Talk on E-Voting at #LibertyBits2018

The slides can be found at https://packi.ch/data/evoting_pstaehlin.pdf; they don’t contain any text though.

I love technology. I’ve been programming since I was eight years old, and still do to this day. But in the last years I’ve been trying to get a better understanding of what technology does to our society. Technology makes our lives easier: we no longer have to go to the river to get water, we can pump it out of the ground. It keeps us connected all the time; you may argue whether that is a good thing or not, but if you want it, it is there.

It keeps our food safe for consumption and by that helps us stay alive. In fact we’re so reliant on it that if the power went out, we’d have riots over food within eight days, because we’re not equipped to keep food safe or prepare it without electricity. At least not for as many people as would depend on it.

Technology leads us down paths we would never have imagined twenty years ago, let alone a century ago. Facebook(tm) is not even 13 years old!

But technology also leads us down paths that may impact society in a far worse way. Oil was great for the last century but now we’re struggling to develop and introduce cost-effective alternatives, as we’ve found out it’s not the best idea to pump CO2 into the air.

Nuclear energy has been thought of as a very clean source of power. But after Fukushima, things have changed a bit. Before nuclear power could be developed, something else had to happen first. And I don’t want to think about what happens to us all if we get to that point again. Of course I’m not comparing the introduction of the A-Bomb to E-Voting, but sometimes you need to paint a dark picture to get attention.

Democratic decisions have always enjoyed great acceptance because everybody understands how the system and its processes work. Here is how it works in Switzerland. You get a ‘token’ and your ballot sheets in a letter, together with some information material that should be impartial. Should. You show up at the polling place or mail your vote in. It gets locked up in sealed boxes, and after 12 o’clock on a voting Sunday the seal gets broken in front of everybody and the votes get counted.

Paper ballot voting is easy to verify. At least in Switzerland you can go to the polling place and observe how the ballots are being counted. The people counting are drawn from a pool of volunteers from the elected parties, so a good mix of people from both sides are sitting at the table counting votes.

This transparency ensures that even in close races the winners and losers of the vote will accept the result. At least most of the time. Some may still cry voter fraud, but the people know how the process works. They know that it’s very hard to cheat the system. So those cries die down quickly, and if fraud is detected it mostly stays in the single digits of votes.

With E-Voting that’s not so easy. How do you observe an e-voting system? The server may not even be located in the same place or country where the vote takes place.

E-Voting will divide the people into two groups: those who have to believe the results and those who understand the algorithms behind them. To keep the vote on the ballot secret, even from the E-Voting provider, you need to employ heavy math that is probably understood by 20 people in Switzerland.

This division will instill doubt in the results, either implicitly or explicitly by shouting fraud, because the process becomes opaque. Before, you had a number of people you actually knew counting the votes; now it’s a black box that spits out the results.

The constitutional court of Germany ruled that “every voter needs to be able to understand how their vote gets counted and what measures are in place to ensure that their vote will not be altered”.

For me, and the groups I represent, this is the main point to be made: E-Voting destroys the transparency of voting results. We’re not even talking about voting fraud or manipulated systems yet. It’s simply too complex for an average citizen to grasp.

And don’t make the mistake of comparing E-Voting to E-Banking. E-Banking works because internally it’s all transparent. With E-Voting, or any voting system, you need to make sure that nobody is able to see what or whom you’ve voted for. Also, E-Banking saves the banks a lot of money, so they don’t have an incentive to publicly announce breaches. They cover your loss if you’re being skimmed to keep the security problems under wraps. If they didn’t do that, trust in the banking system would erode and we’d have a bank run. In a vote the stakes are much higher. If you fail to prove the result is valid, you’d have riots every time somebody is not happy with the result.

Bruce Schneier wrote in a 2017 blog post: “While that seems attractive, and certainly a way technology can improve voting, we don’t know how to do it securely. We simply can’t build an Internet voting system that is secure against hacking because of the requirement for a secret ballot.”

And no, the Blockchain isn’t the solution to this problem. Sure, it helps with securing, distributing and verifying results per voting district. Something that we in Switzerland still do by unsecured e-mail and Excel sheets.

Germany has an application for that. At the last Chaos Communication Congress in Leipzig there was a talk about the software used to transfer the tallied votes to the administration centers. It wasn’t pretty. No security at all, or wrongly employed cryptography, passwords of FTP servers in configuration files. Or publicly accessible documentation containing those passwords and the VPN credentials to reach the servers. And those are the companies that actually get to implement e-voting systems. This leaves me speechless.

And with that, it should be clear that e-voting is a danger to society. Maybe not as much as the invention of the atom bomb, but still a danger.

But still our government wants to go forward, and we’re being called tinfoil hats or conspiracy theorists. Because it is part of the E-Government strategy, it can’t be questioned. The agency that is responsible for evaluating these systems and making up the rules for them is inept in the area of security.

So let me tell you how they think it should work:

You get an access code in a letter from the postal service. Then you use your computer or mobile device to vote and submit your ballot to a server that tallies the results.

Now, every lightning bolt on the slide marks a problem.

First, you can’t have the Swiss Post generate and deliver the access codes and also operate the e-voting system. You can’t have the issuer of a code be its transporter and verifier as well. What we’ve learned the hard way from E-Banking is to always, always use two-factor authentication. That means two different paths.

Then the computers. We’ve all been there, fixing our relatives’ computers. They click on everything and probably can’t even detect a broken certificate. In fact, one canton has a guide on how to accept invalid certificates, because larger corporations tend to have a man-in-the-middle proxy.

Which is a good thing, because this proxy can then be used to alter the vote.

Then there is the issue of the e-voting server software. You can observe or review the code that is running on the server, but who guarantees that the server actually runs the version of the software you’ve reviewed? And how could you check? Accessing that server while the count is running would be like breaking the seal on a ballot box. That means you can’t maintain those servers. That means no updates. And I don’t have to tell you what happens if you don’t maintain your servers over a three-week polling window. And doing a post-mortem may not help you either, as the time voting ends is clearly defined and any such tool could delete itself from the server.

And I’m not even touching on the revelations made by Snowden and Reality Winner or the recent leak of NSA tools, after which you should consider your internal networks breached by default and no longer safe. Also, a script kiddie with 400 bucks in Bitcoin could probably take the platform down by ordering a DDoS on the infrastructure.

There are three conditions for an E-Voting platform to be considered lawful for full-scale deployment in Switzerland:

  • cast-as-intended: the software needs to submit my vote as I intended it
  • recorded-as-cast: the server needs to have my vote on file exactly as I cast it
  • counted-as-recorded: when counting, my vote needs to end up in the right column

Also, though this is not unique to e-voting, the secrecy of the vote needs to be upheld.

To sum it up:

  • E-voting removes transparency from the voting process
  • Results can’t be independently verified
  • It should be opposed as a threat to society.

Thank you very much!