Month: November 2016

Canada’s Chief Electoral Officer wants electronic counting option

The Chief Electoral Officer has made his Recommendations following the 42nd General Election.  Buried in it is recommendation A3, which would in my opinion open the door to unaccountable experimentation with Canada’s (federal) vote-counting system, a system that is currently extremely fast and high-integrity.  In particular it opens the door to introduce electronic counting (vote counting computers).  I don’t know why one would want to fix something that is not broken, and why Canada would want to give the sole authority to make that change to the Chief Electoral Officer (CEO).

Recommendation A3: Subsection 283(3) should be replaced with a general provision that allows the ballot-counting process to proceed according to the CEO’s instructions.

These recommendations are being discussed in closed sessions of the Parliamentary PROC (Procedure and House Affairs Committee).  It is not clear how the public can provide input into the discussions, other than by contacting PROC.

At the time of this writing, the next closed meeting will be meeting 42, November 24, 2016.  You can find the list of all PROC meetings for the current Parliamentary session at

Recommendations Report

An Electoral Framework for the 21st Century: Recommendations from the Chief Electoral Officer of Canada Following the 42nd General Election


From Table A—Recommendations Discussed in Chapters 1 and 2

Issues with Vote Counting Computers

The only way to be sure that votes have been counted is to

  1. Vote on paper
  2. Count the paper

If you have very complex counting, with either many positions being voted upon at once, or with an indirect allocation of results based on calculations, then you might choose vote counting computers that scan the paper ballots.  But be aware that you then MUST

  • extensively test vote counting computers before and after the election
  • remove voting computers from service during the live election and test them (in order to test under true voting conditions)
  • conduct risk-limiting audits of the paper ballots
  • keep the computers secure at all times, including between elections
  • keep the computers well-maintained at all times, including between elections

Which is to say, using vote counting computers may be faster for complex elections, but it is definitely not cheaper when done with proper risk management.
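What the risk-limiting audit requirement in the list above involves, as an added example that is not part of the original post. It is a ballot-polling audit in the style of BRAVO (Lindeman, Stark and Yates, 2012): people read randomly drawn paper ballots until the sample either confirms the computer-reported winner at a chosen risk limit or the audit escalates to a full hand count. The vote totals, the 5% risk limit, the seed and all function names are constructed for illustration.

```python
import random
from itertools import cycle, islice

CONFIRMED = "OUTCOME_CONFIRMED"
HAND_COUNT = "FULL_HAND_COUNT"


def bravo_audit(reported, hand_read, risk_limit=0.05):
    """Sequential ballot-polling audit of a single plurality contest.

    reported   -- dict: candidate -> count reported by the counting computers
    hand_read  -- iterable of candidate names read by people from randomly
                  drawn paper ballots (None for a blank or spoiled ballot)
    risk_limit -- maximum chance of confirming an outcome that is wrong
    Returns (result, ballots_examined).
    """
    winner = max(reported, key=reported.get)
    losers = [c for c in reported if c != winner]
    if any(reported[c] == reported[winner] for c in losers):
        return (HAND_COUNT, 0)  # a reported tie cannot be confirmed by sampling

    # One test statistic per (winner, loser) pair. share[l] is the winner's
    # reported share of the ballots that went to either of the two.
    share = {l: reported[winner] / (reported[winner] + reported[l]) for l in losers}
    stat = {l: 1.0 for l in losers}
    threshold = 1.0 / risk_limit
    settled = set()

    examined = 0
    for examined, vote in enumerate(hand_read, start=1):
        for l in losers:
            if l in settled:
                continue
            if vote == winner:
                stat[l] *= share[l] / 0.5        # evidence for the report
            elif vote == l:
                stat[l] *= (1 - share[l]) / 0.5  # evidence against it
            # ballots for anyone else (or blank) say nothing about this pair
            if stat[l] >= threshold:
                settled.add(l)
        if len(settled) == len(losers):
            return (CONFIRMED, examined)
    # Sample exhausted without strong enough evidence: count all the paper.
    return (HAND_COUNT, examined)


def draw_ballots(pile, seed, max_draws):
    """Yield ballots drawn at random, with replacement, from the paper pile.

    In a real audit the seed is generated publicly (for example by dice rolls)
    after the results are reported, so nobody can predict which ballots are
    examined.
    """
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield pile[rng.randrange(len(pile))]


# Constructed totals, as reported by the vote counting computers.
REPORTED = {"A": 6000, "B": 4000}


def audit_matching_paper(seed=20161124, max_draws=3000):
    """The paper ballots agree with the reported totals."""
    pile = ["A"] * 6000 + ["B"] * 4000
    return bravo_audit(REPORTED, draw_ballots(pile, seed, max_draws))


def audit_tied_paper(max_draws=1000):
    """The paper is evenly split although the computers reported 60/40.

    A fixed alternating sequence stands in for the random draw so the result
    does not depend on the seed.
    """
    return bravo_audit(REPORTED, islice(cycle(["A", "B"]), max_draws))


if __name__ == "__main__":
    print("paper matches report:", audit_matching_paper())
    print("paper is a tie:      ", audit_tied_paper())
```

The audit only limits risk if the sample is drawn from the complete, securely stored set of paper ballots; it checks the reported outcome, not the exact totals.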

It is possible to take a hybrid approach, although no jurisdiction I know of does so.  In a hybrid approach, particularly important votes would be separately hand marked and hand counted (e.g. in the USA it would make sense to separate the Presidential ballot and count from all other vote casting and counting).

Note that in Canada we don’t (yet) have complex elections, meaning there is literally no justification for computer counting of ballots.  You’re introducing greater security risk, along with the need to continuously warehouse, maintain and secure the voting computers.

And note I said voting computers not some incorrect term like “voting machines” or “electronic counting devices” or “electronic tabulators” or “optical mark-sense scanners”.  These are full-fledged computers with optical scanners attached.  Computers that are vulnerable to all the regular and routine sorts of attacks and errors that happen every day.

Now think about this concept of “efficiency”.  How often does an election take place?  Once every four years?  And how long does it take to do the count?  With a simple ballot, you might save a few minutes on the entire count.  And then what do you do with the computers?

To save a few minutes every four years, you have to spend millions of dollars to warehouse and maintain vote counting computers.  And warehouse them securely, if you care about elections security.  And technology goes obsolete quickly.  So basically you’re paying for computers to sit in warehouses going obsolete, in pursuit of some illusory time and efficiency savings.

Aleksander Essex on Internet Voting in Canada

Aleksander Essex’s submission to the ERRE Special Committee on Electoral Reform is now available:

Some key areas of concern he identifies include:

  • Vote selling and Coercion
  • Phishing
  • Automation bias
  • Denial of Service
  • Client-side malware/spyware
  • Network attacks
  • Server penetration
  • Insider influence
  • State-level actors

He cites the recommendations in the 2015 Utah iVote Advisory Committee Report (PDF), specifically the call for public trials (white hat hacking) of any proposed Internet voting system. Here’s the relevant paragraph from the Utah report:

We recommend that Utah build requirements for an open, public trial for any proposed voting system. The requirements should clearly state the level of integrity and auditability that is required for acceptance along with the overall security and integrity goals for the system. Be aware that even with open, public penetration trials, an Internet voting system would still be subject to malware, phony voter, DDoS, phishing, and insider attacks. So we further recommend that any requirements for an Internet voting system address these concerns specifically and require that vendors satisfy them. In addition, Utah should strongly consider that source code for the entire voting system be made open source so that it can be subjected to review, build, and test by computing professionals not under the influence or supervision of the vendor.

For more about Aleksander Essex see my list of computer science experts

Online course about Internet voting security risks

The free online Coursera course Securing Digital Democracy is about “the security risks–and future potential — of electronic voting and Internet voting”.

The next session starts November 28, 2016.

The course is taught by J. Alex Halderman.  You can find out more about him in my list of computer science experts

ERRE Electoral Reform Committee – MP reports, Briefs, Witnesses, Meetings

The ERRE Special Committee on Electoral Reform has a page that has MP reports (“Members Reports”), Briefs submitted by Canadians, a list of Witnesses including direct links to their testimony (click on the microphone icon), and Meetings.
It’s a very useful page, but unfortunately kind of buried unless you know about it.
You can find it at

Copied from original post on legacy blog

New Brunswick electoral reform consultation including Internet voting

You can submit comments or submit your name to be an expert witness e.g. by email to
The deadline is November 30, 2016.

The New Brunswick Commission on Electoral Reform consultation page states

The commission has been given the following mandates:

  • Assess commitments made by the provincial government in 2014 to contribute to making a more effective Legislature by:
    – eliminating barriers to entering politics for underrepresented groups; and
    – investigating means to improve participation in democracy, such as preferential ballots and online voting.
  • Assess other electoral reform matters that have been raised recently, namely:
    – the voting age;
    – political contribution rules; and
    – political spending rules.

To its credit (and unlike the Federal electoral reform consultation) the NB government has issued a discussion paper, which includes two pages covering Internet voting reasonably well.

The discussion paper is called “Strengthening New Brunswick’s Democracy” and is available from the Government of New Brunswick website at
The Internet voting section is pages 18-19.

For the French version of the discussion paper, see
Vote par Internet – de la page 20 à la page 21 dans « Renforcer la démocratie au Nouveau-Brunswick » (PDF)

The discussion paper is also available in a bilingual print edition and as PDFs in both official languages. Here are the ISBNs:
ISBN 978-1-4605-1033-9 (Print Bilingual)
ISBN 978-1-4605-1034-6 (PDF English)
ISBN 978-1-4605-1035-3 (PDF French)

The Commissioners have been announced in a November 9, 2016 press release

The individuals are Carolyn MacKay, Bev Harrison, Gaétane Johnson, Jason Alcorn and Constantine Passaris.

None of the commissioners has a technical (computer science) background.

According to a July 2016 news release

It is expected that hearings will take place in the fall [2016] with a report due by early 2017. The plan is to allow for any changes to be implemented in advance of the 2018 general election.

However the November 9, 2016 press release makes no mention of hearings, and says just

The public has been encouraged to participate in the process by reading the discussion paper Strengthening New Brunswick’s Democracy and submitting comments. The information received will be compiled and analyzed by the commission. Recommendations will be submitted to the clerk of the Executive Council by March 1, 2017.

This posting adapted and expanded from original on legacy blog

Toronto Internet voting

UPDATE 2016-12-02: On December 1, 2016 Toronto Executive Committee adopted report EX20.5, which includes a recommendation against Internet voting. The report will next be considered by Toronto City Council on December 13, 2016. ENDUPDATE

To its credit, Toronto had computer scientists Aleksander Essex and Jeremy Clark examine available online voting systems in 2014 (to the extent that one can examine a system primarily from an architecture perspective, without being able to actively hack in).  The resulting report concluded that none of the systems were adequate for the requirements.

As part of a regular process, Ontario municipalities are now individually reviewing their voting processes, with a particular emphasis on whether to use ranked ballots and Internet voting.

I am told that Toronto’s 2016 staff report on the topic will shortly be available as part of Executive Committee meeting 20 on December 1, 2016, which means it should be linked at

UPDATE 2016-11-24: The agenda for the December 1, 2016 Executive Committee meeting has been released, including item EX20.5 – Changes to the Municipal Elections Act and Related Matters Impacting the 2018 Election.  It maintains the City Clerk’s recommendation against Internet voting.

This report also advises that there have been insufficient advances in Internet security to accept the risks of implementing Internet voting for the 2018 general election. The challenges identified by both City staff and security experts in 2014 remain unresolved. Internet voting continues to be vulnerable to security threats and attacks while raising concerns about secrecy of the vote, verifiability and overall election integrity.

The report itself is available, consisting of a main report and multiple appendices, of which I will highlight:

From the main report I will highlight just part of the excellent Part B section 3. Internet Voting

3. Internet Voting

Fundamentally, the Internet was designed to share information, not to secure it. Though an increasing amount of daily commercial life—from shopping to banking—has moved online, Internet voting poses security challenges that are unique and, in their current state, insurmountable.

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
  • Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
  • Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.

The recommendations from the City Clerk will first be considered by Executive Committee December 1, 2016 and then in the normal course of events will proceed to Council for final approval December 13, 2016.


UPDATE 2016-11-25:

The main report cites the following sources about Internet voting



Note that Internet voting is used by a substantial number (I believe 97) of municipalities in Ontario, for which

  • they are small municipalities (e.g. a few tens of thousands of people)
  • they have limited in-house IT capacity and expertise
  • they have not conducted any public computer scientist review of the systems (unlike Toronto)
  • they are all using private, third-party, for-profit companies as the Internet voting providers (i.e. they procure Internet voting, as if it were any other kind of customer service)

Internet voting and computer security expertise

There are people trained in computer science, computer security and/or voting technology who can bring evidence and experience to any analysis of online voting.  They are listed with Canadians first, but otherwise in no particular order.




Barbara Simons

Ph.D. in computer science from the University of California, Berkeley

Barbara Simons is a computer scientist and past president of the Association for Computing Machinery (ACM). She is founder and former Chair of USACM, the ACM U.S. Public Policy Committee. Her main areas of research are compiler optimization and scheduling theory. Together with Douglas W. Jones, Simons co-authored a book on electronic voting entitled Broken Ballots.

Key documents:

Key videos:


Twitter: not an active personal Twitter user, however there are tweets from book account @BrokenBallots

Konstantin Beznosov

Ph.D. in Computer Science from Florida International University

Dr. Beznosov served on the BC Independent Panel on Internet Voting

Konstantin (Kosta) Beznosov is a Professor at the Department of Electrical and Computer Engineering, University of British Columbia (UBC), Vancouver, where he founded and directs the Laboratory for Education and Research in Secure Systems Engineering (LERSSE).  His primary research interests are distributed systems security, usable  security, secure software engineering, and access control.

Key documents: British Columbia Independent Panel on Internet Voting – Recommendations Report (PDF)


Twitter: not an active Twitter user

Valerie King

Ph.D. in Computer Science and a J.D., both from the University of California at Berkeley

Dr. King served on the BC Independent Panel on Internet Voting

Valerie King is Professor of Computer Science at the University of Victoria and has been a faculty member there since 1992.  She received an A.B. degree in Mathematics from Princeton University and a Ph.D. in Computer Science and a J.D., both from the University of California at Berkeley.  She was a post-doctoral fellow at the University of Toronto and Princeton University, a Research Scientist at NECI, Compaq SRC and HP Labs, a Visiting Researcher at Microsoft Research SVC, and a Visiting Professor at the University of Copenhagen and Hebrew University.

Key documents: British Columbia Independent Panel on Internet Voting – Recommendations Report (PDF)


Jeremy Clark

Ph.D. in computer science from the University of Waterloo

Assistant professor at the Concordia Institute for Information Systems Engineering

Key document: City of Toronto RFP #3405-13-3197 – Internet Voting for Persons with Disabilities – Security Assessment of Vendor Proposals (PDF)

Twitter: @pulpspy

Aleksander Essex

Ph.D. in computer science from the University of Waterloo

Assistant professor of software engineering in the Department of Electrical and Computer Engineering at Western University

Key document: City of Toronto RFP #3405-13-3197 – Internet Voting for Persons with Disabilities – Security Assessment of Vendor Proposals (PDF)


Twitter: @aleksessex

J. Alex Halderman

Ph.D. in Computer Science, Princeton University

Dr. Halderman has extensive expertise in examining Internet voting systems, including Estonia’s system

J. Alex Halderman is an assistant professor of Computer Science and Engineering at the University of Michigan, where his research spans applied computer security and tech-centric public policy. Halderman has studied topics ranging from web security, data privacy, digital-rights management, and cybercrime to technological aspects of intellectual-property law and government regulation. He is known for helping to introduce the “cold-boot attack,” which breaks encryption by literally freezing a computer’s memory, and for exposing Sony’s rootkit digital-rights management and other harmful copy-protection technologies. A noted expert on electronic voting security, Halderman demonstrated the first voting-machine virus and helped lead California’s “top-to-bottom” electronic-voting review. He has uncovered vulnerabilities in numerous deployed voting systems. He holds a Ph.D. from Princeton University.

Key quotes:

Key documents:

Key videos:


Twitter: not an active Twitter user

David Dill

Ph.D. in Computer Science, Carnegie-Mellon University

David Dill is Professor Emeritus of Computer Science at Stanford University.  Dr. Dill retired from Stanford in 2017.  He was named a Fellow of the Institute of Electrical and Electronics Engineers (IEEE) in 2001 for his contributions to verification of circuits and systems, and a Fellow of the ACM in 2005 for contributions to system verification and for leadership in the development of verifiable voting systems. In 2008, he received the first “Computer-Aided Verification” award, with Rajeev Alur, for fundamental contributions to the theory of real-time systems verification. In 2013, he was elected to the National Academy of Engineering and the American Academy of Arts and Sciences.

He has been on the faculty at Stanford since 1987. He has an S.B. in Electrical Engineering and Computer Science from Massachusetts Institute of Technology (1979), and an M.S and Ph.D. from Carnegie-Mellon University (1982 and 1987).

Prof. Dill has been working actively on policy issues in voting technology since 2003. He is the author of the “Resolution on Electronic Voting”, which calls for a voter-verifiable audit trail on all voting equipment, and which has been endorsed by thousands of people, including many of the top computer scientists in the U.S. He has testified on electronic voting before the U.S. Senate and the Commission on Federal Election Reform, co-chaired by Jimmy Carter and James Baker III. He is the founder of the Verified Voting Foundation and and is on the board of those organizations. In 2004, he received the Electronic Frontier Foundation’s “Pioneer Award” for “spearheading and nurturing the popular movement for integrity and transparency in modern elections.”

Key quotes:

  • elections must feature “non-coercibility” … “The system goes to great lengths to destroy the link between my name and the ballot that I cast.  That’s a property that’s special to elections that almost no other system of electronic transactions deals with in the U.S.” – from The Daily Dot – Online voting is a cybersecurity nightmare – by Eric Geller – June 6, 2016
  • “From the perspective of election trustworthiness, Internet voting is a complete disaster.” – from Stanford Engineering News – Why Online Voting Is a Danger to Democracy – June 3, 2016
  • “Basically, [online voting] relies on the user’s computer being trustworthy. If a virus can intercept a vote at keyboard or screen, there is basically no defense.” – from MIT Technology Review – Why You Can’t Vote Online – November 5, 2012

Key documents:


Avi Rubin

Ph.D., Computer Science and Engineering, University of Michigan

Avi Rubin is Professor of Computer Science at Johns Hopkins University and Technical Director of the JHU Information Security Institute. His primary research area is Computer Security, and his latest research focuses on security for healthcare IT systems. He is Director of the Health and Medical Security (HMS) Lab at Johns Hopkins. He also founded Harbor Labs, a company that provides security consulting, professional training, and technical expertise and testimony in high tech litigation.

He is a frequent speaker on Information Security. Some highlights include TED talks in October, 2011 and September, 2015 about hacking devices, a TED Youth talk, testimony in Congressional hearings, and a high level security briefing at the Pentagon to the Assistant Secretary of the Army and a group of generals.  He authored a book on electronic voting entitled Brave New Ballot: The Battle to Safeguard Democracy in the Age of Electronic Voting.

Key quotes:

Key documents:


Twitter: @avirubin

David Jefferson

Ph.D. in Computer Science from Carnegie-Mellon University

David Jefferson is a computer scientist in the Center for Applied Scientific Computing, where he works on parallel entity-based simulation. He is interested in scalable parallel “middleware” supporting high-performance computing applications, including scalable operating system and communication software, discrete simulation engines, Java platforms, load balancing, checkpointing, and performance instrumentation.

David has served (and continues to serve) on a number of government panels at the state and federal levels, advising on election security issues, especially with regard to electronic and Internet voting. He also sits on the board of directors of the California Voter Foundation.

Key quotes:

  • “We do not know how to build an internet voting system that has all of the security and privacy and transparency and verifiability properties that a national security application like voting has to have” – from The Daily Dot – Online voting is a cybersecurity nightmare – by Eric Geller – June 6, 2016
  • “Internet voting is a serious threat to national security. Neither the U.S. nor any other democratic country should open the door to Internet voting — not now, and not in the foreseeable future — until such distant time as all of the fundamental security problems are satisfactorily resolved.” – from Lawrence Livermore National Laboratory News – Security risks and privacy issues are too great for moving the ballot box to the Internet – March 10, 2015


Twitter: not an active Twitter user

Ron Rivest

Ph.D. in Computer Science from Stanford University

Ron Rivest is a cryptographer and an Institute Professor at MIT. He is a member of MIT’s Department of Electrical Engineering and Computer Science (EECS) and a member of MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL). He was a member of the Election Assistance Commission’s Technical Guidelines Development Committee, tasked with assisting the EAC in drafting the Voluntary Voting System Guidelines.

Rivest is one of the inventors of the RSA algorithm (along with Adi Shamir and Len Adleman). He is the inventor of the symmetric key encryption algorithms RC2, RC4, RC5, and co-inventor of RC6. The “RC” stands for “Rivest Cipher”, or alternatively, “Ron’s Code”.

Rivest is a member of the National Academy of Engineering, the National Academy of Sciences, and is a Fellow of the Association for Computing Machinery, the International Association for Cryptologic Research, and the American Academy of Arts and Sciences. Together with Adi Shamir and Len Adleman, he has been awarded the 2000 IEEE Koji Kobayashi Computers and Communications Award and the Secure Computing Lifetime Achievement Award. He also shared with them the Turing Award.

Key quotes:

  • “We do need to be concerned about the integrity of our voting systems in the face of possible attacks by foreign nation-states.” – from Boston Globe – the hacking of an American election – July 27, 2016
  • “Vendors may come and they may say they’ve solved the Internet voting problem for you, but I think that, by and large, they are misleading you, and misleading themselves as well.” – from MIT Technology Review – Why You Can’t Vote Online – November 5, 2012

Key documents:


Twitter: not active on Twitter

Andrew Appel

PhD in computer science from Carnegie Mellon University

Andrew W. Appel is Eugene Higgins Professor of Computer Science at Princeton University, where he has been on the faculty since 1986. He served as Department Chair from 2009-2015. His research is in software verification, computer security, programming languages and compilers, and technology policy. He received his A.B. summa cum laude in physics from Princeton in 1981, and his PhD in computer science from Carnegie Mellon University in 1985. He has been Editor in Chief of ACM Transactions on Programming Languages and Systems and is a Fellow of the ACM (Association for Computing Machinery). He has worked on fast N-body algorithms (1980s), Standard ML of New Jersey (1990s), Foundational Proof-Carrying Code (2000s), and the Verified Software Toolchain (2010s).

Key documents:

Key videos:


Bruce Schneier

Master’s in Computer Science from American University in Washington, DC

Bruce Schneier is an internationally renowned security technologist, called a “security guru” by The Economist. He is the author of 13 books–including Data and Goliath: The Hidden Battles to Collect Your Data and Control Your World–as well as hundreds of articles, essays, and academic papers. His influential newsletter “Crypto-Gram” and his blog “Schneier on Security” are read by over 250,000 people. He has testified before Congress, is a frequent guest on television and radio, has served on several government committees, and is regularly quoted in the press.  Schneier is a fellow at the Berkman Klein Center for Internet & Society at Harvard University; a Lecturer in Public Policy at the Harvard Kennedy School; a board member of the Electronic Frontier Foundation, AccessNow, and the Tor Project; an Advisory Board Member of the Electronic Privacy Information Center and; and a special advisor to IBM Security.

Key quotes:

  • “Everything we know about voting machines, electronic ones, computerized ones is they’re not very secure. They’re not tested. They’re not designed rigorously. And in many cases there’s no way to detect or recover from fraud.” – from NPR Science Friday (audio) – How Secure Are U.S. Voting Systems? – August 5, 2016

Key documents:


Twitter: the automatic (non-interactive) account @schneierblog tweets links to new blog entries on his website

Vanessa Teague

Ph.D. in computer science (cryptography and game theory) from Stanford University

Her main research interest is in electronic voting, with a focus on cryptographic schemes for end-to-end verifiable elections and a special interest in complex voting schemes such as STV. She was a major contributor to the Victorian Electoral Commission’s end-to-end verifiable electronic voting project, the first of its kind to run at a state level anywhere in the world, joint work with Chris Culnane, Peter Ryan and Steve Schneider. She discovered, with Alex Halderman, serious security vulnerabilities in the NSW iVote Internet voting system.

She has been invited to appear before several Australian parliamentary inquiries into elections at the state and federal level, to answer questions on electronic voting.

She is on the advisory board of and has been co-chair of the USENIX Electronic Voting Technologies Workshop and the International conference on E-voting and identity.

Key quotes:

  • “Voting over the Internet is a really bad idea. We haven’t yet solved important issues like authentication, dealing with malware, ensuring privacy and allowing voters to verify their votes.” – from USA Today – Internet voting is just too hackable, say security experts – January 28, 2016

Key documents:


Joe Kiniry

Ph.D. in Computer Science from the California Institute of Technology

Dr. Kiniry is the CEO and Chief Scientist of Free & Fair, a Galois spin-out focusing on high-assurance elections technologies and services.  He is also the Research Lead at Galois of several programs: Rigorous Software Engineering, Verifiable Elections, High-assurance Cryptography, and Audits-for-Good.

Prior to joining Galois in 2014, Dr. Kiniry was a Full Professor at the Technical University of Denmark (DTU). There, he was the Head of DTU’s Software Engineering section. Dr. Kiniry also held a guest appointment at the IT University of Copenhagen. Over the past decade, he has held permanent positions at four universities in Denmark, Ireland, and The Netherlands.

Dr. Kiniry has around fifteen years experience in the design, development, support, and auditing of supervised and internet/remote electronic voting systems while he was a professor at various universities in Europe. He co-led the DemTech research group at the IT University of Copenhagen and has served as an adviser to the Dutch, Irish, and Danish governments in matters relating to electronic voting.  He now advises the U.S. government on these matters via his participation in the EAC-NIST VVSG public working groups.

Key quotes:

  • “The tricky bit for people to grasp is that the set of requirements around elections look and taste different than any other modern online system.” – from The Daily Dot – Online voting is a cybersecurity nightmare – by Eric Geller – June 6, 2016

Twitter: @kiniry

Jeremy Epstein

Master’s in Computer Sciences from Purdue University

Mr. Epstein is Deputy Division Director of US National Science Foundation Computer and Information Science and Engineering (CISE)/Division of Computer and Network Systems (CNS), where he oversees research in a range of computer science programs, including cybersecurity, cyber physical systems, smart and connected communities, computer systems, networking, computer science education, technology transition, and other assorted topics.

He was previously a senior computer scientist with SRI International in Arlington, Virginia. At SRI, he has been principal investigator on the NSF-funded ACCURATE research program and supported the Department of Homeland Security Science & Technology cybersecurity research program. He is also a member of the US Election Assistance Commission’s Voting Security Risk Assessment (VSRA) team. Prior to joining SRI, Jeremy spent almost nine years as head of product security for Software AG, a global business software company.

Key quotes:

Key documents:


Expanded from original on legacy blog