Fully automated, secure systems for electronic voting are technically feasible, but implementing them remains a challenge. Security breaches have resulted in a lot of scepticism. For the moment, computer experts say, a completely paperless system is not an option.
«Systems currently used in Switzerland do not allow voters any way to check what has happened with their vote. They have no option but to trust the system,» says Rolf Haenni, a professor of computer science at the Research Institute for Security in the Information Society (RISIS) of Bern Technical College, based in the town of Biel.
«Great importance has been attached to some of the security aspects,» explains Haenni’s colleague, RISIS director Eric Dubuis.
«But the first-generation systems lack a feature which we have been calling for, for years – verifiability – that is, the option for the voter to check whether his vote has really been cast in the way he intended.»
Putting it very simply, an electronic voting system consists of a central computer, which counts votes, and the personal computers used by the voters.
In theory, an election result could be manipulated by a hacker attack on the main computer or by infecting the individual voters’ computers with malware. Malware could make the central computer register a «no» even though the unsuspecting voter entered a «yes» on the screen.
Stealing votes
In elections and votes, there are often strong interests at stake. An unscrupulous lobby group could infect thousands of unprotected computers and thus steal the vote. Computer scientists have been warning of such a scenario for the past ten years.
At first glance, the simple solution would seem to involve the central computer sending each voter an acknowledgement of his or her vote as cast, just like an online shop confirming a customer order.
But this is not an option, because the secrecy of the ballot has to be maintained. «The system is not allowed to know how I vote, nor is the system administrator for that matter. Which makes things a lot more difficult,» explains Haenni.
It is expected that the second generation of e-voting will gradually be introduced in Switzerland next year. This time, along with the voting papers, eligible voters will get an individualised four-digit code for «no» and another code for «yes».
Once the voter has cast his or her vote, the system sends back what is called a verification code. This can be compared with the code on the voting papers. Any manipulation will be immediately apparent.
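The return-code mechanism described above can be simulated end to end. The following is an added example, not code from the Swiss system or from RISIS: a printing authority draws an individual four-digit code for «yes» and one for «no», the voter's (possibly infected) PC sends a choice, the server answers with the code belonging to whatever choice actually arrived, and the voter compares it with the card. The voter id, the choice names and the single `ReturnCodeComponent` holding the card table are assumptions made for the demo.

```python
import secrets
import hmac

CHOICES = ("yes", "no")


def generate_card_codes() -> dict:
    """Printing authority: draw an individual four-digit code per choice.
    The two codes on one card must differ, otherwise the voter could not tell
    the outcomes apart, so a duplicate is redrawn."""
    codes = {}
    for choice in CHOICES:
        code = f"{secrets.randbelow(10_000):04d}"
        while code in codes.values():
            code = f"{secrets.randbelow(10_000):04d}"
        codes[choice] = code
    return codes


class ReturnCodeComponent:
    """Server side (assumed structure for this demo). Holds the card table and
    answers every accepted ballot with the code belonging to the choice that
    actually arrived. Simplification: here one component sees both the table
    and the plaintext choice; deployed schemes split this across parties so
    that no single one learns how a voter voted."""

    def __init__(self, card_table: dict):
        self._table = card_table

    def accept_ballot(self, voter_id: str, received_choice: str) -> str:
        if received_choice not in CHOICES:
            raise ValueError("invalid choice")
        return self._table[voter_id][received_choice]


def client_cast(intended: str, malware_flips: bool) -> str:
    """The voter's PC. If infected, the choice is flipped on the wire while the
    screen still shows what the voter selected."""
    if malware_flips:
        return "no" if intended == "yes" else "yes"
    return intended


def voter_verifies(card: dict, intended: str, returned_code: str) -> bool:
    """Voter compares the returned code with the one printed on the card next
    to the choice they meant to cast."""
    return hmac.compare_digest(card[intended], returned_code)


def simulate(voter_id: str, intended: str, malware_flips: bool) -> dict:
    card = generate_card_codes()                     # reaches the voter by post
    server = ReturnCodeComponent({voter_id: card})   # table stays with the authority
    received = client_cast(intended, malware_flips)
    returned = server.accept_ballot(voter_id, received)
    return {
        "received_by_server": received,
        "returned_code": returned,
        "voter_accepts": voter_verifies(card, intended, returned),
    }


if __name__ == "__main__":
    print("clean PC :", simulate("voter-0001", "yes", malware_flips=False))
    print("infected :", simulate("voter-0001", "yes", malware_flips=True))
```

On a clean PC the returned code matches the «yes» code on the card; on the infected PC the server answers with the «no» code, which the voter does not find next to «yes», so the flip is noticed. Malware that also rewrites what the screen shows would have to guess the voter's «yes» code, one chance in 10,000 per ballot, which is why large-scale manipulation cannot stay unnoticed. The check says nothing about whether the central system then counts correctly; that is the separate problem the article turns to next.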
Right direction
This development is going in the right direction, says Dubuis. «Because people would notice, it is no longer worth anyone’s while to plant malware. That is a huge difference from the present system, for the risk is there as it stands that manipulation could go unnoticed.»
However, with this new system, the effort required to ensure the central security of data and the correct counting of the votes is considerable.
Errors still cannot be completely excluded, and manipulations – say when the code is printed – are still possible in theory. Dubuis and Haenni therefore also argue for a further change to the system, involving «openness of the data, specifically of the encrypted votes».
The problem that remains is the possible tracing of data back to their sender, and therefore loss of the secrecy of the ballot. The solution is by analogy with the transparent ballot-boxes used in France.
«You see at the beginning that they are empty, then they are shaken, so no-one can tell who voted or how,» says Dubuis.
Transparency
In electronic terms, that means openness or transparency of encrypted data, but making the data anonymous before they are decrypted.
«The data are mixed several times cryptographically. The mixed votes can no longer be matched with the order in which the original votes were cast. In terms of content, however, they are identical. This can be proved mathematically,» says Haenni.
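The cryptographic mixing Haenni describes can be shown with a re-encryption mix-net over ElGamal. This is an added example and not the RISIS or Norwegian code: every mixer re-randomises each encrypted vote (multiplies in an encryption of 1, so the plaintext is unchanged) and shuffles the list, and after several independent mixers only the mixed list is decrypted. The group parameters (a 10-bit safe prime), the vote encoding and the number of stages are assumptions chosen so the example runs offline; the zero-knowledge proof of correct shuffle that lets observers verify the mixing without decrypting anything is not implemented here, so the "same content" check below simply decrypts both lists, which only a demo may do.

```python
import secrets

# Toy ElGamal group: safe prime P = 2Q + 1 and a generator G of the order-Q
# subgroup. Constructed for this example only; real parameters are far larger.
P = 1019
Q = (P - 1) // 2           # 509, prime
G = 4                      # a quadratic residue, hence of order Q
_rng = secrets.SystemRandom()

# Each vote is encoded as a quadratic residue so it lies in the same subgroup.
ENCODE = {"yes": 4, "no": 9}
DECODE = {v: k for k, v in ENCODE.items()}


def keygen():
    """Tallying key pair; in practice the secret key is shared among trustees."""
    sk = _rng.randrange(1, Q)
    return sk, pow(G, sk, P)


def encrypt(pk: int, m: int):
    r = _rng.randrange(1, Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def reencrypt(pk: int, ct):
    """Multiply in an encryption of 1: same plaintext, unrelated-looking ciphertext."""
    a, b = ct
    r = _rng.randrange(1, Q)
    return (a * pow(G, r, P) % P, b * pow(pk, r, P) % P)


def decrypt(sk: int, ct) -> int:
    a, b = ct
    return b * pow(pow(a, sk, P), -1, P) % P


def mix_stage(pk: int, cts):
    """One mixer: re-randomise every ciphertext, then permute the list. Without
    the mixer's random values an observer cannot match output to input positions."""
    out = [reencrypt(pk, ct) for ct in cts]
    _rng.shuffle(out)
    return out


def tally(sk: int, cts) -> dict:
    counts = {choice: 0 for choice in ENCODE}
    for ct in cts:
        counts[DECODE[decrypt(sk, ct)]] += 1
    return counts


def same_contents(sk: int, before, after) -> bool:
    """Demo-only check that mixing changed order and randomness but not content.
    A real system proves this in zero knowledge instead of decrypting `before`."""
    return sorted(decrypt(sk, c) for c in before) == sorted(decrypt(sk, c) for c in after)


def run_election(votes, stages: int = 3) -> dict:
    """Encrypt the votes in cast order, pass them through `stages` independent
    mixers and decrypt only the mixed output."""
    sk, pk = keygen()
    cast = [encrypt(pk, ENCODE[v]) for v in votes]
    mixed = cast
    for _ in range(stages):
        mixed = mix_stage(pk, mixed)
    return {
        "tally": tally(sk, mixed),
        "contents_preserved": same_contents(sk, cast, mixed),
    }


if __name__ == "__main__":
    # Constructed sample ballot box.
    print(run_election(["yes", "yes", "no", "yes", "no"]))
```

Each mixer sees the previous list and knows only its own permutation and random factors, so linking a decrypted vote back to the voter who cast it would require every mixer to collude. The decryption key is never applied to the unmixed list outside this demo's `same_contents` check.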
These procedures are scientifically certified and recognised as valid and 100% reliable, and the secrecy of the ballot is maintained, according to Haenni.
Such a mixing system is highly complicated, he adds.
«We have used such systems here for elections to student councils. We are still working on them. There is no off-the-shelf solution available. Norway has recently been doing pilot studies using a mixing system.»
Dubuis is assuming that this system – if the political will is there – could be introduced to Switzerland in two to three years.
Paperwork
One big drawback remains. In spite of all the technology deployed, conventional postal mail is needed to maintain confidence, says Haenni. The codes have to reach the voter on paper; electronic transmission is ruled out for security reasons.
Researchers have been working for years on the third generation of e-voting, which will involve an extra device.
«A computer or smartphone can always play tricks on me, in theory. One cannot trust these devices 100%. The problem is basically insoluble,» says Haenni.
So two years ago the RISIS researchers were commissioned by the Federal Chancellery to develop a model based on a purely electronic system that dispenses with the costly and labour-intensive use of conventional postal mail.
Their solution is an additional piece of machinery, like the devices which banks give their e-banking customers, a device «with as few functions as possible, which is not hooked up to the Internet, and is as restricted as possible, not programmable, and inexpensive,» says Haenni.
These devices photograph the ballot, that is, the vote code on the computer screen, and then send it to the computer over USB or a wireless link, and from there to the central computer. The data package remains encrypted throughout the process. Access to the data by these devices is protected by a secret numeric password (PIN).
As good as a banknote
The confidence in such a device must be as great as the confidence in a Swiss banknote.
«The devices will have to be certified by the Federal Chancellery,» says Dubuis. He admits that a few questions are still open, but insists it is certainly not pie in the sky.
«We still have to do some research work, and it is a matter of the political will too. We could also combine several different functions,» he adds.
The open questions are about the logistics of distribution, and costs, not only for production and distribution, but also for day-to-day management: PIN codes can be lost, a device not regularly used can easily be misplaced, or batteries may run down.
Dubuis is also thinking of a device which would allow other electronic contacts with government and the user’s bank. So why not try out the device that almost everyone now has on them all the time, the smartphone?
«Makers of smartphones could build in a second, non-programmable operating mode. That would be technically doable,» says Haenni. The first mode would be programmable – with apps and other software, so there could be malware there too. Only the second, non-programmable operating mode would be secure. Here no malware could creep in.
Yet this is an ideal scenario which is unlikely to become a reality. «The manufacturers are looking at the world market, and Switzerland doesn’t count,» says Dubuis.