Month: March 2017

British Columbia Internet voting

British Columbia had an Independent Panel on Internet Voting, whose report was submitted in February 2014.  The report is a comprehensive review of the topic.  It recommends against Internet voting for provincial and municipal elections.

1. Do not implement universal Internet voting for either local government or provincial government elections at this time.

It also provides an excellent list of criteria against which any Internet voting system should be evaluated, and indicates that these principles must be met in addition to any standards a technical committee would establish.

Accessibility

The Internet voting process must be readily available to, and usable by, all voters eligible to vote by Internet voting, even in the presence of Internet voting-specific threats.

Ballot anonymity

The voting process must prevent at any stage of the election the ability to connect a voter and the ballot(s) cast by the voter.

Individual and independent verifiability

The voting process will provide for the voter to verify that their vote has been counted as cast, and for the tally to be verified by the election administration, political parties and candidate representatives.

Non-reliance on trustworthiness of the voter’s device(s)

The security of the Internet voting system and the secrecy of the ballot should not depend on the trustworthiness of the voter’s device(s).

One vote per voter

Only one vote per voter is counted for obtaining the election results.
This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).

Only count votes from eligible voters

The electoral process shall ensure that the votes used in the counting process are the ones cast by eligible voters.

Process validation and transparency

The procedures, technology, source code, design and implementation details, and documentation of the system must be available in their entirety for free and unconstrained evaluation by anyone for testing and review for an appropriate length of time before, during and after the system is to be used. Policies and procedures must be in place to respond to issues that arise. Appropriate oversight and transparency are key to ensuring the integrity of the voting process and facilitating stakeholder trust.

Service availability

The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election administrators, observers or any others involved in the process. If Internet voting should become unavailable or compromised, alternative voting opportunities should be available.

Voter authentication and authorization

The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the voter is eligible to vote.

Above from Independent Panel on Internet Voting – Recommendations Report to the Legislative Assembly of British Columbia – February 2014 (PDF) – principles are specifically from Recommendation 4

All Internet voting systems currently in use in Canada fail to meet one or more of these principles. In particular, the systems used for municipal voting in Ontario and Nova Scotia are provided by third-party private for-profit vendors, and do not provide any of the process validation and transparency described above.

New Brunswick Internet voting

New Brunswick had a Commission on Electoral Reform that took online submissions starting at the end of 2016, held meetings in January 2017, and submitted its report at the beginning of March 2017.

The Commission recommended against Internet voting.

Therefore, the commission makes the following recommendations:

  • The government not proceed with electronic voting at this time, due to concerns related to security, confidentiality and privacy.

above from A pathway to an inclusive democracy (PDF) – Goal 3: E-voting – pages 20-21

La Commission fait donc les recommandations suivantes :

  • Que le gouvernement n’aille pas de l’avant avec le vote électronique pour le moment, en raison des préoccupations relatives à la sécurité, à la confidentialité et au respect de la vie privée.

En voie vers une démocratie inclusive (PDF) – Troisième but : le vote électronique/par Internet – de la page 20 à la page 21

I submitted a 16-page briefing to the Commission.

Previously:
January 1, 2017  New Brunswick Electoral Reform Commission meeting dates
November 27, 2016  Brief submitted to New Brunswick Commission on Electoral Reform – November 2016
November 20, 2016  New Brunswick electoral reform consultation including Internet voting

Internet voting filter bubbles

From a Canadian perspective, there are basically three groups that examine Internet voting:

  • social scientists that examine people’s attitudes, feelings and behaviours associated with Internet voting
  • staff at municipalities that have chosen Internet voting and see it as just another digital service to offer, and the vendors they procure Internet voting from
  • computer scientists that examine Internet voting from the perspective of requirements and threat risk assessment

These three communities basically don’t interact.  The social scientists cite one another.  The municipal staff and vendors reference other municipalities and vendor analysis.  The computer scientists cite one another.  This gives three basically different filtered world views.

  • The social science perspective indicates some level of popularity of Internet voting either conceptually or in practice, and associated levels of satisfaction.  It also documents the expectations of turnout (high) and the reality of turnout (no change).  Additionally and unfortunately it sometimes reports on perceptions of security, which are meaningless.  It doesn’t matter how safe you feel jumping off a cliff, the same thing will still happen at the bottom when you encounter reality.
  • At best, municipalities approach Internet voting from a digital services perspective, and do the standard things one does for a transactional service, including security buzzwords like firewalls and encryption, obtaining vendor assurances, and contracting confidential security assessments.  One of their primary sources of technical information is the vendors themselves.  Two issues are that Internet voting is not a standard transactional service, and that vendors have literally millions of dollars in sales at stake.
  • Computer scientists look at the requirements for voting systems, e.g. the Computer Technologists’ Statement on Internet Voting.  When they evaluate real Internet voting systems against those requirements, they always find that current systems cannot meet the requirements.  In order to provide the best security assessment of the real systems, they seek the ability to conduct truly independent and public security assessments of the technology being used (this is almost always denied).  They also assess the full spectrum of potential risks against a system.  That includes technical risks and non-technical risks.  An often overlooked risk is the risk of coercion when voting no longer takes place in private in a supervised location (the polling place).  They also examine techniques used by very sophisticated attackers, as well as very basic but successful techniques (e.g. phishing) and the risk of insider attacks.  For a service where there is no way for the end user to verify their intended result (due to the combination of secret ballot and coercion avoidance), the inevitable conclusion is that there are no adequate risk mitigation measures.

So the answer you get about Internet voting depends on which community you ask.  If you ask social scientists, it’s popular.  If you ask municipalities that have implemented it, they assure you that everything is going fine.  If you ask computer scientists, they will tell you that it is not a regular transactional digital service, and that using Internet voting introduces catastrophic risk.

You can get a pretty easy indication of which community is talking by looking for language clues.  If the discussion is around popularity, it’s probably a social science analysis.  If the discussion is around firewalls and encryption and security assurances, it’s probably municipalities.  If the discussion is around risks, it’s probably computer scientists.

It may seem odd that computer scientists would speak in less technical language, but that’s because specific technical measures are much less important than a system-wide requirements and threat analysis, particularly in an environment including home computing devices and non-technical online service users.

The result of having these different communities means that basically only consultations that include the computer science community recommend against voting using computers, which may be an unexpected outcome.  But it is the outcome of any serious consultation, including e.g. New Brunswick, Nova Scotia, Quebec, Ontario, British Columbia, the Government of Canada, and the Government of Australia.

The Ontario municipal association AMCTO is holding a 2017 event for municipal clerks, featuring a session about the security of Internet voting.  The presenters will be

  • a clerk from a municipality that has approved Internet voting
  • an Internet voting vendor representative
  • a second Internet voting vendor representative

I leave it to you to conclude which filter bubble will be in operation.

 

Internet voting in Finland

UPDATE 2018-02-28: Finland will not implement Internet voting.  The working group report recommended against Internet voting due to the risks.  END UPDATE

Finland has announced its intention to implement Internet voting in national elections.  The working group has been struck as of February 2017 and its report is due by end of November 2017.

In its strategy session on Monday 24 October [2016], the Government of Finland outlined that electronic voting will be introduced in Finland as an alternative to the traditional voting in all elections.

above from Ministry of Justice, Finland – Finnish Government: Introduction of internet voting set as goal – October 27, 2016 – also available in Finnish: Hallitus: Tavoitteeksi nettiäänestyksen käyttöönotto and Swedish: Regeringen: Införande av internetröstning som mål

Finnish Election Director Arto Jääskeläinen further expanded on their national plan through the Ministry of Justice blog in December 2016, but in Finnish only: Nettiäänestyksessä paljon pohdittavaa: Selvitys käyntiin

Google Translate struggles with Finnish, but here is a part of the post in translation

– Can the on-line voting system to protect your launch cyber-attacks and how the voter has the assurance that the resolution of his voice remains in the system and there is calculated in such a way as he is meant? Since the election shall be submitted at any given time, a successful denial of service attack would have serious consequences. Online Voting differs significantly from many other online services: voters and his its sound is not explicitly allowed to be able to connect to each other and the election may vote only at the end of the voting period even if the links were playing again.

Many security experts have recently expressed very critical views about the safety of online vote and were of the opinion that completely secure system does not exist. These speeches are in my opinion, should be treated with respect and take them into account in the development of on-line voting.

The working group was struck on February 21, 2017.

The working group is tasked with conducting a study on the potential system to be used for online voting in general elections and consultative referendums. The study will, among other things, examine the operating environment, market and data security of online voting, analyse the related risks, and present proposals for further measures.

above from the Ministry of Justice, republished on the elections site – Working group to conduct feasibility study on online voting – also available in Finnish: Työryhmä tekee esiselvityksen nettiäänestyksen toteuttamisesta and in Swedish: Arbetsgrupp gör förutredning om internetröstning

At this point I should probably note that etunimi.sukunimi@om.fi is not an actual email address (I made this mistake myself), it’s just a formula for constructing an email address with firstname (etunimi) dot lastname (sukunimi).

There is a page with more details but it is only available in Finnish and Swedish.

In document Työryhmän asettaminen (“Setting up a working group”) it gives the membership. It is good to see that there are many members from cybersecurity, ICT and computer science organisations.

Name Organisation Role Notes
Johanna Suurpää Ministry of Justice Chair
Arto Jääskeläinen Ministry of Justice Vice-Chair
Markus Rahkola Ministry of Finance member
Mikko Viitaila Finnish Communications Regulatory Agency FICORA – Cybersecurity (Viestintäviraston Kyberturvallisuuskeskus) member
Anniina Tjurin Legal Register Centre, responsible for information systems in the Ministry of Justice (Oikeusrekisterikeskus) member
Juha Mäenalusta Legal Register Centre, responsible for information systems in the Ministry of Justice (Oikeusrekisterikeskus) member
Tommi Simula Government ICT Centre (Valtion tieto- ja viestintätekniikkakeskus Valtori) member
Pauli Pekkanen Population Register Centre (Väestörekisterikeskus) member
Tuomas Aura Aalto University, Department of Computer Science (Aalto yliopisto, Tietotekniikan laitos) member
Seppo Virtanen University of Turku, Faculty of Mathematics and Natural Science / Department of Mathematics and Statistics (Turun yliopisto, Matematiikan ja tilastotieteen laitos) member
Marianne Kinnula University of Oulu, Faculty of Information Technology and Electrical Engineering ITEE (Oulun yliopisto, Tieto- ja sähkötekniikan tiedekunta) member
Hanna Wass Election Study Consortium (Kansallinen vaalitutkimuskonsortio) member
Timo Karjalainen Electronic Frontier Finland ry EFFI member
Anneli Salomaa Ministry of Justice Project Manager
Heini Huotarinen Ministry of Justice Inspector General ? (Ylitarkastaja)

Chair of the working group may appoint a technical sub-group practice for preparatory work.

Inquiries:
Johanna Suurpää, chair of the working group, Director, Ministry of Justice, tel. 02951 50534
Anneli Salomaa, secretary of the working group, Project Manager, tel. 02951 50164
email: firstname.lastname@om.fi