Published by the Center for the Study of Language and Information. Distributed by the University of Chicago Press.
Because a large number of its citizens live outside the country, in 2001 Geneva initiated its eVoting project as a third option in addition to polling station and postal voting. The goal was to develop an Internet voting system that would be as secure as postal voting, which is to say only somewhat secure.
Geneva mandated that the software, which it owns, not contain any secret code. Vendors were informed that “it must be possible for specialists external to the State of Geneva ... to examine thoroughly all the software dealing with the ballots.” [1] In 2003 it was estimated that the development costs would ultimately be about two million Swiss francs ($1.35 million at the time).
Before each election the voter is sent a voting card via postal mail. The card contains an identification number, not hidden, and a PIN, concealed under metallic paint that must be scratched off in order to vote on the Internet. A voter choosing to vote over the Internet first logs on to the voting website and enters the identification number from the card. The website uses that information to verify that the voter has not yet voted. The voter then enters her choices on an electronic ballot, and the system returns the voter's selections for the voter to modify or verify. The voter authenticates the choice by providing some personal information and the PIN from the voting card. Because the voter has a unique ID, there is a risk that the voter's choice might become known. The prohibition against secret software provides some defense against this risk.
To protect the voter from mistakenly accessing counterfeit websites, the system returns a “verification code” that should match the code that has been included on the voting card. Voters who do not receive the correct verification code are instructed to notify an election official. Presumably, notification would trigger a new election, though it is not clear what would happen if only a very small number of people claimed not to have received a correct verification code. There is also the risk that some voters may not bother checking the verification code or might be fooled by a spurious error message.
Paper is intrinsic to the system; only the link from the voter to the election website is electronic. Paper is used to distribute the voter's ID number, PIN, and verification code.
The Geneva system does not provide a good defense against an attack by malware that has been installed surreptitiously on the user's machine. The malware could intercept all communications between the voter and the voting website and modify the voter's selection. The voter, who still would receive the correct verification code, would not know that her vote was changed.
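The limitation described above can be shown in a toy model, added here as an illustration and not taken from the Geneva system's code: because the verification code is printed on the card before the voter chooses, it cannot vouch for what the server recorded. The class and function names, the code formats, and the point at which the server returns the code are assumptions.

```python
# Toy model of the card-based flow described above. Constructed for
# illustration; class and function names are assumptions, not Geneva's code.
import secrets
from dataclasses import dataclass

@dataclass
class VotingCard:              # printed on paper and mailed before the election
    voter_id: str              # identification number, printed in the clear
    pin: str                   # hidden under scratch-off paint
    verification_code: str     # lets the voter recognise the genuine website

class ElectionServer:
    def __init__(self):
        self.cards, self.ballots = {}, {}

    def issue_card(self, voter_id):
        card = VotingCard(voter_id, secrets.token_hex(3), secrets.token_hex(2))
        self.cards[voter_id] = card
        return card

    def cast(self, voter_id, pin, choice):
        card = self.cards[voter_id]
        if voter_id in self.ballots:
            raise PermissionError("already voted")
        if not secrets.compare_digest(pin, card.pin):
            raise PermissionError("bad PIN")
        self.ballots[voter_id] = choice
        # The code was fixed when the card was printed, so it cannot depend
        # on the ballot: it authenticates the site, not the recorded choice.
        return card.verification_code

def voter_session(server, card, intended, machine=lambda choice: choice):
    """Return True if the voter sees the code printed on the card.
    `machine` models the voter's computer, which relays the choice."""
    shown = server.cast(card.voter_id, card.pin, machine(intended))
    return shown == card.verification_code

def run_demo():
    server = ElectionServer()
    a, b = server.issue_card("ID-0001"), server.issue_card("ID-0002")
    clean = voter_session(server, a, "YES")
    # Compromised machine: the relayed choice differs from the intended one.
    altered = voter_session(server, b, "YES", machine=lambda choice: "NO")
    return clean, altered, dict(server.ballots)

if __name__ == "__main__":
    print(run_demo())
```

Both sessions look identical to the voter, yet the second ballot is recorded with a choice the voter never made.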
While the Geneva system attempts to protect against a denial of service attack, there is the recognition that this might not be possible. In the event that a denial of service attack were to make Internet voting difficult or impossible, Internet voting would be halted, and voters would be instructed to vote at polling stations. Citizens residing in Geneva would have little trouble voting, but those living outside the country who had not yet voted could be disenfranchised.
In February 2009, Geneva voters ratified a constitutional amendment guaranteeing Internet voting in Geneva. [3]
[1] Republique et Canton de Geneve. The Geneva Internet Voting System, 2007. http://www.geneve.ch/evoting/english/presentation_projet.asp.
[2] Robert Hensler. The Geneva Internet Voting System. Republique et Canton de Geneve, January 2003. www.mailclad.com/articles/pre_projet_eVoting_eng.pdf.
[3] Republique et Canton de Geneve. E-Voting – Internet voting in Geneva, Frequently asked Questions (FAQ), 2009. http://www.geneve.ch/evoting/english/faq-internet-voting.asp.