Category: Links to documents

Internet voting in Switzerland

There is currently no Internet voting in Switzerland, primarily due to security issues.

It’s complicated to write about Internet voting in Switzerland for several reasons:

  • Switzerland has a political structure of cantons, voting is done by canton with different systems in each canton
  • Switzerland does not have a history of voting privacy; historically and in a few locations even today voting is done by a public show of hands
  • Switzerland has many votes throughout the year on what are basically referenda
  • Switzerland has a good, but quite complex, set of regulations around Internet voting

Internet voting has been an option in some cantons.  I believe testing began in 2004.  Because of the Swiss Internet voting regulations, as best I understand the maximum percentage that can vote online is 30%.  (More than 30% voting online triggers additional requirements.)

The 30% figure is a bit misleading however.  Because only some cantons participated in online voting trials, it was open to just 3.8% of the overall electorate in September 2018 (and now is not available at all).1

1 Source – Slides “Trust in e-voting” (PDF, 1 MB, 07.02.2019), from Federal Chancellery FCh > E-Voting

As indicated above, the absolute number of voters was always relatively small.  In my own analysis of reports available online, I find that under 5% of the eligible voters vote online, representing 200,000 or fewer votes per voting period.  (My understanding is that voters have to register in advance to vote online; it’s not clear to me whether the numbers in these reports are just the number of registrations, or the actual number of ballots cast online.)

The map below summarizes the online voting testing that has been done by cantons, as well as making it clear that there is currently no online voting at all (in French « Pour l’instant, il n’est pas possible de voter par voie électronique en Suisse », roughly translated “For the moment, it is not possible to vote online in Switzerland”).

La Suisse - Essais de vote électronique dan le cadre de scrutins fédéraux
La Suisse – Essais de vote électronique dans le cadre de scrutins fédéraux

Above map from Chancellerie fédérale ChF > Vote électronique.

Turnout

Research indicates that turnout did not increase, specifically youth turnout didn’t increase.2

2 Internet voting and turnout: Evidence from Switzerland, by Micha Germann and Uwe Serdült in Electoral Studies, Volume 47, June 2017, Pages 1-12. https://doi.org/10.1016/j.electstud.2017.03.001

Background on Geneva and Swiss Post

Geneva developed two systems, CHvote 1 and CHvote 2.  As best I can understand CHvote 1 has been suspended, and there’s no money to further develop CHvote 2 to the level it would need to reach.

Swiss Post developed two systems, including a new one with a third-party for-profit private vendor.  The old system is being discontinued.  As required by Swiss law, the new system was put to a public intrusion test (with restrictive conditions) and the source code was made available (with restrictive conditions).

Swiss Post makes a remarkable claim about the new system.

The new system with universal verifiability was subject to a public intrusion test (PIT) in spring 2019. During the test, it withstood attacks from over 3,000 international hackers.

This is at best misleading.

The conditions on both the general testing and the availability of source code were restrictive.

There was not in any sense either unrestricted public testing nor unrestricted publicly available open source code.

And, through access to the source code outside of the restrictive agreement, three serious flaws in the system were found.

You can read e.g. Researchers Find Critical Backdoor in Swiss Online Voting System by Kim Zetter.

Three reports are available about the Swiss Post system from the Swiss government site, two in English and one in German.

    • Final report Locher, Haenni and Koenig (English) – (PDF, 1 MB, 29.07.2019) – Members of the e-voting research group at the Bern University of Applied Sciences BFH (Philipp Locher, Rolf Haenni, Reto E. Koenig): analysis of the cryptographic implementation of the Swiss Post voting protocol
    • Final report Teague and Pereira (English) – (PDF, 731 kB, 29.07.2019) – Vanessa Teague (The University of Melbourne, Parkville, Australia) and Olivier Pereira (Université catholique de Louvain, Belgium): analysis of the cryptographic protocol and its implementation according to the system specification
    • Final report Oneconsult (German) – (PDF, 303 kB, 29.07.2019) – Oneconsult: Review of Swiss Post’s operational security measures

Estonian Parliamentary Elections 2019 – ODIHR Election Expert Team Final Report – Internet Voting

The Office for Democratic Institutions and Human Rights (ODIHR) is a division of the Organization for Security and Co-operation in Europe.  The ODIHR has produced a report on the 3 March 2019 Estonian Parliamentary Elections.

ODIHR Election Expert Team Final Report – Estonia – Parliamentary Elections 3 March 2019 (PDF)

The ODIHR reviews a wide range of election conduct against international standards.  I will only extract selected parts of their report from section VII. Internet voting.  Numerous issues were identified.

In extracts below, EET = Election Expert Team and SEO = Estonian State Electoral Office.

Internal Attacks

the detection and prevention of internal attacks has been largely omitted. A review of operational and technical frameworks by the ODIHR EET indicates that an internal attacker with privileged access to digital ballots could break the vote secrecy of any voter who published an image of the QR code online, even after the expiry of the code’s validity. This contradicts national legislation and international standards pertaining to vote secrecy.21

RECOMMENDATION: The SEO could develop strategies to mitigate the risk of internal attacks, conduct third-party risk assessments, and publish any findings and audit reports well ahead of the next elections.

21 See Article 1(2) of the Election Act. Paragraph 7.4 of the OSCE Copenhagen Document requires that votes are cast by secret ballot or by equivalent free voting procedure. Paragraph 19 of the Council of Europe Committee of Ministers Recommendation CM/Rec(2017)5 on standards for e-voting requires that “E-voting shall be organized in such a way as to ensure that the secrecy of the vote is respected at all stages of the voting procedure”.

above from page 8 of the report

Software Errors May Cause Election Errors

The Internet voting system is not software independent, meaning that software errors in its components, such as the key generation system or the processor, may cause undetected errors in the election results. Considering publicly available records the system has undergone quality control activities but, contrary to international good practice, no reports were published on the SEO’s website, while updates to the source code were made as recently as three days before election day and well after Internet voting commenced.22

In addition, a limited source code review of the system by the ODIHR EET indicated issues regarding the treatment of concurrency, error handling, and error reporting.

RECOMMENDATION: The SEO could integrate quality assurance activities into the maintenance schedule of the voting solution and publish the security rationale and all quality assurance results, including design review, security analysis, and penetration testing results.

22 Paragraph 42 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “Before any e-election takes place, the electoral management body shall satisfy itself that the e-voting system is genuine and operates correctly.”

above from page 8 of report

External Auditors Did Not Audit All Operations

A team of external auditors was dispatched to assist the SEO with establishing vote secrecy during the computation of preliminary Internet voting results and the integrity of final Internet voting results by verifying the correctness of the cryptographic shuffle and decryption proofs. The team did not audit other critical operations, most notably the correct transmission of the final aggregation of the decrypted Internet votes.23

RECOMMENDATION: The SEO could strengthen its auditing process by developing a complete strategy and requiring auditors to implement critical auditing tools independently and from scratch.

23 Software independence requires that other operations are also independently audited, such as digital signature checking of all e-votes, removal of all duplicate and other ineligible votes from the digital ballot box, revocation, and anonymization. Paragraph 39 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “the audit system shall be open and comprehensive, and actively report on potential issues and threats.”

above from page 9

Technical Specifications Need Improvement

some key properties are not precisely formulated and left open to interpretation by the SEO and the vendor tasked to implement the Internet voting system, including minimal acceptable levels of cryptographic strength, and accountability and verifiability requirements. This may negatively impact the system’s overall performance and future innovation. The specifications also lack information about timelines and milestones for software development and deployment, and quality assurance.25

RECOMMENDATION: The technological specifications accompanying the legal framework could define acceptable voting systems in more general terms, but include additional requirements related to cryptographic strength, quality assurance, software development and deployment, as well as accountability and verifiability.

25 The Supreme Court considered two post-election appeals against NEC decisions related to Internet voting. While appeals were rejected, the Court recognized the need for more clear procedures and called for a legal clarification of rules on the implementation of Internet voting, in particular regarding counting and mixing of electronic ballots.

above from page 9

Internet voting in Norway

Norway conducted trials of Internet voting in 2011 and 2013.

Internet voting was discontinued after the trials found no improvement in turnout (including no increase in youth turnout), combined with security concerns.

An archive of reports in Norwegian and English is available: The e-vote trial.

Here are some highlights of the reports:

Evaluation of the e-voting trial in 2011 – English summary of Institutt for Samfunnsforskning (ISF) report

we find no evidence that groups of voters have been mobilized to take part in the election as a result of internet voting.

The analyses, in sum, indicate that the trial did not have an effect on voter turnout.

young voters prefer to walk to the polling station on Election Day. They defined traditional voting as a symbolic and ceremonial act that indicates adultness.

Evaluation of the e-voting trial in 2013 (PDF) – English text begins on p 135 (p 137 in PDF)

In line with previous research, our findings indicate that the trial with internet voting does not lead to increased turnout in elections.

The government announced in 2014 that Internet voting trials would be discontinued.

June 25, 2014 – Internet voting pilot to be discontinued

As there is no broad political desire to introduce internet voting, the Government has concluded that it will would be inappropriate to spend time and money on further pilot projects.

The Institute for Social Research evaluated the pilot project in 2013… The report shows that the voters have limited knowledge about the security mechanisms in the system.

“This shows how important it is that elections are conducted at polling stations where election officials make sure that the principle of free and fair elections and the secrecy of the vote is respected,” says [Minister of Local Government and Modernisation Jan Tore] Sanner.

In Norwegian – Ikke flere forsøk med stemmegivning over Internett

The BBC reported this as E-voting experiments end in Norway amid security fears.


As part of the project, in 2009 there was a report on security.  It notes the added risks from remote voting.

The system is no longer by necessity confined to the local polling station; conceivably it is accessible world-wide, thus increasing the potential number of attackers and attack vectors dramatically.

Also as part of the project, in 2012 there was 196-page report International Experience with E-Voting [with a focus on Internet Voting] (PDF).

Swiss voting technology law sets the standard, in theory

Switzerland – Federal Chancellery Ordinance on Electronic Voting 161.116 of 13 December 2013 (Status as of 1 July 2018)

Key Concepts in Theory

  • the system must be independently evaluated (Article 7, item 1)
  • risk must be assessed (Article 3)
  • the system must be evaluated against detailed requirements (Article 2, section a, Article 4, Article 7, item 2 and item 3)
  • the source code must be made available (Article 7a and Article 7b)

Also notable is that the default maximum authorised participation in electronic voting is 30%.  From above 30% to 50% additional requirements apply, and above 50% even more requirements apply.

In Practice

Unfortunately in practice, for a 2019 public intrusion test, the conditions on both the general testing and the availability of source code were restrictive.

There was not in any sense either unrestricted public testing nor unrestricted publically available open source code.

(If you’ve heard that the tested voting system was withdrawn when serious security flaws were found, this is true, but discovery of these security flaws happened through access to the source code outside of the restrictive agreement.)

My Recommendations

The Swiss ordinance has model principles that should be adopted for evaluating online voting.  In particular independent public evaluation and availability of public source code are key (although keep in mind that source code availability doesn’t mean perfect confidence in the code that actually runs).

The Swiss law is however too complex, and it allowed the interpretation loopholes that led to restrictive terms of use in practice.

Therefore the model principles for evaluating online voting must also include clear language on unrestricted public testing and unrestricted public access to source code.

It’s also important that the independent testing include not just funded open hacking competitions (which are useful) but also direct funding to academic research groups.  The cryptography used in modern voting systems is extraordinarily complex; the academics who are expert in it don’t have free time and don’t work for free.

(Even with academics funded to study the voting system, be mindful that nation-state attackers have far more time and resources to devote to finding flaws in systems, as well as having arsenals of zero-day attacks they could choose to deploy during an election.)

Detailed Technical Language

Below are extracts of the technical language from the ordinance.

Voting System Must Meet Requirements

Art 2. … The authorisation for electronic voting in any individual ballot shall be granted provided the following requirements are met:

a.
The system for electronic voting (the system) is implemented and operated so as to guarantee secure and trustworthy vote casting (Annex No 2 and 3).

There Must Be A Risk Assessment

Art 3. … By the means of a risk assessment, the canton must document in detailed and understandable terms that any security risks are within adequate limits. The assessment covers the following security objectives:

a.
the accuracy of the result;
b.
the protection of voting secrecy and non-disclosure of early provisional results;
c.
the availability of functionalities;
d.
the protection of personal information about voters;
e.
the protection of voter information against manipulation;
f.
the non-disclosure of evidence of vote casting behaviour.

Progressively Higher Requirements As Authorised Participation Increases

The ordinance takes an unusual approach which is to set progressively higher bars to increased availability of online voting. By default, the maximum percentage of the Swiss electorate allowed to use online voting is 30 percent (30%).

At 30% participation there is a minimum set of validation requirements

Art 7. 3If no more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial and the system has the property of complete verifiability in terms of Article 5, the system and its operation must be examined in particular detail with regard to the following criteria:

a.
cryptographic protocol (Annex No 5.1);
b.
functionality (Annex No 5.2), whereby the examination may exclude the software in portals of authorities that are linked to a system;
c.
security of infrastructure and operation (Annex No 5.3), whereby the examination may be limited to the infrastructure that registers the vote and creates the proof for the voter in accordance with Article 4 paragraph 2;
d.
protection against attempts to infiltrate the infrastructure (Annex No 5.5);
e.
control components (Annex No 5.4).2

To exceed 30%

Art 4.1If a system is to be authorised to cover more than 30 per cent of the cantonal electorate, the voters must be able to ascertain whether their vote has been manipulated or intercepted on the user platform or during transmission (individual verifiability, Annex No 4.1 and 4.2).

along with other conditions

Above 30% participation there are also different validation requirements

Art 7. 2If more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial (Art. 4 and 5), the system and its operation must be examined in particular detail with regard to the following criteria:

a.
cryptographic records (Annex No 5.1);
b.
functionality (Annex No 5.2);
c.
security of infrastructure and operation (Annex No 5.3);
d.
protection against attempts to infiltrate the infrastructure (Annex No 5.5);
e.
requirements for printing offices (Annex No 5.6);
f.1
when using a system has the property of complete verifiability in terms of Article 5: control components (Annex No 5.4).

To exceed 50%

Art 5.1If a system is to be authorised to cover more than 50 per cent of the cantonal electorate, it must be ensured that voters or the auditors are able, subject to compliance with voting secrecy, to identify any manipulation that leads to falsification of the result (complete verifiability, Annex No 4.3 and 4.4).

along with other conditions

Independent Assessment

Art. 7 Requirements for examinations

1 The cantons shall ensure that meeting the requirements is examined by independent agencies. The examination is made in particular if the system or its operation has been changed in such a way that meeting the requirements for authorisation could be called into question.

Publication of Source Code

Publication of source code is required, but it’s tangled in the level of authorised participation and in other attributes, so I will just include the entire section

Art. 7a1Publication of the source code

1 The source code for the system software must be made public.

2 Publication shall take place when the system has the property of complete verifiability in terms of Article 5, and:

a.
following the examination in accordance with Article 7 paragraph 2 if more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial;
b.
following the examination in terms of Article 7 paragraph 3 if no more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial.

3 There is no requirement to publish the source code of the following:

a.
third-party components such as operating systems, databases, web and application servers, rights management systems, firewalls or routers, provided these are freely available and regularly updated;
b.
portals of authorities that are linked to a system.

1 Inserted by No I of the FCh O of 30 May 2018, in force since 1 July 2018 (AS 2018 2279).

Art. 7b1Modalities for publishing the source code

1 The source code must be prepared and documented according to the best practices.

2 It must be easily obtainable, free of charge, on the internet.

3 The documentation on the system and its operation must explain the relevance of the individual components of the source code for the security of electronic voting. The documentation must be published along with the source code.

4 Anyone is entitled to examine, modify, compile and execute the source code for ideational purposes, and to write and publish studies thereon. The owner of the source code may permit its use for other purposes.

1 Inserted by No I of the FCh O of 30 May 2018, in force since 1 July 2018 (AS 2018 2279).

Official Versions

As English is not an official language of Switzerland, the annexes to the ordinance and explanations about the ordinance are available only in German, French and Italian.  The annexes provide additional technical detail and there was also an explanatory report produced in 2018 providing context about the need to publish the source code.

UPDATE 2019-05-24: Also see the E-voting home pages and policy pages for each language