Scytl, the vendor behind NSW’s suspended iVote system, has asked state election authorities to “study” a Swiss-run “public intrusion test” of its e-voting technology from 2019 as a way to improve “voter and system integrity”.
NSW shelved iVote after election day glitches in local government polls in late 2021. It is currently testing whether an alternative exists.
In a submission [pdf] to the NSW review of technology-assisted voting options, Scytl said that while NSW “remains a pioneer in the introduction, security, and accessibility of internet voting, some recent developments in Switzerland could also be studied”.
Its suggestions for study included “the organisation of a public intrusion test and publication of the source code, which showcased how hackers could not manage to manipulate the system in the context of a mock election (up to 3000 hackers attempted to exploit the system, unsuccessfully) with financial rewards offered to hackers for their success.”
It’s not immediately clear from the submission whether Scytl thinks NSW authorities should replicate the exercise, or simply take into account the results of the Swiss test.
Researchers previously found vulnerabilities in Scytl’s source code as a result of the Swiss test, which were also confirmed to be present in iVote.
Scytl, at the time, objected to how the vulnerabilities were disclosed and criticised the intentions of the researchers.
In addition to examining the public intrusion test, Scytl suggested a “scientific expert group to discuss some potential improvements to the regulation and audit of [an] internet voting system” - another Swiss initiative - could also be explored by NSW.
“The group worked for a few months and suggested some mid- and long-term potential improvements to pave the way for internet voting adoption,” Scytl said.
Elsewhere in its submission, Scytl suggests that myGovID could be explored as a way to establish the identity of e-voting participants, though it should not be the only authentication option.
In addition, Scytl said there would be “technical advantages” in more stringent pre-registration of voters, particularly for capacity and load purposes.
Pre-registration with an earlier cut-off, it suggested, could limit the blast radius of a system outage or other issue that might arise.
The problems with iVote in late 2021 were mostly due to a bottleneck in distributing voting numbers to last-minute applicants, meaning they could not cast their votes.
However, Scytl noted that any decision on pre-registration should not be made only on technical grounds.
“[There] is not a solid black and white answer here – whereas a voter who is vision-impaired is likely to know this prior to an election and can choose to pre-register, those affected by an emergency or unplanned travel may miss their right to vote should the ability to register not be available and the election is running,” it said.
Scytl was against technical standards for vote verifiability being added to election laws, and against the use of geolocation to determine who may or may not cast votes electronically.