Alice in E-Voterland

Author: Alko R. Meijer

Introduction

Early in February 2019, the Swiss postal authority announced a challenge: for four weeks, starting later that month, all interested parties would be welcome to take part in a so-called "intrusion test" of their proposed electronic voting system. The design of the system was a combined effort of Swiss Post and Scytl, then a Spanish company specializing in electronic voting and election technology in general. The purpose of such a test is to submit the system to attacks on its integrity. Thus attackers would try to break the confidentiality of votes or show that the outcome of an election could be manipulated by a hacker. The initial announcement explained that such a test was required under Swiss law:

In order for the cantons to be able to offer e-voting with Swiss Post's completely verifiable system to all voters in the future, the system requires federal approval. To gain such approval the system must undergo a public intrusion test in accordance with the requirements of the Confederation and the cantons. [Swiss Post 2019a]

As part of the test, the source code of the system was made available to participants who agreed to certain conditions, one of which was that a successful attack would only be published at least 45 days after informing Swiss Post.

It seems likely that someone leaked the source code because there was an almost immediate reaction from various sides, pointing out a fundamental flaw in the design [Lewis et al. 2019]. The planned rollout for the Swiss canton elections in May 2019 was cancelled [Walker 2019].

What went wrong?

We discuss electronic voting and the demands made on any design in order to satisfy the requirements of the voting populace. We then outline techniques that appear to meet these demands but find that they suffer from the weakness pointed out by Lewis et al. [2019]

A caveat is necessary here: We concentrate on one aspect of electronic voting, thus simplifying matters by ignoring many vital problems, such as those of identifying and authorising the voters as well as the method of voting itself. We work with a scenario in which only registered voters submit votes, which they do by means of a voting machine that is, for the sake of our discussion, considered secure and trustworthy. This is, in real life, a very demanding assumption: There are many problems in the design and use of such machines. Just Google "voting machines problems." But, to us, voting machines, and paper for scribbling on, buttons for pressing, or cards for punching, etc., are all allowed and taken to work as advertised. Our concern is with getting the completed ballots from their source to some counting device or body, and that the counting be done accurately.