How to Assess an E-voting System
Freedom to Tinker 2022-06-27
Part 1 of a 5-part series
If I can shop and bank online, why can’t I vote online? David Jefferson explained in 2011 why internet voting is so difficult to make secure, I summarized again in 2021 why internet voting is still inherently insecure, and many other experts have explained it too. Still, several countries and several U.S. states have offered e-voting to some of their citizens. In many cases they plunge forward without much consideration of whether their e-voting system is really secure, or whether it could be hacked to subvert democracy. It’s not enough just to take the software vendor’s word for it.
Switzerland is a country that wanted to do it right, fumbled, and in the process learned that an important part of getting it right is a careful (and expensive) study, that’s independent of the vendor selling the system, and independent of the governmental body that’s purchasing the system. The study wasn’t particularly expensive—about half a million Swiss francs, which is about half a million US dollars—but that’s half a million that most U.S. states or other countries have not spent before rushing to deploy a system. After the study, the Swiss government’s conclusion was, “The e-voting system currently being developed by Swiss Post has been significantly improved. However, further developments, some of them substantial, are still required.”
In 2000 the Swiss Parliament directed the Federal Chancellery to study the feasibility of e-voting, and based on those studies, several cantons (the “counties” or “states” of Switzerland) experimented with pilots starting about 2010. In 2019 the Swiss Post (the national post office) deployed a system based on cryptographic “mixnets” that were supposed to assure that only authorized votes were cast while also preserving the secret ballot. Mixnets are a decades-old scientific idea for e-voting, to enable voters to check that their vote has been counted, while preserving the secret ballot (so voters can’t prove to anyone else how they voted).
Pretty soon, four scientists (from Norway, Canada, Belgium, and Australia) published a paper showing that the cryptographic design of the Swiss Post mixnet was flawed, allowing opportunities for undetectable fraud. In July 2019, Swiss Post ceased offering its system to the cantons. The Federal Chancellery was commissioned to work with the cantons to redesign the trial phase of e-voting. The Chancellery than commissioned independent scientists to do several separate studies:
• A cryptographic protocol study of the theoretical design, by experts in cryptography;
• A systems security study of the software itself, by an expert in operating systems security;
• Infrastructure and operation of the Swiss Post in running the system; and
• Network security of the e-voting infrastructure.
I’ve read some of those reports, and they’re very good. The scientists in question are world-renowned in their specific fields of expertise. They were able to ask for clarifications and explanations from the software architects at Swiss Post. The Chancellery estimates that these “independent experts … commissioned to conduct the examinations” will cost up to a million Swiss francs, by the time these and the next round of studies are complete (see B.1 on pages 41-42 of this report). That may seem like a lot, but in reading these reports it’s clear that a lot of time and effort went into them—cryptographic protocols and software systems are complicated, and analyzing them takes a lot of time.
If you want to read the System Architecture documentation and the source code for yourself, Swiss Post has made it all available in a public repository. That kind of transparency is admirable.
For the Australian State of New South Wales, for France, for those U.S. states that permit internet ballot return for voters living abroad, my question is this: Why did you adopt an e-voting system just on the say-so of the system vendor? Where is your independent scientific study by world-class experts? Where is your million-dollar budget item to assess the system before imposing its insecurities on the public, on the candidates, upon democracy itself? Because most likely the system you adopted is even less secure than the Swiss Post system, the one that Switzerland decided to pause and revamp.
Coming next in Part 2: How Not to Assess an E-voting System, by Vanessa Teague