View article

Paper ballot voting with its fully-reviewable paper-trail is usually considered as more secure than their e-voting counterparts, given the large number of recent incidents. In this work, we explore the security of paper voting and show that paper voting, as it is implemented today, is surprisingly vulnerable to cyber-attacks. In particular, the aggregation methods of preliminary voting results of various countries rely on insecure communication channels like telephone, fax or non-secure e-mail. Furthermore, regulations typically do not mandate the use of secure channels for the transmission of preliminary results. We illustrate that preliminary results, despite their temporary nature, may have a severe impact on real-world decisions during the 3 to 30 days window until the final results are declared. An attacker exploiting this discrepancy can, e.g., benefit from stock market manipulation or call into question the legitimacy of the elections. This work investigates the cyber-risks in paper voting in a systematic manner by reviewing procedures in several countries (Estonia, France, Germany, the United Kingdom, and the United States of America) and through a comprehensive case-study of Switzerland. We examine the transmission systems currently in use through inquires from election officials. Moreover, we illustrate the feasibility of attacks by analyzing the frequent historical discrepancies between preliminary and final results. Considering our results and recent reports about easily modifiable preliminary results in Germany and the Netherlands, we conjecture similar weaknesses in other countries as well.