Switzerland’s E-voting: The Threat Model

Part 5 of a 5-part series starting here

Switzerland commissioned independent expert reviews of the E-voting system built by Swiss Post.   One of those experts concluded, “as imperfect as the current system might be when judged against a nonexistent ideal, the current system generally appears to achieve its stated goals, under the corresponding assumptions and the specific threat model around which it was designed.”

I have explained the ingenious idea (in the Swiss Post system) behind client-side security:  because the voter’s computer may be quite insecure, because the client-side voting app may be under control of a hacker, keep certain secrets on paper that the computer can’t see.  Professor Ford, the systems-security expert, points out that part of the threat model is:  if the printing contractor is corrupt, that prints the paper and mails it, then the system is insecure.

The new threat model in 2022. But I’ll now add something to the threat model that I would not have thought about last year:  Step one of the voter’s workflow is, “type in a 20-character password from the paper into the voting app.”

In the old days (2020 and before) the voter would do this using a physical or on-screen keyboard.  In the modern era (2022) you might do this using Apple’s “live text”, in which you aim your phone camera at anything with text in it, and then you can copy-paste from the picture.  And, of course, if you do that, then the phone sees all

Read more

Explore the site

More from the blog

Latest News