San Francisco Internet voting

By a unanimous 6-0 vote, on April 19, 2017 the San Francisco Elections Commission recommended against Internet voting at all levels of government:

RESOLVED, That it be the policy of the Elections Commission to oppose allowing votes in United States local, state, and federal elections to be cast over the internet, including by email.

See San Francisco Elections Commission – Resolution on Internet Voting (PDF)

Canadian reports recommending against Internet voting

Internet voting has been studied.  Again and again.  Any time there is a comprehensive study, it recommends against online voting.

Here are the Canadian federal and provincial reports:

  • New Brunswick (A pathway to an inclusive democracy) – 2017
  • Government of Canada (Strengthening Democracy In Canada: Principles, Process And Public Engagement For Electoral Reform) – 2016
  • Prince Edward Island (Considerations for Applying E-Voting Options [Internet voting] in Canadian Public Elections – Independent Technical Panel on Voting Integrity) – 2016
  • British Columbia (Independent Panel on Internet Voting) – 2014
  • Ontario (Alternative Voting Technologies Report) – 2013
  • Nova Scotia (Internet and Telephone Voting in Nova Scotia) – 2012
  • Quebec (Evaluation Report of the New Methods of Voting that were Used during the Municipal Elections of November 2005 / Élections municipales de novembre 2005 : Rapport d’évaluation des nouveaux mécanismes de votation) – 2006

I can’t list every municipality, but here are a few municipal reports as well:

  • Toronto (EX20.5 – Changes to the Municipal Elections Act and Related Matters Impacting the 2018 Election – Part B – Voting Technology) – 2016
  • Waterloo (CORP2016-105 Alternative Voting Methods (Internet Voting)) – 2016

I don’t know how many times you have to study the exact same thing, year after year, decade after decade, before you eventually agree with the conclusion that we should not implement Internet voting.  Apparently many times.

It is very unfortunate that both Ontario and Nova Scotia, having investigated and rejected Internet voting at the provincial level, have left it to individual municipalities to decide whether to adopt Internet voting municipally, without any briefing or guidance or standards.  Basically municipalities are left to google and decide.  If the provinces had set even basic requirements, such as an independent public security test of all Internet voting systems, things would have gone very differently.  (If you think having independent public security tests of the systems would have too much risk, it’s worth mentioning that even the US Department of Defence has an official “Hack the Pentagon” initiative.)

Canadian reports on election security and misinformation

Government of Canada

Academia

Finland recommends against Internet voting

Finland did an extensive study in 2017, running from February to November, and reported its final results in December.

The report concluded that the risks of online voting outweigh its benefits.

The original government web page has been replaced by a new page: Nettiäänestyksen esiselvitys. Documents are in section Asiakirjat (“Documentation”).
SIDEBAR: The last archive of the previous Nettiäänestys page is from June 16, 2017. END SIDEBAR

Press releases

Reports

Key Statements

Online voting technology and the development of the structures required for the system are not yet at a level that would enable a sufficiently secure implementation and introduction of the system. There are still open questions in terms of verifiability and the secrecy of the ballot. It is not expected that the key risks related to online voting would be solved in the next few years.
The monitoring group came into the conclusion that online voting should not be introduced in general elections, because the risks involved are greater than the benefits. Online voting would not resolve the current problems, such as the low voter turnout.

Previously:
March 14, 2017  Internet voting in Finland

PEI 2016 Plebiscite Voting Integrity Audit Report recommends against federal and provincial Internet voting

Prince Edward Island (PEI) – 2016 Plebiscite on Democratic Renewal – Voting Integrity Audit Report – from the Independent Technical Panel on Voting Integrity (ITPVI) – November 30, 2016

This report is Section 3 Appendix in the 2016 Annual Report of the Chief Electoral Officer of PEI  (PDF), starting on page 35.

Section 11 of the Voting Integrity Audit Report is Considerations for Applying E-Voting Options [Internet voting] in Canadian Public Elections.

The report recommends against Internet voting at the federal and provincial levels, except for absentee voters.

There is a need to maintain an acute level of awareness of the risks to electoral integrity that these new voting methods present. The implications of a breach of the public trust that exists today suggests strongly that internet and telephone voting in Canadian provincial and federal parliamentary elections be considered channels that should be limited to use only by absentee voters for the immediate foreseeable future. …

It is important that leaders in Canadian electoral administration manage public expectations and articulate their concerns about the fact that a perfectly secure and fool-proof electronic voting system does not yet exist.

This recommendation was picked up in the news media, e.g. CBC News PEI – Online voting not ready for federal, provincial election: officials – May 4, 2017.

The group concluded a high-stakes provincial or federal election could attract groups looking to intervene in illicit ways through cyber-attacks, hacking or other means.

The report also does an excellent job of showing the “additional risks and controls associated with online electronic voting” [Internet voting]. These include (highlighting by me):

1. Trusted digital voter identification and authentication is a requisite additional control. An irrefutable digital identity is the first safeguard in ensuring that eligible voters can vote (and can vote only once), and in ensuring that ineligible voters are not permitted to vote. Establishing this identity with a robust ‘shared secret’ is a mandatory prerequisite.

2. The onus is on the buyers, designers, developers, maintainers and operators of any electronic voting system to demonstrate rigor in the specifications, certifications, accreditations, testing and operation of the e-voting system to ensure it is able to mitigate the full range of risks to a reasonable and acceptable level. This has to be achieved to a level of satisfaction regarding both hardware and software risk mitigation. The remaining level of risk needs to be accepted by all stakeholders.

3. With the elimination of the controls that were previously implemented in manually controlled voting processes (refer Appendix ‘G’: Controls C1 – C5), traditional risks are not as fully mitigated as before. In fact, the following risks are difficult to mitigate in any meaningful way:
a. Vote buying / vote secrecy (“I’ll just take a selfie in front of my screen”)
b. Voter coercion (Unless reported, it is impossible to determine if a vote is being coerced)

4. The risk of a voter voting with stolen credentials can only be partially mitigated by effective voters list management and the implementation of a trusted digital voter identification and authentication scheme. Digital voter identification must be robust, but it must also be easily managed so as not to become a barrier to voting because it is overly complex for a voter to use as seldom as once every four years.

5. The additional risks of compromised end-user hardware or software, or a broad regional or national attack on internet infrastructure, remain unmitigated.

The report also identifies the extremely high standard to which we must hold Internet voting, as the transparency provided by conducting paper ballot voting and counting in public are lost when using completely computerized processes.  Highlighting added by me.

The onus is also completely on the online electronic voting system implementer to ensure that controls are established within the e-voting system that meet the legislative requirements of the jurisdiction, and provide an adequate level of transparency for all stakeholders. Simply depositing electronic votes into a ‘black-box’ where they are stored and counted is unlikely to meet stakeholder demands for maintaining a high level of public confidence, unlikely to publicly show that voting risks are continuing to be
managed responsibly, and unlikely to prove to candidates and political parties that the electoral process and controls continue to deliver a trusted and accurate result.

SIDEBAR on turnout:
A demonstration of the reality of Internet voting turnout was the 2016 Prince Edward Island Plebiscite on Democratic Renewal which had 10 days of online voting in addition to two days of in-person voting. Not only was the overall turnout low at 36.5%, but the turnout for ages 18-24 was the lowest of any age range, at 25.47%.

Numbers from McLeod, G. B. (2016, November 9). Interim Report of the Chief Electoral Officer for the 2016 Plebiscite on Democratic Renewal. http://www.gov.pe.ca/photos/original/elec_demrefpleb.pdf
END SIDEBAR

Estonian municipal council elections 2017 – Kohalikud valimised 2017

Estonian municipal council elections finished at 8pm on October 15, 2017.

I’m writing now at 10:37pm Estonian time, as the results have been posted online.  I will update this post if there are changes.

UPDATE 2017-10-17:  Some information for context

  • Eligible voters for Parliamentary elections and eligible voters for Local elections are not the same, so the two types of elections are difficult to compare.  Local elections draw from a larger electorate.
    • 2013 Local elections – Eligible voters – 1,086,935
    • 2015 Parliamentary elections – Eligible – 899,793
    • 2017 Local elections – Eligible voters – 1,100,648
      Also I believe the 2017 local election is the first one in which 16 and 17 year olds could vote.
  • It’s important to be careful whether one is talking about voting as a percentage of total eligible voters, or voting as a percentage of actual voters.

END UPDATE

Summary: ONLINE VOTING IS NOT A SOLUTION FOR INCREASING TURNOUT.

There is no Internet voting on election day in Estonia, the online voting system is only available for advance voting.

The total number of Internet votes cast was 186,034 (one hundred eighty-six thousand thirty-four).  I don’t like comparing different types of elections as they have different characteristics, but just for the sake of a complete picture, the total number of Internet votes cast in the Parliamentary elections in 2015 was 176,329.  So the total increase is 9,705 (nine thousand seven hundred and five).  UPDATE 2017-10-17: However note that the local elections draw from a much larger pool of eligible voters.  END UPDATE

So while 186k online votes is indeed a record for Estonia, it is a relatively small absolute increase.  And I would caution strongly against projecting this result of under 200k online votes to jurisdictions with tens or hundreds of millions of voters.

The total number of votes cast was 367,199 (three hundred sixty-seven thousand, one hundred and ninety-nine), for a total turnout of 53.2%.

UPDATE 2017-10-17: The total number of votes cast was 586,523 (five hundred eight-six thousands five hundreds and twenty-three), for a total turnout of 53.3%.

Turnout DROPPED from the 2013 local elections, which had a turnout of 58%, for a turnout DROP of 4.7%.

So just to make my point super clear: Estonia has had online voting since 2005. After 12 years of offering online voting, they have managed a turnout of just over 50%, and that turnout dropped from the previous local election.
ONLINE VOTING IS NOT A SOLUTION FOR INCREASING TURNOUT.

You can see turnout percentages for this election at https://kov2017.valimised.ee/osavotu-statistika.html and details for past elections at http://vvk.ee/voting-methods-in-estonia/engindex/statistics/

UPDATE 2017-10-17: You can see the total number of eligible voters, the total number of votes cast, and the total number of Internet votes at https://kov2017.valimised.ee/valimistulemus-vald.html  END UPDATE

On https://kov2017.valimised.ee/osavotu-statistika.html the turnout for online voting seems to be is a separate item called E-HÄÄLI but I have to say I don’t really understand the numbers other than total turnout shown in the bottom right and the Internet voting turnout (as a percentage of TOTAL eligible voters) is 16.9%.  That is to say, only 16.9% of eligible Estonian voters chose to cast their ballot online.

There were seven days of advance voting (including Internet voting) in total, from October 5 to October 11.  You can see an overview of the voting schedule at https://www.valimised.ee/et/kohaliku-omavalitsuse-volikogu-valimised-2017 or in English at https://www.valimised.ee/en/municipal-council-election-2017

Previously:
July 8, 2016 Estonian Internet voting and turnout myths

Estonian ID card vulnerability and upcoming election

On September 5, 2017 the Estonian Information Systems Authority – Riigi Infosüsteemi Ametit (RIA) reported that researchers have found a vulnerability in the Estonian digital ID card:

Possible Security Vulnerability Detected in the Estonian ID-card Chip

This is a serious issue in general, as the card is at the heart of citizen digital interactions with the government, but has particular implications for Internet voting, as the ID card is key to the functioning of the voting system, enabling amongst other features the unique Estonian ability to vote multiple times with only the last vote counting (including choosing to vote in person on election day, cancelling all previous Internet votes).

There are local government council elections coming up soon, with online voting starting in a month, running from 5 October 2017 to 11 October 2017 (online voting is only available for advance polls, not on election day).

Estonia Local Gov Council Elections 2017

above from Municipal council election 2017

According to the Is the ID-card safe? FAQ, the National Electoral Committee (Vabariigi Valimiskomisjon) will decide whether to proceed with online voting.

UPDATE 2017-09-06: In its September 6, 2017 meeting, the National Electoral Committee decided to proceed with online voting in the October elections.  Reported by err.ee – Electoral committee: Online voting in October elections still on / Valimiskomisjon: e-hääletamine toimub.  ENDUPDATE

The analysis of the ID-card vulnerability, by “[a]n international group of cryptography scientists from recognized universities” will be “published in the coming autumn at an international scientific conference” according to the ID-card safety FAQ.

UPDATE 2017-09-06: There’s more detail about the specific vulnerability, which is appears to be a computationally-intensive, technically-challenging way to determine the private key from the security chip, in Postimees article Hackers could have made digital clones / Häkkerid võinuks luua eestlastest digikloonid.  ENDUPDATE

Links in English

Links in Estonian

Additional Context

Original story via Bruce Schneier – Security Flaw in Estonian National ID Card

As Estonia is the only country in the world with national Internet voting, I have written about it many times:

June 16, 2017  evaluation of Predicting the Future – online voting – Estonia
July 8, 2016 Estonian Internet voting and turnout myths
March 8, 2011 Estonian vote-counting system fails
November 11, 2004 e-voting in Estonia

For a perspective on security concerns with the Estonian system that predate the ID card issue, it is also important to read the materials on the website Independent Report on E-voting in Estonia as well as