E-voting: democracy at risk?

So-called e-voting systems are very complex: It must be possible to clearly prove to all participating voters that their vote was counted exactly once correctly and anonymously. This is not fully guaranteed with today's postal and ballot box voting either, but there at least established and socially accepted control processes are in place. Therefore, a new, technical system should not be worse than its predecessors, but better. In addition, voters understand a sheet of paper with a blank field even without further digital aids, which they would also have to trust "blindly".

Even tests are of little use

Moreover, IT systems are known to be error-prone. There is no reason to believe that this should be any different with digital voting systems. Errors can occur in the algorithm, in the implementation, in the underlying hardware and software components and/or in the operation, maintenance or monitoring. A test (even for a significant prize money) is not meaningful even in the sense of a snapshot for the future: For on the one hand, such tests can only prove the presence of errors, but not their absence. On the other hand, the knowledge of a possible manipulability of elections and votes (possibly with an effect on Switzerland's foreign relations) would be worth much more to states and hackers - they would therefore probably rather use the knowledge of vulnerabilities tacitly and not disclose it for a one-time payment.

No safety guarantees

Furthermore, an e-voting system is always embedded in an additionally complex ICT infrastructure. It extends from the end systems of the users (PC, tablet, cell phone), which are not known to the operators, to a dynamic chain of Internet network providers, and finally to the central e-voting systems. In this complex end-to-end chain, conclusive and sufficient security and availability guarantees cannot be given. Attacks on shared infrastructures ("denial of service" against Internet providers, central DNS servers, etc.) are to be expected for political and ideological reasons. Even large corporations today can only protect themselves against such attacks with difficulty and by using external supplementary services. It cannot therefore be assumed without further ado that Switzerland will be able to build up appropriate redundancies here without calling on (possibly foreign) auxiliary services. And this for an election or vote in Switzerland!

Comparison with e-banking lags

The comparison with e-banking, which is assumed to be secure, is also flawed. The banks have invested a great deal of money and effort in ongoing security monitoring and improvements for about 20 years, and will continue to invest heavily in the future. However, it is generally accepted here that even these systems are not completely secure, primarily because customers' terminal devices are involved outside the banks' jurisdiction and secure user behavior plays a large role that can hardly be influenced. Moreover, the corresponding, often rather one-sided shifting of risk through e-banking contracts and GTCs would hardly be acceptable for national e-voting.

Consequences of possible election interference

 These technical vulnerabilities pose significant threats to the orderly, comprehensible and sufficiently accessible conduct of elections and votes. What happens if the software client or browser crashes in the middle of casting a vote? How can the person voting be sure that all or part (or none) of his or her vote has been cast and counted? What should happen if access to the relevant network or server infrastructures is not possible or severely slowed down at the time of voting? Workarounds such as voting in person at the polling station, which is then probably still just possible in terms of time, clearly show the limits of digitization. A large number of declining voter turnout and complaints would probably be pre-programmed. In addition, even a rumor (quickly generated by fake news on the following day) of an influence on a very close election result would provoke great uncertainty and immediate calls for the cancellation or repetition of elections and votes. There have already been successful and (presumably) not illegally influenced electronic votes both cantonally in Switzerland and in other countries. However, to immediately extrapolate these as a major success and an imperative for action is neither statistically nor substantively permissible. Perhaps these pilot tests were simply not attractive enough for hackers to attack. Large neighboring countries such as France and Germany are not slowing down their e-voting efforts without reason, and countries such as Norway have decided not to introduce electronic voting systems for fear of possible interference.

Conclusion

 There are significant concerns about the security and availability of e-voting that need to be addressed carefully, even if this takes time. Creating time pressure for political reasons is rarely helpful and leads to dangerous solo efforts in individual cities or cantons. Only incompatible subsystems would emerge, for each of which very specific and expensive know-how would have to be built up and maintained. E-voting will therefore not save any costs in the short and medium term, as neither postal voting nor ballot box voting can be replaced until 100 percent of voters are "online" or want to be. On the contrary, significant additional project-related and operational costs are incurred. The argument of greater participation of the younger generation in political decision-making also seems only superficially valid. The complexity of voting proposals and the observed disenchantment with politics among sections of the population can hardly be remedied by simply providing digital access. Not every opponent of e-voting is an "ossified" traditionalist or has not understood digitization. With regard to digitization, there would certainly be other fields of activity that could be addressed with less risk to one of the essential pillars of direct democracy. There is no need for Switzerland to rush ahead here, except in the context of a limited and closely monitored pilot: for example, to better engage the significant group of Swiss abroad who are eligible to vote (e.g., in countries with restrictions on participation in a postal vote). It would also be conceivable to use and test e-voting in more depth for consultative voting (but with presumably low participation and statistical significance). A compromise between the idea of a general moratorium and an immediate blanket coverage of e-voting would therefore be entirely possible without any pressure of time or action.

About the author: Prof. P. Lubich is a lecturer in ICT systems and service management at the University of Applied Sciences Northwestern Switzerland. He is also a consultant for IT strategies, information security and risk management.