Research into Cryptographic Vulnerabilities impacting the Swiss Post / Scytl e-voting System.

In March 2019 Sarah Jamie Lewis of the Open Privacy Research Society, along with Vanessa Teague (University of Melbourne), and Olivier Pereira (UCLouvain) published details of critical vulnerabilities impacting evoting systems in Switzerland and Australia. These vulnerabilities were soon confirmed by the vendor Scytl, resulting in an emergency patch being installed during an election in New South Wales, and a “temporary” suspension of evoting offerings by Swiss Post.

In June the Swiss Federal Council, citing these disclosures, delayed the introduction of evoting as an official option, and shortly after SwissPost announced that it would not be offering its system for use in the October federal elections (despite having offered it in previous elections).

Just as math can protect the speech of the marginalized from the powerful, it can also be used to prove to everyone that power is not working as it claims.

Speaking math to power works.

Open Privacy received a share of a bug bounty payment, 2500 Swiss Francs ($3400 CAD) from Swiss Post for disclosing these issues, donated by Sarah Jamie Lewis.

We would like to thank SwissPost for the recognition, especially considering that the researchers did not agree to sign non-disclosure agreements to access the SwissPost/Scytl code base. The researchers instead worked off of a leaked version, which allowed them to publicly disclose democracy-impacting vulnerabilities without the risk of being silenced or having the issues packaged in palatable PR.