Further, vote privacy is threatened at the client side. The fact that they specifically exclude client vulnerabilities is telling: "... known and accepted characteristics of the system will however not be accepted. Such “issues” include: Any operation compromising the vote privacy on the client-side (e.g. browser extension);" They even met "issues" in quotes, even tough these are a common attack vector. They are real and dangerous.
It's common in Switzerland to vote by mail, so there's the possibility that people get pressured into voting in a certain way by their relatives. But the scale is very different when people must expose their voting preferences to a machine they already know watches them.
On the counting side though, I don't fully agree. Paper voting sees some enormous mistakes. Whether they are intentional or not, but it has happened before where an entire town's votes for a candidate missed a zero. No election observers or people sent from either party noticed it until a volunteer pointed it out. Electronic voting isn't going to make such mistakes and I believe that if the process is handled well, then the secrecy of the vote shouldn't be an issue from the server side.
But again, there's nothing you can do about the client side attack vector.
Who has the skill to be able to assess such a system ? And among those, who has the time ?
I've been a programmer for 15 years and I'm pretty sure I would not be able to look at such a system and feel confident there is no error. And definitly not in the reasonable time period required for voting.
I believe the parent's example was to show that it was missed by the system that was intended to catch it. That the catch in itself was a fluke, lucky.
It should bring into question "How many times have we missed and not caught it?" not "Well it worked this time, it must always work." In fact, we can only recognize cases if we catch them. Therefore it is confirmation bias to use this example as a "proof of it working". It can only serve as an example of "We have caught failures in the system" and suggest that we should be wary of others existing (neither proving nor disproving fault in the system).
In electronic voting, you just have to trust the machine to do it right. There are multiple layers of manipulation available that are hard to detect. Sure, the bar is higher, but so are the opportunities for doctoring by the involved actors. What are the watchers to do? They simply can't watch the ballot box when it's inside a machine where no single human can fully understand its machinations.
There is an out. If no single person can prove their vote but people in aggregate can.
If a voting platform has such a trail, what becomes of ballot secrecy? And if it doesn't, how will the process be reliably audited?
I'm sure a simple, transparent, and bullet-proof blockchain solution is just around the corner. /s
There was this interesting talk years ago. https://www.youtube.com/watch?v=ZDnShu5V99s
Does anyone in the space have a more up to date reference on where things are at ?
Contrast this with a box where you can watch the pieces of paper as they are put inside. And as they are taken out again. As long as you can watch the box, you can can verify the process.
The central issue with electronic voting is that it is centralized.
> Scalable manipulation of votes that is undetectable by voters and trusted auditors;
Such a bug would be a complete worst-case failure and if you report it, it would net you up to 50'000 CHF. This is a ridiculously low amount for such a critical infrastructure.
The expected black market value of such a vulnerability is way way higher. Just to give you a frame of reference, in Switzerland we have 4 national votes a year and depending on the topic, affected interest groups and parties spend between 3 to 6 Mio CHF per vote for ads and influence. Now do the math yourself, whats the expected value of a vulnerability "undetectable by voters and trusted auditors" in a 10-20 Mio/y market (just at the national level) for influence?
Still the 150,000 CHF maximum bounty is way too low. Even though the system has already been pen-tested, there could still be dozens of undetectable vote manipulation bugs out there and they should not reduce the incentive of finding them by capping the payouts.
At the moment I see the project quite positive. For example in Germany they used a closed sourced software called "PC Wahl" and the ccc had quite some difficulties to get the source code. And when they got it the catastrophe just began. The software included such funny things like a 1 byte (sic!) hash as checksum. Then it had a weird encryption created by the guy who coded the software, which wouldn't even met 80's standards. Also the software was distributed via a cheap, hosted web server with the login credentials "test" "test" (sic!) and there wasn't any signatures for the updates nor for the transmitted results. To see the hole catastrophe you can watch "PC Wahl Hack" with Linus Neumann. It's quite funny especially when you hear that the software company (from that one guy who coded it since the 90s) was sold for about 1 Mio. €.
You might be low balling it yourself. The influence market has a limited value because players who would want to influence towards outlandish outcomes (ex. a union with Russia, declaring war to Germany or simply self-destruction via civil war) know they are wasting their money since their desired outcome is essentially impossible to achieve.
A system where you can enforce a change of leadership in a OECD country with 700 billion GDP is worth at least billions, if not tens of billions. You could recover most of your costs simply by influencing government purchasing for 4 years, and get any politically desired outcomes for free.
Would you mind explaining what Mio means in this context.
6 million x 3 to 6 million CHF = I’m confused.
1 CHF = about 1 USD?
36,000,000,000,000 CHF four times a year. M
I know I’m very tired. Did I miss something?
Thanks for clearing that up.
The paper ballot and manual counting here is Switzerland works and needs no fixing.
Seems to me like this is the wrong approach. Essentially, they’re saying they they have no idea how much they can pay per bug.
A sensible approach would be to insure bug bounties, at least up to the amount that a black hat could profit from compromising the system.
I'm guessing the 150'000 means they'll stop paying for new bugs once they've reached that amount.
Source:  -> Q&A regarding the public intrusion test -> Is the federal government allowed to pay for hacker attacks?
To those who think that 150’000 Fr. compensation is too low — think of the prestige! Hacking the Swiss voting system, the only direct democracy in the world! No amount of money is equal to that.
I can't say I'm 100% sure that's the best strategy, but I think it makes at least some sense.