Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Politics

Why Switzerland's E-Voting System Is a Bad Idea (schneier.com) 65

Last year, Andrew Appel, professor of computer science at Princeton University, wrote a 5-part series about Switzerland's e-voting system, highlighting the inherent security vulnerabilities it faces and the safeguards the country has in place. Now, he's writing about an interesting new vulnerability in the system that can be exploited to manipulate votes without anyone knowing. The vulnerability was discovered by Swiss computer scientist Andreas Kuster. From a blog post written by security technologist Bruce Schneier: "The Swiss Post e-voting system aims to protect your vote against vote manipulation and interference. The goal is to achieve this even if your own computer is infected by undetected malware that manipulates a user vote. This protection is implemented by special return codes (Prufcode), printed on the sheet of paper you receive by physical mail. Your computer doesn't know these codes, so even if it's infected by malware, it can't successfully cheat you as long as, you follow the protocol.

Unfortunately, the protocol isn't explained to you on the piece of paper you get by mail. It's only explained to you online, when you visit the e-voting website. And of course, that's part of the problem! If your computer is infected by malware, then it can already present to you a bogus website that instructs you to follow a different protocol, one that is cheatable. To demonstrate this, I built a proof-of-concept demonstration."

Appel again: "Kuster's fake protocol is not exactly what I imagined; it's better. He explains it all in his blog post. Basically, in his malware-manipulated website, instead of displaying the verification codes for the voter to compare with what's on the paper, the website asks the voter to enter the verification codes into a web form. Since the website doesn't know what's on the paper, that web-form entry is just for show. Of course, Kuster did not employ a botnet virus to distribute his malware to real voters! He keeps it contained on his own system and demonstrates it in a video."

This discussion has been archived. No new comments can be posted.

Why Switzerland's E-Voting System Is a Bad Idea

Comments Filter:
  • It's disappointing that a system the Swiss tried really hard to get right is hackable. But perhaps that's too high a standard. We'd want to compare how difficult it is to hack this, and how much damage a villain could do, against a paper ballot system.

    Even in this case, I wouldn't be surprised if paper ballots win. It's difficult to create 100,000 phony physical ballots and physical ballots are conceptually easy to audit. Given the nature of this exploit it might be possible to scale an e-attack to have a v

    • by Geoffrey.landis ( 926948 ) on Tuesday October 17, 2023 @08:40PM (#63932961) Homepage

      It's disappointing that a system the Swiss tried really hard to get right is hackable.

      Disappointing, but not unexpected. Experts have over and over warned about the dangers of electronic voting.

      https://engineering.stanford.e... [stanford.edu]
        https://www.comparitech.com/bl... [comparitech.com]
        https://www.usagovpolicy.com/d... [usagovpolicy.com]

      It is a bad idea.

      But perhaps that's too high a standard.

      What, not having elections stolen is "too high a standard"?????

      That is the minimum standard.

      • And, neither electronic nor mail-in-voting allows the voter to KNOW FOR SURE that their vote is actually confidential/private. That can only be done in-person. As long as your ID being checked is not part of the actual voting process. Example....

        My State finally went back to a system that is good (the system we had BEFORE electronic voting machines). ID is checked in one line. Next line you get a paper form from a stack, manned by different people. Then you sit at a private booth and mark your votes o

        • I realise I'm late, but Swiss mail in votes are checked and added for counting by the people. Yes, people voting in person are requested to assist in the count and checks to see that things are done properly. It's certainly not impossible to cheat, but to do so with a meaningful impact isn't really possible.
      • Yep. This. Voting in person at specified public places on bits of paper still seems to be the least problematic way to do it, even if there are much cheaper, more efficient ways to do it. The important thing is that the votes are valid; way more important than what it costs to process them. What we've got seems to work OK. We also have fairly independent global organisations, e.g. https://www.osce.org/odihr [osce.org], that monitor elections to ensure that they're free, fair, & valid, & so far, they've done a
      • Re: (Score:2, Troll)

        by AmiMoJo ( 196126 )

        Heard it all before, for example about banking. Online banking is a terrible idea, they said. Can never be secure, they claimed.

        And in some ways they were right, people do steal money by hacking online banking. But they also stole money by doing paper and in-person fraud before online was available too. Oh, and telephone fraud, and of course telephone banking was decried as insanely insecure and stupid when that first started too.

        Similarly, voter fraud happens with paper ballots. Not very often, but for exa

        • by sinij ( 911942 )
          Our society works only insofar as vast majority of people have confidence in the key systems working fairly. This way perception of fairness is nearly as important as actual security. This is not true for banking, as it works as long as people can quantify and manage risks. So risk tolerance is completely different. For example, small chance of credit card fraud [prnewswire.com] is very acceptable, the same cannot be said about elections.
        • Heard it all before, for example about banking. Online banking is a terrible idea, they said. Can never be secure, they claimed.

          Banking is a vastly different problem. In banking, you tag each transaction to the individual, which makes individual transactions traceable. In voting (at least, with a secret ballot), it is critical that each vote is not tied to the voter. You can't correct a problem-- "oh, these twenty thousand votes were switched from red party to orange, so we will correct that by switching them them back" because the voter is separated from the content of the vote.

          ...Similarly, voter fraud happens with paper ballots. Not very often, but for example coercion and impersonation are relatively easy with postal votes.

          Tremendous difference here. That is one at a time fra

    • by znrt ( 2424692 ) on Tuesday October 17, 2023 @09:12PM (#63933025)

      i wrote part of that system. this flaw is indeed serious, but it think it can be reasonably mitigated by informing the user about the steps via the mentioned paper voting cards, or other means; the entire protocol is fairly complex but the instructions for the voter are actually simple and straightforward. maybe so simple that they seemed so obvious to everybody involved that nobody really saw this coming.

      • What really is so terrible about voting with paper ballots?
        • by znrt ( 2424692 )

          you tell me. why do you ask me such a loaded question? i'm not an advocate, just sharing what i know about the subject.

          i was skeptical about electronic voting being at all possible before that job. it looked like a very interesting job anyway and it didn't disappoint. it turned out it works and is a trustable process. there is room for improvement, though. it has a lot of complexity and needs scrupulous management and supervision, i'm not sure that's adequate for every context or even that it scales very we

          • why do you ask me such a loaded question?

            My question was not at all loaded. Presumably, advocates of electronic voting have to believe there's something so wrong with paper voting to the point of justifying all the time and money to develop, implement, and deploy electronic voting. I'm just asking what such people believe those sufficiently wrong things are.

            the purported benefits are efficiency, increased accessibility, increased participation .... those are mostly noble goals, but not a priority in my o

            • by znrt ( 2424692 )

              I'm just asking what such people believe those sufficiently wrong things are

              can't really help there. i don't think paper voting is fundamentally flawed at all, but it is far from a perfect process either. it is a costly and unwieldy operation that involves huge quantities of human labor (which tends to qualify poorly btw), generates quite a bit of waste and is often disruptive of the productivity, and isn't impervious to fraud either. deferred voting in particular, (e.g. mail voting) is often cumbersome in many places (for some weird reason) and offers far less guarantees. incident

    • It's disappointing that a system the Swiss tried really hard to get right is hackable.

      Any system is hackable. It was demonstrated elsewhere (for example in the Netherlands, where they played chess on a voting machine) that voting machines can never be trusted

      This has everything to do with being a black box. Even if there are no connections to the outside world, you can generate strong electric fields to wipe the memory or temporarily disable it. The fact that paper is less hackable is that everything is visible. For paper, you need enough eyes to see that there is no tempering, for devices

  • by Joe_Dragon ( 2206452 ) on Tuesday October 17, 2023 @06:45PM (#63932791)

    your boss can force you to vote at work the way they want?

    way does this need to be online??

    • The other thing more important with Switzerland is that they have a mostly direct democracy.
      Many issues are directly decided by people voting on the issue, at all levels.
      It is far superior than any other country's indirect and biased political system.

    • your boss can force you to vote at work the way they want?

      Your boss could also kill you, steal your ID and go vote in person too. Your boss could do many illegal things. This concern is really incredibly short sighted.

    • by AmiMoJo ( 196126 )

      If you boss wants to do that they can simply insist you get a postal vote and watch you fill it in at work.

      That's not the issue here. The issue is a technical problem that can be used to manipulate vote counts undetectably.

  • by Press2ToContinue ( 2424598 ) on Tuesday October 17, 2023 @06:56PM (#63932803)
    C'mon man, they can all be hacked.
  • by Baron_Yam ( 643147 ) on Tuesday October 17, 2023 @07:01PM (#63932811)

    Paper ballots, hard pencils. You can design the ballots to make scanning into a computer easy and reliable for computer tallying, but the original vote needs to be on paper.

    If you have issues with voter disenfranchisement, switching to a system where the process is opaque only lets them get away with it more easily behind the scenes.

    If your population doesn't care enough to protect ballots, democracy no longer matters.

    • Pencils? Sorry, you kinda lost me there, but.... my state elections use scannable cardstock paper ballots with indelible Sharpie pens to mark them up

      They go to great lengths to document custody and ensure that the votes are properly tabulated and the ballots stored for future review.

      Mail in ballots have a more complicated review and "curing" process, but voters are allowed to track their ballot to make sure it was tabulated

      So far, the right wing nut cases have lost every court case they have tried to raise

      • The pencils used in elections are indelible, too. They contain special coloring substances that get transferred to the paper. See e.g. https://cool.culturalheritage.org/coolaic/sg/bpg/annual/v17/bp17-05.html .
        • Interesting, apparently a UK/EU thing

          So says the wiki

          Modern uses

          An Italian copy pencil used in elections
          In Italy and other countries, their use is still mandated by law for voting paper ballots in elections and referendums. The signs written with copying pencil cannot be tampered with, without leaving clear traces on the paper.

          Apparently there are some down-sides I suspect we will stick with Sharpies

          Health risks
          Indelible pencils were the cause of significant health risks due to the presence of aniline dyes.

    • by AmiMoJo ( 196126 )

      Being able to vote electronically helps increase participation. It also makes voter suppression harder, because simply taking away polling stations in areas unlikely to vote for your candidate doesn't work so well.

      • When you're trying to work around voter disenfranchisement, you've already surrendered something fundamentally important - you've accepted disenfranchisement as a valid political tactic.

        Rather than trying to work around it, you ought to be hanging the people who work to selectively disenfranchise voters. They're traitors to your society. Dangerous ones.

  • by bjoast ( 1310293 ) on Tuesday October 17, 2023 @07:08PM (#63932827)
    With remote voting, there is no way to guarantee that you have not been coerced. If you have to privately enter a booth in a physical space, you have deniability.
    • With remote voting, there is no way to guarantee that you have not been coerced. If you have to privately enter a booth in a physical space, you have deniability.

      Precisely why unions in the US want 50% of workers signing a card being enough to create a union (union organizers can see how you vote, but employer can't), vs. 30% of workers signing a card being enough to trigger a NLRB-supervised election (neither side can see how a worker votes). The ability to coerce is worth a 20% higher voting threshold.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

      (Yes, employers coerce on the other side, but the way to fix that is to fix/punish that, not just balance that out by increasing co

    • by znrt ( 2424692 ) on Tuesday October 17, 2023 @09:19PM (#63933039)

      the system mentioned in this article actually approaches this in a simple and very effective way: you can vote as many times as you want, only the last one counts, and if that fails you can always vote on paper which would override any electronic vote, thus it protects against coercion at least as well as traditional paper voting.

      • ...unless you have a representative at the polling site that checks who goes in and who doesn't. And it is important that representatives are allowed into physical voting locations to check for fraud.
        • by znrt ( 2424692 )

          i'm unsure about what part you misunderstood here? political representatives do indeed need to be present at polling stations like in any other election to supervise several aspects of the process: privacy in the booths and prevention of coercion but also fair access to voting materials, custody of ballot boxes and supervising the whole voting and counting process.

          what i'm saying is that the system provides a mechanism to circumvent coercion while voting remotely but still allows the voter to fall back to t

          • Please don't assume I'm the one misunderstanding things here.

            Let me give an example. Party A offers me $1000 if I vote for them. To prove that I voted for them, they ask me to vote electronically in their presence at the time when electronic voting closes. Then, their representative monitors the poll station and checks I am not overriding the electronic vote with a paper vote: if they see me at the poll station, no $1000 for me.

            Your secure voting system cannot prevent this vote control exploit, can it?
            • by znrt ( 2424692 )

              voter coercion has nothing to do with vote buying/selling

              if we adapt your example to plain coercion, though, the voter may simply "lose" the voting card, thus being forced to vote on paper. other than that you are describing a voter that is under absolute control of another person (maybe a family member), and you also add the collusion of a party representative which is actually overkill too, because if you have full control of a person you can prevent them from going to the polling station anyway.

              now, talk

              • My example does not assume constant control by a family member. You just need the voter to be under your control at the time electronic voting ends. Or, even simpler, for them to give you their credentials for electronic voting, so *you* can vote for them at the end of the allotted time.

                Yes, this example requires a party representative to be on the board. I am not sure which threat model you have, but to me this seems the most dangerous scenario, not individual efforts to coerce one single vote.

                Yes, I agree
    • With remote voting, there is no way to guarantee that you have not been coerced.

      With local voting there's no guarantee that you have not been murdered and someone else has taken your identity and voted in person. Murder of course is illegal, so is fraudulent voting, so is voter coercion. The latter is rarely significant enough to impact an election as no one is fucking dumb enough to do it for the sake of a couple of votes.

  • Every step away from in person paper voting in triplicate(one copy into the counted ballot box, one copy into the county level backup, and one copy into a state level backup) with indelible ink marked fingers is inherently more insecure than the last. Moreover, any system that is not genuinely auditable has a significant measure of fraud in it, period. Anyone saying otherwise is either ignorant, delusional, or a disingenuous shitstain.

    • I do not get the "in triplicate" requirement, it seems to offer too many opportunities for the three copies not to match. You also have a simpler chain of custody if a single repository is used

      • "It seems to have too many opportunities for the copies to not match"

        I'm sorry, do you not understand the concept of pressure sensitive papers?

        • LOL, I have actually used them and they suck, the sheets frequently misalign and the bottom sheet is frequently hard to read

          It seems like unnecessary complexity with more problems than benefits

  • by nospam007 ( 722110 ) * on Wednesday October 18, 2023 @03:41AM (#63933467)

    These guys prevented women from voting until the 70ies, in some canton only in 1991, they are not 'modern' or 'progressive'.

  • For a very simple reason: Conspiracy nuts.

    Even if it was 100% audited and perfectly safe, it opens up a very dangerous can of worms. It can only be audited by a very small group of people. Security experts. And every time something becomes dependent on the goodwill of a small group, even if that group was honest and honorable, you also open the floodgates for the conspiracy nutters who will claim that THEY control them and that THEY rig the system. That every security expert is of $political_group_I_don't_l

  • One of the key issues with e-voting is that votes have monetary value and consequently will be sold on the black market. In-person polling station voting has one key advantage - your actual vote is not known to other parties.

    Considering that in recent past key and impactful elections and referendums were rather close, imagine high value such votes would bring. More so, vote buying would be conducted by state-sponsored spy networks with unprecedented sophistication, so it will be hard to detect.
  • it would be trivial to print the proper url and procedures on the same page as the codes and require 2FA

  • (Donning my flame retardant suit in anticipation of the reaction from the humor-impaired)
  • So it looks like the actual voting system gives you a paper card with different verification codes for each candidate.

    After you cast your vote the server sends you back the verification code for the candidate you chose. The idea being that only you (with your paper card) and the server know the proper code, so even if the browser is compromised they attacker won't know the proper code to send back.

    The hack in this case is for the browser plugin modify the voting page to ask for the verification code for the

  • by RightwingNutjob ( 1302813 ) on Wednesday October 18, 2023 @11:13AM (#63934431)

    Sorry folks. That's a paddlin'.

    Kinda like keeping the schools open is anti-intellectual, and letting poor black kids take algebra 1 in the 8th grade is racist.

    [circus music plays in the background]

  • What voters seem to forget in countries with big central governments that are involved in everything is that this very "the government is involved in everything" issue makes it so that every election involves millions/billions/trillions of dollars/euros/yen etc and people will do a lot of nasty stuff for those piles of cash. People will murder other people for $100K life insurance policies. What will somebody be willing to do for a million? a billion? a trillion? Is messing with elections taken more serious

  • Any voting system that has an electronic component to it that's proprietary can't be audited. There are so many flaws to current voting systems. The paper ballots aren't unique and are easily reproduced. Vote counting that takes place in locations like stadiums can't be secured. Humans feeding the ballots into the machine can double-count ones they prefer because they aren't unique. The software in the machine can easily be pre-programmed to give a desired result that's just slightly above suspicion an

Avoid strange women and temporary variables.

Working...