Fact and fiction 20.12.2018
The recent decision by the Geneva authorities to abandon the development of their e-voting application is stirring a debate in which legitimate concerns citizens have are met with a tide of incoherent information that combines politics and technological confusion. A guest column from Christian Matthey.
First, a bit of history
In 2001, the Swiss Confederation commissioned three trial cantons (Geneva, Zurich and Neuchâtel) to carry out testing of e-voting on a limited number of voters. In 2005, Neuchâtel allowed its voters to take part in the very first electronic federal vote. Then, in 2013, the very first cantonal e-vote took place in Neuchâtel.
The principle of the development of e-voting
A specialist unit from the Swiss Federal Chancellery monitors developments by defining different stages and requirements (on security and certification), and it authorizes the cantons to give the vote to increasingly large sections of their population. This refers to individual verifiability, where the system allows everyone to ensure that their vote has been cast in the electronic ballot box without having been tampered with. At this level and with all the necessary certifications, 50% of the population is authorized to vote electronically. Universal verifiability on the other hand, which is in its final stages of development, involves additional security features that ensure any attempt to tamper with an e-voting ballot box is instantly detectable.
The problems of Zurich and Geneva
Given that the complexity and development costs associated with reaching varying requirement levels is increasing, the fact the Zurich solution has been ruled out and the fact the Geneva solution is slowly running out of steam show just how tough it is for a single canton (or even a group of cantons) to take on such a task alone. This is why the canton of Neuchâtel has entrusted Swiss Post with the task of working on its e-voting solution. Swiss Post uses the same technology that was tested in Neuchâtel, the core of which was developed by the global leader in the field. Several other cantons have also begun collaborating with Swiss Post.
Responses to comments in the press and on social media
A private company should not be responsible for counting votes.
There is a major misunderstanding here. The sovereignty of the cantons is fully guaranteed across the board in the case of e-voting as well. The cantons are responsible for all the political processes that e-voting involves (i.e. preparing, configuring, deciphering and counting the votes). The system operator plays no role at all.
Furthermore, Swiss Post, which is owned entirely by the Swiss Confederation, is not a typical private company. The voting processes and systems involved are monitored by a group of specialists from the Swiss Federal Chancellery. These processes must meet the requirements of recognized certifications. The fact of the matter is that a public service cannot develop its own standards or security software. Even a solution developed by a governmental body, which is what the canton of Geneva did, would incorporate components from the industry and draw on external resources as well. Would a cantonal government really be capable of monitoring the developers and their associates? Would it be able to analyse the product code very carefully and ensure the system is secure?
For Geneva, it is the size that is the problem. The prospect of developing an electronic ballot system that meets the strictest criteria is very dim, even if several cantons were to be involved. Swiss Post itself relies on solutions that involve dozens of specialists working on them (such as cryptographers, mathematicians, IT technicians).
This makes Swiss Post an acceptable compromise in that it is a company monitored by the Swiss Federation and acts as a genuine supplier, and which is contractually obliged to ensure a shared solution is both developed and maintained. In the event of a change in Swiss Post’s status, it is conceivable that a new, mixed entity could be created to safeguard sensitive services for the Swiss Confederation.
We must not have a “black box” where nothing is clear.
Following the Geneva example, Swiss Post intends to publish its software sources so that they can be verified by impartial experts.
E-voting is not entirely secure.
The notion of absolute security itself is quite a problematic one. Is postal voting entirely secure? Envelopes could be intercepted in letterboxes (belonging to “private” companies, Swiss Post, etc.) or by unscrupulous individuals in municipal offices. Results are already transmitted electronically between municipalities and cantons. Individual and universal verifiability would ensure security is at a level where, if there is an attempt at tampering, it would be detected.
Geneva is stopping work on the solution because it is not secure.
In the strictest sense of the word, the e-voting system in Geneva was not actually hacked. Nobody accessed the ballot box to carry out any modifications. The experiment simply showed that it was possible to trick a user into thinking that they were connected to the voting system in order to intercept their vote. If the user had been vigilant, they would have noticed the change in server address in their browser. What’s more, if such a thing were ever to take place, the user would not receive correct verification codes from the server in return (individual verifiability). As with any IT system, a degree of vigilance is required on the part of the user.
E-voting should be banned.
This is really an absurd idea. After spending tens of millions since 2001, which has made it possible to carry out hundreds of votes without major problems, why would we abandon a system called for by the population, and which is broadly supported by those who use it? E-voting also strengthens democracy by making it easier for Swiss nationals to vote abroad (postal voting is often not fast enough for the return trip). E-voting is also likely to encourage younger voters to exercise their democratic rights.
E-voting strengthens the overall security of our voting system.
As a matter of fact, and this is the crux, with multiple voting systems (by post, online or in person), you have mutually assured security. Any global or local attempt to tamper with one of the voting systems would reveal unusual differences in the results of each voting method. This in turn would indicate that there is a problem, which would allow checks to be carried out or even for the vote to be cancelled outright. This argument would not hold firm if everyone voted electronically. This means we ought to introduce a process whereby a representative sample of the population has to vote by post.
The only other solution is to take two steps backwards and make cantonal assembly voting commonplace, though this would be a tall order for the cities.
E-voting therefore strengthens the overall security of our democratic system.
This article is an outside contribution. The content does not necessarily reflect the official stance of Swiss Post.