
Public hacker test on Swiss Post’s e-voting system - donohoe
https://www.evoting-blog.ch/en/pages/2019/public-hacker-test-on-swiss-post-s-e-voting-system
======
a-dub
"Other attacks are not permitted to be used and no compensation will be
granted if used. These include:

Attacks on other Swiss Post systems or applications

Attacks on the voter’s end device

Attacks based on the assumption that voters do not keep to instructions, e.g.
a voter does not check the ballot casting key"

so like... they pass the test, and then they declare "it's secure! we did a
'hacker' test!". but then they deemed these giant vectors out of scope...

seems dangerous in that it fails to demonstrate that the thing is actually end
to end secure, yet creates a straw man that sounds awfully close...

sure it's a hard problem. that's the point.

~~~
xyzzy123
The scope has to end somewhere.

Attacks on other Swiss Post stuff are probably out of scope because it's hard
to get agreement from all the stakeholders involved.

The other stuff sounds like things they can't reasonably control (voter device
security and behaviour).

Going into the Ts&Cs, this looks more like a good faith effort than a blatant
Telegram or BitFi style publicity stunt.

~~~
closeparen
No, it absolutely doesn't. The scope for an electronic voting system is
anything and everything that a hostile world power's intelligence agency might
be able to try. If you want to use a bounty program to convince people a
voting system is secure, it needs to include immunity for kidnapping and
torturing key staff members and their families, and other real-world
activities, in addition to all the electronic attack surface in the universe.

This is clearly unreasonable... and so is electronic voting.

~~~
rjf72
When comparing one system to another you should generally do just that. Not
compare one system to an absolutely perfect and flawless system. The NYT had a
pretty solid article [1] on the fiasco that happened in Florida in their 2018
elections. But I think a couple of paragraphs cut to the heart of the issue:

 _Florida’s protracted 2018 midterm election has revealed the warts of an
imperfect voting system that normally go unnoticed. This time, the world is
watching, and South Florida election officials are being exposed for sloppy
processes that in some cases, a judge found this week, violated both state law
and the Constitution. Yet those very procedures are common during elections,
political analysts in Florida say; they just don’t get much attention most of
the time because most elections end with wide enough margins of victory that
few people scrutinize them._

Our current election systems are pretty bad, as illustrated by the numerous
examples in that article. And that's all just a mixture of internal ineptitude
and maybe a pinch of decentralized maliciousness. If you're going to measure
the security of a system by some standard of 'cannot be broken by enemy states
kidnapping and torturing key staff members and their families [to coerce
exploitable action]' then it should be clear that our current system fails
abysmally. So you need to compare the pros, and indeed the cons, of both
systems _relative_ to one another.

[1] - [https://www.nytimes.com/2018/11/11/us/florida-recount-electi...](https://www.nytimes.com/2018/11/11/us/florida-recount-elections-scott-nelson-desantis-gillum.html)

------
transpa-regency
Generally, the Swiss concept of democracy is based on the maxim that citizens
can observe and influence any political process (notwithstanding that lobby
groups are typically more effective).

So in most municipalities, anyone (!) can be present during the vote
collection and counting procedures. The right is rarely used, but is the
foundation of (1) trusting and (2) accepting the voting outcome.

This leads to a lot of stability and trust, even if you may not agree with the
result of the vote.

With eVoting, we are doing away with that fundamental right and a process
understandable to every single voter. Even given Universal Verifiability, the
number of people understanding the concept (not even thinking about the
implementation) is probably fewer than those understanding quantum gravity.

Just the rumors of things having run afoul will be able to substantially
destabilise the trust in democracy and thus the country.

I do not think we should follow that slippery slope, especially as the major
claims that started the eVoting debate have been refuted:

- eVoting does not increase the voter turnout; charging 6 francs for not
voting however increases it by 10%

- eVoting is not cheaper; the production and mailing of the required
tamper-proof materials is more expensive than before

- eVoting is not simpler; in fact, the process includes many steps which look
tedious and unnecessary

------
hocuspocus
For people not familiar with voting in Switzerland, we already trust the Swiss
Post, given that most ballots are mailed in. I've never been at a physical
polling booth in my life, and we vote at least four times a year.

We also have an online voting platform already, which has been launched by the
canton of Geneva in 2003. It has known several upgrades, security audits, and
has been targeted by hackers a few times. It's proven quite successful and it
is used by a few cantons besides Geneva. Sadly, due to a lack of federal
support, Geneva doesn't want to bear the costs anymore.

~~~
sgc
Is there a historical list of the items you vote on each election? I am
curious to see a real world example of such regular voting.

~~~
oneon
The most broad collection from all cantons was just now published into a
smartphone app called VoteInfo, see
[https://www.admin.ch/](https://www.admin.ch/) site for more details.

Otherwise information is usually scattered on the various cantons' (districts')
websites.

~~~
sgc
Thanks for the head start. Looking around on admin.ch I found
[https://www.bk.admin.ch/ch/f/pore/va/vab_2_2_4_1_gesamt.html](https://www.bk.admin.ch/ch/f/pore/va/vab_2_2_4_1_gesamt.html)
with results from 1848-present.

~~~
transpa-regency
These are the federal subject votes; it does not include federal elections or
cantonal/communal votes/elections. So I would guess one has about six topics
on average to decide on, 4-5 times a year.

~~~
sgc
Sometimes I think we need to be realistic and accept that there are
populations on the planet which have a hundred - or hundreds - of years of
work to evolve past their current mindset. I can think of a number of
countries where the general population does not seem to have the capacities
for this type of responsibility. If every issue devolves into a cutthroat
battle rather than a serious discussion at the end of which opinions are
expressed, society cannot handle regular voting since it is primed for
corruption.

A deep education on civic duty rather than nationalism is one obvious piece of
the puzzle, but also a safety net and affluence where people are not desperate
and can remain free of basic economic pressure to conform is another big one.
Perhaps the biggest one that I have seen missing from my own country and
others is a true desire for personal excellence, one that is even greater than
the desire for success. Including philosophy in education from a younger age
can help with instilling that mindset.

What do you think has helped Switzerland as a society succeed as a democracy?

------
zepearl
I'm Swiss, so I guess that soon I'll have to vote about this voting system :)

E.g. chapter 3.4.3 of the architecture PDF might be interesting to end-
users/voters:

>End-to-end verifiability: Voters should be able to verify that their vote has
been recorded-as-cast and cast-as-intended; and both observers and independent
auditors should be able to check that votes are counted as recorded without
compromising voter's privacy.

>>Recorded-as-cast verifiability: This verifiability level is achieved by
means of vote confirmation receipts which are displayed to voters after their
last vote has been cast and can be looked for once the election is closed on a
Receipts Portal or a Receipts List made available to voters.

>>Cast-as-intended verifiability: This verifiability is achieved by means of
Choice Return Codes, which are sent by mail to the voter before the election
starts and univocally represent voter's valid options. The server can generate
these Choice Return Codes and send them back to the voter while voting without
knowing their real option reservation. This way, the voter can check if these
codes match with the ones contained in the paper voting card.

~~~
orthoxerox
Can it verify that votes that have been added to the system have been cast by
the actual voters and not by anyone else?

~~~
nohillside
No. But this is the same with ballot or mail votes in Switzerland, identity is
not verified. So in theory you could fake paper voter cards already today, but
it's difficult to scale this onto a useful level.

The verification system for the proposed eVoting system works with
verification codes individual to a voter. So even if you and I vote YES on a
certain topic we will have different verification codes.
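
Added example, not part of the thread and not Swiss Post's or Scytl's code: a toy model of the per-voter return-code check described in the two comments above. The HMAC tokens, 4-digit codes and every name in it are assumptions made for illustration; the real protocol is not given on this page.

```python
"""Toy model of per-voter return codes (cast-as-intended check)."""
import hashlib
import hmac
import secrets

OPTIONS = ("YES", "NO", "BLANK")  # constructed ballot


def blind(voter_secret: bytes, option: str) -> bytes:
    """Client side: turn a plaintext choice into a per-voter token."""
    return hmac.new(voter_secret, option.encode(), hashlib.sha256).digest()


def _index(token: bytes) -> str:
    # Lookup key the server can compute from a token it receives.
    return hashlib.sha256(b"index" + token).hexdigest()


def _pad(token: bytes) -> int:
    # One-time pad for the code, derivable only from the token.
    digest = hashlib.sha256(b"pad" + token).digest()
    return int.from_bytes(digest[:4], "big") % 10000


def print_card(options=OPTIONS):
    """Printing office (offline): returns (paper card, server lookup table)."""
    voter_secret = secrets.token_bytes(32)
    # Distinct 4-digit codes within one card, drawn from the OS CSPRNG.
    numbers = secrets.SystemRandom().sample(range(10000), len(options))
    card = {
        "secret": voter_secret,  # typed into the voting device
        "codes": {o: f"{n:04d}" for o, n in zip(options, numbers)},  # paper only
    }
    table = {}
    for option, number in zip(options, numbers):
        token = blind(voter_secret, option)
        table[_index(token)] = (number + _pad(token)) % 10000
    # Sort so that entry order does not reveal which option is which.
    return card, dict(sorted(table.items()))


class Server:
    """Holds only masked tables: no plaintext options, no voter secrets."""

    def __init__(self):
        self._tables = {}

    def register(self, voter_id, table):
        self._tables[voter_id] = table

    def return_code(self, voter_id, token):
        masked = self._tables.get(voter_id, {}).get(_index(token))
        if masked is None:
            return None  # token does not belong to this voter's card
        return f"{(masked - _pad(token)) % 10000:04d}"


def cast(server, voter_id, card, intended, device_sends=None):
    """Return True if the voter, comparing codes with the card, would accept.

    device_sends models a voting device that submits a different option
    than the voter selected; the device knows the secret but not the codes.
    """
    sent = intended if device_sends is None else device_sends
    shown = server.return_code(voter_id, blind(card["secret"], sent))
    expected = card["codes"][intended]
    return shown is not None and hmac.compare_digest(shown, expected)


if __name__ == "__main__":
    srv = Server()
    card_a, table_a = print_card()
    srv.register("voter-A", table_a)
    print("honest device accepted:", cast(srv, "voter-A", card_a, "YES"))
    print("altered vote accepted: ",
          cast(srv, "voter-A", card_a, "YES", device_sends="NO"))
```

The mismatch is only caught if the voter actually compares the returned code with the paper card, which is the behaviour the test rules quoted at the top of the thread place out of scope.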

------
harryf
Cool that they do this although I fundamentally subscribe to the point of view
advocated by Tom Scott in "Why Electronic Voting is a BAD Idea"
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)
which argues that it's hard to scale up a large-scale attack against
paper-based systems among other things.

~~~
leppr
It may be a bad idea for a vote so important that it happens only once every 5
years and citizens have no recourse in the periods between.

But if we want to scale Democracy to the modern world, where today tens of
thousands of important decisions are taken without any citizen input during
those 5 years, electronic voting is a necessity.

~~~
anoncake
Without a secret ballot, you cannot have democracy. Instead, you have a rule
of those who bought the most votes.

If voting does not happen in public, you cannot have democracy either.
Instead, you have a rule of those who are best at manipulating the vote.

Electronic voting is either not secret or not public. You cannot use it to
scale democracy, it destroys it.

~~~
gpm
I wonder if this is just a case of preferring the devil we know.

"Without regular (daily) votes you cannot have a democracy. Instead, you have
a series of temporary dictators selected from those with the connections,
charisma, and budget to run campaigns and get put in charge."

Experimenting with something as important as our form of government is really
scary, but it's not clear to me that it's more likely to destroy it than
improve it.

------
shaki-dora
I yearn for the times when the tech community still believed e-voting was a
bad solution in search of a problem.

I mark my votes with a pen on a piece of paper. No polling place in my country
is more than 300 yards from the voter, at least in cities and towns. I can
stick around and watch the counting close enough to verify the count. Costs
are negligible compared to the overall budget, with most of the staff being
volunteers.

Maybe it’s different with some ballot initiative every second week, or
whatever the Swiss are doing. Maybe it doesn’t work as well if you vote for 26
up and down the government from president to dog catcher, to dog-to-be-caught.

But in those cases, I’d still rather give up that surplus of choice, rather
than the system that is not just safe, but so obviously safe even old people
don’t believe conspiracy theories about it.

------
wieghant
So I hear the cons for e-voting all the time. It's absolutely true no system
is sound and secure. However consider this: most politicians aren't exactly
tech-savvy. There are way more cost-effective methods to "rig" elections (for
the Swiss scale). Dead people voting. Volunteering staffers. Depending on
country method of vote transfer. Human error when counting.

Having helped with an e-election system myself, I saw first-hand how it caught
"bugs" in the process. For example some district entering wrong information
(lots of cross-referencing checks tripped an "alarm").

In the U.S. sure, I can see why people would be concerned. No offence, but the
systems in place for social and other citizen-related info ain't excellent. If
there's an entire market for false identities it's saying something. Taxes not
being done automatically. Social security number being the one way to
identify. Online banking being a pain in the ass.

Scalability is an issue. If a system is open to billions, there is more
incentive to work on "theoretical" exploits. But let's not pretend paper-
voting is a better alternative. E-voting doesn't solve the corruption problem,
but it makes it easier to find.

Tom Scott and some of the pen-testers that shit on the concept have good
points. However they all are based on the idea that staffers manually counting
works better. Tom Scott's New Hampshire example is anecdotal – that system was
an insult to the word naïve. The pen-testers taking a dump on Estonian system
were picking on stuff like WiFi passwords being visible and seeing over the
shoulder an admin's terminal. The systems responsible for the counting weren't
connected to the WiFi and it was there for guests. Lot of good staring at a
terminal did with no access to the actual machines holding the program.

I don't see e-voting becoming a thing due to all the FUD spreading. But I hope
it will be reviewed as a means of double-checking. Perhaps some studious
people might actually go out and study the actually proposed architecture.
It's really never as simple as one program doing the counting with a flavor of
auditing. At least when done right(ish).

~~~
oneon
Paper voting has a big advantage: any random person from the street can
understand all parts of it, and can think of virtually all possible
manipulations.

You don't have the same on electronic voting systems. There you need to ask
experts, [which again need experts [which again need experts [...]] to explain
to you what is going on.

~~~
anarazel
Paper based voting also excludes me, a Swiss person living abroad, from
reliably voting.

I don't understand why these discussions are done in this black/white manner.
There's valid policy discussions to be had, but treating the other side as
maliciously dumb isn't helpful.

~~~
nohillside
The proposed eVoting solution will not do you much good then. It still relies
on paper mail getting to you in time, and untampered with.

I understand the problem Swiss persons living abroad have with voting, but
there are better ways to solve this than putting the whole vote at risk due to
unsecurable Internet voting.

------
transpa-regency
Yes, indeed, we do vote around 5 times a year on several more or less
important subjects and elect officials. That does not mean that a mistake can
be fixed quickly, because the entire lawmaking process is (deliberately) slow:

\- All members of parliament do that only part-time; during the rest of the
year, they do work (mostly) normal jobs.

\- Once the (national) parliament has passed a law, the citizens have 100 days
to collect the names of 50,000 opponents. If they achieve this, that will
mean the law is delayed for at least another year.

------
anarazel
I have serious concerns about electronic voting. But: One of the predecessor
systems allows me to vote in referenda from abroad, and it significantly
increases the likelihood I vote successfully. Having to send back the paper
ballot weeks in advance (to be sure it arrives in time) makes it easy to miss
the deadlines, and also requires to skip over discussion still happening at
that stage.

------
davidbanham
So it looks like the property that the Swiss system sacrifices is receipt
freeness. In short, there is nothing to protect voters against someone
coercing them to reveal their vote.

In a first world country like Switzerland it's unlikely this coercion would
take place with an AK47 at the ballot box. It is, however, conceivable that it
could take place on the shop floor by either a boss or a trade union
representative threatening to withhold work or pay.

I wouldn't be comfortable using a system like this for a state level election.
The stakes are too high. That said, I do actually offer a product that
sacrifices the same property and is designed to be used in elections for
community organisations, companies, etc.

My digital election product: [https://scrut.in/](https://scrut.in/)

More information on the concept of receipt freeness:
[http://www.lsv.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf](http://www.lsv.fr/Publis/PAPERS/PDF/DKR-csfw06.pdf)

~~~
oneon
As long as voters have to click votes in clear text on a screen, the security
of the system is fundamentally screwed.

As long as voters have to enter cryptic signs instead of clear text votes, the
usability of the system is fundamentally screwed.

So it's either fundamentally screwed or fundamentally screwed. Which one do
you want? That's what the Swiss research on the topic basically boils down to
after 20 years of trials.

Can we just stop it? Wanna help with the Initiative to stop e-voting in
Switzerland? [https://evoting-moratorium.wecollect.ch/](https://evoting-moratorium.wecollect.ch/)

More info at [https://e-voting-moratorium.ch/](https://e-voting-moratorium.ch/)

------
gpm
The contract you are required to agree to view the source code [0] is
unreasonable:

It _requires_ that you work for free if you think you find a problem (i.e. you
are not allowed to just stop):

> Participants who have found or believe they have found a vulnerability are
> obliged to submit a report in the GitLab platform as an issue set explicitly
> to confidential

> Researchers shall provide sufficient information to reproduce the
> Vulnerability so that the Owners can act as quickly as possible. Usually, a
> vulnerability description is sufficient, but for more complex
> vulnerabilities, more detailed information may be needed.

> The Researcher accepts to provide support to the Owners to verify the
> potential Vulnerability,

It requires that you agree to an indefinite NDA, that extends to not
disclosing issues you discover:

> No Vulnerability shall be published within a period of forty five (45) days
> since the last communication exchanged with the Owners with regards to such
> potential Vulnerability, unless the Owners have agreed to a shorter period
> or defined a longer period.

(In other words they can extend the NDA indefinitely by pinging you every 45
days, and the last sentence means they might not even need to bother pinging
you every 45 days). Also:

> the information received in the Researcher e-mail account must not be shared
> with or forwarded to any other e-mail account.

It requires that you are not a company (or government) or acting on behalf of
one, despite various companies providing, for free, some of the best security
research (see project zero)

> Registration for the Program is open to all natural persons willing to
> comply with the Agreement, with the exception of natural persons who do not
> act under their own responsibility, but as employees, civil servants,
> officers or any other subordinate capacity. Registration is therefore not
> open to organizations, associations, institutions, administrations,
> governments, government agencies, foreign states, or any other entity that
> is not a natural person.

On the contrary to the article (which currently states "The source code is
published permanently to ensure Swiss Post meets the legal requirements."),
source code access is not permanent, but only until the end of the production
release. I.e. research into past vulnerabilities appears to be forbidden:

> The Agreement and Source Code Access expires at the termination of the
> productive use of the release to which the Program is dedicated.

I'm not a lawyer, I'm certainly not a Swiss lawyer, but it is my understanding
that the purpose of this program is to comply with article 7a and 7b of [1]
(which is linked from [0]). I hope someone who _is_ a Swiss lawyer (some
equivalent of the EFF) is looking closely at this, because I don't see how it
complies. I don't see how it can be said that "The source code for the system
software must [has] be[en] made public" when companies are not allowed to view
it and access is temporary. I don't see how it can be said that "Anyone is
entitled to examine, modify, compile and execute the source code for
ideational purposes, and to write and publish studies thereon." when you
aren't allowed to publish vulnerabilities until they choose to release you
from the indefinite NDA you signed.

[0]
[https://www.post.ch/-/media/post/evoting/dokumente/nutzungsb...](https://www.post.ch/-/media/post/evoting/dokumente/nutzungsbedingungen-quellcode.pdf?la=en&vs=1)

[1]
[https://www.bk.admin.ch/dam/bk/de/dokumente/pore/Federal_Cha...](https://www.bk.admin.ch/dam/bk/de/dokumente/pore/Federal_Chancellery_Ordinance_on_Electronic_Voting_V2.0_July_2018.pdf.download.pdf)

~~~
nairboon
This program doesn't comply with VEleS 7b but it doesn't have to, yet. The
requirement for publishing the source code only applies when the system is
actually authorized for a real trial.

~~~
gpm
Oh, interesting.

Do you know what sort of time frame a "real trial" will happen in? I'd love to
give the source a once over when I can do so on reasonable terms.

~~~
nairboon
I don't know about the time frame, there is a current proposition which would
allow e-voting at the national level which is up for public comments until the
30.4.2019, but then it'll go back to parliament and at some point should be up
for a vote. So it may take another year or two.

But you can check out the source code as it is, the lawyers of Swiss Post just
added all kinds of random stuff to that TOS. I think this TOS only applies if
you participate in the pentest. Otherwise it makes absolutely no sense. The
propositions that the researchers shall conduct tests etc. would create a
contract for work, which only applies for the pentest due to the potential
compensation.

But Swiss Post clearly state that they publish the source code to comply with
VEleS 7a, therefore it is public as in "It must be easily obtainable, free of
charge, on the internet." any restrictions like we must conduct tests is
clearly a charge and thus not valid with 7a.

~~~
gpm
Access to the source _without participating in the pen test_ is clearly
governed by the contract I linked, both because that's what the page you need
to click through to access the source says [0], and there is a different
contract governing participants in the pentest [1].

I'm frankly more concerned with the indefinite NDA than the "you must continue
to work for free clause". I'm reasonably confident that Swiss law doesn't
allow for a clause to force me to work without compensation, and I'm quite
confident that local law does not regardless of what Swiss law says. The
indefinite NDA though strikes me as legally valid, and could plausibly put me
in a situation where I'm stuck between keeping silent about vulnerabilities
and civil disobedience [2].

I emphasized "without participating in the pen test" above because I just
noticed an amusing loophole in the contract that makes the NDA somewhat (not
completely, and still not the rest of the contract) reasonable.... The pen
test agreement states

> If you sign up to the source code access programme and there is a conflict
> between the E-Voting Solution Source Code Access Agreement and the TC&CoC,
> the latter shall take precedence.

It also states

> Participants / researchers are allowed to publish their findings following a
> publication date agreed with the organizers. This date will be 45 days after
> the initial confirmation of the reported finding at the latest.

As such I think if I sign up for _both_ programs the NDA on disclosing
vulnerabilities is not indefinite.

[0] [https://www.post.ch/en/business/a-z-of-subjects/industry-sol...](https://www.post.ch/en/business/a-z-of-subjects/industry-solutions/swiss-post-e-voting/e-voting-source-code?shortcut=evoting-sourcecode)

[1] [https://onlinevote-pit.ch/conduct/](https://onlinevote-pit.ch/conduct/)

[2] A similar example in Finland where companies and government agencies
conspired to try and keep vulnerabilities secret:
[https://www.reddit.com/r/talesfromtechsupport/comments/9m8fz...](https://www.reddit.com/r/talesfromtechsupport/comments/9m8fzj/cant_approve_payroll_blackhat_sysadmin_when_my/)

This story is largely verifiable via Google - The author has asked that his
reddit account/recounting not be directly linked to his name, please respect
that here as well.

~~~
nairboon
>I'm reasonably confident that Swiss law doesn't allow for a clause to force
me to work without compensation, and I'm quite confident that local law does
not regardless of what Swiss law says.

Yes, this is not a valid clause.

> The indefinite NDA though strikes me as legally valid,

There isn't an indefinite NDA,

>"The expiry or termination of the Agreement shall not affect the validity of
the obligations of the Researcher entered into under the Agreement (including
but not limited to the Fair Use Restrictions, the Reporting Procedure and the
Responsible Disclosure)."

With the termination of the Agreement, the contract is void, these obligations
can't be prolonged. There is only an exception for trade secrets which will
continue even after a work contract. But this is no work contract. And second
there are no trade secrets in here.

Anyways the whole agreement is fuzzy, this clause > "The Owners grant access
to the EV Solution Source Code in the Program to the extent required by the
(Swiss) Federal Chancellery Ordinance on Electronic Voting (“the Ordinance”)
(1). No part of this Agreement shall be construed as to provide surpassing
rights or to permit its use for other purposes. "

gives full public access, with no strings attached. The later clauses are
contradictory to this one.

~~~
gpm
This is part of the reporting procedure/responsible disclosure, and thus lasts
past the end of the agreement. It is an NDA. It can be extended indefinitely
by the owners without my consent.

> No Vulnerability shall be published within a period of forty five (45) days
> _since the last communication exchanged with the Owners_ with regards to
> such potential Vulnerability, unless the Owners have agreed to a shorter
> period or defined a longer period.

The later clauses being contradictory is an interesting point, but not one I
would want to personally litigate.

------
kmlx
i’m also waiting to hear more on

“Japan gears up for mega hack of its own citizens

Unprecedented cyber attack on 200m internet enabled devices is designed to
test the nation’s vulnerability”

[https://www.google.co.uk/amp/s/amp.ft.com/content/7d57b8d8-2...](https://www.google.co.uk/amp/s/amp.ft.com/content/7d57b8d8-294e-11e9-a5ab-ff8ef2b976c7)

~~~
b_tterc_p
I didn’t know about that. Great story!

------
oneon
Our press release in response: Swiss Post e-voting intrusion test: a farce!

[https://e-voting-moratorium.ch/swiss-posts-e-voting-intrusio...](https://e-voting-moratorium.ch/swiss-posts-e-voting-intrusion-test/)

The Swiss Post, totally unimpressed by the previous devastating hacker attacks
on the e-voting system, is now about to launch its own official hacking
“intrusion test”. For pocket money, 400 people from all over the world are
to test the proven unsafe system in a more controlled and limited setting. The
initiators of the popular initiative «For a secure and trustworthy democracy
(e-voting moratorium)» are dismayed at the useless exercise.

The Swiss Confederation is trying to establish e-voting since 2000. By 2019 it
wanted to see two thirds of the cantons to provide electronic voting. But
cantons are far from jumping on the bandwagon as expected. Several of them have
again withdrawn from the experiment — the latest being the Canton of Jura.
Previously, the Canton of Geneva had decided to abandon development of its own
e-voting system by 2020 after more than 10 years of development, allegedly for
cost reasons. Previously, this e-voting system had been demonstratively hacked
by the Chaos Computer Club Switzerland (CCC-CH) showing its weaknesses by all
rules of cyber art: the demo hack passed the system like a hot knife through
butter. The CCC-CH is unsurprisingly one of the most vehement supporters of
the e-voting moratorium.

For Jean Christoph Schwaab, former SP National Councillor from the Canton of
Vaud and co-initiator of the e-voting moratorium, the intrusion test is “a
farce costing 250,000 Swiss francs. The idea of being able to exclude all
relevant hacking methods is a well-intentioned illusion.”

Adding even further to the absurdity of the staged «intrusion test», all known
weak spots of the system, those which easily permit to falsify votes and
elections, are forbidden attack surfaces. It remains to be seen if organized
criminals and secret services will also stick to these rules. Much higher sums
than those offered by the Swiss are taken to hands by criminals and strategic
organizations to develop attacks. It is unlikely that these actors will ever
disclose their cyber arsenal to the Swiss for a 100 to 50.000 Swiss francs.

National Councillor Franz Grüter, head of the committee, commented that “the
security of e-voting cannot be bought. Professional darknet hackers would
never show themselves in public, thus never register for such a test. In
addition, so-called nation-state hackers act at a much more sophisticated
level and never take part in public penetration tests.”

Also Nicolas A. Rimoldi, campaign leader of the popular initiative sees
nothing positive in this large-scale hacking trial with 400 participants: “The
decisive findings have long been available: Swiss e-voting is fundamentally
insecure, and the goals associated with it (generally higher voter turnout,
motivation of internet-savvy young people) were all not achieved. Swiss Post
is only interested in pushing out the project, while security has no priority
whatsoever. The fundamental attacks pointed out by the CCC-CH haven’t been
fixed and are still feasible today on both systems in use as of the current
voting term on the 10th of February (Geneva’s system is in use for six cantons
and Swiss Post’s for four cantons); the official claim — security before speed
— is not enforced. Regardless of this, the Confederation is keeping the
e-voting platforms up and running which is irresponsible. Ironically, Swiss
Post is now disclosing the cyber risks for which it has no remedy. Swiss Post
and the software supplier Scytl have no remedy against all those banned attack
surfaces that often and successfully occur in the real world. Thus, they
openly admit that the security of e-voting cannot be guaranteed.”

Rimoldi thinks it is overhearted of the authorities to invite potential
attackers — not even excluding foreign secret services and criminal
organizations — to test their attack tools for a little payment. “The so-
called intrusion test is a pure PR campaign by Swiss Post to divert attention
from fundamental and proven flaws in the system,” said Rimoldi.

The limited accessibility to the source code is also impractical: security
holes and issues cannot be openly debated and thus hardly be closed, instead
they should be reported exclusively to Swiss Post. This approach is out of
touch with reality and does not correspond to the working principles of IT
security engineering. Especially in an area as sensitive as democracy, maximum
transparency and a free software license would have been appropriate. Swiss
Post together with Scytl is failing in both respects.

The Swiss Federal Government’s insistence on e-voting has isolated Switzerland
internationally. With the exception of Estonia, where a minority of the voting
population votes electronically, all European states have rejected or
abandoned e-voting.

------
patte
our investigative report about the e-voting at Swiss Post and its technology
partner Scytl: [https://www.republik.ch/2019/02/07/the-tricky-business-of-de...](https://www.republik.ch/2019/02/07/the-tricky-business-of-democracy)

> The Tricky Business of Democracy - For its prestigious electronic voting
> project, Swiss Post is relying on technology provided by the Spanish company
> Scytl. But reporting by Republik shows that the e-voting market leader has
> misused EU funds, bungled elections and encountered security problems during
> voting.

disclaimer: I work for Republik

