
CHVote: Open-source e-voting system from Switzerland - porker
https://republique-et-canton-de-geneve.github.io/chvote-1-0/index-en.html
======
yason
For giving a guiding vote from the citizens to assist in parliamentary or
local decisions, yes.

For electing state officials, no. A voting scheme needs to be designed for the
worst possible circumstances which practically means a bordering civil war,
and where trust between voters is zero at best. Voting allows revolution to
take place peacefully.

Therefore the method of voting needs to be understood, carried over, and be
verifiable by the common (wo)man. No electronic scheme can do that: anything
that runs in software means that the correctness of the system depends on the
experts' word only, and that word is likely to mean nothing when half the
population is already collecting arms.

~~~
andrepd
> No electronic scheme can do that: anything that runs in software means that
> the correctness of the system depends on the experts' word only.

No paper ballot in box scheme can do that: anything that is run by officials
means that the correctness of the system depends on the officials' word only.

~~~
specialist
What is truth? What is reality? Turtles all the way down?

Please sign up and observe your local elections. The Australian Ballot system
(private voting, public counting) is time proven, battle hardened.

Paper ballots cast at precincts counted when the polls close is the gold
standard. It works because opposing belligerents agree on the outcome. Trust
forged from mutual distrust.

Paper ballots _permit_ guaranteeing the physical chain of custody. You should
show up and help keep that guarantee.

~~~
smokeyj
But how do you verify that each voter is authorized to vote, and that only one
vote was cast? It seems if you involve a digital system you're kicking the
trust bucket down the road.

The security of digital systems is "good enough" IMO, especially if there's
a public cryptographically verifiable ledger. We bank online where the banks
essentially only hold cash in the form of a database entry. The benefits of
digital voting means we can have more granular input in our government's
operations. I don't see paper ever scaling to meet that demand.

~~~
geofft
> _public cryptographically verifiable ledger_

This is a thing you actively don't want. You don't want to be able to prove to
anyone else how you voted. Otherwise it would be absolutely trivial for your
boss to say, "So, you voted for that anti-union candidate, right?" (Or your
boss to not _say_ that, but just happen to give promotions to people who show
proof of voting the way the boss wants.)

The right to a secret ballot is demanded by the Universal Declaration of Human
Rights.

Yes, this renders the electronic voting problem - and honestly the voting
problem in general - very close to impossible. _That's why it's hard._

~~~
smokeyj
>> Put a thousand pre-known keys in a hat, one thousand people draw keys from
a hat, the key is activated on the blockchain and points to a user-defined
voting wallet. Now you have anonymous cryptographically verifiable voting with
double spend protection

I just invented a scheme to anonymize votes in 5 minutes. I'm sure if smarter
people tried we could definitively solve this. I'm not convinced this is hard
as much as people are saying it's hard.

~~~
geofft
1\. As others said, the private key proves how you voted. If you can verify it
with the private key, you can show the proof to someone else. And if it's a
single-use private key, there's no reason for me not to share the private key
once I voted.

You need to have _deniability_; I need to be able to revoke my ability to
prove how I voted, and moreover I need to be _required_ to revoke it
(otherwise I can be compelled not to revoke it). Right now, I am unable to
leave the voting booth with any receipt of how I voted, even if I wanted to
(i.e., even if someone else wanted me to). I can see my vote, and election
monitors prevent anyone else from seeing it until it leaves my hands. In most
places in the US, I can't even take a cell phone photo of my votes, and that's
a good thing because nobody can ask me to take a cell phone photo of my votes.

2\. If they're pre-known, anonymous, single-use keys, nothing prevents a
corrupt election official from keeping a copy of the key and voting before the
voter gets home. The voter has no way to prove that they _didn't_ vote and
that someone stole their key.
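
Added example (not part of the thread or of CHVote): a toy model of the keys-in-a-hat scheme with the two objections above run against it. Lamport one-time signatures stand in for the "single-use private key"; the `Ledger` class, the voter names and the choices "A"/"B" are constructed for illustration.

```python
import hashlib
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

# Lamport one-time signature: the private key is 256 pairs of random secrets,
# the public key is the hash of each secret.
def public_from_private(sk):
    return [(H(a), H(b)) for a, b in sk]

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, public_from_private(sk)

def msg_bits(msg: bytes):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    # Reveal one secret of each pair, selected by the message digest bits.
    return [sk[i][bit] for i, bit in enumerate(msg_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    bits = msg_bits(msg)
    return len(sig) == 256 and all(H(sig[i]) == pk[i][bits[i]] for i in range(256))

def key_id(pk) -> str:
    return H(b"".join(a + b for a, b in pk)).hex()

class Ledger:
    """Hypothetical public ledger: activated key ids and one vote per key."""
    def __init__(self, activated_ids):
        self.activated = set(activated_ids)
        self.votes = {}  # key id -> choice, readable by anyone

    def cast(self, pk, choice: str, sig) -> str:
        kid = key_id(pk)
        if kid not in self.activated:
            return "rejected: unknown key"
        if kid in self.votes:  # the "double spend protection"
            return "rejected: key already used"
        if not verify(pk, choice.encode(), sig):
            return "rejected: bad signature"
        self.votes[kid] = choice
        return "accepted"

def receipt_from_private_key(ledger, sk):
    """Objection 1: whoever is handed the private key can look up the vote."""
    return ledger.votes.get(key_id(public_from_private(sk)))

def run_scenario():
    hat = [keygen() for _ in range(3)]            # pre-generated keys
    ledger = Ledger(key_id(pk) for _, pk in hat)
    official_copy = hat[0]                        # copy kept before the draw
    alice_sk, alice_pk = hat[0]
    bob_sk, bob_pk = hat[1]

    # Objection 2: the copy is used first; the ledger sees a valid vote, and
    # the real voter's later attempt looks exactly like a double spend.
    first = ledger.cast(official_copy[1], "B", sign(official_copy[0], b"B"))
    second = ledger.cast(alice_pk, "A", sign(alice_sk, b"A"))

    # Objection 1: Bob votes, then is made to hand over his used key.
    ledger.cast(bob_pk, "A", sign(bob_sk, b"A"))
    receipt = receipt_from_private_key(ledger, bob_sk)
    return first, second, ledger.votes[key_id(alice_pk)], receipt

if __name__ == "__main__":
    print(run_scenario())
```

Nothing on the ledger distinguishes the first vote under Alice's key from one she cast herself, and Bob's key works as a receipt for as long as he still holds it.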

~~~
patmorgan235
A solution to 1 would be ring signatures, as used by many CryptoNote-based
currencies. They group unrelated inputs and outputs to give all the parties
involved plausible deniability as to who paid what to whom. So your vote would
be mixed with a group of others so no one can tell exactly who voted for what,
just that the right number of votes were cast.

------
StreakyCobra
While I appreciate the effort of putting it open-source, and even more to do
it on GitHub, I hope they will hire someone who knows how to use Git/GitHub,
like using tags for versioning instead of repository name [0], or using
meaningful commit messages [1].

For the future let's see how they will manage external contributions. Opening
the code for transparency is a good point (even if this still doesn't ensure
you that the same version of the code is running in production on trusted
hardware), but doing this on GitHub will certainly bring some contributions.
Will they refuse everything? Or accept external contributions? Will they use
GitHub as the central development process? If not, how are they going to handle
the development internally with regard to external contributions? Also are
they going to do all commits with this dedicated state-account? Who will be
part and what would be the process for reviewing and accepting external
contributions, to be sure they are not adding backdoors purposely disguised as
mistakes? Having a state starting to work on open-sourcing such a sensitive
software in Switzerland opens a wide range of interesting questions. Maybe,
and probably, this has already been discussed in other countries or even other
parts of Switzerland, but in the state of Valais (Switzerland) this is at least
not the case.

It's not the first project under state control in Switzerland that is on
GitHub. I'm also aware of geo-admin [2] who have their sources there. As far
as I saw, they are handling GitHub much more professionally.

[0] [https://github.com/republique-et-canton-de-geneve/chvote-1-0](https://github.com/republique-et-canton-de-geneve/chvote-1-0)

[1] [https://github.com/republique-et-canton-de-geneve/chvote-1-0...](https://github.com/republique-et-canton-de-geneve/chvote-1-0/commits/master)

[2] [https://github.com/geoadmin](https://github.com/geoadmin)

------
PaulRobinson
The system overview is in the github repo here:
[https://github.com/republique-et-canton-de-geneve/chvote-1-0...](https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/docs/system-overview.md)

For me, they haven't fixed the problem GNU.FREE highlighted when they decided
to shut down
([https://www.gnu.org/software/free/](https://www.gnu.org/software/free/)),
but they have highlighted the risks and made them harder to exploit.

I need to sit down and think about attack vectors properly, as the process is
quite convoluted, but it seems to me there are multiple opportunities for key
personnel to change votes and to identify who voted for each outcome - the
scope is limited, and within a very small step due to ballot shuffling, but it
definitely is there on a first read-through.

~~~
sooheon
You would be doing a service to interested laypeople by writing down and
sharing your thoughts on this. Experts often forget that things that are very
obvious to them can be very enlightening to others.

------
tauntz
Estonia's E-Voting systems backend code is also on GitHub (for already quite
some years): [https://github.com/vvk-ehk/evalimine](https://github.com/vvk-ehk/evalimine)

~~~
toppy
Without a single unit test how can this piece of software be called "system"?

~~~
VMG
Simple, just add a singleton: [https://github.com/vvk-ehk/evalimine/blob/master/ivote-serve...](https://github.com/vvk-ehk/evalimine/blob/master/ivote-server/common/singleton.py)

~~~
SanFranManDan
How they use the singleton is strange also.

[https://github.com/vvk-ehk/evalimine/blob/master/ivote-serve...](https://github.com/vvk-ehk/evalimine/blob/master/ivote-server/evui/evui.py)

> Election().count_questions()

> Election().is_hes()

> for el in Election().get_questions()

> Election().is_voters_list_disabled()

Election is a singleton so they keep reinstantiating it every time they want
to use it instead of just doing

> election = Election()

at the module level and having a more idiomatic singleton (module variables are
singletons). But a singleton design probably isn't the best approach.

The singleton example isn't that bad of code since it assumes that one server
will run one election which is a valid assumption, but reading through this
code makes me wary about e-voting. I think this proves that OpenSource
doesn't always mean good code. There is little incentive for people outside of
Estonia to contribute to the project.

------
ElijahLynn
I have been very interested in Open Voting Systems for quite some time now and
have been following Open Voting Consortium, Alan Dechert and more for many
years now. It is a problem that I think could have better solutions. There are
many good ideas out there for this, and many include paper and open source
software.

I have compiled a list of reading materials here for those who are interested.

[https://github.com/ElijahLynn/open-source-voting-systems](https://github.com/ElijahLynn/open-source-voting-systems)

------
splike
But how does a voter verify that this is really the software running in the
background?

~~~
PaulRobinson
How do you know the ballot box you put your vote into is being taken to be
counted and recorded, and not simply destroyed and another ballot box
introduced?

There is always going to be a weak point where you have to trust somebody -
this is why party members should not be involved in every step from setting
constituency borders, all the way to being in charge of any balloting and
reporting results. It needs to be independent (e.g. in the UK it is fiercely
independent of party members' involvement at any level).

The interesting attack vector here is your ISP could trick you. That can be
mitigated with certificates and some of the measures banks use to identify
themselves to customers (strings that you added at registration being
displayed at login that only you know, etc.)

But yes, a hard problem to solve.

~~~
Klathmon
>How do you know the ballot box you put your vote into is being taken to be
counted and recorded, and not simply destroyed and another ballot box
introduced?

You can watch it.

With a "ballot box" system, you could get there, put your vote in the box,
then sit there and watch it all day until it's counted. Hell if you want you
could get there and inspect the box before they start voting.

And it's not just you that can do that, everyone can do that regardless of
profession, age, race, background, education, etc...

~~~
tribaal
To clarify on top of Klathmon's point: this actually happens in Switzerland,
it's not just a theoretical argument.

Actually, the government is _required_ to have some people watching the
counting (specific rules vary on a per-canton basis). Some states select
random citizens for that (similar to jury duty in the US - you get fined if
you don't show up, but get paid for your time). Other states have a pool of
people they choose from randomly (you volunteer for the pool).

EDIT: Furthermore, Swiss people vote in their community. It's not like you
need to go out of your way to watch the counting - it happens in your town
hall or (sometimes) the school. It always happens on Sundays (which is a
required day off in Switzerland except in some rare cases).

~~~
Klathmon
That's nice to know!

If you don't mind me asking, how does Switzerland handle those which are
required to work on election days?

That's one of the ugliest parts of the US election system to me, is the fact
that many people need to fit the election around their work schedule, and I
know of at least 3 people that couldn't get time to vote this year, and my
state makes it so you basically need to be actively deployed in the military,
or be hospitalized to get an absentee ballot.

~~~
tribaal
Like I added in my edit, there is almost no such case: Sundays are a mandatory
day off for most. That means you can't go shopping on a Sunday, except in very
few shops (train station shops have exceptions). Doctors, pharmacies and most
other emergency things operate on a reduced schedule.

I'm not certain what would happen if say a nurse working a shift in an ICU was
selected. I'm pretty sure it's either announced early enough that the hospital
would have to switch shiftees or they would be given a pass for free. I
suspect a person working in a train station shop on a Sunday would tell their
boss, and would simply be shifted to another time (it's not like the boss or
the employee can do anything about it - it's law).

EDIT: to clarify once again - I'm pretty sure it _does_ happen, but the case
is probably rare enough for it not to matter too much. The rule works for a
good 90% of cases, exceptions can certainly be done on a case-by-case basis at
community level.

~~~
JorgeGT
In Spain, where the system is similar to what you described (staff for the day
is chosen at random from all citizens in that voting district, and similar to
jury duty), some professionals (doctors, nurses, air controllers, etc.) can
decline the request if they will be on watch, and there are assigned
replacements for them.

A non-critical worker cannot refuse but:

a) Chosen citizens are paid, even if not much (60€ I think).

b) Chosen citizens have the following Monday morning free, should they need to
travel back to their job site, etc.

c) Chosen citizens have strong legal protections should their boss try
anything.

In practice, when an employee is chosen for election duty the boss just deals
with it as best as they can, since it's a case where judges and police are
super strict: messing with election duty will get you heavy fines and/or jail
time. So no-one is going to fire you or retaliate if you are assigned election
duty.

------
pedrocr
Besides the usual comment that e-voting is a really bad idea[1] this sentence
in their copy is delicious:

"CHVote, entirely developed, hosted and _exploited_ by the Geneva Canton"

[1]
[https://news.ycombinator.com/item?id=13143302](https://news.ycombinator.com/item?id=13143302)

~~~
livatlantis
Almost certainly a mistranslation from French, where 'exploité' would be
something like 'operated'. That whole paragraph reads like French.

~~~
habi
Let's see what they make of this pull request: [https://github.com/republique-et-canton-de-geneve/chvote-1-0...](https://github.com/republique-et-canton-de-geneve/chvote-1-0/pull/2)

~~~
livatlantis
Merged! :)

------
specialist
These fix all, cure all novel voting systems are like recurring announcements
of perpetual motion. Catnip for nerds.

Please, study how election administration (in the USA) works to better assess
these new technologies, techniques, systems.

TLDR: Electronic (mediated) voting schemes cannot guarantee both the secret
ballot and public count. Tech which may do one, or perhaps even both, hasn't
even been conceived, much less invented.

------
homarp
java8 based. AGPL. currently used by 4 cantons in Switzerland: Basel-City,
Bern, Geneva and Luzern, either for votations or elections.

------
xiphias
Shouldn't it be using cryptographic proofs for voting?

Ring signatures are good for it for example:

[https://en.wikipedia.org/wiki/Ring_signature#cite_note-FS07-...](https://en.wikipedia.org/wiki/Ring_signature#cite_note-FS07-5)

------
dttrgrr
There are necessary requirements in a voting system:

1\. Authenticity - One vote per citizen.

2\. Secrecy - no one, not even the government, should know who voted for who.

3\. Verifiability - I know my vote counts.

So if you have a login/password, #2 (logs are too easy) and #3 are out.

With a Blockchain, #1 is out (how do you verify that a private key is owned by
a citizen)?

~~~
Cshelton
You have a separate blockchain that is used to verify a citizen. You can put
many things there (marriage status, SSN..not needed anymore with this, any
other info), which would include a voting key. The voting blockchain would
check the citizen ID blockchain, to verify that citizen and all ensure the
same voting key would not be used twice and that the citizen has proper status
(like...is the person alive...legal...not a current felon, etc.)

Theoretically, we have figured out the entire thing pretty damn well, we just
need someone to try it ;)

Also, explaining blockchain to the general population and "assuring" them will
be the hardest part. People will revolt and think it's rigged and have no
understanding of how it works. Even politicians are clueless...so, yeah, not
sure how far off we are on this hah.

~~~
dispose13432
>You have a separate blockchain that is used to verify a citizen. You can put
many things there (marriage status, SSN..not needed anymore with this, any
other info), which would include a voting key. The voting blockchain would
check the citizen ID blockchain, to verify that citizen and all ensure the
same voting key would not be used twice and that the citizen has proper status
(like...is the person alive...legal...not a current felon, etc.)

So how is the citizen ID blockchain linked with the voting blockchain?

------
lo-enterprise
The most interesting document in the CHVote documentation is this one:
[https://github.com/republique-et-canton-de-geneve/chvote-1-0...](https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/docs/system-overview.md)

At the moment, the open sourced part is the "offline administration
application" in the green box at the top right.

[https://github.com/republique-et-canton-de-geneve/chvote-1-0...](https://github.com/republique-et-canton-de-geneve/chvote-1-0/blob/master/docs/system-overview.md#architecture-overview)

------
bikamonki
A successful challenge to the results of an election will most likely end up
in a civil war. In other words, whoever is _officially_ announced as winner
will remain so, even if proof of fraud is found; accepting fraud would
question the capabilities/transparency/independence of the electoral
authorities. This situation is aggravated by electronic voting, not because of
the possibilities of hacking the system, but because the results come too damn
fast: victims of fraud do not have a chance to react. While they are barely
starting the legal paperwork to ask for a recount, the winner is already
giving his/her triumphant speech!

~~~
flexie
Civil war? Last time America had a civil war was 150 years ago, and not due to
election fraud. Who exactly in today's America do you see potentially engaging
themselves in civil war? Most young people - those that would usually be
recruited as soldiers - are busy studying, working (debt off). There is no
generation of idle, dead poor or undereducated youngsters to pick soldiers
from. Many of the young people are really out of shape and have lived
comfortable indoor lives. Most importantly they have better options than to
fight a war. In what scenario would more than a few thousand crazy people take
to arms because, for example Trump was caught in election fraud and impeached?
I just cannot imagine that happening.

~~~
jylam
Why are you talking about America? Parent did not. You also seem to confuse
America with USA.

~~~
briandear
America is the USA. Mexico is Mexico, the United States of Mexico to be exact.
If you're thinking of the continent North America and South America, that's a
different thing. Besides, America is a common name for the USA. You don't call
Peruvians "Americans." But you do call the United States nationality
"American."

North America isn't "the north part of America" -- the continent is named
"North America."

So the nationality is American but citizens of the continent are North
American or South American respectively.

The peoples of North and South America aren't collectively known as
"Americans." In French americain refers to "one who is from the United
States." It's the same in multiple languages. Even Spanish refers to people
from the US as americanos.

This is a subtle thing and in the grand scheme really makes no difference
unless someone feels so strongly about it that they want to change multiple
languages.

The American Embassy is not referred to anywhere (in English) as The United
States Embassy --

edit: actually "US Embassy" is common, sorry for the misstatement. However
American Embassy is very commonly used by diplomatic personnel and in general
conversation. --

I don't understand why a certain subset of people, generally from South and
Central America have such an obsession with this. Canadians never refer to
themselves as Americans. In fact, many would resent such a thing.

~~~
rodorgas
Basically, USA is a country without name. Every federalist country from
America is a united states of America. South America, Central America and
North America are subcontinents. The continent is called America.

~~~
seppin
> The continent is called America.

Never, not once in writing or in speaking heard it referenced this way.
American by itself references the USA, North or South America references the
regions.

~~~
rodorgas
From en.Wikipedia: "North America is a continent entirely within the Northern
Hemisphere and almost all within the Western Hemisphere. It can also be
considered a northern subcontinent of the Americas." In most countries
(including Brazil), we are taught that America is a single continent and
North, Central and South Americas are subcontinents (classical view).[1] Now I
see that people from USA are taught that North America is a single continent,
and the reason seems obvious now. [https://www.quora.com/Are-people-taught-that-the-Americas-No...](https://www.quora.com/Are-people-taught-that-the-Americas-North-and-South-are-a-single-continent-in-some-countries)

~~~
tathougies
The Americas is the name of the entire continent. For example, you cannot say
"I'm going to America" to mean you're going to North or South America but you
can say "I'm going to the Americas". This is similar to how you can say "I'm
going to the Philippines" but you cannot say "I'm going to Philippines".

------
sandGorgon
The world's largest elections in India are all electronic.. including voting
boxes shipped on elephant, camel, horses and canoe.

Is there a comparison of this voting system versus the others that exist?

~~~
nickik
The voting system of India has been heavily criticized by hackers. People from
the German CCC have gone there and showed how easy these systems are to exploit.
Indian authorities have reacted pretty hostile of course.

Nobody says you cannot run electronic voting, it's just hard to do it
securely. India does not do it securely.

See here for lots of information (India should be mentioned somewhere:
[https://media.ccc.de/search/?q=voting](https://media.ccc.de/search/?q=voting))

~~~
sandGorgon
I know that - but it is guarded by actual physical security. The election
commission of India is unanswerable to anyone - including the judiciary or the
legislature.. and does its job brilliantly.

Which is why I was asking the question on comparison. Because I'm not able to
figure out if it is yet-another-voting-system... or something that is peer
reviewed and secure.

------
Synaesthesia
I would like to say I think e-voting is a very good thing and could be
transformative to society, given the political will. We have a very weak form
of democracy in which we elect representatives and then entrust them to make
decisions for us (yes I know we can lobby and petition govt). However this
could allow a form of government where the population actually ratifies
decisions made by government - a direct form of democracy.

~~~
VLM
You specifically used the word "ratify" which could be very important. The
other commenters are assuming you mean voting on individual policy issues. A
more generic weekly vote of confidence or no confidence in the government in
general is somewhat more practical, although only somewhat.

The problem with a weekly vote of confidence is you're just going to motivate
massive chronological engineering such as doing everything unpopular the same
week and taking the lumps and hoping no one notices, or playing mixing games
that have nothing to do with good governance to ram something unpopular thru
the same week something happy happens (or possibly refusing to do something
popular until a stockpile of equal and opposite unhappiness accumulates).

It's not bad that both good and bad things happen simultaneously, it's bad that
they have to be stockpiled and delayed until they match up for weekly election
reasons.

I can only imagine how awful this would work for situations where the
government is sort of expected to lie for awhile, longer than a week anyway.
Foreign diplomacy, military action, negotiations of all kinds, sometimes
faking people out for more than a week is necessary to achieve victory in the
longer term (like on a scale of months years decades centuries)

Another problem with weekly confidence votes is what happens if the government
gets tossed out three times in a month, as could happen if the electorate are
generally pissed off. You can't really form a government and operate and judge
its operation in a mere week.

Now maybe an annual confidence vote is achievable. Maybe. Or maybe one weekly
no confidence vote means little more than internal "WTF are we doing"
conversations, but more than 7 no confidence in a 13 week quarter means they
all resign, something like that.

~~~
Synaesthesia
Not every decision literally needs to be ratified by the public but maybe only
the major ones.

~~~
VLM
You mean ratify in the veto sense, perhaps. That's an interesting option.

------
triangleman
The electronic voting system in Brazil is pretty well thought-out, IMO:

[https://en.wikipedia.org/wiki/Electronic_voting_in_Brazil](https://en.wikipedia.org/wiki/Electronic_voting_in_Brazil)

Still, I would not trust an electronic system unless it printed a paper
receipt behind a glass window, and dropped it into a box when I hit the submit
button.

------
coldcode
Why build an open source voting system, why not go all the way and build an
open source election system? That way no one can complain about voting or not
voting. Assuming you could find a bunch of people eligible who are willing to
do the work, building some kind of AI system would at least eliminate the
hassle, though I imagine not the complaining.

------
pksadiq
I don't know how are they going to make a Java based application to be AGPLv3
compliant.

And I don't know if the source code will be provided to every voter on request, as
voting is the service provided by the machine.

Edit: Yeah, there are exemptions for voting machines in [A]GPLv3.

------
rvdm
I've always been intrigued by Swiss software.

I'd love to know what the Swiss themselves think about this system.

To any Swiss people on HN:

— Do you feel this had a positive impact on society?

— Maybe more important, would you recommend this to other governments?

------
ljk
relevant Tom Scott video on E-voting
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

------
grondilu
What proves that the published code is the one that is actually running?

------
brazzledazzle
Off-topic: This one is kind of a curve ball for the temporary ban on political
posts.

~~~
Klathmon
that experiment has ended already.

~~~
brazzledazzle
My mistake. Sorry about that. Time really flies sometimes.

~~~
Klathmon
I don't think they announced it like they did the start of the experiment, it
was at the top of a comment section once a bit ago.

So there's no fault in not knowing!

