A critical flaw in Switzerland's e-voting system is a microcosm of everything wrong with e-voting, security practice, and auditing firms

Switzerland is about to have a national election with electronic voting, overseen by Swiss Post; e-voting is a terrible idea and the general consensus among security experts who don't work for e-voting vendors is that it shouldn't be attempted, but if you put out an RFP for magic beans, someone will always show up to sell you magic beans, whether or not magic beans exist.


Swiss Post contracted with Barcelona firm Scytl to build the system, then consulted with outside security experts and KPMG to audit the system, and then announced a bug-bounty program that would allow people who promised to only disclose defects on Swiss Post's terms to look at some of the source code.


This kind of bug bounty is pretty common, and firms like to assert that they can be trusted to be responsible stewards of bad news about their own products and should have the right to decide who can make truthful disclosures about their mistakes and the defects in their offerings. During the fight over DRM standardization for browsers at the W3C, we pointed out that one side-effect of adding DRM to browsers would be that browser vendors and media companies would acquire a new right to silence security researchers who wanted to make factual statements about security defects in their products. At first, the commercial members and browser vendors denied that this was the case, but eventually they decided that it was true, and that this was a feature, not a bug, and set about trying to craft rules for when it would be OK for companies to decide that users couldn't know about defects in their products.


The belief that companies can be trusted with this power defies all logic, but it persists. Someone found Swiss Post's embrace of the idea too odious to bear, and they leaked the source code that Swiss Post had shared under its nondisclosure terms, and then an international team of some of the world's top security experts (including some of our favorites, like Matthew Green) set about analyzing that code, and (as every security expert who doesn't work for an e-voting company has predicted since the beginning of time), they found an incredibly powerful bug that would allow a single untrusted party at Swiss Post to undetectably alter the election results.

And, as everyone who's ever advocated for the right of security researchers to speak in public without permission from the companies whose products they were assessing has predicted since the beginning of time, Swiss Post and Scytl downplayed the importance of this objectively very, very, very important bug. Swiss Post's position is that since the bug only allows elections to be stolen by Swiss Post employees, it's not a big deal, because Swiss Post employees wouldn't steal an election.

But when Swiss Post agreed to run the election, they promised an e-voting system based on "zero knowledge" proofs that would allow voters to trust the outcome of the election without having to trust Swiss Post. Swiss Post is now moving the goalposts, saying that it wouldn't be such a big deal if you had to trust Swiss Post implicitly to trust the outcome of the election.


You might be thinking, "Well, what is the big deal? If you don't trust the people administering an election, you can't trust the election's outcome, right?" Not really: we design election systems so that multiple, uncoordinated people all act as checks and balances on each other. To suborn a well-run election takes massive coordination at many polling- and counting-places, as well as independent scrutineers from different political parties, as well as outside observers, etc.


And even other insecure e-voting systems like the ones in the USA are not this bad: they decentralized, and would-be vote-riggers would have to compromise many systems, all around the nation, in each poll that they wanted to alter. But Swiss Post's defect allows a single party to alter all the polling data, and subvert all the audit systems. As Matthew Green told Motherboard: "I don't think this was deliberate. However, if I set out to design a backdoor that allowed someone to compromise the election, it would look exactly like this."

Companies like to insist that it's OK for them to set the terms on which their products can be criticized, and assure us that they'll backstop their own internal conflict of interest by hiring giant auditors like KPMG as well as outside security experts, but for many reasons this will never be adequate. When "external auditors" actually work for the company they're auditing, there is always a tendency for those companies to fudge their findings to benefit the companies that are signing their invoices — as the UK public discovered after the multi-billion-pound rupture of Carillion, whose financial health had been attested to right up to the end by all of the Big Four accounting firms (including KPMG).


We don't accept scientific research unless the people who do it show all their work to everyone, publishing data, protocols and analysis in public forums that everyone can critique, even axe-grinding grudge-holders, because, as with whistleblowers, the people with the motivation to really dig into your work and reveal its deficiencies are often people who don't like you and want you to fail, and if we only accept bad news from people with good intentions, we'll miss some of the most important and urgent warnings about flaws that could steal a whole country's government.

"If you're building a voting system where the chief threat is somebody can hack into a server and replace votes, and if the primary mechanism for preventing that is implemented in a way that is wrong—and not just wrong but wrong in a way that I think any experienced cryptographer should have known was wrong—then … it's a disqualifying flaw in a system like this," Green said.

"We have only examined a tiny fraction of this code base and found a critical, election-stealing issue."

Although Lewis said the particular fix Scytl has apparently employed should theoretically solve the issue if the company implements it correctly, there's no reason to trust that Scytl will do it right. And given that the flaw was so fundamental to the system, and that several previous professional audits of the code never caught the problem, it raises serious questions about the rest of the system.

"We have only examined a tiny fraction of this code base and found a critical, election-stealing issue," said Lewis, who is currently executive director of the Open Privacy Research Society, a Canadian nonprofit that develops secure and privacy-enhancing software for marginalized communities. "Even if this [backdoor] is closed its mere existence raises serious questions about the integrity of the rest of the code."

Researchers Find Critical Backdoor in Swiss Online Voting System [Kim Zetter/Motherboard]