Switzerland’s proposed new e-voting system—which isn’t on the blockchain—has a flaw serious enough to allow hackers to steal an election without being detected.
On March 12, news site Swissinfo.ch reported that white hat hackers participated in a public intrusion test of Swiss Post’s proposed new Internet voting system. They found what the Federal Chancellery described as a “significant flaw” that could refocus attention on the blockchain-based voting system tested recently in the heart of the nation’s crypto-friendly region. Swiss Post stated that the source code error had been fixed the same day.
The small, permissioned blockchain-based e-Vote system was tested by 72 voters in the Swiss city of Zug from June 25 to July 1, 2018, in a non-binding vote on several minor local questions, such as the use of fireworks at a local festival and ways the municipal government could use the digital IDs it issues.
“We’ve focused on communicating the value of the technology, privacy and verifiability aspects, as well as ease of use,” says Vasily Suvorov, CTO of Swiss IT firm Luxoft, which built the Zug e-voting system. “Our deployment did not require a public intrusion test, and successfully delivered the requirements.”
The e-Vote system is an open-source, permissioned distributed ledger technology (DLT) solution built on Hyperledger Fabric that anonymizes votes while providing tamper-proof tallying and secure audits. Because the votes are recorded on a blockchain maintained on a number of servers, they cannot be tampered with after the fact.
Suvorov says his company’s system could be a better choice for Swiss e-voting, which he has in the past called “a fundamental mechanism for direct democracy.” Direct democracy is strong in Switzerland, which votes on constitutional changes, accepting or rejecting new laws, and popular referendums several times a year. A recent government survey found nearly 70 percent of its citizens support e-voting.
Suvorov points out that Luxoft’s blockchain-based e-Vote system is only half of the technology tested in the Zug pilot, which also relied on a mobile voting app built on an Ethereum-based digital ID platform built by uPort, a ConsenSys company. “The goal [was] to understand how end-to-end technology—e-ID and blockchain—would work in a realistic setting,” he says. The Swiss Post system also incorporates a secure digital ID system.
“An e-voting system is a complex software solution and each of its components has to be properly verified,” Suvorov told Modern Consensus. “The only way to achieve progress and ensure e-voting on the blockchain or any other public services system will be secure is to make the systems openly available, drive adoption via controlled pilots, and encourage peer review.”
No more centralized control
While applauding Swiss Post “for opening [its] system for public scrutiny and audit,” Suvorov notes that “one vulnerability was related to centralized control. With a blockchain-based system it’d be mitigated—no single party would be able to change votes without alerting other participants.”
In announcing the findings of its bug bounty program, Swiss Post noted that the government-mandated open testing process—offering rewards of up to 50,000 Swiss francs (about $50,000)—worked exactly as intended. “The error in itself did not make it possible to infiltrate the e-voting system,” Swiss Post pointed out in a statement. “To exploit the weak point the attacker had to override numerous protective measures. They needed control over Swiss Post’s secured IT infrastructure, for example, as well as help from several insiders with specialist knowledge of Swiss Post or the cantons.”
Which is exactly the point, said Sarah Jamie Lewis, executive director of the Canadian non-profit Open Privacy Research Society, in a March 12 Tweet: “Do not let people minimize this issue. This isn’t ‘some random hacker can steal an election’ this is ‘Swiss Post can prove they didn’t steal an election, even if they did.’”
In its research document for the Zug vote, Luxoft noted that because its blockchain-based e-Vote solution is decentralized, “a set of entities validate the votes, and every entity must agree how a vote has been cast before recording it. A validator may not only be the organizer of the poll, a government for example, but it could also be various accredited institutions…. Such a process ensures that even a corrupt government cannot forge the votes. In other words, the decentralized system protects against internal falsification.”
Blockchain-based e-voting systems have been tested in other countries, including the U.S., South Korea, and Japan. Among these was Overstock.com-owned blockchain voting company Voatz’s groundbreaking West Virginia pilot program during the 2018 midterm elections. And Denver and Moscow have both announced they intend to trial the technology in municipal elections this year.
Note: Updated at 6:30 pm EST on March 13 to add comments from blockchain e-voting system creator Luxoft’s CTO Vasily Suvorov.