On June 25, 2021, the POLYAS CORE 2.5.0 was once again certified according to the international Common Criteria standards. We took this opportunity to fact-check the frequently asked questions concerning the BSI certificate (BSI = German Federal Office for Information Security).
What does the BSI certificate mean? What exactly is being certified?
The basis for a BSI certificate is the international Common Criteria Protection Profile BSI-CC-PP-0037-2008, which formulates the conditions for online voting systems. These conditions from the Basic Set of Security Requirements for Online Voting Products are derived from general voting principles (free, equal, secret, universal, and direct).
The voting software POLYAS CORE 2.5.0 meets the requirements of the international Protection Profile according to Common Criteria.
Certified elections with the POLYAS CORE 2.5.0 require particular organizational and administrative processes, which are listed in the certification report. According to this, various framework conditions have to be observed with regard to the hosting, the postal dispatch of the voter credentials, and other organizational measures.
Conditions that the POLYAS voting system 2.5.0 meets:
- It must not be possible for the identity of voters to be inferred from the votes cast.
- It must not be possible for voters to demonstrate their voting decisions to third parties.
- Eligible voters must be uniquely and reliably identified and authenticated in order to cast their votes, so that only people on the electoral roll can actually vote.
- Voters may only cast one vote at a time.
- Votes may not be modified, deleted or amended during transmission on the network.
- Votes in the ballot box may not be subsequently modified, deleted or amended.
- There should be no calculation of intermediate results.
Who does the BSI certificate apply to?
The certificate is valid worldwide, as different countries have agreed on mutual recognition of IT security certificates.
The preliminary remarks of the BSI certificate specify the suitability for “elections with low potential for attack”, such as for board elections at associations or university elections. Consequently, elections with a high media coverage or in areas of significant social influence—not least in the political arena—require further security measures.
What was verified as part of the certification?
The German Research Center for Artificial Intelligence (DFKI) has confirmed the assurance level of the POLYAS Online Voting software as Evaluation Assurance Level 2 (EAL2) augmented by ALC_CMC.3, ALC_CMS.3, ALC_DVS.1 and ALC_LCD.1.
What this means is: the audit partner assessed the system architecture and, in doing so, analyzed the structural integrity of the voting system.
Why has the certificate number changed?
POLYAS CORE 2.2.3 was originally certified in 2016 with a validity period of 5 years. The re-certification applies to POLYAS CORE 2.5.0. It is based on the same Protection Profile, and there were no major changes to the POLYAS system.
However, we made a few necessary updates to ensure, for example, that the scripting languages were up to date. Accordingly, the re-certification reflects only the updated services in use, not changes to the POLYAS Online Voting System itself.
Why is the POLYAS Live Voting not certified?
The basis for certification is always a suitable Protection Profile and a product’s security specifications. For the Live Voting, there currently is no corresponding Protection Profile. For this reason, POLYAS observes the “Requirements for products for virtual meetings and voting” as defined by the BSI.
Compliance with the principle of the public nature of elections
Following the use of voting computers in the 2005 Bundestag election, the German Constitutional Court judgment 2 BvC 3/07 was the basis for creating the sixth electoral principle: the principle of the public nature of elections. According to this, every step in the election process and in determining the election result should be publicly verifiable without prior technical knowledge.
If one wishes at the same time to ensure voting secrecy for the electorate, the need for verifiability presents challenges that can only be solved mathematically and cryptographically. To this end, POLYAS uses CORE 3.0, which offers various methods of verification. In cooperation with the scientific community, POLYAS constantly works to improve these methods.
The CORE 3.0 system architecture differs from the certified system and is therefore not encompassed by the certification. For this reason, we currently rely on transparent procedures and test mechanisms that provide evidence of compliance with the electoral principles and the integrity of the system.
Do you wish to set up a POLYAS online election yourself?