Swiss Post’s e-voting source code now publicly released
Swiss Post’s e-voting project is moving into the next phase: Swiss Post is publishing a further system component – the source code of its beta version – and is launching a global bug bounty programme. The company is consistently publishing the details of its e-voting system. This is to ensure its system meets the highest security standards. Experts and system testers around the world have been invited to share their ideas and the findings of their analysis with Swiss Post.
With the publication of the revised source code and the launch of its bug bounty programme, Swiss Post’s e-voting system is entering an important security process. Swiss Post is publishing the source code of one of the core components of its e-voting system in the coming days. The company will be displaying the source code in full, i.e. all 150,000 dense lines of code. The code shows how the software is written with each cryptographic component, and how it works. IT experts and cryptographers from around the world are being invited to check the documents, to identify any issues and to share their ideas. Anyone who successfully finds a vulnerability can expect a reward of up to 250,000 francs depending on how major the bug is.
Since the start of the year, Swiss Post has consistently published key parts of the beta version of its system in full. This ensures any changes in development are visible to everyone. External experts can carry out tests to help ensure the system is capable of meeting the highest security standards today. This process is an internationally recognized best practice. The transparency of the process also meets the Confederation’s requirements regarding e-voting in Switzerland. The law stipulates trials can only be carried out on those e-voting systems that are published in full and on a consistent basis. Swiss Post expects to be able to make its system available to those cantons interested in 2022.
Transition to the digital world
Today, in its role as a trusted conveyor of sensitive data and documents, Swiss Post delivers around 20 million election and voting documents to households and voting authorities every year. The company also wants to be able to provide this service in the digital world, while respecting postal and mail secrecy. To do so, Swiss Post, a state-owned, neutral corporation, is developing a Swiss solution for those cantons interested. Since 2020, a specialist team of Swiss Post cryptographers and software engineers based at the Neuchâtel cryptography center have been working on the development of the e-voting system. Specifically, the e-voting team has either rewritten, tweaked or completely overhauled the core elements of the system. Seeing as Neuchâtel is well known for its castle, let’s use that as a metaphor: Swiss Post has applied its own experience and insights from the previous system, but it has not completely rebuilt the castle from the ground up. Instead, it has taken the most important walls, ramparts and passageways and connected them to the new sections of the castle, so to speak, and incorporated them into the new system of defence. The IT teams in Zollikofen in the Canton of Bern and the Swiss locations of Swiss Post’s two data centers are responsible for running the system and its infrastructure. All data used, including during future operations, will remain on Swiss Post servers or the servers of Swiss cantons.
“Looking forward to feedback”
Even though work on some further aspects of Swiss Post’s e-voting system behind the scenes is scheduled over the coming months, the excitement is building with the publication of the source code and the launch of the bug bounty programme. This is especially true of the team led by Denis Morel,
Head of E-Government in Swiss Post’s Communication Services unit. He is the project manager in charge of developing the e-voting system. Being a pragmatic mathematician, he knows that one plus one can only possibly equal two, and not three or four. That said, he welcomes the public release of the codes and formulas: “I’m looking forward to seeing the findings submitted by the expert community worldwide. The system is still in development, and involving external specialists will help us to make improvements and identify vulnerabilities in the system quickly,” says Morel. “It’s an important step in order for us to meet the high security standards for e-voting in Switzerland”.