Research and expert commentary on digital technologies in public life
Part 5 of a 5-part series starting here
Switzerland commissioned independent expert reviews of the E-voting system built by Swiss Post. One of those experts concluded, “as imperfect as the current system might be when judged against a nonexistent ideal, the current system generally appears to achieve its stated goals, under the corresponding assumptions and the specific threat model around which it was designed.”
I have explained the ingenious idea (in the Swiss Post system) behind client-side security: because the voter’s computer may be quite insecure, because the client-side voting app may be under control of a hacker, keep certain secrets on paper that the computer can’t see. Professor Ford, the systems-security expert, points out that part of the threat model is: if the printing contractor is corrupt, that prints the paper and mails it, then the system is insecure.
The new threat model in 2022. But I’ll now add something to the threat model that I would not have thought about last year: Step one of the voter’s workflow is, “type in a 20-character password from the paper into the voting app.”
In the old days (2020 and before) the voter would do this using a physical or on-screen keyboard. In the modern era (2022) you might do this using Apple’s “live text”, in which you aim your phone camera at anything with text in it, and then you can copy-paste from the picture. And, of course, if you do that, then the phone sees all the secrets on the paper.
So the security of the Swiss Post E-voting system relies entirely on a trick–that the voter’s computer can’t know the secret numbers on a piece of paper–that has been made obsolete by advances in consumer technology.
Voter behavior as a component of the threat model. Experts in voting protocols came to realize, over the past two decades, the importance of dispute resolution in a voting protocol. That is, suppose a voter comes to realize, while participating in an e-voting system (or at a physical polling-place) that the election system is not properly tallying their vote. Can the voter prove this to the election officials in a way that appropriate action will be taken, and their vote will be tallied correctly? If not, then we say the dispute resolution system has failed.
Also, experts have come to understand that voters are only human: they overlook things and they don’t check their work. So the voting system must have a human-centered design that works for real people.
In my previous post I described the Swiss Post E-voting protocol:
But what if most voters omit step 6, checking the return codes? Then the voting app could get away with cheating: encode the wrong candidates, the server will send return codes for those wrong candidates, and the voter won’t notice.
To address that problem, Swiss Post added more steps to the protocol:
This protocol is becoming ridiculously complex – not exactly human-centered. Even so, here’s how the app could cheat: fail to transmit the “ballot casting key” to the servers, and make up a fake “Vote cast return code”. If the voter omits step 9, then the app has gotten away with cheating: it didn’t manage to cast a vote for the wrong candidate, but it did manage to cancel the voter’s ballot.
And what’s the voter supposed to do if the return codes don’t match? Recall what’s printed in red on the paper:
And what should the authorities do if voters call that phone number and claim that the return codes don’t match? This video (found on this page) suggests the answer: the voter is told, “we didn’t count your e-vote, you should vote on paper by physical mail instead.”
A big danger is that voters skip step 6 (diligently check every return code against the paper printout) and proceed directly to step 7 (enter the “casting key” to submit their ballot). Would voters really do that? Of course they would: research has shown over and over that voters don’t carefully reconfirm on paper the choices they made on-screen.
You might think, “I’ll check my own result, so it’s OK.” But if thousands of your fellow voters are careless with step 6, that allows the voting app (if hacked) to change thousands of their votes, which can change the outcome of your election. For a full analysis, see Ballot-Marking Devices (BMDs) Cannot Assure the Will of the Voters (here’s the non-paywall version).
In conclusion, the protocol has many, many steps for the voter to follow, and even then it’s not robust against typical voter behavior. These issues were left out of the threat model that the experts examined.
Other threats: For brevity, I didn’t even describe some other threats that the experts should probably consider in their next-round evaluation. For example:
Return to top of page
Copyright © 2022 ·Education Theme on Genesis Framework · WordPress · Log in