Comments about Orillia Internet voting

The City of Orillia has invited comments about its proposal for Internet voting in the 2018 Ontario municipal election.

The website is City of Orillia Voting Method – Public Comments and the deadline is Monday May 1, 2017 at 10am Eastern.

They have included a link to their staff report: Clerk’s Department Report CD 17-08 – Alternative Voting Method Options (PDF).

Below is my submission.

COMMENT

Dear Mayor and Council (c/o Janet Nyhof, Deputy Clerk):

I am writing in response to the request for comments about the recommended City of Orillia voting method.

http://orillia.ca/en/news/index.aspx?feedId=6f58f980-7799-42a7-9149-7b35d865e9ee&newsId=c90efff1-5ce5-4d2e-9ee5-40b300572e08

I recommend against using Internet voting.

I have reviewed the Clerk’s Department Report CD-17-08 2018 Municipal Election – Voting Method Options.

http://icreate4.esolutionsgroup.ca/230002_iCreate_NewsModule//Management/Attachment/Download/2f0783f2-adf9-4b98-acc5-53b09cfff307

I have the following concerns with this report, which does not cite computer science and computer security evidence:

* it appears to minimize the disadvantages

* it selectively reports on municipal adoption of Internet voting

* it does not provide a comprehensive analysis of the system-wide security and error risks

I agree with the following conclusions of the report, which are well-supported by social science evidence:

* Internet voting will not increase turnout, nor will it change the voter profile

I have provided additional detail in an appendix below.

Thank you,

Richard Akerman

Appendix

I would like to examine the disadvantages cited in more detail:

* System may be perceived as vulnerable to hackers

All systems are vulnerable to hackers.  This is not perception, this is reality.  This is the nature of computers.  Microsoft, with huge resources, nevertheless releases patches every single month for critical errors (vulnerabilities) in Windows and associated Microsoft software.  The situation is so bad that the Economist magazine recently did a cover story proclaiming “Why computers will never be safe”.
http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

I want to emphasize that this is not just about e.g. foreign hackers attacking the voting server.  It’s about two significant issues: 1) all systems have errors (bugs), and require extensive examination in order to ensure that errors have been minimized 2) the entire voting system, which in the case of Internet voting means the voter’s personal home computer or computing device, must be secure in order for the vote to be secure

How many hundreds or thousands of insecure home computers might be involved with a municipal Internet vote?  We really have no way of knowing; it would require a survey of a representative sample of users.  The Internet voting vendors almost never mention this security aspect of the election.  We do know that very large numbers of computers are compromised worldwide, due to lack of technical expertise combined with challenges in downloading what may be very large patches, as well as due to older systems such as Windows XP no longer receiving security updates.

Just this month the US Department of Justice began dismantling a network (“botnet”) of compromised computers that numbered in the tens of thousands of machines.  That’s just one example, of many.

https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0

Canadian government and corporate computers are hacked all the time.  Even Loblaw PC Plus points were hacked.

https://www.thestar.com/business/2017/02/20/loblaw-resets-all-pc-plus-passwords-after-breach-steals-member-points.html

Of course, decisionmaking is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

and a consensus statement from US computer scientists advising against Internet voting

http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

* Voter authentication
* Unsupervised voting

The combination of unsupervised voting and the inability to conclusively authenticate individual voters raises a number of very significant democratic issues: 1) voter credentials can now be bought and sold 2) since voting is unsupervised, even legitimate voters can be coerced by their friends or family to vote a particular way

* Role of the candidates/scrutineers change

In fact, any meaningful role for candidates and scrutineers in examining the conduct of the election is gone.  Their scrutineer role hasn’t changed, it’s been eliminated.  The entire trust that used to be established by watching physical ballots being counted in public is replaced by a transfer of trust to the black box of a third-party, for-profit, Internet voting technology vendor.  There is nothing to examine, there is nothing to recount.  A vote count comes out of the computer that cannot be challenged or changed.

* a summary of other municipalities’ 2014 Voting Method and 2018 Proposed Voting Methods

Not cited in the list in the Orillia report are:

[Correction to email, should say] Not cited in the list in the Orillia report (or changed since the report was released) are:

* Kitchener – no Internet voting in 2014, no Internet voting in 2018

* Waterloo – no Internet voting in 2014, no Internet voting in 2018

* Guelph – advance Internet voting in 2014, no Internet voting in 2018 (following an extensive debate with over 200 submissions and over a dozen deputants)

* Toronto – no Internet voting in 2014, no Internet voting in 2018

* Ottawa – no Internet voting in 2014, no Internet voting in 2018

https://web-beta.archive.org/web/20140217203039/http://www.therecord.com/news-story/2617898-kitchener-rejects-internet-voting/

http://www.therecord.com/news-story/4236054-waterloo-rejects-online-voting-in-2014-municipal-election/

http://www.therecord.com/news-story/6980847-waterloo-council-rejects-internet-voting-for-2018/

https://www.guelphtoday.com/local-news/guelph-city-council-deletes-online-voting-for-2018-municipal-election-596779

https://www.thestar.com/news/city_hall/toronto2014election/2014/07/23/toronto_cancels_plan_to_allow_online_phone_voting_for_disabled_citizens_in_2014.html

http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

Toronto’s report states, in part:

Internet Voting

Fundamentally, the Internet was designed to share information, not to secure it. Though an increasing amount of daily commercial life—from shopping to banking—has moved online, Internet voting poses security challenges that are unique and, in their current state, insurmountable.

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.

Lastly, I will look at the security aspect of the Orillia report:

* The implementation of an electronic voting solution must ensure that the process is secure, provides confidentiality of the individual voter and provides accurate and reliable results.

The above statement is correct.  However, the report then fails to cover all aspects of “the process” including the home computer.  Securing a central server without securing all of the home computers that connect to it is like protecting a single big tree in a forest and declaring the forest is totally secure from damage, ignoring the fact that many of the smaller trees in the forest could be cut down.

Similarly, the ability to truly, provably separate the identity of an individual voter from the vote they cast is not possible with computer-based systems.  Computers are designed to track changes made.  It is extraordinarily difficult to make a system that can simultaneously determine that an individual has permission to vote, while then not recording somewhere in the system which user cast which vote.  Lastly, accurate and reliable results require strong evidence.  The computer can’t be inspected in any meaningful way; it’s a black box.  The municipality is transferring the entire trust in the election from a process of open casting and counting of paper ballots to a closed system that exists entirely within the computer and is controlled entirely by the third-party voting technology vendor.

If Orillia nevertheless decides to proceed with Internet voting and is truly confident in the security of its system, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.

END COMMENT

Comments about Guelph Internet voting

A letter submitted for the April 24, 2017 Guelph Council meeting, agenda item COW – CS – 2017.04 2018 Municipal Election: Methods of Voting.

COMMENT

Dear Mayor and Councillors:

The Internet threat environment has changed since 2013 when Guelph did its initial analysis of online voting.  Since then, Ontario, British Columbia, New Brunswick and the federal government have all released reports on online voting, and all have recommended against it at the provincial or national level.  Threats have gotten worse while security technology has not advanced at the same pace, to the extent that the Economist magazine just did a cover story proclaiming “Why computers will never be safe”.

http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

Of course, decisionmaking is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

If you do choose to continue with online voting, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.

In staff report CHR – 2013 – 30 “2014 Municipal Election:  Methods of Voting”, principles for a municipal election are outlined.  Here is my evaluation of online voting against three of those principles:

  • the secrecy and confidentiality of the voting process is paramount;

Use of a third-party vendor for online voting compromises voting secrecy and confidentiality.  Even if the voting systems were developed and hosted in-house, the information necessary to cast a vote (the voter identification) is extremely difficult to completely separate inside the computer from the vote cast.  Additionally, unsupervised remote voting opens the potential for anyone to view a vote that is being cast (and indeed to coerce the vote, or to pay someone for their voting credentials).

  • the integrity of the process shall be maintained throughout the election;
  • there is to be certainty that the results of the election reflect the votes cast;

The chain-of-custody for an Internet ballot extends from the personal computing device, across the Internet, and through to the voting servers.  There are potential threats to the integrity of the process at every stage, from compromised (“hacked”) home computers, through to denial-of-service attacks and potential vote alteration or addition of votes (“ballot stuffing”) at the server end.  Or the computer code could simply have errors in it (all computer programs have errors).  There is no way to observe the entire process; it is a black box.  Therefore there can be no real certainty that the results of the election reflect the votes cast.

Additional information supporting the above statements is available in an appendix to this email.

Thank you,

Richard Akerman

Appendix

Changes since 2013 report

The primary report is the July 16, 2013 “An Analysis of Alternative Voting Methods”.  http://guelph.ca/wp-content/uploads/AnalysisOfAlternativeVotingMethods.pdf

Both Elections Canada and Elections Ontario have been actively exploring the prospect of implementing an online voting channel for a number of years and have since allocated resources to undertake a detailed investigation and feasibility review of doing so.

As of 2017, neither Elections Canada nor Elections Ontario has implemented online voting, nor are they actively exploring the possibility.

A consultation by the Canadian Parliamentary Special Committee on Electoral Reform recommended against online voting[1], and the Canadian government accepted the recommendation.[2]  On March 2, 2017 Elections Canada released an RFP which included the statement “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”[3]

Ontario’s Alternative Voting Technologies Report, released June 2013, recommends against online voting and there is no online voting in provincial elections in Ontario.[4]

[1] December 2016 – Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8655791&File=291#87 – “Recommendation 4: The Committee recommends that online voting not be implemented at this time.”

[2] April 2017 – Government Response to Report Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8853290 – “The Government accepts this recommendation.  We will not implement online voting at this time.”

[3] March 2017 – Elections Canada RFP – https://buyandsell.gc.ca/cds/public/2017/03/02/967d72343b6234a0571287c709b7ae1f/ecrs-rfp-16-0167_-_anpp_-_ec-vsm-pppe_-_bilingual.pdf – “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”

[4] June 2013 – Alternative Voting Technologies Report – Ontario Chief Electoral Officer’s Submission to the Legislative Assembly (PDF) – http://www.elections.on.ca/content/dam/NGW/sitecontent/2014/reports/Alternative%20Voting%20Technologies%20Report%20%282012%29.pdf – “At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.”

Additional Context

In fact, there is no provincial online voting anywhere in Canada, and there is only municipal online voting in Nova Scotia and Ontario.  Reports from Nova Scotia [5], New Brunswick [6] and British Columbia [7] have all recommended against provincial online voting.  Quebec has had a moratorium on provincial online voting since investigating problems with its electronic voting machines in 2005.[8]

[5] Elections Nova Scotia: Annual Report of the Chief Electoral Officer April 1, 2012 – March 31, 2013 (PDF) – https://electionsnovascotia.ca/sites/default/files/ENS%20AR%20Web%202012_13.pdf – specifically pp. 14-16 Appendix I: Internet and Telephone Voting in Nova Scotia.

[6] March 2017 – A pathway to an inclusive democracy (PDF) – http://www2.gnb.ca/content/dam/gnb/Departments/eco-bce/Consultations/PDF/PathwayToAnInclusiveDemocracy.pdf – specifically pp. 20-21 E-voting

[7] February 2014 – Independent Panel on Internet Voting: Recommendations Report to the Legislative Assembly of British Columbia (PDF) – http://www.internetvotingpanel.ca/docs/recommendations-report.pdf

[8] October 2006 – Electronic voting – Le Directeur général des élections du Québec (DGEQ) – http://www.electionsquebec.qc.ca/english/municipal/media/electronic-voting.php

There is a consensus statement from US computer scientists advising against Internet voting.[9]

[9] http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

END COMMENT

Here are additional documents I tracked down as part of writing the above comment:

2014 Election Cycle

July 16, 2013 — An Analysis of Alternative Voting Methods (PDF) — by Blair Labelle, City Clerk

July 16, 2013 — Staff Report CHR – 2013 – 30 — 2014 Municipal Election:  Methods of Voting (PDF) — Prepared and Recommended by Blair Labelle, City Clerk

June 2, 2014 (Amended September 15, 2014) — Procedures for Voting and Vote Counting Equipment for the 2014 Municipal Election (PDF)

2018 Election Cycle

September 6, 2016 — Staff Report CS-2016-73 – Municipal Election Modernization, Service Expansion and Ranked Ballot Election (PDF; pp. 255-289) – Prepared by Jennifer Slater, Approved by Stephen O’Brien, City Clerk

April 3, 2017 — 2018 Municipal Election Voting Methods (PDF; pp. 99-109) – by Stephen O’Brien, City Clerk and Returning Officer

April 3, 2017 — Staff Report CS-2017.51 — 2018 Municipal Election: Methods of Voting (PDF, pp. 110-115) — Prepared by Tina Agnello, Deputy City Clerk; Approved by Stephen O’Brien, City Clerk

Other Reports Cited by Guelph

June 23, 2005 — Risk Analysis of Traditional, Internet, and other Types of Voting Alternatives for Town of Markham — by Harry M. Kim

British Columbia Internet voting

British Columbia had an Independent Panel on Internet Voting, whose report was submitted in February 2014.  The report is a comprehensive review of the topic.  It recommends against Internet voting for provincial and municipal elections.

1. Do not implement universal Internet voting for either local government or provincial government elections at this time.

It also provides an excellent list of criteria against which any Internet voting system should be evaluated, and indicates that these principles must be met in addition to any standards a technical committee would establish.

Accessibility

The Internet voting process must be readily available to, and usable by, all voters eligible to vote by Internet voting, even in the presence of Internet voting-specific threats.

Ballot anonymity

The voting process must prevent at any stage of the election the ability to connect a voter and the ballot(s) cast by the voter.

Individual and independent verifiability

The voting process will provide for the voter to verify that their vote has been counted as cast, and for the tally to be verified by the election administration, political parties and candidate representatives.

Non-reliance on trustworthiness of the voter’s device(s)

The security of the Internet voting system and the secrecy of the ballot should not depend on the trustworthiness of the voter’s device(s).

One vote per voter

Only one vote per voter is counted for obtaining the election results.
This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).

Only count votes from eligible voters

The electoral process shall ensure that the votes used in the counting process are the ones cast by eligible voters.

Process validation and transparency

The procedures, technology, source code, design and implementation details, and documentation of the system must be available in their entirety for free and unconstrained evaluation by anyone for testing and review for an appropriate length of time before, during and after the system is to be used. Policies and procedures must be in place to respond to issues that arise. Appropriate oversight and transparency are key to ensuring the integrity of the voting process and facilitating stakeholder trust.

Service availability

The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election administrators, observers or any others involved in the process. If Internet voting should become unavailable or compromised, alternative voting opportunities should be available.

Voter authentication and authorization

The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the voter is eligible to vote.

Above from Independent Panel on Internet Voting – Recommendations Report to the Legislative Assembly of British Columbia – February 2014 (PDF) – principles are specifically from Recommendation 4

All Internet voting systems currently in use in Canada fail to meet one or more of these principles. In particular, the systems used for municipal voting in Ontario and Nova Scotia are provided by third-party private for-profit vendors, and do not provide any of the process validation and transparency described above.

New Brunswick Internet voting

New Brunswick had a Commission on Electoral Reform that took online submissions starting at the end of 2016, held meetings in January 2017, and submitted its report at the beginning of March 2017.

The Commission recommended against Internet voting.

Therefore, the commission makes the following recommendations:

  • The government not proceed with electronic voting at this time, due to concerns related to security, confidentiality and privacy.

above from A pathway to an inclusive democracy (PDF) – Goal 3: E-voting – pages 20-21

The same recommendation, translated from the French-language edition of the report:

The Commission therefore makes the following recommendations:

  • That the government not proceed with electronic voting for the moment, because of concerns relating to security, confidentiality and respect for privacy.

above from En voie vers une démocratie inclusive (PDF) – Third goal: electronic/Internet voting – pages 20 to 21

I submitted a 16-page briefing to the Commission.

Previously:
January 1, 2017  New Brunswick Electoral Reform Commission meeting dates
November 27, 2016  Brief submitted to New Brunswick Commission on Electoral Reform – November 2016
November 20, 2016  New Brunswick electoral reform consultation including Internet voting

Internet voting filter bubbles

From a Canadian perspective, there are basically three groups that examine Internet voting:

  • social scientists that examine people’s attitudes, feelings and behaviours associated with Internet voting
  • staff at municipalities that have chosen Internet voting and see it as just another digital service to offer, and the vendors they procure Internet voting from
  • computer scientists that examine Internet voting from the perspective of requirements and threat risk assessment

These three communities basically don’t interact.  The social scientists cite one another.  The municipal staff and vendors reference other municipalities and vendor analysis.  The computer scientists cite one another.  This gives three basically different filtered world views.

  • The social science perspective indicates some level of popularity of Internet voting either conceptually or in practice, and associated levels of satisfaction.  It also documents the expectations of turnout (high) and the reality of turnout (no change).  Additionally and unfortunately it sometimes reports on perceptions of security, which are meaningless.  It doesn’t matter how safe you feel jumping off a cliff, the same thing will still happen at the bottom when you encounter reality.
  • At best, municipalities approach Internet voting from a digital services perspective, and do the standard things one does for a transactional service, including security buzzwords like firewalls and encryption, obtaining vendor assurances, and contracting confidential security assessments.  One of their primary sources of technical information is the vendors themselves.  Two issues are that Internet voting is not a standard transactional service, and that vendors have literally millions of dollars in sales at stake.
  • Computer scientists look at the requirements for voting systems, e.g. the Computer Technologists’ Statement on Internet Voting.  When they evaluate real Internet voting systems against those requirements, they always find that current systems cannot meet the requirements.  In order to provide the best security assessment of the real systems, they seek the ability to conduct truly independent and public security assessments of the technology being used (this is almost always denied).  They also assess the full spectrum of potential risks against a system.  That includes technical risks and non-technical risks.  An often overlooked risk is the risk of coercion when voting no longer takes place in private in a supervised location (the polling place).  They also examine techniques used by very sophisticated attackers, as well as very basic but successful techniques (e.g. phishing) and the risk of insider attacks.  For a service where there is no way for the end user to verify their intended result (due to the combination of secret ballot and coercion avoidance), the inevitable conclusion is that there are no adequate risk mitigation measures.

So the answer you get about Internet voting depends on which community you ask.  If you ask social scientists, it’s popular.  If you ask municipalities that have implemented it, they assure you that everything is going fine.  If you ask computer scientists, they will tell you that it is not a regular transactional digital service, and that using Internet voting introduces catastrophic risk.

You can get a pretty easy indication of which community is talking by looking for language clues.  If the discussion is around popularity, it’s probably a social science analysis.  If the discussion is around firewalls and encryption and security assurances, it’s probably municipalities.  If the discussion is around risks, it’s probably computer scientists.

It may seem odd that computer scientists would speak in less technical language, but that’s because specific technical measures are much less important than a system-wide requirements and threat analysis, particularly in an environment including home computing devices and non-technical online service users.

The result of having these different communities means that basically only consultations that include the computer science community recommend against voting using computers, which may be an unexpected outcome.  But it is the outcome of any serious consultation, including e.g. New Brunswick, Nova Scotia, Quebec, Ontario, British Columbia, the Government of Canada, and the Government of Australia.

The Ontario municipal association AMCTO is holding a 2017 event for municipal clerks, featuring a session about the security of Internet voting.  The presenters will be

  • a clerk from a municipality that has approved Internet voting
  • an Internet voting vendor representative
  • a second Internet voting vendor representative

I leave it to you to conclude which filter bubble will be in operation.

Internet voting in Finland

Finland has announced its intention to implement Internet voting in national elections.  The working group has been struck as of February 2017 and its report is due by end of November 2017.

In its strategy session on Monday 24 October [2016], the Government of Finland outlined that electronic voting will be introduced in Finland as an alternative to the traditional voting in all elections.

above from Ministry of Justice, Finland – Finnish Government: Introduction of internet voting set as goal – October 27, 2016 – also available in Finnish: Hallitus: Tavoitteeksi nettiäänestyksen käyttöönotto and Swedish: Regeringen: Införande av internetröstning som mål

Finnish Election Director Arto Jääskeläinen further expanded on their national plan through the Ministry of Justice blog in December 2016, but in Finnish only: Nettiäänestyksessä paljon pohdittavaa: Selvitys käyntiin

Google Translate struggles with Finnish, but here is a part of the post in translation

– Can the on-line voting system to protect your launch cyber-attacks and how the voter has the assurance that the resolution of his voice remains in the system and there is calculated in such a way as he is meant? Since the election shall be submitted at any given time, a successful denial of service attack would have serious consequences. Online Voting differs significantly from many other online services: voters and his its sound is not explicitly allowed to be able to connect to each other and the election may vote only at the end of the voting period even if the links were playing again.

Many security experts have recently expressed very critical views about the safety of online vote and were of the opinion that completely secure system does not exist. These speeches are in my opinion, should be treated with respect and take them into account in the development of on-line voting.

The working group was struck on February 21, 2017.

The working group is tasked with conducting a study on the potential system to be used for online voting in general elections and consultative referendums. The study will, among other things, examine the operating environment, market and data security of online voting, analyse the related risks, and present proposals for further measures.

above from the Ministry of Justice, republished on the elections site – Working group to conduct feasibility study on online voting – also available in Finnish: Työryhmä tekee esiselvityksen nettiäänestyksen toteuttamisesta and in Swedish: Arbetsgrupp gör förutredning om internetröstning

At this point I should probably note that etunimi.sukunimi@om.fi is not an actual email address (I made this mistake myself), it’s just a formula for constructing an email address with firstname (etunimi) dot lastname (sukunimi).

There is a page with more details but it is only available in Finnish and Swedish.

In document Työryhmän asettaminen (“Setting up a working group”) it gives the membership. It is good to see that there are many members from cybersecurity, ICT and computer science organisations.

| Name | Organisation | Role / Notes |
| --- | --- | --- |
| Johanna Suurpää | Ministry of Justice | Chair |
| Arto Jääskeläinen | Ministry of Justice | Vice-Chair |
| Markus Rahkola | Ministry of Finance | member |
| Mikko Viitaila | Finnish Communications Regulatory Agency FICORA – Cybersecurity (Viestintäviraston Kyberturvallisuuskeskus) | member |
| Anniina Tjurin | Legal Register Centre, responsible for information systems in the Ministry of Justice (Oikeusrekisterikeskus) | member |
| Juha Mäenalusta | Legal Register Centre, responsible for information systems in the Ministry of Justice (Oikeusrekisterikeskus) | member |
| Tommi Simula | Government ICT Centre (Valtion tieto- ja viestintätekniikkakeskus Valtori) | member |
| Pauli Pekkanen | Population Register Centre (Väestörekisterikeskus) | member |
| Tuomas Aura | Aalto University, Department of Computer Science (Aalto yliopisto, Tietotekniikan laitos) | member |
| Seppo Virtanen | University of Turku, Faculty of Mathematics and Natural Science / Department of Mathematics and Statistics (Turun yliopisto, Matematiikan ja tilastotieteen laitos) | member |
| Marianne Kinnula | University of Oulu, Faculty of Information Technology and Electrical Engineering ITEE (Oulun yliopisto, Tieto- ja sähkötekniikan tiedekunta) | member |
| Hanna Wass | Election Study Consortium (Kansallinen vaalitutkimuskonsortio) | member |
| Timo Karjalainen | Electronic Frontier Finland ry EFFI | member |
| Anneli Salomaa | Ministry of Justice | Project Manager |
| Heini Huotarinen | Ministry of Justice | Inspector General ? (Ylitarkastaja) |

The chair of the working group may appoint a technical sub-group for preparatory work.

Inquiries:
Johanna Suurpää, chair of the working group, Director, Ministry of Justice, tel. 02951 50534
Anneli Salomaa, secretary of the working group, Project Manager, tel. 02951 50164
email: firstname.lastname@om.fi

Electronic voting in the Canadian House of Commons

While I am not a fan of electronic voting in the House of Commons, it would be possible to design a system that would mitigate potential risks, whereas it is not possible to design a system that will adequately mitigate the risks of Internet voting in a public election.  Comparing the two may be illustrative.

Voting in the House of Commons

A decision on a motion before the House can be made with no dissenting voices, in which case the motion is adopted and no division is taken.[255] When there are dissenting voices, a vote (or division) is taken. This can be either a voice vote or a recorded vote[256] where the House is called upon to divide into the “yeas” and the “nays”.[257]

above from House of Commons Procedure and Practice – Decisions of the House

When consensus isn’t heard on a voice vote, votes are cast by individual Members of Parliament (I think this is sometimes called “on division”).  The vote is cast by MPs standing one-by-one and saying their vote out loud.

Three key things about these votes:

  • they are not anonymous
  • they are not secret
  • they can be coerced

Because an individual MP stands up and states their vote in front of everyone, their votes are not anonymous or secret. Because of that, their vote can additionally be coerced, which is to say they can be incentivized to vote a particular way, and then rewarded or punished once they cast their vote (in Canada the system of whipped votes, with a Party Whip, is the very definition of coerced votes).

Designing Electronic Voting in the House of Commons

Technologically this is straightforward.  Each MP should be able to vote once and only once.  Everyone should be able to see the individual votes.  It should be hard to vote the opposite of how you intend.  Preferably the MP should be physically present in the House, ideally at their seat.  No other MP should be able to cast a vote on another’s behalf.

The obvious way to do this is low-technology.  Have voting buttons at each MP’s seat.  Have them well-designed, ideally physically separated with different shapes and colours to distinguish the yes vote from the no vote, so that you don’t press the wrong button by accident.  You could have e.g. a round green yes button on the left hand of the seat, and a red octagonal no button on the right hand side of the seat.

In case you think people can’t make mistakes:

In May 2010, however, [Paula] Fletcher accidentally voted against a proposal to install bike lanes on University Avenue in downtown Toronto. The proposal failed on a 15-13 vote. She said she had intended to vote in favour of the proposal and cited fatigue and city hall technology for her mis-vote.[15][16]

above from Wikipedia – Paula Fletcher

Now, the question becomes whether MPs still vote one-by-one or whether they now all vote simultaneously.  One-by-one is much better as you get much more time for everyone involved to check that the vote was cast as expected.  But this doesn’t save much time over standing to vote.  The inclination will be for simultaneous votes.  In this case, there would ideally be a display (e.g. red and green lights, right and left) at each MP’s station to show how they just voted, plus a screen listing each MP and their vote, plus a summary screen, plus possibly a line display in front of the MP displaying either YES/OUI or NO/NON back to them.  This is so that individual MPs can verify their vote was cast as intended and also so that MPs can check on one another.

In case you think MPs won’t be tempted to vote for absent members, watch this US video of representatives voting for absent members:

So the system should have individual member voting buttons activated if they are (at least) physically in the chamber and (ideally) physically at their desk. This means a lot of monitoring who goes in and out. And there needs to be frequent testing of the buttons. And they should be hard-wired and electro-mechanical, with a sensory and possibly audible click when pushed, in addition to lighting up.

Hard-wired is to make them impossible to tamper with from outside. Electro-mechanical is because you want them to last a really long time, which means they have to be outside the very rapid technology obsolescence cycle of computing devices. You do still need some central counting and display technology, but it should also be very very simple.

You need to make sure that the final vote tallies match the individual votes as cast.  Preferably through both verification in the House as well as after-the-fact spot checks (independent audits) by third parties checking the votes cast against the tallies.

When casting a vote, you want a mechanical click, because you want intentionality.
This has nothing to do with technology, it’s about humans.
Standing and speaking your vote is a very strong human statement. It is a physical risk, it is a social statement. It’s a very deep part of how humans behave. “Stand and be counted” is an expression for a reason. Standing up and making a statement requires a very deliberate choice.

It’s very hard to capture that level of accountability and deliberation in any kind of electronic voting situation. The best I can do is to have the voting system be physical with feedback, so that you have to be quite deliberate about pushing the button.

What you absolutely don’t want is iPads with wifi.
What they will want to do is iPads with wifi. Because innovation! progress!

iPads with wifi is terrible on many many fronts. In brief:

  • it introduces the risk that the voting system can be attacked from outside
  • it introduces a constant cycle of technological maintenance and upgrades, with associated never-ending costs and ever-escalating risks
  • it introduces the risk that MPs can vote without being physically in the chamber
  • it introduces the risk that MPs can vote for other members
  • it removes the physical intention that standing to vote embodies
  • it moves the vote into a noisy distraction space where people are used to clicking without consequences: to buy things, to select news headlines, to play music, etc.
  • it introduces a huge potential distraction in front of MPs, unless the iPad is extremely locked-down in terms of its features

To mitigate this you could physically wire the iPads into the desks and have the vote only possible to be cast by transmission over the iPad connector, but there is pretty much zero chance they would design it this way.

If it’s not iPads with wifi, the temptation will be to use “clickers” because they are easy to procure.  However clicker systems break down all the time.

The error was caused by the electronic clickers used in voting, said  General Synod Chancellor David Jones.

above from Anglican Journal –  Voting error reveals Anglican same-sex marriage motion passed after all

All of the voting data would have to be published as open data (which it already is), ideally with analysis ongoing to check for anomalies.
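The cross-checks described above (each MP votes once and only once, from their own seat, while present in the chamber, and the final tallies match the individual votes as cast) can be run over the published record of a division. This is an added example, not part of the original post; the record layout of (seat, member, vote), the member names and the sample data are constructed assumptions.

```python
from collections import Counter

CHOICES = ("yea", "nay")

def audit_division(roster, present, ballots, published):
    """Audit one recorded division; returns a list of findings (empty = clean).

    roster:    {member: assigned seat}
    present:   set of members logged as being in the chamber
    ballots:   list of (seat, member, vote) records as cast
    published: {"yea": n, "nay": n} tally announced for the division
    """
    findings, counted = [], {}
    for seat, member, vote in ballots:
        if member not in roster:
            findings.append(f"unknown member {member}")
        elif vote not in CHOICES:
            findings.append(f"invalid vote {vote!r} from {member}")
        elif member in counted:
            # Once and only once: the first record stands, later ones are flagged.
            findings.append(f"second vote recorded for {member}")
        else:
            counted[member] = vote
            if member not in present:
                findings.append(f"vote recorded for absent member {member}")
            if seat != roster[member]:
                findings.append(
                    f"{member} voted from seat {seat}, assigned seat {roster[member]}")
    # Independent recount of the individual votes against the announced tally.
    recount = Counter(counted.values())
    for choice in CHOICES:
        announced = published.get(choice, 0)
        if recount[choice] != announced:
            findings.append(
                f"{choice} tally: published {announced}, recounted {recount[choice]}")
    return findings

# Constructed sample data (hypothetical members and seats).
ROSTER = {"Member A": 1, "Member B": 2, "Member C": 3, "Member D": 4}
PRESENT = {"Member A", "Member B", "Member C"}
CLEAN = [(1, "Member A", "yea"), (2, "Member B", "nay"), (3, "Member C", "yea")]
# Member D is absent but has a vote cast from seat 3; Member A has a second record.
SUSPECT = CLEAN + [(3, "Member D", "yea"), (1, "Member A", "nay")]

if __name__ == "__main__":
    print(audit_division(ROSTER, PRESENT, CLEAN, {"yea": 2, "nay": 1}))
    for finding in audit_division(ROSTER, PRESENT, SUSPECT, {"yea": 3, "nay": 2}):
        print(finding)
```

Because House votes are neither secret nor anonymous, anyone holding the published records can repeat this audit independently.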

Summary of Electronic Voting in the House of Commons

In summary, it is possible to design a system because you can have visible indicators and checks.  Each individual MP can check that their vote was properly cast and counted, and the House as a whole can observe the votes and validate them against expectations.  Because the vote is not secret and not anonymous, it’s possible for multiple individuals and groups to validate the vote.

I’m not saying it’s a good idea.  I’m saying you could design it to mitigate risks.

My ideal system would have:

  • one-by-one voting
  • clear indication of how each member has voted, with cross-checking
  • design that limits the possibility of accidentally voting the wrong way
  • design that forces you to be very intentional and physically aware of your vote

The current stand-and-speak division voting has these properties, but a very-well-designed electromechanical system could come close.

Internet Voting in a Public Election

Internet voting (or voting in a public election in general) is very different from voting in the House of Commons.  Voting is secret.  If only the Elections Act said it that clearly.  Oh wait, it does:

Secrecy
Secret vote
163 The vote is secret.

above from Canada Elections Act
Sidebar: The Canada Elections Act is beautiful. Readable and extremely well-designed to mitigate risks to voting. END Sidebar

Not only is the vote secret, but individual voters are not permitted to share how they voted, in order to limit coercion.

  • Secrecy at the poll
    (2) Except as provided by this Act, no elector shall

    • (a) on entering the polling station and before receiving a ballot, openly declare for whom the elector intends to vote;
    • (b) show his or her ballot, when marked, so as to allow the name of the candidate for whom the elector has voted to be known; or
    • (c) before leaving the polling station, openly declare for whom the elector has voted.

above from Canada Elections Act

Votes used to be cast by individual voters stating their vote out loud (the exact system that is still in use in the House of Commons). This led to voters being coerced in many different ways. You can see more about the history of how we ended up with secret ballots in Andrew Appel’s presentation and my presentation.

Therefore in order to meet the same standards we have for paper ballots, the Internet vote in a public election must be

  • secret
  • anonymous
  • difficult to coerce

It is, simply put, not possible to do this with Internet voting systems today.  It may never be possible.  The risks can’t be mitigated in the way that they can for the very different requirements of non-secret, non-anonymous, possible-to-coerce electronic voting in the House.

Background

In case you’re wondering why this discussion comes up now, electronic voting in the House is proposed in the March 2017 document Reforming the Standing Orders of the House of Commons.