Security Vulnerability of Switzerland’s E-Voting System

Online voting is insecure, period. This doesn’t stop organizations and governments from using it. (And for low-stakes elections, it’s probably fine.) Switzerland—not low stakes—uses online voting for national elections. Andrew Appel explains why it’s a bad idea:

Last year, I published a 5-part series about Switzerland’s e-voting system. Like any internet voting system, it has inherent security vulnerabilities: if there are malicious insiders, they can corrupt the vote count; and if thousands of voters’ computers are hacked by malware, the malware can change votes as they are transmitted. Switzerland “solves” the problem of malicious insiders in their printing office by officially declaring that they won’t consider that threat model in their cybersecurity assessment.

But it also has an interesting new vulnerability:

The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prüfcode), printed on the sheet of paper you receive by physical mail. Your computer doesn’t know these codes, so even if it’s infected by malware, it can’t successfully cheat you as long as you follow the protocol.

Unfortunately, the protocol isn’t explained to you on the piece of paper you get by mail. It’s only explained to you online, when you visit the e-voting website. And of course, that’s part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable. To demonstrate this, I built a proof-of-concept demonstration.

Appel again:

Kuster’s fake protocol is not exactly what I imagined; it’s better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what’s on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn’t know what’s on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video.

Again, the solution is paper. (Here I am saying that in 2004.) And, no, blockchain does not help—it makes security worse.
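To make the point about the direction of the check concrete, here is a toy simulation of the three client behaviours described above: an honest client, malware that flips the vote but leaves the comparison step alone, and malware that replaces the comparison with a form the voter types into. This is an added example, not Swiss Post’s code and not Kuster’s proof of concept; the HMAC-based code derivation, the eight-hex-digit codes, the separate confirmation key and the candidate names are all assumptions made for illustration.

```python
"""Toy model of return-code (Pruefcode) verification and of the UI
substitution attack. Added example: not Swiss Post's system and not Kuster's
proof of concept. The HMAC-based code derivation, the 8-hex-digit codes,
the confirmation key and the candidate names are all assumptions."""
import hashlib
import hmac
import secrets

CANDIDATES = ("alice", "bob")


def derive_return_code(server_key: bytes, voter_id: str, choice: str) -> str:
    """Per-voter, per-candidate return code (assumed derivation: truncated
    keyed MAC). Without server_key nobody can compute it, which is the
    whole reason the voter's computer cannot fake it."""
    mac = hmac.new(server_key, f"{voter_id}:{choice}".encode(), hashlib.sha256)
    return mac.hexdigest()[:8]


class VotingServer:
    """Prints cards offline, accepts votes, answers with the return code for
    whatever choice it actually received, and counts only confirmed votes."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.confirm_keys: dict[str, str] = {}
        self.pending: dict[str, str] = {}
        self.tally = {c: 0 for c in CANDIDATES}

    def print_card(self, voter_id: str) -> dict:
        # Mailed on paper; the voter's computer never sees its contents.
        self.confirm_keys[voter_id] = secrets.token_hex(4)
        return {
            "codes": {c: derive_return_code(self.key, voter_id, c) for c in CANDIDATES},
            "confirm_key": self.confirm_keys[voter_id],
        }

    def submit(self, voter_id: str, choice: str) -> str:
        self.pending[voter_id] = choice
        return derive_return_code(self.key, voter_id, choice)

    def confirm(self, voter_id: str, confirm_key: str) -> bool:
        if voter_id not in self.pending:
            return False
        if not hmac.compare_digest(self.confirm_keys[voter_id], confirm_key):
            return False
        self.tally[self.pending.pop(voter_id)] += 1
        return True


def flip(choice: str) -> str:
    return CANDIDATES[1] if choice == CANDIDATES[0] else CANDIDATES[0]


def cast_vote(server: VotingServer, voter_id: str, intended: str, client: str) -> bool:
    """Run one voter through the flow with one of three clients and report
    whether the voter confirmed. The voter follows whatever the screen says,
    because the paper card carries no instructions.

    "honest":  submits the intended vote, shows the server's code, asks the
               voter to compare it with the card.
    "malware": flips the vote but leaves the comparison step intact.
    "fake_ui": flips the vote, hides the server's code, and asks the voter
               to type the card's code into a form instead."""
    card = server.print_card(voter_id)
    submitted = intended if client == "honest" else flip(intended)
    server_code = server.submit(voter_id, submitted)

    if client in ("honest", "malware"):
        # Real check: the displayed value must equal the card's code for the
        # candidate the voter meant. Only the server can produce that value.
        if server_code != card["codes"][intended]:
            return False  # mismatch: voter stops, nothing is counted
    else:
        # Fake check: the page asks the voter to type the card's code and
        # answers "correct" whatever is typed; the server's real code, which
        # belongs to the flipped vote, is never shown or compared.
        pass
    # In both UIs the last step asks for the confirmation key from the card.
    return server.confirm(voter_id, card["confirm_key"])


def simulate() -> dict[str, tuple[bool, dict[str, int]]]:
    """One voter intending 'alice' under each client; returns (confirmed, tally)."""
    results = {}
    for client in ("honest", "malware", "fake_ui"):
        server = VotingServer()
        confirmed = cast_vote(server, "voter-1", "alice", client)
        results[client] = (confirmed, dict(server.tally))
    return results


if __name__ == "__main__":
    for client, (confirmed, tally) in simulate().items():
        print(f"{client:8s} confirmed={confirmed} tally={tally}")
```

The defence holds only in the honest-UI cases because the voter compares a value that the server alone can produce against paper the computer never saw. A page that reverses the flow and asks the voter to supply that value turns the check into one the attacker grades, and the subsequent confirmation step then commits the flipped vote. The general lesson is that an out-of-band check is only as strong as the channel its instructions arrive on; when those instructions come over the same channel the attacker controls, the check can be redefined away.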

Posted on October 17, 2023 at 7:11 AM

26 Comments

Comments

Fabrice October 17, 2023 7:35 AM

Luckily this is still under evaluation in Switzerland, and only a very small portion of the population can use it. Let’s hope the debate continues and that its generalization can be prevented.

Terrill October 17, 2023 7:45 AM

New South Wales, Australia used the iVote system for local elections in 2011, 2015, 2019 and 2021 elections. In 2021 tens-of-thousands of voters logged in to vote… and couldn’t. Three races were close enough that eventually the Supreme Court ordered a new election. Since voting is a “state thing” in the United States, can you imagine the chaos if this happened in one or more states during a national election? And considering state and federal laws have no provisions for do-over elections, state legislatures would have to pass new legislation AND perform the new election(s) before the deadlines for finalizing the vote(s) arrived (e.g. Electoral College). Who would trust the results?

Robert Olson October 17, 2023 8:58 AM

Bruce, why would Blockchains make it worse if there is an ID system that is verifiable on-chain and your vote is stored on-chain? Would this then make it possible for institutions to verify your vote? For you to verify and confirm that your vote was registered correctly? How else could we implement this in the digital realm? I understand we have a paper-based system that works but suffers from drawbacks like long lines and a lack of voting options for the working class.

denton scratch October 17, 2023 9:12 AM

@Terrill

state legislatures would have to pass new legislation AND perform the new election(s) before the deadlines for finalizing the vote(s) arrived (e.g. Electoral College).

Is that right? I think that (at least in some states) if an election has been fluffed, then the state house/senate/governor can direct the electoral college, or the college can direct themselves.

What doesn’t seem to be possible is to postpone declaring an outcome, at least for a presidential election; the declaration date is fixed by law.

It’s weird (to me) that state laws apply to federal elections. State legislatures come up with some pretty dodgy stuff, like trying to redefine pi (of course, the federal legislature does shifty stuff too).

sb3k October 17, 2023 9:32 AM

“If a system contains security vulnerabilities, then it is insecure.”

So, I guess we aren’t past the security vs. risk fallacy, yet.

Andrew L Duane October 17, 2023 9:36 AM

The real problem is that it’s not even necessary to hack the election or corrupt any votes at all. I remember a smart person (probably Bruce himself) once saying that the difference between e-voting and electronic funds management is that if someone claims they stole $2,000,000 from a bank, the bank can count its balances and see that $2,000,000 is missing. But if someone claims they stole 2,000,000 votes from an election, there’s no way to confirm or refute that claim if there’s no physical paper backup. Just the idea that someone corrupted the election would be enough to cause widespread havoc.

SomeAB October 17, 2023 9:55 AM

Hi Bruce, can you do a deep dive into the Indian election system, especially the EVMs and VVPATs?

Many experts in India are raising concerns about it, and it’s already in use. But the Election Commission just ends most arguments with “It’s impossible to break”, which is obviously a ruse and a lie to block transparency.

Your impartial views would be appreciated.

Ivan Gilbert October 17, 2023 11:38 AM

Robert Olson, that blockchain-based system sounds complicated. It does nothing against malware, and you’ve handwaved the identification and verification systems. An overly complex identification system risks disenfranchising voters and causing hundreds of thousands of support calls in the final hours of an election; and people do like to propose very strict requirements, despite identity fraud affecting maybe one in a million ballots. As for verification, remember that the system “For you to verify and confirm that your vote was registered correctly” must also be unable to prove whom you voted for.

Even in the hypothetical case that such a system is mathematically sound and we can deal with those objections, it overlooks a critical goal of government elections: public trust. The public are supposed to be able to understand the election process and results, and to participate in the process—not just see that a computer gave some result using mathematics beyond their ken. With paper, we can even re-verify later if objections are raised. One simply needs to be able to count and read at a very basic level—just enough to know which candidate is marked on each ballot, and which has the most results.

As for implementing this “in the digital realm”, why not hold off until we’re able to secure said realm? Paper voting scales well, which means lines are short in a well-managed system—in Canadian elections I’ve never had more than a few people in front of me, nor had to walk more than 10 minutes from home. As for “voting options for the working class”, I’m not sure what to make of that statement. Employers here are required to give three consecutive hours of time off while the polls are open (usually for 12 hours) on the final day, and of course there are several advance polling days for each person; if none of those days work, one can vote at one’s returning office (open daily with good hours, for quite a while before the final day, though not necessarily in a walkable location), or apply to vote by mail. Mail voting does raise some concerns about coercion and perceived pressure, but for now only about 3-4% of ballots use this method.

Clive Robinson October 17, 2023 12:16 PM

@ ALL,

For those talking about mail / post these services are becoming things of the past.

They are also open to abuse in all sorts of ways in voting systems.

So any voting proposal should minimise the involvement of postal systems as a primary part or back-up.

Michael Gaul October 17, 2023 12:23 PM

The other challenge of voting that is often forgotten, is that one must ensure that even the voter must not have any way to prove how he individually voted. (It is more difficult to coerce someone to vote a certain way if there is no way for even him to prove that he cooperated). That makes the problem very different from e-commerce. An otherwise-useful audit trail is not available.

Max Muster October 17, 2023 12:42 PM

Don’t they use Camenisch-Lysyanskaya signatures? I thought there are already some proven systems based on ZKP for e-voting.

Andrew P October 17, 2023 12:48 PM

@Robert Olson the reason that blockchains hurt is that in voting systems, you have multiple security goals beyond just correctly recording individuals’ votes.

In particular, you don’t want it to be publicly visible what a person’s vote was, or even to provide a transferrable proof of what a person’s vote was, because this can make people subject to coercion. Here a blockchain, by being a publicly verifiable ledger, would actually undermine security.

You can fix this by layering on enough zero-knowledge proofs etc., but the final result will resemble something from the (massive) literature on cryptographic voting, except with a blockchain uselessly tacked on.

A second problem, which applies to all cryptographic voting solutions, is that you need the general public to be able to understand and trust the system. This pretty-much excludes any scheme except for paper ballots which are counted. Perhaps with some simple multi-envelope protocols layered on to prevent the postal service from seeing or manipulating your vote.

Ivan Gilbert October 17, 2023 1:35 PM

Clive Robinson, re: “For those talking about mail / post these services are becoming things of the past.”

Nearly all evidence I’ve seen suggests the opposite. In Canada, more people use it with every election. In the USA, “no-excuse” postal voting has been greatly expanded in recent years. Wikipedia lists a whole bunch of countries (Austria, Finland, Germany, Hungary, Italy, Mexico) as having recently expanded it to all eligible voters, or all living abroad; and, notably for this story, claims 90% of Swiss ballots are postal.

Yeah, these systems do add some risks, but very few that aren’t inherent to any unsupervised voting. At physical polls, workers ensure that nobody takes a picture of their ballot or votes with another person watching (excepting an approved assistant). With postal voting, I think the best we could do is require an independent witness to attest it. That’s not required here in Canada, though we can apparently have a ballot and ballot-box brought to our home if necessary (election staff can also come right to a hospital bed, and have polls set up in nursing homes, prisons, and the like).

I think people should go to the polls if able, so I do, but I don’t see postal voting being nearly as bad as every other replacement being proposed. I might be a little worried if it got to like 10 or 20 percent of ballots, at which point a “suspect” subset of those could sway an election.

Anyway, when discussing any voting method, it’s important to tie the discussion to specific requirements. I and Michael noted a specific type of repudiability being a requirement (difficult with postal voting), and I also noted comprehensibility. Robert notes convenience and accessibility. After-the-fact verifiability has been called out too, but must not conflict with repudiability.

P Coffman October 17, 2023 1:37 PM

Sometimes, a court intervenes in the event of blatant gerrymandering. With e-voting, the court could also be nullified.

Clive Robinson October 17, 2023 7:17 PM

@ Ivan Gilbert, ALL,

You are thinking too narrowly; voting only happens every few years, thus any increase in postal voting is just a statistical blip on normal postal mail usage currently.

However it is normal postal mail usage that is declining quite significantly, and eventually it won’t be sustainable in the form it currently is.

When it gets towards that, is when the issue with postal voting security getting worse will most likely happen.

ResearcherZero October 17, 2023 9:05 PM

Normal human observers can monitor people counting paper votes. The system works even without electricity, and is very easily verifiable.

Each campaign has observers in the room while the ballots are being counted.

If you’re not an observer, you can turn on the Livestream and watch it on TV.

Ivan Gilbert October 17, 2023 10:13 PM

Clive, I’m not following your thought process. How does a decline in lettermail reduce the security of postal voting? Maybe we’ll have to switch to parcel mail or couriers, which are more expensive but remain popular. Maybe some of us will have to physically go to a post office instead of getting mail delivered to our door (but I’d expect that to improve security: the average home mailbox has no protection against theft). Maybe mail will only be delivered on Tuesdays and Fridays. That these things are not “the form it currently is” seem unimportant. I’m told that a hundred years ago, mail could move across London UK in a matter of hours, allowing multiple “round trips” of correspondence per day. Nobody expects that standard of service anymore (at lettermail prices); the decline’s been in progress longer than I’ve been alive.

MrC October 18, 2023 3:25 AM

@Robert Olson:

  1. A blockchain ID system is probably an insurmountable problem, and you just assume one as a fait accompli.
  2. Blockchain does zero to address endpoint malware.
  3. Blockchain only works when a majority of the computing power is held by mutually distrustful nodes with conflicting interests. If the gov’t elections office is the only entity running nodes, then you still have the insider threat. A one-party blockchain is pointless. If you leave it to major political parties to run nodes, then you have a grave risk of a 51% attack. In fact, for countries with two-party political systems like the U.S., you will always have the conditions for a 51% attack. If you count on patriotic citizens to run nodes, how are they realistically going to afford more computing power than the political parties and their aligned billionaire donors and special interest groups? The use of blockchain here would essentially formalize the principle that whoever has the most money can buy election outcomes. (And that goes double for “proof of stake” based blockchains.)
  4. As Andrew P and Ivan Gilbert point out, you need to be able to prove that someone voted without revealing how they voted. Blockchain isn’t suited for this. To the extent that it’s even possible, you wind up with a thicket of zero-knowledge proofs and a ton of complexity. Complexity is the enemy of security, and this much complexity would make it impossible, even after many audits, to be sure that something hadn’t been overlooked. From here follow Andrew P and Andrew L Duane’s points about public trust.

Clive Robinson October 18, 2023 6:01 AM

@ Ivan Gilbert, ALL,

“I’m not following your thought process. How does a decline in lettermail reduce the security of postal voting?”

Ignore for the moment it’s specifically voting, and just consider the security of the postal system in a more general “supply chain” way.

We’ve seen the theft of post of credit cards and passports in the past due to them being “easily recognised” from the outside of the envelope just by touch, return addresses, type of envelope and even type/font style.

So we know the theft of mail inside the mail service happens and we also know that there have been “postal vote” supply chain theft/fraud already (in the UK).

Just consider it from a basic economic view point as a start point.

One aspect of this is the number of warm bodies involved, and the percentage of those who for a price might commit a crime. You will have to look it up, but based on prison populations you can say that around 1 person in a thousand is in jail, and work from there to get an approximation of the number of people who would commit a crime from the working age population, and you will find it’s probably greater than 1 in 10.

So if the volume of normal letters is high and each warm body only has a limited weight of mail they can carry, then there has to be a lot of warm bodies involved. So in effect only a very small number of letters going through each pair of hands are of value to a particular third party then the price for each theft is very high, as is the risk.

However if the number of warm bodies is reduced then the number of letters of value to a third party going through each pair of hands goes up so the effective price of each theft drops.

Less normal mail means fewer pairs of hands employed; it also means that other “concentrating effects” occur in the supply chain, making the cost of the crime and risk even less.

I don’t want to get into the ins and outs of supply chain crime here, interesting though it is, especially as ironically it is rapidly becoming a “security field in its own right”, due to the Internet… Especially when it comes down to the fact the outbound system is so vulnerable and getting worse due to “cost reduction” measures.

I just want to raise the point that it is a vulnerability that you would be adding to a voting system that does not exist in current basic paper and ballot box voting systems.

Further as there are known examples of “postal voting” supply chain attacks already, we know that it is not a theoretical possibility but a practical reality. That is only going to get worse with time as “cost reductions” in the supply chain cause,

1, Increasing numbers of exploitable points.
2, Concentration of value at each point.

Hannah S. October 18, 2023 6:30 AM

“I understand we have a paper-based system that works but suffers from drawbacks like long lines and a lack of voting options for the working class.”

Counterexample Germany. We usually don’t have long lines with paper voting. This is because we have enough voting booths with a few people working there (usually “conscripted” among public service workers, but can also be volunteers). The process of checking eligibility, handing out the ballot(s), and re-checking before putting the ballot into the urn is quite streamlined.

And elections are always on Sundays so at least a significant proportion of workers aren’t blocked from going (in Germany, Sunday has a public holiday status where most work on jobs is forbidden).

And we have relatively easy access to mail in voting in advance, so who, for whatever reason, can’t vote on the date itself can vote early and/or elsewhere than the assigned voting booth.

In my eyes this solution is much preferable over questionable, less transparent digital voting schemes.

Note that with the paper ballot, electronic aids for counting are not categorically excluded. The important thing is that observers can still check what’s going on and recounts can always be done based on simple, comparably fail-safe methods.

Especially important is that among the common populace, it’s easier to be an observer to a paper-based process (which anyone here is allowed to, we’re allowed to observe both the voting process in the booth, and the counting process, of course excluding the actual act of a voter marking the ballot until it’s obscured [folding/envelope/urn]), than de facto restricting public observability to the few who understand the respective digital technology of choice (and security analysis etc.). So in that sense, paper voting is more democratic too.

ResearcherZero October 19, 2023 2:50 AM

@Hannah S.

We have the same kind of system in Australia, and I have been conscripted as an electoral observer. It’s a very efficient system and quite good at catching anyone who tries to cheat. As a result cheating remains rare, and the process runs smoothly and quickly.

Many polling places ensure minimal frustration and a pleasant experience. It enhances public trust in the entire voting system as everyone has a clear view of what is taking place. More polling stations can help create more trust in the system, and it gives more people a chance to participate in the process if they would like.

There used to be tougher rules about campaigning outside polling places, which have been relaxed. Seems that this might increase people’s frustrations, and it perhaps should be considered if more stringent campaign rules should again be imposed. However, that is in the hands of politicians who are struggling to agree on anything.

Lowering tensions may help to reduce the amount of misinformation and disinformation regarding the process. And shorter polling lines greatly reduce people’s frustrations.

Stephan October 19, 2023 3:48 AM

For context, you need to know that Swiss election habits are already really weird compared to other countries. Most Swiss do not go to the ballot at all but vote via mail.

The upside of it is that elections and ballots are very low effort and as a result Swiss can vote on almost everything directly every few weeks instead of relying on representatives.

lurker October 19, 2023 11:15 PM

Data point: I voted in the NZ General Election last Saturday. Elections, like Censuses are not immune to what some would call neo-con cash stripping. As an economy measure at my local voting place the number of clerks and booths was halved since the previous election. Only those checking the bona fides had printed rolls. The meeter and greeter at the door who pre-checked irregulars, had access only to some centralised roll via wifi. The voting place was a primary school, and the wifi was carefully designed to give poor to no performance out in the street where the queue waited.

It should be noted that early voting places were available for two weeks prior to polling day, but only during normal office hours, and mostly at different places to the usual voting places. So all the local farmers turned up at the school as they have done in past years on the appointed Saturday, and had time in the queue to mutter …

Cow October 21, 2023 2:12 AM

No system is perfect. Sure there are many negatives, but they are all true of payments and banking, and yet I haven’t heard anyone say we shouldn’t use only online forms for those.

If you really want to protect elections, ban advertising.

Shymaa Arafat December 6, 2023 7:01 AM

1. Is it always assumed that there’s no leakage of the mailed codes?! There’s the printer guy, the envelope-sealing guy, the possibility of sending to people who usually don’t vote and vote for them, etc.

2. I have another question for such a cryptographic community: is there any cryptanalysis of differential attack types? I mean, specific to any code generation method, any competing candidate can always find voters that are exactly preceding/following, or sandwiched between, some of his/her supporters who are willing to reveal their codes to be analyzed?

JTC December 7, 2023 12:07 PM

I appreciate your thoughtful approach to the voting process. You never forget people in the process and have done a good risk assessment and followed that up with concrete suggestions (specifically your previous paper on paper ballot backups). Thanks for all you do. Some of us thoroughly enjoy reading both your column and books. Not too many I can ever say that about in these days! Thanks, from a grateful reader.
