cool_cherry | 5 months ago

Switzerland is transitioning to online voting, and having a digital ID for authentication is helpful for that. I hope it is used as part of the voting process.

My understanding is that the current approach for e-voting in Switzerland works with voters being sent a PIN in the mail [1]. Then the voter uses the PIN to log into the system and vote. Unfortunately that means that insecurely discarded letters from non-voters could be used to cast votes on behalf of these voters.

Some jurisdictions try to use a second factor to prevent these attacks. In Ontario, for example, many municipalities use a combination of the voter's PIN in the mail + the voter's date of birth. But a date of birth isn't really secret. Lots of people know your date of birth (especially insiders at organizations that collect this data), and it may appear in data breaches or even publicly on social media. If you're curious about this, I recently co-authored a paper which is all about security problems relating to online voting credentials in Ontario -- it's relevant to the Swiss case as well: https://link.springer.com/chapter/10.1007/978-3-032-05036-6_...

Long story short, using a digital ID to authenticate to the system (like Estonia does) goes a long way to mitigate this authentication problem. However, there are still plenty of other potential risks with online voting that are unrelated to authentication (how do you prevent ballot stuffing, client-side vote-altering malware, falsified counts, etc.). And there may be privacy risks with digital ID depending on the practical implementation.

[1] https://digital-solutions.post.ch/en/e-governmenthttps/digit...

elric|5 months ago

How do any of these schemes ensure that votes can't be traced back to individuals? Secrecy is an important part of voting.

cool_cherry|5 months ago

Different systems have different approaches. If you're a voter, you can use your web browser's developer tools to see what's going on, and part of my research is essentially doing that with systems like this.

With one Ontario online voting system used by dozens of municipalities, your choice is sent via a form submission (POST) to the server. The POST contains your choice in its body (in plain text) and your browser also sends a cookie/authorization header which contains a token which was generated by the server and given to the client when the client logged in with the PIN/birthday. In that case, the online voting system could identify you and who you voted for at the time the request is made (they receive both the authorization token linked to your identity and the vote in the same request). The vendor then takes procedural steps to separate you from your vote, and the elections authority running the election receives a report of the totals (but not who each voter voted for) from the vendor.

However, other systems are a bit more complicated. They'll serve you client-side JavaScript which does cryptography with your PIN / voting choice such that you can prove to the server you are authorized and made a valid vote, but the server can't link your vote to your identity. Then there's a lot of stuff that happens to mix votes together before they are unsealed and counted. I'm not a cryptographer, so I can't give you the best explanation off the dome.

The Swiss system does try to do something that looks like the latter approach, and they hire cryptographers and security professionals (and have public testing) to ensure the system's design meets requirements for ballot secrecy and that the implementation is correct.

There's a video about how ballot secrecy is ensured with the Swiss system which you can watch at this link:

https://digital-solutions.post.ch/en/e-governmenthttps/digit...
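
The first case described in the comment above (a plain-text choice and a login token in the same POST) can be checked against a HAR export from the browser's developer tools. This is an added example, not part of the original comment or any vendor's code; the URLs, field names and HAR excerpt are constructed, and the match is a heuristic on field names.

```python
import json
from urllib.parse import parse_qs

# Hypothetical form-field names for a ballot choice; adjust per system.
BALLOT_FIELDS = {"choice", "candidate", "selection"}
CREDENTIAL_HEADERS = {"authorization", "cookie"}


def _post(url, headers, body):
    """Build one HAR 1.2 entry for a form POST (used for sample data only)."""
    return {"request": {
        "method": "POST", "url": url,
        "headers": [{"name": k, "value": v} for k, v in headers.items()],
        "postData": {"mimeType": "application/x-www-form-urlencoded",
                     "text": body}}}


# Constructed HAR excerpt; not captured from any real voting system.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    _post("https://vote.example.invalid/login", {}, "pin=0000&dob=1970-01-01"),
    _post("https://vote.example.invalid/ballot",
          {"Cookie": "session=CONSTRUCTED"}, "contest=mayor&choice=Candidate+B"),
    # Opaque value standing in for a client-side sealed ballot.
    _post("https://vote.example.invalid/sealed",
          {"Cookie": "session=CONSTRUCTED"}, "ballot_ct=b3BhcXVl"),
]}})


def linkable_submissions(har_text, ballot_fields=BALLOT_FIELDS):
    """Return POSTs that carry a credential and a plaintext ballot field."""
    findings = []
    for entry in json.loads(har_text)["log"]["entries"]:
        req = entry["request"]
        if req.get("method") != "POST":
            continue
        creds = {h["name"].lower() for h in req.get("headers", [])} & CREDENTIAL_HEADERS
        if req.get("cookies"):  # HAR also lists parsed cookies separately
            creds.add("cookie")
        body = req.get("postData", {}).get("text", "")
        exposed = set(parse_qs(body)) & ballot_fields
        if creds and exposed:
            findings.append({"url": req["url"],
                             "credentials": sorted(creds),
                             "plaintext_fields": sorted(exposed)})
    return findings


if __name__ == "__main__":
    for finding in linkable_submissions(SAMPLE_HAR):
        print(finding)
```

A request that is not flagged only means no known field name matched; it does not show that the server cannot link the ballot to the voter.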

patrickmay|5 months ago

As always, relevant xkcd: https://xkcd.com/2030

cool_cherry|5 months ago

There's a nugget of truth there, but I will say that the Swiss government has taken a very thorough/careful approach to implementing online voting. There are legislated cybersecurity standards for e-voting, individual and universal verifiability, pilot programs, meaningful observation, everything is open source, and funding is set aside to incentivize researchers to find vulnerabilities [1].

When critical vulnerabilities were found with the previous implementation done by a private vendor, they dropped their vendor and restarted from scratch, doing everything in-house [2,3].

Not all jurisdictions are so careful. Over 200 municipalities in Ontario do voting online, despite no legislated standards (though a voluntary standard was recently developed). The voting systems are offered by private vendors, no organization is responsible for certifying these systems, and many systems do not offer any cryptographic verification of the results. It's quite interesting [4].

[1] https://digital-solutions.post.ch/en/e-government/blog/volls...

[2] https://openprivacy.ca/assets/knightsandknaves.pdf

[3] https://www.swissinfo.ch/eng/politics/swiss-post-set-to-rela...

[4] https://whisperlab.org/ontario-online.pdf