is symmetric, the secret decryption key is sent to the persons responsible at the printing office via a secure secondary channel.
3. The person responsible at the printing office who receives the data carrier must sign an acknowledgement of receipt.
4. For the data carrier containing the print data, the component on which the critical data is decrypted and all components that process the critical data, the provisions for the print component as set out in Number 3 apply.
5. The persons responsible at the printing office carry out a material quantity check.
6. After printing the polling cards, the printing office must destroy the data received.
7. If the printing office also carries out the packaging and dispatch of the polling cards, these must be packaged together with the voting papers immediately after printing.
8. The channel between the printing office and the voters may only be considered trustworthy if the bodies responsible under cantonal law deliver the packaged voting papers to the voters by post or ensure that it is handed over in person.

8. Information and instructions

1. The body responsible at cantonal level must issue guidelines on providing information to citizens about electronic voting.
2. The guidelines ensure that the information is authorised by the responsible bodies.
3. Tips and instructions on vote casting are given on the internet along with information on voters’ responsibilities. This should counter over-hasty or ill-considered vote casting behaviour.
4. Verifiability, further security measures and the procedure in the event of anomalies are explained to voters in an accessible manner.
5. Voters are told what they have to pay attention to in order to cast their vote securely.
6. Voters are given instructions on how to delete their vote from all the memories on the device used for entering the vote.
7. Voters may request support if they have questions about electronic voting.
8. Voters are requested to report incorrectly displayed proofs in accordance with Number 2.5 such as verification codes or other verification steps with negative results to the body responsible at cantonal level. This request is also made in the instructions sent out with the voting papers.
9. Voters are requested to keep the voting papers with the security elements in fulfilment of Number 2.5 securely until they cast their final vote or until the voting process is concluded.
10. Voters are given the information required to check the authenticity of the website and the server used for voting. The informative value of a successful check must be supported by the use of cryptographic resources according to the best practices.
11. The information essential for secure voting is sent with the voting papers. Voters are told that if in doubt, they should comply with the information in the voting papers rather than the information displayed on the user device.
12. The measures taken to preserve voting secrecy are explained to voters.
13. Known flaws and the need for action associated with them are communicated transparently.
14. The auditors should be suitably informed about and trained in the processes that determine the accuracy of the result, the preservation of voting secrecy and the exclusion of premature partial results (for example key generation, printing the voting papers, decryption and tallying). They must be able to understand the essential aspects of the processes and their significance.

9. Opening and closing the electronic voting channel

The electronic voting channel is only available during the permitted period.

10. Conformity check and storing finalised votes

Votes not cast in conformity with the system are not stored in the electronic ballot box.

11. Tallying votes in the electronic ballot box

1. The decryption of the votes and the tallying may not begin before Polling Sunday.
2. The canton carries out the decryption and tallying within its own infrastructure.
3. The canton must ensure that the decryption of votes and their tallying is documented. The minutes are released by the body responsible at cantonal level.
4. From the decryption of votes to the transmission of the result of the ballot, any access to the system or to any of its components must be made jointly by at least two persons; it must be recorded in writing and it must be possible for the auditors to check it.
5. If the result data is transmitted to a third-party system that is outside the canton’s control, the data must be encrypted and signed.
6. The system allows the polling card to be used to determine whether someone has cast an electronic vote.
7. Auditors must be present during decryption and tallying. The cantons may permit additional remote auditing work.
8. If components used to tally votes are not trustworthy in accordance with Number 2.4, the same requirements apply to these components as to set-up components under Number 3.
9. The auditors exercise their responsibility in accordance with cantonal law when examining the proofs in accordance with Number 2.6.
10. The body responsible at cantonal level submits all relevant indicators of the correctness of the result to the auditors. This includes, in addition to the proofs in accordance with Number 2.6, in particular the number and nature of anomalies reported to the canton by voters.
11. The canton anticipates any anomalies and, in consultation with the bodies concerned, draws up an emergency plan specifying the appropriate course of action. It creates transparency towards the public.
12. Statistical methods must be used to check the plausibility of the result, provided they are available and there is sufficient data.

12. Confidential data

1. It is guaranteed that neither employees nor externals hold data that allow a connection to be made between the identity of persons voting and the votes they have cast.
2. It is guaranteed that neither employees nor externals hold data before the decryption of the votes that allow the premature determination of partial results.
3. The canton may not pass on to private companies its part of the key for decrypting the votes which it has on the control component that it operates in accordance with Number 3.1.
4. The canton must treat the results of the ballot as confidential between the time the votes are decrypted and the time of publication.
5. The canton must ensure that data that indicate whether a voter has voted electronically are treated as confidential.
6. The canton must treat the individual votes as confidential after they have been tallied.
7. The canton must ensure that vote and election results in small constituencies are treated as confidential.
8. Following validation and in accordance with a predetermined and documented process, all data created as part of the electronic ballot that relate to the individual votes received and that are classified as confidential must be destroyed.

13. Threats

1. The threats listed in Numbers 13.3-13.40 are of a general nature and form a basis; this must be added to. They relate to the security objectives and must be taken into account when identifying risks. Depending on the system vulnerabilities identified, when the various bodies carry out their risk assessments, the list should be updated with full details based on the actual circumstances and depending on the specific threat.
2. The following are considered to be potential threats:–inadvertent or intended electronic or physical threats from internal or external actors;–threats resulting from a malfunction of the system or system-supporting elements.

14. Identifying and reporting security events and vulnerabilities; dealing with security events and making security improvements

1. An infrastructure monitoring system detects incidents that could endanger the security, including availability, of the system and alerts the responsible personnel. The personnel deal with incidents according to a predetermined procedure. Crisis scenarios and rescue plans serve as guidelines (and include a plan that guarantees that voting-related activities can continue) and are applied as required.
2. Errors in the registration of votes in the control components and in the ballot box must be detected. Further information relating to the error must be available in order to identify and eliminate the cause. Any incidents detected must be reported to the body responsible at cantonal level.
3. Records are created on the infrastructure whose recording, transmission and storage are resistant to manipulation (system logs). The records are consistent with each other and allow the relevant events to be traced when investigating suspected manipulation or errors. They serve as evidence of the complete, unfalsified and exclusive tallying of votes cast in conformity with the system, of preservation of voting secrecy and of the exclusion of premature partial results.
4. The content of the records covers at least the following events:–start and end of the audit, identification and authentication processes–start, restart and end of the voting or election phase–start of the tallying with the determination of the results–conduct and results of any self-tests–malfunctions identified in elements of the IT infrastructure that affect the ability to operate
5. The date and time of each event, the type of event, the possible originator and the result in terms of failure or success are documented.
6. The system logs are made available to the body responsible at cantonal level in such a way that it can interpret the information.
7. The monitoring and recording of system logs are subject to a continuous improvement process. The improvement process involves an open dialogue between those involved and a regular and objective assessment of the effectiveness of the instruments and processes used. The results of these evaluations will be taken into account.
8. The monitoring and recording of system logs in no way detracts from the effectiveness of the measures taken to preserve voting secrecy.
9. It must be guaranteed that in the event of a malfunction, the votes and the data that prove the smooth operation of the vote tallying are stored safely in the infrastructure.
10. After a breakdown in the system or a failure of communication or storage media, the system enters a recovery mode in which it is possible to return to a safe state. Voting processes that have been started are interrupted. The person voting cannot resume voting until the system is returned to a safe state.
11. It is possible to cast control votes using authentication credentials that are not assigned to any voter. The content of these control votes is recorded. The tallying of the control votes is compared with the records.
12. It must be ensured that the control votes are dealt with in as similar a way possible as votes cast in conformity with the system, while at the same time ensuring that they are not counted.
13. Infrastructure availability must be checked and recorded at selected intervals.
14. All parts of the voting system must be regularly updated in a predetermined and documented process in order to eliminate weaknesses that have become known.
15. The measures for monitoring and keeping records of system usage, the activities of administrators and of malfunction records must be described in detail, implemented, monitored and reviewed.

15. Use of cryptographic measures and key management

1. Electronic certificates must be managed according to the best practices.
2. In order to guarantee the integrity of data records that substantiate the accuracy of the result and ensure that critical data, including the authorities’ identification and authentication data, are kept secret, effective cryptographic measures that correspond to the state of the art must be used.
3. To ensure that critical data are kept secret, effective cryptographic measures are used in the infrastructure that correspond to the state of the art. Such data is always stored encrypted on data carriers.
4. Basic cryptographic components may only be used if the key lengths and algorithms correspond to the current standards (e.g. NIST, ECRYPT, ESigA). The electronic signature meets the requirements of an advanced electronic signature in accordance with the Federal Act of 18 March 2016¹⁰ on Electronic Signatures (ESigA). The signature must be verified by means of an electronic certificate that has been issued by a recognised supplier of certificate services under the ESigA.

16. Secure electronic and physical exchange of information

1. All infrastructure components must be operated in a separate network zone. This network zone must be protected in relation to other networks by an appropriate routing control.
2. As a principle, electronic voting should be clearly separated from all other applications.

17. System tests

1. The functions relevant to the security of the system (security functions) are tested. The tests are documented with test plans, and expected and actual test results.
2. The test plan:–specifies the tests to be performed;–describes the scenarios for each test, including any dependencies on the results of other tests.
3. The expected results must show the results that are expected if the test is successfully executed.
4. The actual results must be consistent with expected results.
5. An analysis must be made of the test coverage. This includes evidence that:–the tests defined in the test documentation match the functional specifications of the interfaces;–all interfaces have been fully tested.
6. An analysis must be made of the depth of testing. This includes evidence that:–the tests defined in the test documentation match the subsystems related to security functions and modules that play a role in ensuring security;–all subsystems related to the security functions mentioned in the specifications have been tested;–all modules that play a role in ensuring security have been tested.

18. Organisation of information security

1. All roles and responsibilities for the operation of the system must be precisely defined, assigned and communicated.
2. The initial configuration of the infrastructure, whether with regard to hardware, software or access rights, and any modification must be approved beforehand.
3. The risks in connection with third parties (contractors such as suppliers and service providers) must be identified and if necessary reduced by means of suitable contractual agreements. Compliance with the agreements must be appropriately monitored and reviewed throughout their term.

19. Management of intangible and tangible resources

1. All intangible and tangible resources in the sense of the term asset in the standard ISO/IEC 27001, 2013, Information technology – Security techniques – Information security management systems – Requirements¹¹, relevant in the context of electronic voting (organisation as a whole, in particular the organisational processes and the information processed in these processes, data carriers, facilities for processing information of the infrastructure and premises of the infrastructure) are recorded in an inventory. A list must be kept of human resources. The inventory and human resources list must be kept up to date. Each intangible and tangible resource is assigned a person who takes responsibility for it.
2. The acceptable use of intangible and tangible resources must be defined.
3. Classification guidelines for information must be issued and communicated.
4. Procedures must be devised for the labelling and handling of information.

20. Trustworthiness of human resources

1. Suitable policies and procedures must be devised and promulgated in order to guarantee the trustworthiness of human resources before, during and after termination of employment or in the case of a change of activity.
2. Heads of human resources must accept full responsibility for guaranteeing the trustworthiness of human resources.
3. All human resources must be acutely aware of the significance of information security. To this end, an education and training programme that is tailored to the tasks concerned must be devised and operated.

21. Physical and environment security

1. The security perimeters of the various premises of the infrastructure are clearly defined.
2. For physical entry to these various infrastructure premises, entry controls must be defined, implemented and appropriately checked.
3. To guarantee the security of devices within and outside the infrastructure premises, appropriate policies and procedures must be defined and compliance therewith monitored and reviewed.
4. All data must be processed and in particular stored exclusively in Switzerland.

22. Management of communication and operations

1. Obligations and areas of responsibility must be apportioned so that the risks originating from human resources relating to operations and communications are reduced to residual risks that are compatible with the risk acceptance criteria.
2. Appropriate measures must be taken to protect against malware.
3. A detailed plan for data backup must be prepared and implemented. The data backup must be regularly reviewed to check that it is functioning correctly.
4. Appropriate measures must be defined and implemented to protect the network from the threats listed in the risk assessment in accordance with Article 4 and in connection with Number 13 and for the security of network services.
5. The procedures for using removable data carriers and for disposing of data carriers must be regulated in detail.

23. Allocation, administration and withdrawal of access and admission authorisations

1. It must be ensured that, during the ballot, any subsequent change in physical and logical access rights takes place only with the consent of the body responsible at cantonal level.
2. Access to infrastructure and software must be regulated and documented in detail on the basis of a risk assessment. In high-risk areas and for all manual operations in connection with the electronic ballot box (e.g. opening the voting channel, closing the voting channel, starting tallying), operations must be conducted by at least two persons.
3. Manual operations in connection with the electronic ballot box (e.g. opening the voting channel, closing the voting channel, starting tallying) must be expressly authenticated.
4. It must be guaranteed that information on the voting portal and related information pages cannot be changed without authorisation.
5. During the ballot, access of any nature to the infrastructure that is of no relevance to the ballot must be prevented.
6. It must be ensured that none of the elements of the client-sided authentication credentials can be systematically intercepted, changed or redirected during transmission. For authentication, measures and technologies must be used that sufficiently minimise the risk of systematic abuse by third parties.

24. Development and maintenance of information systems

1. Development
2. A life cycle model is defined. The life cycle model:–is used for the development and maintenance of the software;–provides for the necessary controls during the development and maintenance of the software;–is documented.
3. A list must be made of the development tools used and configuration options chosen for the use of each development tool.
4. The documentation for the development tools includes:–a definition of the development tool;–a description of all conventions and directives used in the implementation of the development tool;–a clear description of the significance of all configuration options for using the development tool.
5. The implementation standards to be applied must be specified.
6. The software must be specified and implemented in such a way that the security functions cannot be bypassed.
7. The security functions must be specified and implemented in such a way that they are protected against manipulation.
8. The security architecture of the software must be documented. The documentation:–has a level of detail that corresponds to the description of the security functions;–describes the security domains to which the security functions apply;–describes how the initialisation processes are secured;–demonstrates compliance with Numbers 24.1.5 and 24.1.6.
9. The functional specifications are documented. The documentation:–maps the entire software;–describes the purpose and application of all interfaces;–identifies and describes all parameters associated with the interfaces;–describes all actions associated with interfaces;–describes all direct error messages that can result from calling the individual interfaces.
10. Traceability between functional specifications and security requirements is guaranteed to interface level.
11. All security functions are implemented in the source code.
12. Traceability between the entire source code and the specifications of the security functions is ensured and their correspondence is evident.
13. The security functions are designed and implemented in such a way that they are well structured. The internal structure is described and includes a rationale that:–specifies the criteria used to assess «well-structured» and «complex»;–shows that all security functions are well structured and not too complex.
14. The specifications include the following aspects:–a description of the structure of the software in terms of subsystems;–a description of the security functions as modules and, for each module, the objective and a description of how the module relates to the other modules; the description of the security enforcing modules must also include the available interfaces, the return values of those interfaces and the interfaces of the other modules that they use to interact with them;–a description of all subsystems related to the security functions, including the possible interactions between them;–a clear presentation of the subsystems associated with security functions to demonstrate that all interfaces conform to the behaviour described in the specification; the presentation must have a level of detail at least as far as the modules.
15. The software is provided with a unique identification.
16. The configuration management documentation includes:–a description of how configuration items are identified;–a configuration management plan describing how the configuration management system will be used in the development of the software and the procedures that will be followed for the adoption of changes or new elements;–evidence that the procedures for adoption provide for adequate review of changes for all configuration items.
17. The configuration management system:–uniquely identifies all configuration items;–provides automated measures to ensure that only authorised changes are made to configuration items;–supports the development of the software through automated procedures;–ensures that the person responsible for accepting the configuration item is not the same person who developed it;–identifies the configuration items that make up the security functions;–supports verification of all changes to the software using automated procedures, including logging of the author and the date and time of the change;–provides an automated method for identifying any configuration items that are affected by a change to a particular configuration item;–can identify the version of the source code on the basis of which the software is generated.
18. All configuration items are inventoried in the configuration management system.
19. The configuration management system is used in accordance with the configuration management plan.
20. A configuration list is created that contains the following items:–the software;–evidence of the checks required to ensure security compliance;–the parts that make up the software;–the source code;–the commit history¹²;–reports on security flaws and on the status of their correction.
21. For each element relevant to security functions, the developer is named. Each element is uniquely identified.
22. Software development security documentation includes:–a description of the physical, procedural, personnel, and other security measures necessary to protect and ensure the integrity of the design and implementation of the software in its development environment;–evidence that the security measures provide the necessary level of protection to preserve the integrity of the software.
23. Operation
24. An operating manual is created that includes the following for each user role:–a description of the functions that the user can access and the permissions that must be controlled in a secure environment, including appropriate warnings;–a description of how the available interfaces can be used in a secure manner;–a description of the available functions and interfaces, in particular all security parameters under the control of the user, highlighting the values relevant to security;–a precise description of all types of security events related to the user-accessible functions to be performed, including adjustments to the security properties of elements under the control of the security functions;–a description of the security measures to be implemented in order to achieve the operational security objectives.
25. The operating manual must identify all possible modes of operation of the software, including the resumption of operation after the detection of errors and the description of the consequences and effects of errors on the maintenance of secure operation.
26. The operating manual must be precise and fit for purpose.
27. Reliable and verifiable compilation and deployment
28. The preparation process describes all the steps necessary for:–the secure acceptance of the system components in accordance with the delivery procedure;–the secure preparation of the operating environment in accordance with the operational security objectives;–the secure installation of the software in the operating environment.
29. The delivery of the software or parts of the system must be documented and include all processes required to maintain security in the delivery of the software.
30. A reliable and verifiable compilation with appropriate security measures must be carried out to ensure that the executable code is a verifiable and faithful representation of the source code which has been subjected to public scrutiny and independent examinations. The compilation allows a chain of proofs to be created for the verification of the software and includes in particular:–evidence that the compilation environment is designed as described on the public platform (all tools with the respective version, operating system and any configurations); any derogations must be documented and justified;–evidence that the software has been compiled in accordance with the instructions available on the public platform; if an error in the instructions is found during compilation, this must be recorded and the documentation must subsequently be corrected;–evidence that the source code submitted for public scrutiny and examined is in fact the source code used for compilation;–evidence that no elements other than those provided for in the instructions have been introduced;–evidence that the cryptographic signature of all dependencies has been verified against a proven, public, and trusted reference;–evidence that a dependency vulnerability analysis has been performed and that, if vulnerabilities relevant to the software exist, they do not render the software vulnerable to attack;–evidence that the parameters introduced, if any, do not render the system vulnerable.
31. A reliable and verifiable deployment with appropriate security measures must be carried out to ensure that:1.the code used in production is a verifiable and faithful representation of the source code which has been subjected to public scrutiny and independent examinations; and2.the production environment conforms to that which has been subjected to public scrutiny and independent examinations.
32. The deployment allows a chain of proofs to be created for the verification of the software and includes in particular:–evidence that the production environment is the same as that which has been subjected to public scrutiny and independent examinations; any discrepancies (firmware version, configuration files, etc.) must be documented and justified;–evidence that the software deployed in the production environment is in fact that which was created using a reliable and verifiable compilation process;–evidence that the parameters introduced, if any, do not render the system vulnerable.
33. The quality of the evidence of reliable and verifiable compilation and reliable and verifiable deployment must be confirmed by the presence of at least two witnesses from different institutions or by technical procedures to establish the truth of the evidence in the light of current academic knowledge and experience.
34. The chain of evidence of reliable and verifiable compilation and deployment is made publicly available.
35. Systematic correction of flaws
36. Processes are defined for the correction of flaws. The processes include:–documentation of specific aspects, in particular with regard to the traceability of flaws for all versions of the software, and of the methods used to ensure that system users have information on flaws, corrections and possible corrective actions;–the obligation to describe the nature and impact of all security flaws, information on the status of work to find a solution and the corrective measures adopted;–a description of how system users can make reports and enquiries about suspected flaws in the software known to the software developers;–a procedure requiring a timely response and automatic dispatch of security flaw reports and appropriate corrective actions to registered system users who may be affected by the flaw.
37. A process is defined for handling reported flaws:–This process ensures that all reported and confirmed flaws are corrected and that the procedures for correction are communicated to system users.–It provides for arrangements to ensure that the correction of security flaws does not give rise to new security flaws.
38. Policies must be defined for the reporting and correction of flaws. These include:–instructions on how system users can report suspected security flaws to the developer;–instructions on how system users can register with the developer to receive reports of security flaws and the corrections;–details of specific contact points for all reports and inquiries on security issues concerning the software.
39. Quality Assurance

Regular and objective checks are carried out to ensure that the processes carried out and the associated work products comply with the description of the processes, standards and procedures to be implemented. Deviations are followed up until they are corrected.

25. Quality of the source code and documentation

The source code and documentation must as a minimum meet the following quality criteria:

1. Traceability
2. Traceability is understood as those attributes of the software that provide a thread from the requirements to the implementation.
3. All cryptographic protocol requirements across all work products associated with the software development process must be traceable.
4. A description must be provided of the link between the legal requirements and the cryptographic protocol, the specifications and the documentation of the architecture.
5. Completeness
6. Completeness is understood as those attributes of the software that provide full implementation of the required functions.
7. The software must not contain ambiguous references (input, function, output). If the same element is referenced, the same term is always used.
8. All data referenced and all functions used are defined in the specifications.
9. All functions defined in the specifications are used.
10. For each decision point (e.g. conditional execution), the possible alternatives are defined in the specifications.
11. All parameters are defined and validated in the specifications (no implicit parameter passing).
12. All serious reported flaws must be fixed before proceeding to the next step in the development cycle.
13. The cryptographic protocol, specification, design and source code are aligned.
14. Consistency
15. Consistency is understood as those attributes of the software that provide uniform techniques and notations in design and implementation.
16. The descriptions in the documentation correspond to a convention created by the software developer.
17. The functions and the variables correspond to a naming convention created by the software developer.
18. Input and output of functions are handled according to a convention created by the software developer.
19. Errors are handled according to a convention created by the software developer.
20. The variable types used are consistent.
21. Commonality of communication
22. Commonality of communication is understood as those attributes of the software that facilitate the use of standardised protocols and interface routines.
23. The rules for communication with other systems are defined.
24. Communication is based on standardised communication methods.
25. Commonality of data
26. Commonality of data is understood as those attributes of the software that facilitate the use of standardised presentation of the data representation.
27. The standard method of representing data for communication with other systems must be formally defined.
28. Standards must be defined for converting from one representation to another.
29. The conversion functions should be centralised in one module.
30. Learnability
31. Learnability is understood as those attributes of the software that enable users to learn how to use the software.
32. Persons who operate and use the system must be trained and provided with the necessary documentation.
33. Training includes the opportunity to train on a system designed for training purposes.
34. Help on using the system must be readily available.
35. Usability
36. Usability is understood as those attributes of the software that enable users to interact with the system.
37. The software must be user-friendly. The user guidance is based on generally familiar schemes.
38. The client-side system as it appears to the person voting complies with Accessibility Standard eCH-0059¹³, with the exception of the requirements for alternative communication forms in Chapter 2.4 of the standard. The cantons shall ensure that compliance is confirmed by a specialist entity.
39. Error tolerance
40. Error tolerance is understood as the attributes of the software that provide continuity of operation under exceptional conditions.
41. Errors are detected and dealt with to enable the program to continue to run without interruption.
42. Error handling, including logging, is performed at the level most relevant to continued operation. An error that cannot be processed at one level is transferred to the next higher level.
43. Validity conditions are defined for the input parameters.
44. All input parameters are checked before execution starts.
45. Modularity
46. Modularity is understood as those attributes of the software that provide a structure of highly independent modules.
47. The task of each module is clearly defined.
48. The task of each module should be limited and focused. The tasks of two modules should not overlap.
49. The modules do not share data via a common volatile memory (e.g. global variable).
50. Simplicity
51. Simplicity is understood as those attributes of the software that implement functions in the most understandable way, which generally means avoiding practices that increase complexity.
52. A top-down approach (hierarchical structure) is chosen in the design.
53. The design does allow the duplication of functions between modules.
54. The design does not provide for global data, that is, data that can be used by everyone without being cleared as a parameter.
55. Complicated Boolean combinations in the source code must be avoided as far as possible.
56. No variables may be reused in the source code for purposes other than those originally intended.
57. In the source code, the number of nestings is limited as much as possible.
58. In the source code, cyclomatic and cognitive complexity is limited as much as possible.
59. Conciseness
60. Conciseness is understood as those attributes of the software that provide for implementation of a function with a minimum of instructions in the source code.
61. The software does not contain any superfluous passages in the source code (so-called «dead code»).
62. The source code does not contain any superfluous variables.
63. The source code should not contain any repetitions.
64. Self-descriptiveness
65. Self-descriptiveness is understood as those attributes of the software that create a situation in which addressees can identify the objectives, assumptions, constraints, inputs and outputs, components and status of the software.
66. Classes, functions and complex processing steps are commented on in the source code according to a convention defined by the software developer.
67. Variables and functions are given meaningful names.
68. A statement should only comprise one single line, unless readability is improved by the use of two or more lines. Multiple statements per line should be avoided.
69. Instrumentation
70. Instrumentation is understood as the attributes of the software that allow its use to be measured or errors to be identified.
71. The unit tests¹⁴ cover all possible paths and limits of the permitted and unpermitted values of the input parameters.
72. The integration tests cover all modules.
73. The software tests cover all modules.
74. Errors and necessary information are recorded in logs.

26. Examination criteria for the systems and their operation

1. Examination of the cryptographic protocol (Art. 10 para. 1 let. a)
2. Subject: the following are examined:–whether the requirements set out in Article 5 in conjunction with Articles 6–8 and Number 2 of the Annex are met; this assessment is made in particular on the basis of the cryptographic and symbolic proofs of conformity;–whether and to what extent the cryptographic protocol is based on existing and proven protocols and building blocks;–which improvements could contribute to a strengthening of security.
3. Responsibilities: the examination is carried out by experts in cryptography. The Federal Chancellery commissions the examination and monitors its conduct in accordance with the mandate.
4. Time of examination:–A complete examination must be carried out before the system is used for the first time.–The examination is repeated after two to three years.–The cryptographic protocol must be examined again whenever it is modified and in the event of relevant new research findings concerning the security of cryptographic elements used and the threat situation.
5. Examination of the system software (Art. 10 para. 1 let. b)
6. Subject: the following are examined:–whether the cryptographic protocol tested in accordance with Number 26.1 has been implemented; the correct implementation of functions of trusted components must be checked in particular detail;–whether the system software meets the requirements of this Ordinance and adequately supports the specified objectives;–whether the client-side system as it appears to the person voting conforms to the eCH-0059 standard in accordance with Number 25.7.3; the examination may be based on a valid certificate or a valid examination report issued by an institution recognised by the Federal Chancellery confirming conformity with the standard.
7. Responsibilities: the examination is carried out by experts in cryptography and in software development. The examination is commissioned by the Federal Chancellery.
8. Time of examination:–A complete examination must be carried out before the system is used for the first time.–The examination is repeated after two to three years.–The examination is repeated for each significant modification, in particular:–following each modification to the cryptographic protocol;–in the event of any modification to the source code of functions whose trustworthiness is essential to the soundness of the proofs provided for in relation to verifiability;–in the event of relevant new research findings concerning the security of cryptographic elements used and the threat situation;–if it is decided to dispense with mechanisms that aid the secure use of trustworthy components in accordance with Number 2 or if such mechanisms are fundamentally modified.
9. Examination of the security of infrastructure and operation (Art. 10 para. 1 let. c)
10. Subject: the following are examined:–whether the system and its operation at the canton, the system operator and the printing office meet the requirements of this Ordinance and adequately support the specified objectives;–whether the basic components, such as the software that aids the secure and independent use of control components, the operating systems used or the server used meet the best standards.
11. Responsibilities: the examination is carried out by experts on cryptography and in operating highly secure systems. The examination is commissioned by the Federal Chancellery.
12. Time of examination:–A complete examination is carried out before the system is used for the first time.–The examination is repeated after two to three years.–The examination is repeated for each fundamental modification, in particular:–following a modification to the cryptographic protocol;–if it is decided to dispense with mechanisms that aid the secure use of trustworthy components in accordance with Number 2 or if such mechanisms are fundamentally modified;–in the event of a fundamental modification to processes or infrastructure.–If new versions of basic components (new servers, patches for operating systems or software that aid the secure and independent use of trustworthy components accordance with Number 2) are used, no new checks are required provided the basic components are still proven to comply with the best standards.
13. Examination of protection against attempts to infiltrate the infrastructure (Art. 10 para. 1 let. d)
14. Subject: it is examined whether experts commissioned by the Federal Chancellery succeed in infiltrating the infrastructure of the online system and gaining access to important data or taking control of important functions during a test.
15. The tests must be carried out on the basis of potential vulnerabilities identified following a methodological analysis of publicly available documentation, in particular that specified in Article 11.
16. Responsibilities: the examination is carried out by security experts. The examination is commissioned by the Federal Chancellery.
17. Time of examination:–A complete examination is carried out before the system is used for the first time.–The examination is repeated after two to three years.–The examination is repeated for each fundamental modification to the infrastructure.–The examination must take place in the event of relevant new findings concerning the security of the equipment used and the threat situation.
18. Audit of the information security management system (Article 10 para. 2)
19. Objective: to assess whether the system operator’s ISMS is compliant with ISO/IEC 27001, 2013, Information technology – Security techniques – Information security management systems – Requirements. The scope of the ISMS includes all the system operator’s organisational units that are legally, administratively and operationally responsible for the system.
20. Responsibilities: the certification body is accredited by the Swiss Accreditation Service to perform audits according to the standard ISO/IEC 27001, 2013, Information technology – Security techniques – Information security management systems – Requirements. The audit is commissioned by the canton or the system operator; the canton ensures that the audit is carried out.
21. Term of validity of a document: Re-audits must be carried out at the intervals specified by ISO/IEC 27001, 2013, Information technology – Security techniques – Information security management systems – Requirements. A valid certificate and the corresponding «Statement of Applicability» is available each time the system is used. If a new version of Standard ISO/IEC 27001:2013, Information technology – Security techniques – Information security management systems – Requirements, is published, valid certification of the ISMS under the new version must be proven at the latest on expiry of the transition period. The scope of the ISMS may not be reduced thereby.