Finding a Security Flaw in Internet Voting is a Good Thing

Swiss law guarantees that every Swiss citizen has the right to vote, whether or not they currently live in the country. Overseas citizens have previously pushed for e-voting, arguing that postal methods are frequently delayed, making them unreliable. Votes are also a much more common occurrence in Switzerland, whose system of direct democracy calls for as many as a dozen national votes every two years.

Switzerland is not the only country to have considered online voting, but the threat of security scares or privacy problems, fueled by anti-Internet voting activists, has caused election officials elsewhere to drop their plans. For example, France and the U.K. dropped their Internet voting plans. In the United States, an email voting method, which they call Internet voting, is available to overseas service personnel in 25 states. However, in most of these states they must submit their ballots via email, which is less secure than Internet voting. In some, they are actually required to sign a waiver giving up their privacy in order to vote by email. The one exception is the state of West Virginia, which engaged an Internet voting technology company, Voatz, to enable overseas Internet voting for military personnel. The implementation worked quite well, with dozens of military voters voting from dozens of countries (yes, countries, not counties). Despite criticisms from the anti-Internet voting activists warning it was unsafe, the voting was secure, private, and verifiable.

The Swiss government is taking an innovative approach to Internet voting. Rather than wait for the normal criticisms from the anti-Internet voting activists, the country offered “bug bounties” of around $50,000 to any registered “white hat” hacker who could find vulnerabilities in its Internet-based e-voting system. The Swiss Post system for Internet voting was open for a dummy election between February 24th and March 24th, the length of a typical Swiss federal vote, during which time any registered “white hat” hackers were free to discover and report vulnerabilities. Thousands signed up to do so.

A top security expert last week published an article titled, “Critical Flaw in Swiss Internet Voting System”. I consider the “bug bounty” to be a great success. The flaw which was discovered was real, but one which some (including me) would consider a hypothetical flaw. It was real but not easily exploited. Few if any have the knowledge to challenge the expert’s logic for why the newly proposed Internet voting system should not be implemented in Switzerland. However, my view is the election should go on and be carefully monitored with regard to the flaw.

The basic problem I see is the anti-Internet voting activists are comparing the Swiss Internet voting system to a perfect system, which Switzerland (or any country) will never have. The Internet voting system should be compared to the old-fashioned paper-based error-prone system we use today. It is very far from perfect, and many millions of people do not get to vote because of it.

Security, privacy, and verifiability should not be ignored, and finding and fixing vulnerabilities should be a top priority. Security experts should be listened to. Few, if any, persons have the knowledge to challenge the expert’s logic. However, we should all expect more than the “sky is falling” fears offered. In addition, security experts should offer suggestions on how to proceed with the least possible risk, but not necessarily zero risk. Otherwise, we continue to disenfranchise the millions who cannot vote because they can’t get to the polls or who believe a paper ballot may not get to the polling place on time or even be counted unless there is a tie. West Virginia and other trials have shown what is possible.
