Swiss Post’s e-voting system to be used for the first time in elections this autumn following further development and successful hacker test

Swiss Post’s e-voting system will be used for the first time in the federal elections in autumn 2023. Today, the Federal Council granted the cantons of Basel-Stadt, St. Gallen and Thurgau the relevant initial authorization. This comes after the system was put through its paces again in recent months: between 8 and 31 July 2023, 2,650 hackers attempted to identify vulnerabilities in the e-voting system in what is known as a public intrusion test. Despite around 55,000 attacks, no one succeeded in penetrating the e-voting system, or even the electronic ballot box. A further audit was also carried out on behalf of the Confederation, and Swiss Post has carried out ongoing developments to its system on this basis.

In another important step for Swiss Post following the votes in June, the company’s system will be used for the first time in federal elections in Basel, St. Gallen and Thurgau on 22 October. “You can do almost everything online these days. Thanks to Swiss Post’s e-voting solution, secure electronic voting will soon be possible again. I’m proud that we are promoting the digital empowerment of the Swiss public and contributing to the ongoing development of democracy in Switzerland,” says Nicole Burth, Head of Communication Services at Swiss Post. The premiere in June was successful, with 4,239 people casting their votes electronically. And more than half of the Swiss citizens living abroad who cast their votes did so electronically.

The search for security gaps continues – renewed endurance test successfully passed

Even though the system is already up and running, the public search for security vulnerabilities continues. Between 8 and 31 July, ethical hackers from all over the world were able to put the latest version of the e-voting system through its paces as part of a public intrusion test. In such tests, hackers attack an application and aim to detect vulnerabilities, with those who succeed earning a financial reward. The test is a key tool for Swiss Post and part of its bug bounty programme, which ensures that the system undergoes continuous improvement. IT specialists from all over the world use it to identify potential vulnerabilities in the e-voting system. It means Swiss Post can fix them early on and make the system even more secure. Regular tests of this type are a legal requirement stipulated by the Confederation. In 2023, an intrusion test was conducted, during which 2,650 hackers attempted to crack the e-voting system. Following more than 55,000 attacks, none of the participants succeeded in penetrating the e-voting system, or even the electronic ballot box.

The findings in the e-voting bug bounty programme and, in turn, in the intrusion test are assigned one of four levels of severity: low, medium, high or critical. No findings classified as “medium”, “high” or “critical” were received or confirmed during the intrusion test. Following verification, Swiss Post confirmed just one of four submitted findings. This was classified as “low”. The finding did not relate to any security-related aspects and indicated an improvement in web navigation in the background. Swiss Post has already implemented this improvement. The hacker received a bounty of 1,000 francs. He also received a bonus of CHF 3,000 for being the first hacker to report a confirmed finding.

Swiss Post has already paid out around 170,000 francs in rewards

Swiss Post has developed the system in Switzerland, for Switzerland. Security is our top priority and is an area that Swiss Post is continually monitoring. Besides the public intrusion test, which Swiss Post conducts on a recurring basis, there is an ongoing public review of the programming code, the specifications and other essential documentation of the e-voting system. The latest versions of these documents are always publicly available for specialists to check. Swiss Post has already received over 285 reports this way and paid out over 170,000 francs in rewards to IT specialists and ethical hackers. Swiss Post continued to develop its system after another test commissioned by the Confederation in the second quarter of 2023. Swiss Post has examined the expert reports in detail and already started implementing the suggested improvements. It will continuously develop the system in accordance with the areas of action outlined in the catalogue of measures. The experts’ audit reports and Swiss Post’s response reports are publicly available.

The test platform for electronic voting is now available to all interested parties

In the run-up to the federal elections, Swiss Post has adjusted the functions on its e-voting test platform so that any interested parties can now run an electronic election to see how e-voting works. Compared with a vote, the election process is more complex as there are more choices. Voting works just like on paper. Interested parties can, for example, try electronically replacing candidates on a list (“splitting the vote”) or listing a name twice (“accumulating”).

Link to the test platform: demo.evoting.ch

How the e-voting test platform works:

In an initial step, users need to download a digital voting card. They can print it out or use a digital version. For real contests, voters receive the voting card with the information on e-voting and the other official voting papers by post. Users log in to the e-voting system by entering the start voting key, which can be found on the voting card, as well as an additional authentication feature. For a real contest, this feature may differ from canton to canton: for example, the year or date of birth. All users use the pre-defined year of birth 1980 on the test platform. In a few steps, the test person is taken through the process to the end where the trial vote is cast.
