The public intrusion test of Swiss Post’s e-voting system carried out in recent weeks has aroused a great deal of interest among experts and the public, especially once the discovery of serious vulnerabilities became known. These incidents show how important cooperation and transparency are in the introduction of e-voting. In mid-February, Swiss Post published the specification and source code of its e-voting system. This happened in the run-up to the intrusion test, which attracted great media attention. However, the serious vulnerabilities that have now become known are already apparent in the specification of the system; the source code and the intrusion test play only a subordinate role. The specification is the actual blueprint of the system: it describes which components make up the system and how they work together. If this blueprint contains an error, the problem is a fundamental one.
Universal verifiability is missing
The vulnerabilities discovered are serious because they show that the so-called universal verifiability of Swiss Post’s system does not exist. Universal verifiability is the central security requirement that the Federal Chancellery places on all new e-voting systems that are to be used for political elections in Switzerland. It allows independent bodies to check the result after an election or vote on the basis of the data collected. This verification can be compared to the recounting of votes in paper-based voting systems. It prevents anyone from manipulating the result of an election or vote without being noticed.

At the end of 2013, the Federal Chancellery issued the first ordinance on the use of e-voting systems for political elections in Switzerland, in which universal verifiability was required for the first time. In addition, a process was defined for the certification of e-voting systems, in which universal verifiability must be demonstrated. This certification process corresponded to the state of knowledge at the time. At the end of 2018, however, researchers were able to show that proving the verifiability of an e-voting system on its own is not enough: the individual verification steps must be concretely defined as part of the specification. Only then can independent expert groups check the verification for completeness. Notwithstanding these new findings, the certification of Swiss Post’s system was carried out on the current legal basis. This is what made it possible for a system that is not universally verifiable to successfully pass the certification process.
Conclusion of the BFH researchers
All of this shows how important it is for political institutions, manufacturers and academia to work closely together in the development of e-voting systems and in the definition of the associated processes. In addition, the public must be involved at an early stage in order to achieve the greatest possible transparency. This includes an open discussion of the trust assumptions on which universal verifiability rests. For example, the non-manipulability of an election or vote is only guaranteed if certain components of the system are operated by independent organisations, so that no single party has sole control over the system. Another important assumption is the trustworthiness of the printing company that prints the election documents and thus plays a critical role at the beginning of an election or vote. From the point of view of the BFH’s e-voting group, it is important that all of these assumptions are questioned, so that a conscious decision can be made as to whether the residual risk they carry is acceptable for our democracy.