A shocking truth?
Twelve cantons implemented internet voting at yesterday’s federal vote. According to the federal Chancellery 22 586 voters did actually vote via internet out of the 158 500 authorized ones. Two cantons, Geneva and Neuchâtel, authorized both (a fraction of) residents and their Swiss abroad to vote via internet. The other ten cantons only used i-voting for their expatriates. Up to 58.45 % of the Swiss abroad who voted did so via internet clearly showing that this is becoming their preferred voting channel.
Yesterday’s i-voting brought the number of trials up to 151, since the beginning of the project in 2004. Cantons and the federal Chancellery, which supervises and coordinates i-voting projects, have gathered important experience over the years. A much expected report of the federal Government – the third one on i-voting- was adopted last June. A proposal by the federal Chancellery to modify the federal Ordinance on political rights to reflect the report’s main conclusions was submitted to a public consultation proces.
According to the report it is worth pursuing efforts to extend i-voting use. It contains a detailed time-table and conditions for upgrading i-voting from the current experimental voting channel to a fully-fledged one open to all voters. Of course, i-voting is only intended as a complement to polling station and postal voting.
The Government also committed federal money to help cantons upgrade their systems to so-called second generation systems which offer individual and universal verifiability. This is the precondition allowing for a total liberalization of i-voting. Verifiability is based on mathematical algorithms. It is expected to offer the voter and her/his representatives unambiguous proof that everything went well or that a problem occurred, the so-called individual and universal verifiability. Systems offering both types of verifiability are yet in an embryonic stage. Norway used a similar one at their parliamentary elections earlier this month.
The federal report was greeted by the i-voting cantons as a welcomed clarification of the internet voting perspectives. Canton Zurich, owner of one of the three systems currently in use in the country, decided to resume trials in 2014 after a three years’ suspension. Other i-voting cantons announced plans to gradually extend it to resident voters, in addition to expatriates. New i-voting cantons such as Vaud and Valais initiated work to introduce it.
Amid such developments, Sébastien Andrivet, an ethical hacker based in Geneva, gave a talk at a hackers gathering event on June 22, in Paris. The talk was on how to successfully hack the Geneva i-voting system. A possible attack which exploits the weaknesses of both what is considered to be i-voting’s Achille’s heel- the private computer, and of the confirmation code used by the Geneva system was presented.
Aware of the penal implications of a real attack, the ethical hacker had first set-up a copy of the Geneva internet voting system on his own computers. He had then created a virus capable of infecting personal computers and modifying the voting choices of their users. Andrivet showed how the virus, used in his own test-system, thwarted security checks. Such attack – he said – would go unnoticed by the voter as well as voting authorities.
The information spread rapidly both in the specialized and general press. Despite the fact that the attack was only “virtual”, authorities were quick to react. Some by putting the problem in the context and into perspective , others by clarifying that their own system was not affected.
The Geneva authorities explained that the problem had been known since the beginning and that the electorate’s limitations in place as well as other checks made it unlikely that such a problem would occur or get through unnoticed. Indeed a higher than usual number of requests to modify a vote – the technique used by the virus – would have ringed bells at i-voting supervisory levels. Neuchâtel promptly explained that its own system was not affected as it uses another sort of confirmation codes in connection with end-to-end encryption.
Two members of canton Zurich’s cantonal parliament, representing two “unnatural allies”, the People’s Party and the Greens, joined to launch an initiative to cancel the cantonal legal basis which allows for internet voting trials. Both parties have enough votes at the cantonal Parliament to have the initiative treated. If Zurich is to abolish internet voting that would be a severe set-back also for the seven other Consortium cantons which use the system owned by Zurich and look into that direction for its future development.
Geneva’s problem attracted federal attention too. In a press conference which took place last week, four young MPs from 4 political parties (People’s Party, Social democrats, Greens and Green liberals) explained the reasons of their defiance towards i-voting and promised to introduce two motions during the current session of the parliament to slow down its development (Motion Schwaab “Pas de précipitation en matière d’extension du vote électronique” and Motion Glättli “Kein unsicheres E-Voting. Nur Systeme mit Verifizierbarkeit und offenem Source Code zulassen”).
Motion Schwaab asks the Federal Council to abandon its plans to liberalize internet voting in the near future (extending limits for the use of i-voting from 30 to 50% of the electorate). The modification of the federal Ordinance on political rights is its main target. Motion Glättli requires the Confederation to ban existing systems and introduce second generation ones offering the verifiability option.
The federal Chancellor appeared confident that the federal Government would go ahead as foreseen with i-voting and that no moratorium was on the agenda. Cantons also reacted by declaring plans to introduce second-generation verifiable i-voting by 2014 already.
I-voting acquis. Don’t throw it away!
To those who have taken the trouble to carefully read the first two federal reports of 2002 and 2006 on i-voting, the weakness of the private computer is a well-known problem. It has so far been circumvented with organizational measures such as system-monitoring ones. It is probably the main reason why the federal Council has so far authorized only a small percentage of the electorate to do i-voting (on three different systems) thus making hacking attacks similar to the one described by Andrivet less appealing.
A few years ago the federal Chancellery commissioned a study on the weaknesses of the private platform in the i-voting context. The study was conducted at the Swiss Federal Institute of Technology in Zurich. Results are expected to be published this Fall.
All future extension of i-voting must, according to the Government’s report, be subject to the introduction of verifiability which would allow the voter and his/her representatives to notice possible attacks which modified a/their vote. The proposed modification of the Ordinance goes in this direction. Second-generation, verifiable systems is also what the movers of the two motions and their respective parties are asking for. So, where is the problem?
In Geneva, the Greens have been asking for a moratorium on i-voting. The pirate party, critical of current i-voting system, replies that a moratorium is a bad solution which denigrates the important work achieved so far. Instead i-voting development should be pursued by introducing more transparency (such as source code publication) and allowing citizens to participate in its design.
Back to the hackers’event last June in Paris. At the end of his intervention, Andrivet expressed his frustration that public money is spent in such i-voting experiments. To use the meeting’s moderator words, experimenting new voting channels and adapting voting to evolving social needs, does perhaps not produce perfect results immediately, but has nevertheless the merit to expand our thinking and knowledge. And it’s much better than having a commission which calls a sub-commission, which produces a report, which sleeps in a drawer… And, we would add, it’s in the interest of a living direct democracy.