
© 2019 UZH, CSG@IfI

The Swiss Postal Voting Process and its System and Security Analysis

Christian Killer and Burkhard Stiller
Department of Informatics IFI, Communication Systems Group CSG, University of Zürich UZH
[ killer ¦ stiller ]@ifi.uzh.ch

4th E-Vote-ID 2019, October 1-4, 2019, Bregenz, Austria

Introduction
Remote Postal Voting
Threat and Risk Analysis
Conclusions


Introduction – Advertisement


Swiss public initiative on a “Secure and trusted democracy”


Proposed Law

... if it is guaranteed that at least the same security against manipulation exists as in the case of hand-written voting ...



Comparing “Systems”



The Swiss RPV Case

The Swiss RPV is fragmented and difficult to generalize, due to federalism in Switzerland, autonomy, and the involvement of many external suppliers.

Goal: To identify weaknesses of RPV to allow for “hardening” of the RPV through security and risk assessment.

– Disclaimer: Focus on generalization, may not cover all cantons and processes exactly, leaves room for exceptions.

– Many exchanges with Swiss authorities and external suppliers



RPV From a Voter’s Perspective



PVPF: Postal Voting Process Flow



Identification of Stakeholders

[Figure: stakeholder diagram with the following legend]

Federal Government
Federal Chancellery
Cantonal Government
Municipality
Municipal Election Office
Eligible Voter
The Swiss Post
External Supplier
Security Threat



PVPF Phases

Divided into phases A to G with various stakeholders

[Figure: PVPF: Postal Voting Process Flow, with stakeholder legend: Federal Government, Federal Chancellery, Cantonal Government, Municipality, Municipal Election Office, Eligible Voter, The Swiss Post, External Supplier, Security Threat]


PVPF in Detail

[Figure: PVPF: Postal Voting Process Flow]


A: Setup, B: Delivery



A: Setup, B: Delivery

THREAT EVENTS

TE1: Delay production of physical artifacts
TE2: ER master records
TE3: ER snapshot data
TE4: Forge physical artifacts
TE5: Steal assembled VEs before dispatch
TE6: Re-route VEs
TE7: Steal VE from voter letterboxes


PVPF in Detail

[Figure: PVPF: Postal Voting Process Flow]


C: Casting, D: Storage, E: Tallying



C: Casting, D: Storage, E: Tallying

THREAT EVENTS

TE8: Steal cast VEs from municipal letterbox
TE9: Re-route VEs
TE10: Cast stolen or forged VEs
TE11: Access stored VEs
TE12: Manipulate tallying
TE13: Manipulate final tally


F: Validation, G: Destruction



F: Validation, G: Destruction

THREAT EVENTS

TE13: Initiate premature destruction


Recalling the Comparison



Conclusions

Heterogeneous Processes

Physical Decentralization

Substantial Trust in Third Parties

Distribution of Trust


Thank you for your attention.

Many thanks are addressed to Anina Sax, Annina Zimmerli, Dr. Christian Folini, Melchior Limacher, Marco Sandmeier, and Dr. Benedikt van Spyk for their valuable input.


Backup Slide



PVPF in Detail

[Figure: PVPF: Postal Voting Process Flow]


Future Work

Adapt the PVPF to more cantons, which will allow a more granular identification of realistic Threat Events.

An inquiry into the deployed proprietary tools is in progress, in active discussion with suppliers and authorities.


Risk Assessment

What would an adversary really do?
