Cyber-Risks in Paper Voting.

Considering a large number of vulnerabilities reported in the news and the importance of elections and referendums, the general public as well as a number of security researchers consider paper ballot voting with its fully verifiable paper trail as more secure than current e-voting alternatives. In this paper, we add to this discussion and explore the security of paper voting. Although individual examples of vulnerabilities of the software used for paper voting were already reported, this work looks at the cyber-risks in paper voting in a more systematic manner by reviewing procedures in several countries and through a case study of Switzerland. We show that paper voting, as it is implemented today is surprisingly vulnerable to cyber-attacks. In particular, we show that in different countries the aggregation of preliminary voting results relies on insecure communication channels like telephone, fax or non-secure e-mail. Furthermore, we observe that regulations typically do not mandate the use of secure channels. We further introduce two new attacks: vote report delay and front-running, both of which can lead to different compromise of election results. Even if preliminary results are later corrected through paper trail, this 3 to 30 day window during which incorrect results are perceived as final by the public has significant influence on financial and political decision making. An attacker exploiting this inconsistency can, e.g., benefit from stock market manipulation or call into question the legitimacy of the elections. Although our case study focuses on the example of Switzerland, the attacks and issues that we report appear to be wide spread. Given recent reports about easily modifiable preliminary results in Germany and the Netherlands, we conjecture similar weaknesses in other countries as well.