Open arianabuilds opened 3 months ago
We did reference this issue on https://docs.siv.org/mitigating-attacks/privacy
For even stronger confidence that no plaintext information can leak out, all the encryption work (Step 2 of the SIV Protocol) can be performed on an air-gapped device.
A simple version of this can be achieved using an Incognito window and turning off the device's internet, then preparing the encrypted ciphertexts, copying them out of the Incognito window, closing the Incognito window to destroy any private material, and then turning the internet back on before submitting. This protects against the SIV voter software exfiltrating private data, but note it does not protect against the device itself (e.g. from malware).
[emphasis added]
Potentially we could add a clearer note about this to the top of the vote page instructions, but that's kind of annoying (additional noise) for the vast majority of people who won't have spyware.
And for the subset that is running a corrupted device, in theory it could actually modify our page to remove any such warning anyway, so it would be a pretty wet noodle of a defense.
A much more resilient defense would be to include a short note about this on paper-printed invitations mailed to voters, for the most intense elections that opt for that form of voter auth.
Closing as out-of-scope for now. But we can revisit if this comes up again.
https://docs.siv.org/compare also notes this:
Unpatchable, but out-of-scope for the security SIV claims to offer