People must weigh up the risks of e-voting

People must weigh up the risks of e-voting 01.12.17

A parliamentary motion has the goal of submitting e-voting systems to public penetration testing with a bug bounty. However it’s a fallacy to assume that this can prove that the solutions are secure. A realistic, transparent and honest risk assessment is more important, argues Stefan Friedli, cyber-security specialist.

If a controversial vote comes up over the next few years, such as one on joining the EU, would you as a voter be prepared to make this decision electronically?

As part of its direct democracy, Switzerland regularly makes decisions that can have an enormous impact. With this in mind, the fact that the digitization of this process is not finding universal approval is perfectly understandable. Efforts to date by supporters to appease critics and to convince those who are undecided are just as understandable, but miss the point.

A good example of this is a parliamentary motion from the end of September which has the goal of submitting the e-voting systems used in Switzerland to public penetration testing. In a simulated, yet realistic environment, “hackers” would be challenged over the course of two votes to prove that manipulation is possible. Whoever can manage that is in line to win 250,000 Swiss francs, out of a pool of a million Swiss francs in total. If no weaknesses are found, this “confidence-building measure”, as the proposal calls it, is evidence that e-voting is safe.

The idea in itself is not a bad one: these kinds of public challenges and structured, long-term programmes for reporting weaknesses in exchange for public recognition and a financial reward can indeed also be found in the corporate environment, under the term “Bug Bounty”. In those environments, they serve to complement internal tests, analyses and risk assessments, which are already very extensive.

But the fallacy comes from assuming that the absence of reports of weaknesses during this process automatically proves that a solution is secure. And it is exactly this assumption of a binary result, i.e. secure or insecure, that is unacceptable given the number of ways a vote could be manipulated.

The parliamentary proposal is therefore certainly well-meaning, but is more of a “confidence-building measure” to convince those undecided than a real step towards secure e-voting. Instead of accepting what is purported to be evidence, Swiss voters need to make a realistic, transparent and honest risk assessment: how high is the risk that the system being used can be manipulated by third parties in spite of all efforts and in spite of all the investments made? How high is the likelihood that an optimally organized election observer system can reveal this manipulation? What would be the impact of this kind of manipulation? And if such an incident happened, what would the crisis management concept look like which would protect direct democracy in this crisis scenario? And the duty to provide information would not end there: before each referendum, the Confederation would need to inform voters transparently about the risk of voting manipulation online and, in case of doubt, would need to accept that voters are no longer able to or want to bear the risks in certain crucial proposals – such joining the EU.

The history of information security teaches us that every system – regardless of the efforts of its operators – is vulnerable. Of course the Confederation prescribes strict security specifications, which are reviewed regularly. But absolute security is an utopia, which e-voting cannot turn into reality. The decision for or against e-voting depends on whether and to what extent well informed citizens are ready to bear the associated risks, in order to benefit from the advantages promised by such a system.

It is now up to the supporters to create the basis for trust in a system, with facts and concrete concessions to transparency, and not just to persuade people that it should be introduced.

Stefan Friedli has been identifying weaknesses in the products and infrastructure of Fortune Global 500 companies and a multitude of Swiss companies for over a decade. He is a co-owner of the Zurich-based company scip AG, which specializes in cyber-security services.