“I took the e-voting documents to the beach”

“I took the e-voting documents to the beach” 23.02.2023

Two years ago, Swiss Post launched its e-voting community programme. To mark the occasion, the company invited an active member of the community, Jura-based cryptographer Pascal Junod, to an interview. The self-employed entrepreneur explains why he is interested in e-voting and even checks the system documents when he is on holiday. He goes on to emphasize the importance of transparency, open source, and open handling of vulnerabilities in today’s software development.

You’ve been involved with the community programme since the beginning and have already submitted various findings. What’s your interest in e-voting?

I’ve been interested in the topic of e-voting for a long time. I did my PhD in computer science, specializing in cryptography, at the Federal Institute of Technology Lausanne (EPFL) in the early 2000s. This is around the time that we first started discussing e-voting in Switzerland. I looked at the e-voting solution of the Canton of Geneva at the time, as well as the source code for the former Swiss Post system. When Swiss Post began to disclose its new system in 2021, I was immediately interested – in practice, there are not many systems that apply such complex and ambitious cryptographic principles. This challenge appealed to me. I have also been involved with e-voting as a citizen. Compared to physical voting, e-voting is complex. Non-experts can’t understand how it works for themselves. This aspect interests me from a political and philosophical perspective.

You are an entrepreneur and a university lecturer. How much time does that leave you for ethical hacking?

Two years ago, I was on a professional break. It was precisely at this time that Swiss Post published the first documents on its new e-voting system. I wanted to learn more about it and had the time to take a closer look at the code and the specification. I also started to write verification software myself. But that turned out to be too much work.

Nowadays, alongside my professional activities, I have very little time to check the system. That’s why I take the documents with me on holiday. I sit on the beach or in a mountain chalet with a highlighter in one hand and the printed source code or specification in the other.

What specifically interests you about the e-voting system and Swiss Post’s community programme?

E-voting is an ambitious project from cryptographic perspective. At the time of my PhD, “zero knowledge proofs” [a cryptographic method for proving that a piece of information is correct without disclosing the information itself, note added by Swiss Post] were a theoretical concept in academia. It had not yet really been applied in a practical context. Swiss Post was one of the first companies to use these kinds of proofs. I am interested in the interface between science and practical application. It was from this perspective that I wanted to look at Swiss Post’s e-voting system.

What struck me most about the community programme was the high level of transparency – in terms of the disclosure of the system, but also the handling of any vulnerabilities that were uncovered. Things aren’t always like that.

What would you change about the programme?

There are details that Swiss Post could still improve. From my perspective, the write-ins [entering a name in a free-text field, used in elections, note added by Swiss Post] were not sufficiently documented in the security specifications, which caused more workload for me personally. I also think that the documentation structure could be improved. This would enable Swiss Post to further simplify access to this complex topic for external parties. Otherwise, the community and bug bounty programmes are organized in an extremely participant-friendly way.

And finally, what is your experience of knowledge transfer between the academic world and the IT industry? Do open source projects and bug bounty programmes help with the practical application of expertise from the world of science?

This question directly reflects my professional career so far between academia and industry. Open source can be a powerful driver for software development. I have personally co-founded a start-up based on an open source initiative.

We can see how profitable open source is in the field of artificial intelligence. The large global companies have focused on software releases with free licences and proximity to the world of science. In machine learning, this means that a great deal of progress has been made in a short time. Open source and bug bounty programmes are therefore, in my view, essential success factors, both from a development perspective and when it comes to creating trust in digital solutions.