Why Switzerland's E-Voting System Is a Bad Idea (schneier.com)
Last year, Andrew Appel, professor of computer science at Princeton University, wrote a 5-part series about Switzerland's e-voting system, highlighting the inherent security vulnerabilities it faces and the safeguards the country has in place. Now, he's writing about an interesting new vulnerability in the system that can be exploited to manipulate votes without anyone knowing. The vulnerability was discovered by Swiss computer scientist Andreas Kuster. From a blog post written by security technologist Bruce Schneier: "The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prüfcode), printed on the sheet of paper you receive by physical mail. Your computer doesn't know these codes, so even if it's infected by malware, it can't successfully cheat you as long as you follow the protocol.
Unfortunately, the protocol isn't explained to you on the piece of paper you get by mail. It's only explained to you online, when you visit the e-voting website. And of course, that's part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable. To demonstrate this, I built a proof-of-concept demonstration."
Appel again: "Kuster's fake protocol is not exactly what I imagined; it's better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what's on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn't know what's on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video."
Is it less perfect than the alternative? (Score:2)
It's disappointing that a system the Swiss tried really hard to get right is hackable. But perhaps that's too high a standard. We'd want to compare how difficult it is to hack this, and how much damage a villain could do, against a paper ballot system.
Even in this case, I wouldn't be surprised if paper ballots win. It's difficult to create 100,000 phony physical ballots, and physical ballots are conceptually easy to audit. Given the nature of this exploit it might be possible to scale an e-attack to have a v
Re:Is it less perfect than the alternative? (Score:5, Informative)
It's disappointing that a system the Swiss tried really hard to get right is hackable.
Disappointing, but not unexpected. Experts have over and over warned about the dangers of electronic voting.
https://engineering.stanford.e... [stanford.edu]
https://www.comparitech.com/bl... [comparitech.com]
https://www.usagovpolicy.com/d... [usagovpolicy.com]
It is a bad idea.
But perhaps that's too high a standard.
What, not having elections stolen is "too high a standard"?????
That is the minimum standard.
Re: (Score:3)
And, neither electronic nor mail-in voting allows the voter to KNOW FOR SURE that their vote is actually confidential/private. That can only be done in-person. As long as your ID being checked is not part of the actual voting process. Example....
My State finally went back to a system that is good (the system we had BEFORE electronic voting machines). ID is checked in one line. Next line you get a paper form from a stack, manned by different people. Then you sit at a private booth and mark your votes o
Re: Is it less perfect than the alternative? (Score:1)
In Switzerland they had to change mail-in ballots because of too much fraud. Now you have a "secure" sticker with your name on it to stick to the return card, in addition to signing it, in order to vote. About the secure sticker, a middle-range color printer can print it. And what happens to those ballots when they reach their destination? "Oh it's from X, who's known to vote for Y"...
In person is the only secure way to vote.
Re: (Score:2)
>"Damn, how archaic"
And yet, it works
>"Most states allow mail in ballots."
That doesn't make it OK
>"Simple and quick without needing 200 volunteers at every voting center and people waiting in line for two hours for their turn."
And insecure and impossible to guarantee privacy. And my voting location has maybe 12 volunteers for the day.
>"Why make election day a "national holiday" when most people can finish their at-home voting days before and just watch the results as the ballots are counted."
Be
Re: (Score:3)
Damn, how archaic.
I instantly can tell you are from Silicon Valley, probably working at a startup. You think everything should work that way, failing to realize the drastic consequences of the high rate of failure startups experience. Most startups don't produce anything of value. While you can innovate this way, you can't build a functioning society with this approach.
We want our mission-critical systems to be stable and thoroughly debugged. Our ballot casting and tabulation system is feature-complete, there is absolutely no n
Re: (Score:2, Troll)
Heard it all before, for example about banking. Online banking is a terrible idea, they said. Can never be secure, they claimed.
And in some ways they were right, people do steal money by hacking online banking. But they also stole money by doing paper and in-person fraud before online was available too. Oh, and telephone fraud, and of course telephone banking was decried as insanely insecure and stupid when that first started too.
Similarly, voter fraud happens with paper ballots. Not very often, but for exa
Re: (Score:2)
Not like banking [Re:Is it less perfect than t...] (Score:3)
Heard it all before, for example about banking. Online banking is a terrible idea, they said. Can never be secure, they claimed.
Banking is a vastly different problem. In banking, you tag each transaction to the individual, which makes individual transactions traceable. In voting (at least, with a secret ballot), it is critical that each vote is not tied to the voter. You can't correct a problem-- "oh, these twenty thousand votes were switched from red party to orange, so we will correct that by switching them back" because the voter is separated from the content of the vote.
...Similarly, voter fraud happens with paper ballots. Not very often, but for example coercion and impersonation are relatively easy with postal votes.
Tremendous difference here. That is one at a time fra
Re:Is it less perfect than the alternative? (Score:4, Informative)
i wrote part of that system. this flaw is indeed serious, but i think it can be reasonably mitigated by informing the user about the steps via the mentioned paper voting cards, or other means; the entire protocol is fairly complex but the instructions for the voter are actually simple and straightforward. maybe so simple that they seemed so obvious to everybody involved that nobody really saw this coming.
Re: (Score:2)
you tell me. why do you ask me such a loaded question? i'm not an advocate, just sharing what i know about the subject.
i was skeptical about electronic voting being at all possible before that job. it looked like a very interesting job anyway and it didn't disappoint. it turned out it works and is a trustable process. there is room for improvement, though. it has a lot of complexity and needs scrupulous management and supervision, i'm not sure that's adequate for every context or even that it scales very we
Re: (Score:2)
My question was not at all loaded. Presumably, advocates of electronic voting have to believe there's something so wrong with paper voting to the point of justifying all the time and money to develop, implement, and deploy electronic voting. I'm just asking what such people believe those sufficiently wrong things are.
Re: (Score:2)
I'm just asking what such people believe those sufficiently wrong things are
can't really help there. i don't think paper voting is fundamentally flawed at all, but it is far from a perfect process either. it is a costly and unwieldy operation that involves huge quantities of human labor (which tends to qualify poorly btw), generates quite a bit of waste and is often disruptive of the productivity, and isn't impervious to fraud either. deferred voting in particular, (e.g. mail voting) is often cumbersome in many places (for some weird reason) and offers far less guarantees. incident
Re: (Score:2)
It's disappointing that a system the Swiss tried really hard to get right is hackable.
Any system is hackable. It was demonstrated elsewhere (for example in the Netherlands, where they played chess on a voting machine) that voting machines can never be trusted
This has everything to do with being a black box. Even if there are no connections to the outside world, you can generate strong electric fields to wipe the memory or temporarily disable it. The reason paper is less hackable is that everything is visible. For paper, you need enough eyes to see that there is no tampering, for devices
your boss can force you to vote at work the way th (Score:4, Interesting)
your boss can force you to vote at work the way they want?
why does this need to be online??
Switzerland is Superior (Score:3)
The other thing more important with Switzerland is that they have a mostly direct democracy.
Many issues are directly decided by people voting on the issue, at all levels.
It is far superior to any other country's indirect and biased political system.
Re: (Score:2)
your boss can force you to vote at work the way they want?
Your boss could also kill you, steal your ID and go vote in person too. Your boss could do many illegal things. This concern is really incredibly short sighted.
Re: (Score:2)
If your boss wants to do that they can simply insist you get a postal vote and watch you fill it in at work.
That's not the issue here. The issue is a technical problem that can be used to manipulate vote counts undetectably.
Why *any* E-Voting System - FTFY (Score:3)
C'mon... this isn't hard (Score:5, Interesting)
Paper ballots, hard pencils. You can design the ballots to make scanning into a computer easy and reliable for computer tallying, but the original vote needs to be on paper.
If you have issues with voter disenfranchisement, switching to a system where the process is opaque only lets them get away with it more easily behind the scenes.
If your population doesn't care enough to protect ballots, democracy no longer matters.
Re: (Score:2)
Pencils? Sorry, you kinda lost me there, but.... my state elections use scannable cardstock paper ballots with indelible Sharpie pens to mark them up
They go to great lengths to document custody and ensure that the votes are properly tabulated and the ballots stored for future review.
Mail in ballots have a more complicated review and "curing" process, but voters are allowed to track their ballot to make sure it was tabulated
So far, the right wing nut cases have lost every court case they have tried to raise
Re: (Score:2)
Interesting, apparently a UK/EU thing
So says the wiki
Modern uses
An Italian copy pencil used in elections
In Italy and other countries, their use is still mandated by law for voting paper ballots in elections and referendums. The signs written with copying pencil cannot be tampered with, without leaving clear traces on the paper.
Apparently there are some downsides; I suspect we will stick with Sharpies.
Health risks
Indelible pencils were the cause of significant health risks due to the presence of aniline dyes.
Re: (Score:1)
Being able to vote electronically helps increase participation. It also makes voter suppression harder, because simply taking away polling stations in areas unlikely to vote for your candidate doesn't work so well.
Re: (Score:2)
When you're trying to work around voter disenfranchisement, you've already surrendered something fundamentally important - you've accepted disenfranchisement as a valid political tactic.
Rather than trying to work around it, you ought to be hanging the people who work to selectively disenfranchise voters. They're traitors to your society. Dangerous ones.
Remote voting can never be secure (Score:3)
Coercion is fun when you're the winner, though (Score:2)
With remote voting, there is no way to guarantee that you have not been coerced. If you have to privately enter a booth in a physical space, you have deniability.
Precisely why unions in the US want 50% of workers signing a card being enough to create a union (union organizers can see how you vote, but employer can't), vs. 30% of workers signing a card being enough to trigger a NLRB-supervised election (neither side can see how a worker votes). The ability to coerce is worth a 20% higher voting threshold.
https://en.wikipedia.org/wiki/... [wikipedia.org]
(Yes, employers coerce on the other side, but the way to fix that is to fix/punish that, not just balance that out by increasing co
Re:Remote voting can never be secure (Score:5, Insightful)
the system mentioned in this article actually approaches this in a simple and very effective way: you can vote as many times as you want, only the last one counts, and if that fails you can always vote on paper which would override any electronic vote, thus it protects against coercion at least as well as traditional paper voting.
Re: (Score:2)
i'm unsure about what part you misunderstood here? political representatives do indeed need to be present at polling stations like in any other election to supervise several aspects of the process: privacy in the booths and prevention of coercion but also fair access to voting materials, custody of ballot boxes and supervising the whole voting and counting process.
what i'm saying is that the system provides a mechanism to circumvent coercion while voting remotely but still allows the voter to fall back to t
Re: (Score:2)
Let me give an example. Party A offers me $1000 if I vote for them. To prove that I voted for them, they ask me to vote electronically in their presence at the time when electronic voting closes. Then, their representative monitors the poll station and checks I am not overriding the electronic vote with a paper vote: if they see me at the poll station, no $1000 for me.
Your secure voting system cannot prevent this vote control exploit, can it?
Re: (Score:2)
voter coercion has nothing to do with vote buying/selling
if we adapt your example to plain coercion, though, the voter may simply "lose" the voting card, thus being forced to vote on paper. other than that you are describing a voter that is under absolute control of another person (maybe a family member), and you also add the collusion of a party representative which is actually overkill too, because if you have full control of a person you can prevent them from going to the polling station anyway.
now, talk
Re: (Score:2)
Yes, this example requires a party representative to be on the board. I am not sure which threat model you have, but to me this seems the most dangerous scenario, not individual efforts to coerce one single vote.
Yes, I agree
Re: (Score:2)
With remote voting, there is no way to guarantee that you have not been coerced.
With local voting there's no guarantee that you have not been murdered and someone else has taken your identity and voted in person. Murder of course is illegal, so is fraudulent voting, so is voter coercion. The latter is rarely significant enough to impact an election as no one is fucking dumb enough to do it for the sake of a couple of votes.
Of course it is. (Score:2)
Every step away from in person paper voting in triplicate(one copy into the counted ballot box, one copy into the county level backup, and one copy into a state level backup) with indelible ink marked fingers is inherently more insecure than the last. Moreover, any system that is not genuinely auditable has a significant measure of fraud in it, period. Anyone saying otherwise is either ignorant, delusional, or a disingenuous shitstain.
Re: (Score:2)
I do not get the "in triplicate" requirement; it seems to offer too many opportunities for the three copies not to match. You also have a simpler chain of custody if a single repository is used.
Re: (Score:2)
"It seems to have too many opportunities for the copies to not match"
I'm sorry, do you not understand the concept of pressure sensitive papers?
Re: (Score:2)
LOL, I have actually used them and they suck; the sheets frequently misalign and the bottom sheet is frequently hard to read.
It seems like unnecessary complexity with more problems than benefits
Re: (Score:2)
Except you don't need to read. You fill a bubble or punch a hole depending on the specific system.
Re: (Score:2)
Again, with the misalignment of multiple sheets, it becomes a matter of interpretation
Re: (Score:2)
I remember when "remove all incumbents" seemed like a novel voting practice, but you just end up with a bunch of easily swayed novices in office who have no concept of how to run a government.
Some people think that is a "feature" of a political party, but it quickly devolves into chaos. I find myself wondering if a meritorious technocracy would be a better solution.
Re: What people keep forgetting about voting. (Score:1)
We already have vote-by-postal-mail in Switzerland for quite a few years. While there is always the risk that some voters are forced to vote by a gunman sitting at their home, this kind of attack is considered hard to scale. And having a few forced votes probably would be within the margin of error of the whole process anyway.
Re: (Score:2)
While true, scaling mail-in vote fraud is quite complicated, because you need to force every single person at gunpoint to vote the way you'd like them to. That may allow you to manipulate a few hundred votes if you have considerable personnel, but in a ballot where a few million cast their votes, that's a rounding error. And if you're a state actor trying to manipulate your votes, whether you have mail-in or whether ballots happen at some central point is moot because, as history has shown, if you work at that
It's Switzerland! (Score:3)
These guys prevented women from voting until the '70s, in some canton only in 1991; they are not 'modern' or 'progressive'.
Paper and pen ballots only, please! (Score:2)
For a very simple reason: Conspiracy nuts.
Even if it was 100% audited and perfectly safe, it opens up a very dangerous can of worms. It can only be audited by a very small group of people. Security experts. And every time something becomes dependent on the goodwill of a small group, even if that group was honest and honorable, you also open the floodgates for the conspiracy nutters who will claim that THEY control them and that THEY rig the system. That every security expert is of $political_group_I_don't_l
Votes have value and will be sold (Score:2)
Considering that in the recent past key and impactful elections and referendums were rather close, imagine the high value such votes would bring. Moreover, vote buying would be conducted by state-sponsored spy networks with unprecedented sophistication, so it will be hard to detect.
it would be trivial to fix this / not a real flaw (Score:2)
it would be trivial to print the proper url and procedures on the same page as the codes and require 2FA
So it's like absentee voting... on the internet (Score:2)
Not as bad an exploit as I thought (Score:2)
So it looks like the actual voting system gives you a paper card with different verification codes for each candidate.
After you cast your vote the server sends you back the verification code for the candidate you chose. The idea being that only you (with your paper card) and the server know the proper code, so even if the browser is compromised the attacker won't know the proper code to send back.
The hack in this case is for the browser plugin modify the voting page to ask for the verification code for the
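To make the return-code mechanism from the story summary and from this comment concrete, here is a toy simulation added for illustration; it is not code from Swiss Post, Kuster or Appel, and VotingServer, derive_return_codes and the HMAC-based code derivation are assumptions. It runs the same vote through the intended display-and-compare protocol, through malware that swaps the vote but keeps the real display, and through the fake "type in your code" page, and reports what the voter believes versus what the server recorded.

```python
import hmac
import secrets

# Constructed toy model of a return-code ("Prüfcode") scheme. The real Swiss Post
# protocol is far more elaborate; names and the code derivation are assumptions.
CANDIDATES = ("Alice", "Bob")

def derive_return_codes(server_key, voter_id):
    """Return codes printed on the voter's paper card, one per candidate.
    Constructed: a truncated HMAC stands in for the real code generation."""
    return {
        c: hmac.new(server_key, f"{voter_id}:{c}".encode(), "sha256").hexdigest()[:6]
        for c in CANDIDATES
    }

class VotingServer:
    """Knows the return codes; the voter's computer never sees them."""

    def __init__(self):
        self.key = secrets.token_bytes(32)
        self.ballots = {}

    def print_card(self, voter_id):
        return derive_return_codes(self.key, voter_id)

    def cast(self, voter_id, candidate):
        self.ballots[voter_id] = candidate
        # The server answers with the code matching the vote it actually recorded.
        return derive_return_codes(self.key, voter_id)[candidate]

def vote_with_honest_page(server, voter_id, choice, card):
    """Intended protocol: the page shows the server's code; the voter compares it
    with the paper card."""
    shown = server.cast(voter_id, choice)
    voter_satisfied = shown == card[choice]
    return voter_satisfied, server.ballots[voter_id]

def vote_with_malware_honest_display(server, voter_id, choice, card, swap_to):
    """Malware swaps the vote but the page still shows the server's real code."""
    shown = server.cast(voter_id, swap_to)
    voter_satisfied = shown == card[choice]   # mismatch: the voter catches it
    return voter_satisfied, server.ballots[voter_id]

def vote_with_malware_fake_protocol(server, voter_id, choice, card, swap_to):
    """Kuster's variant: the fake page asks the voter to type the code for the
    intended candidate instead of showing one. Nothing checks the typed value."""
    server.cast(voter_id, swap_to)
    _typed_by_voter = card[choice]            # voter dutifully copies from paper
    voter_satisfied = True                    # the page simply says "verified"
    return voter_satisfied, server.ballots[voter_id]

def run_scenarios():
    """Returns {scenario: (voter believes the vote is fine, candidate recorded)}."""
    out = {}
    for name, fn, extra in (
        ("honest", vote_with_honest_page, ()),
        ("malware_display", vote_with_malware_honest_display, ("Bob",)),
        ("malware_fake_protocol", vote_with_malware_fake_protocol, ("Bob",)),
    ):
        server = VotingServer()
        card = server.print_card("voter-1")   # the paper card sent by mail
        out[name] = fn(server, "voter-1", "Alice", card, *extra)
    return out
```

The only thing separating the second scenario from the third is whether the voter knows the rule "compare the code the page shows, never type it in", which is exactly the instruction the paper card in the mail currently does not carry.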
Questioning election integrity? (Score:3)
Sorry folks. That's a paddlin'.
Kinda like keeping the schools open is anti-intellectual, and letting poor black kids take algebra 1 in the 8th grade is racist.
[circus music plays in the background]
Is it really a bug? perhaps it's a feature (Score:2)
What voters seem to forget in countries with big central governments that are involved in everything is that this very "the government is involved in everything" issue makes it so that every election involves millions/billions/trillions of dollars/euros/yen etc and people will do a lot of nasty stuff for those piles of cash. People will murder other people for $100K life insurance policies. What will somebody be willing to do for a million? a billion? a trillion? Is messing with elections taken more serious
If it's closed-source, it's unauditable (Score:2)
Any voting system that has an electronic component to it that's proprietary can't be audited. There are so many flaws to current voting systems. The paper ballots aren't unique and are easily reproduced. Vote counting that takes place in locations like stadiums can't be secured. Humans feeding the ballots into the machine can double-count ones they prefer because they aren't unique. The software in the machine can easily be pre-programmed to give a desired result that's just slightly above suspicion an