173 points by tzmudzin 2 months ago
The central issue with electronic voting is that it's opaque to observers. You can't guarantee vote privacy and monitor the counting process at the same time in electronics. I find that problem alone should mean no electronic voting should be used at scale.
Further, vote privacy is threatened at the client side. The fact that they specifically exclude client vulnerabilities is telling: "... known and accepted characteristics of the system will however not be accepted. Such “issues” include: Any operation compromising the vote privacy on the client-side (e.g. browser extension);" They even put "issues" in quotes, even though these are a common attack vector. They are real and dangerous.
It's common in Switzerland to vote by mail, so there's the possibility that people get pressured into voting in a certain way by their relatives. But the scale is very different when people must expose their voting preferences to a machine they already know watches them.
I agree about the risk of client-side vulnerabilities. Another state-level actor could easily abuse this to influence an election.
On the counting side though, I don't fully agree. Paper voting sees some enormous mistakes. Whether they are intentional or not, but it has happened before where an entire town's votes for a candidate missed a zero. No election observers or people sent from either party noticed it until a volunteer pointed it out. Electronic voting isn't going to make such mistakes and I believe that if the process is handled well, then the secrecy of the vote shouldn't be an issue from the server side.
But again, there's nothing you can do about the client side attack vector.
In your example it worked: a volunteer pointed it out. The volunteer probably would not have been able to with e-vote.
Who has the skill to be able to assess such a system? And among those, who has the time?
I've been a programmer for 15 years and I'm pretty sure I would not be able to look at such a system and feel confident there is no error. And definitely not in the reasonable time period required for voting.
This exactly - complete recountability and the fact that there actually are independent volunteers recounting are the only assurances of a transparent, legitimate voting system. Black boxes (and computer systems by their nature are black boxes) introduced into this system will always void its transparency.
> In your example it worked: a volunteer pointed it out. The volunteer probably would not have been able to with e-vote.
I believe the parent's example was to show that it was missed by the system that was intended to catch it. That the catch in itself was a fluke, lucky.
It should bring into question "How many times have we missed and not caught it?" not "Well it worked this time, it must always work." In fact, we can only recognize cases if we catch them. Therefore it is confirmation bias to use this example as a "proof of it working". It can only serve as an example of "We have caught failures in the system" and suggest that we should be wary of others existing (neither proving nor disproving fault in the system).
We can't know how many, but we know it's possible. For e-vote, I'm not sure it's possible. Hell, I can't tell with certainty my own laptop is clean.
While I agree that voting with paper ballots is prone to errors, I argue the errors are of the type that can be detected by observation. Manipulation at scale takes many conspirators and can be detected just by watching the process. You know you can't trust a vote when the watchers complain they couldn't monitor the ballot boxes at all times.
In electronic voting, you just have to trust the machine to do it right. There are multiple layers of manipulation available that are hard to detect. Sure, the bar is higher, but so are the opportunities for doctoring by the involved actors. What are the watchers to do? They simply can't watch the ballot box when it's inside a machine where no single human can fully understand its machinations.
To expand on this, "verification" or "observation" of paper voting can be done by just about anyone. Young or old, natives or transplants, left or right, comp sci majors or the high school dropout, just about anyone can count along and watch a box to make sure nobody is stuffing tons of ballots in there. That's what makes it so powerful. If you think some conspiracy is happening by "the other side", you can go down and watch for yourself, or you can gather a hundred other people to watch with you.
Exactly. The goal isn't just to minimise the number of errors, it's to minimise the estimated number of errors among the most conspiracy-prone 10% of your fellow citizens. The validity of the vote is something which resides in their heads.
It is possible to create an encrypted log of all votes, each vote encrypted with a different key. Voters would receive a decryption key printed on a slip of paper at the voting booth. Later on they could check to see if their vote was correctly counted.
There are two cases. Either you can prove to other people what you voted for. And then they can extort you. Or you can't, and then how can you prove you were cheated? And if we think one more step, a hostile government can start rumors of distortions and no one can know.
There is an out. If no single person can prove their vote but people in aggregate can.
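The receipt scheme sketched a few comments up (one key per vote, the key handed to the voter on a slip) and the objection that follows it, as an added toy model that is not from any real system; it assumes a one-time pad per entry and that the authority keeps a copy of every key so it can count:

```python
import secrets
from dataclasses import dataclass

# Constructed toy model, not a real voting system. Each vote is stored
# encrypted under its own fresh one-time-pad key, the voter keeps the key
# on a slip, and can later check the public entry. Names (BulletinBoard,
# Slip, cast, verify, tally) are this example's own inventions.

VOTE_LEN = 8  # fixed length so the ciphertext length leaks nothing

def _pad(choice: str) -> bytes:
    raw = choice.encode()
    if len(raw) > VOTE_LEN:
        raise ValueError("choice too long")
    return raw.ljust(VOTE_LEN, b"\0")

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

@dataclass(frozen=True)
class Slip:
    entry_id: int   # position of the voter's entry in the public log
    key: bytes      # the per-vote decryption key printed on the slip

class BulletinBoard:
    def __init__(self) -> None:
        self.entries: list[bytes] = []  # public: ciphertexts only
        self._keys: list[bytes] = []    # assumed: authority keeps keys to count

    def cast(self, choice: str) -> Slip:
        key = secrets.token_bytes(VOTE_LEN)
        self.entries.append(_xor(_pad(choice), key))
        self._keys.append(key)
        return Slip(len(self.entries) - 1, key)

    def tally(self) -> dict[str, int]:
        counts: dict[str, int] = {}
        for ct, key in zip(self.entries, self._keys):
            choice = _xor(ct, key).rstrip(b"\0").decode()
            counts[choice] = counts.get(choice, 0) + 1
        return counts

def decrypt_entry(board: BulletinBoard, slip: Slip) -> str:
    # Works for anyone holding the slip: the voter checking their vote,
    # but equally someone who demands the slip. The receipt that makes the
    # vote checkable is exactly what makes it provable to a third party.
    return _xor(board.entries[slip.entry_id], slip.key).rstrip(b"\0").decode()

def verify(board: BulletinBoard, slip: Slip, expected: str) -> bool:
    return decrypt_entry(board, slip) == expected
```

Individual verifiability holds (the voter's check passes), but the same slip lets anyone else read the vote, which is the coercion problem raised in reply.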
Can this procedure confirm that the machine properly recorded my preferences, reported them to the central tabulator, and that the tabulator included my ballot choices in the final counts?
That's why you have paper ballots with dumb electronic counters, as Ontario (Canada) did in its last provincial election. The ballot is a full letter size piece of paper that is fed through the counting machine while the voter watches, into a standard ballot box that can easily be recounted.
Maybe I'm incredibly naive but if we can build safe financial trading platforms then why can't we build safe electronic voting platforms? It seems like someone would have as much motivation to steal money as they would to change votes if it was possible.
I'd guess that a lot of that "safety" depends on the auditability of what happens on financial trading platforms. If someone manipulates them, this can be discovered (and the manipulator punished) precisely because there's a trail recording exactly who did what.
If a voting platform has such a trail, what becomes of ballot secrecy? And if it doesn't, how will the process be reliably audited?
I'm sure a simple, transparent, and bullet-proof blockchain solution is just around the corner. /s
Voting needs not only to be safe. It needs to be safe in a way that even old people, or those with zero knowledge of technology, do not believe conspiracy theories about how their vote is being stolen.
>The central issue with electronic voting is that it's opaque to observers.
There was this interesting talk years ago. https://www.youtube.com/watch?v=ZDnShu5V99s
Does anyone in the space have a more up to date reference on where things are at ?
While I agree with your point about client-side vulnerability, I think the central issue you highlight has reached a tipping point.
The use of zero-knowledge arguments of knowledge, such as the zk-SNARK, allows for anonymous, but still verifiable voting systems. These could be decentralized (via blockchain or similar), or built according to a more traditional architecture, but I do think that such a tool would represent a genuine advancement in voting systems.
The problem is that very few people can follow how a zero-knowledge protocol works. We'd all have to trust a small set of people to do it right. And then we'd have to trust the people implementing it to do it right. Then we'd have to trust the people who provision the devices it runs on to do it right. But then we'd have to trust the devices themselves too. All the people who worked on the devices must be trusted. In the end it means we can't know there was no manipulation.
Contrast this with a box where you can watch the pieces of paper as they are put inside. And as they are taken out again. As long as you can watch the box, you can verify the process.
> The central issue with electronic voting is that it's opaque to observers.
The central issue with electronic voting is that it is centralized.
This program is a failure from the get-go.
> Scalable manipulation of votes that is undetectable by voters and trusted auditors;
Such a bug would be a complete worst-case failure and if you report it, it would net you up to 50'000 CHF. This is a ridiculously low amount for such a critical infrastructure.
The expected black market value of such a vulnerability is way way higher. Just to give you a frame of reference, in Switzerland we have 4 national votes a year and depending on the topic, affected interest groups and parties spend between 3 to 6 Mio CHF per vote for ads and influence. Now do the math yourself, what's the expected value of a vulnerability "undetectable by voters and trusted auditors" in a 10-20 Mio/y market (just at the national level) for influence?
But you only need one honest hacker amongst all those who discover the same vulnerability to claim the bounty. There are plenty of hackers and pen-testers out there who do legitimate work and have no interest in breaking the law. The bounty only needs to be as high as the market rate for their work.
Still the 150,000 CHF maximum bounty is way too low. Even though the system has already been pen-tested, there could still be dozens of undetectable vote manipulation bugs out there and they should not reduce the incentive of finding them by capping the payouts.
Yes, but even if some bounties are paid out, what guarantee do we have that this one honest white hat did his work? And remember this is not a usual bug bounty for some company, where the failure mode is some lost revenue due to hacking. This could become ultra critical infrastructure, since in Switzerland we do not only elect the politicians but we decide on any policy and law if it is of sufficient interest.
In the absolute worst case a rigged electronic vote could enable laws bordering human rights violations or even laws to abolish some people's right to vote. So the failure mode here is complete loss of democratic control.
That's not a particular problem for e-voting. I don't see a concrete reason why there should be an enhanced risk for manipulation just because you transmit your vote via the internet instead of sending it by letter or visiting the polling station. I rather see an opportunity for the voter to verify that the vote has been correctly carried, depending on the implementation of the e-voting system. But for that I still need a closer look into the details of this system (which I will do as it concerns me).
At the moment I see the project quite positively. For example in Germany they used a closed-source software called "PC Wahl" and the CCC had quite some difficulties to get the source code. And when they got it the catastrophe just began. The software included such funny things like a 1 byte (sic!) hash as checksum. Then it had a weird encryption created by the guy who coded the software, which wouldn't even meet 80s standards. Also the software was distributed via a cheap, hosted web server with the login credentials "test" "test" (sic!) and there weren't any signatures for the updates nor for the transmitted results. To see the whole catastrophe you can watch "PC Wahl Hack" with Linus Neumann. It's quite funny especially when you hear that the software company (from that one guy who coded it since the 90s) was sold for about 1 Mio. €.
> whats the expected value of a vulnerability "undetectable by voters and trusted auditors" in a 10-20 Mio/y market
You might be lowballing it yourself. The influence market has a limited value because players who would want to influence towards outlandish outcomes (ex. a union with Russia, declaring war on Germany or simply self-destruction via civil war) know they are wasting their money since their desired outcome is essentially impossible to achieve.
A system where you can enforce a change of leadership in an OECD country with 700 billion GDP is worth at least billions, if not tens of billions. You could recover most of your costs simply by influencing government purchasing for 4 years, and get any politically desired outcomes for free.
I am from a far far away land.
Would you mind explaining what Mio means in this context.
Mio == million
There are, what, 6 million or so voting age people in Switzerland.
6 million x 3 to 6 million CHF = I’m confused.
1 CHF = about 1 USD?
36,000,000,000,000 CHF four times a year. M
I know I’m very tired. Did I miss something?
They mean "3 to 6 M per vote" as in per election, not per citizen.
Exactly, on any of the 4 voting days a year, there can be multiple issues/propositions/topics and for the important ones of those, we see budgets in the millions.
Oh dear. Talk about fatigue decontextualised misinterpretation.
Thanks for clearing that up.
I'm not sure the maximum is 50000 CHF. They present it as "Minimum compensation: Between 30000-50000 CHF" which is a bit ambiguous.
Posted 19h ago: https://news.ycombinator.com/item?id=19127631
Stop trying to fix something that isn't broken.
The paper ballot and manual counting here in Switzerland works and needs no fixing.
So did a pair of feet, but the car made things a whole lot easier eventually. Humanity is only here for a bit, I feel we owe it to ourselves to keep innovating, regardless of whether or not all of our innovations turn out to be great.
The oligarchy can't disenfranchise you as easily, though.
Look at how screwed up the US is where liberal states import massive amounts of illegal immigrants and then launder them into voters by giving them driver's licenses. And when they're not running the tables with illegal immigration, they're doing it via gerrymandering (census counts legal and illegal alike), disavowing Voter ID laws as "Racist"--when every other thing we do requires an ID that is never accused of being racist, mind you.
And then there's the vote "counting" itself.
I think if Americans knew the full scale of fraud around voting there would be a real revolution.
> An amount of CHF 150'000.- is available for compensations.
Seems to me like this is the wrong approach. Essentially, they’re saying they have no idea how much they can pay per bug.
A sensible approach would be to insure bug bounties, at least up to the amount that a black hat could profit from compromising the system.
Good luck getting a legislature to sign off on an unlimited bug bounty budget though...
An insurance policy would suffice.
Good luck insuring this. I'm pretty sure the insurance premium will be the same as the actual cost.
They have a table below that with amounts listed for different types of bugs.
I'm guessing the 150'000 means they'll stop paying for new bugs once they've reached that amount.
What it means is that they only have a budget of 150k CHF for all of the compensations they have to pay out. So if there are 4 bugs that would amount to 50k per bug, then only the first 3 would get compensated and the rest would not.
Source:  -> Q&A regarding the public intrusion test -> Is the federal government allowed to pay for hacker attacks?
Not exactly related to this e-voting system, but more generally there will probably be a federal popular initiative for a moratorium on e-voting in Switzerland [1,2]. It is possible (for Swiss citizens) to support the collection of signatures by registering here.
Oh, that is great to know, thank you!
username checks out
First of all, great news! I live in Switzerland, and this is really good to hear.
To those who think that 150’000 Fr. compensation is too low — think of the prestige! Hacking the Swiss voting system, the only direct democracy in the world! No amount of money is equal to that.
Right, because extolling political capital from one of the centers of global banking is definitely not more valuable than a CV blurb
The Swiss are actually ready to shut down the e-voting system for good. This is the final “military exercise” test; if it will be able to stand the combined power of the finest hackers of the planet (which is doubtful), it might survive. But I don’t think so. This is a suicide letter for the system. At the very least, it will be DDoSed out of existence.
There's lots of direct democracy at sub-national levels in various countries.
This is still my favorite take on the eVoting topic: https://xkcd.com/2030/
Reminds me of developers' attitudes towards software patents (similarly, near-universal consensus that they're a terrible idea).
For a bit more background: The online newspaper Republik recently published a piece about this project and some of the problems with the company Scytl providing the system. They provide an English translation of that article:
After Geneva made their system available as free software (AGPLv3), I can't help but feel a tiny bit disappointed about the restrictive terms for the release of the source code.
Why is arbitrary code execution worth so little? Isn't that usually considered the worst bug somebody could find?
The way I read it, if you can leverage arbitrary code execution to manipulate votes, then you can claim one of the higher-paying categories... but if you can execute code, but can't figure out how to use that to actually affect votes, they don't care as much.
I can't say I'm 100% sure that's the best strategy, but I think it makes at least some sense.