Here’s what I wrote in response to some confusion about Canadian elections in the comments on Schneier on Security blog post DARPA Is Developing an Open-Source Voting System
Sfan and Earnest – In response to Sfan’s statement “FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015.”
Elections Canada runs federal elections only, and continues to use hand-marked paper ballots that are hand counted. See e.g. https://twitter.com/ElectionsCan_E/status/1105136418639233024
You might be confusing Elections Canada with Elections ONTARIO, which has recently switched from hand-counted ballots to vote counting computers for provincial elections. With, I might add, zero provision for risk-limiting audits.
Municipal elections in Ontario, which are governed by provincial election law, use a mix of vote counting computers (as in the City of Ottawa) and completely unregulated Internet voting. Internet voting run by third-party for-profit companies with zero public availability of source code, zero public security testing, and no legislative provisions for either.
In terms of the substance of Schneier’s blog post, there are also some issues. He quotes
The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA [Defense Department’s Defense Advanced Research Projects Agency].
(Emphasis on special mine.)
Issues to consider:
- Open source is better (because it can be inspected) but ultimately useless as a voting computer improvement because you cannot prove what code is running on a computer.
- In theory you can address the issue of what code is running by having secure hardware but there is no perfect hardware security, just like there is no perfect software security. Additionally, election security is about universally understandable verifiability. Any citizen should be able to understand the election process and the results. “Trust us, this special hardware is secure” is no different than “trust us while we go in this special locked room and secretly produce the election results”.
- Similarly, in theory you can use cryptographic techniques to improve the security and verifiability of the election, but the only people who can actually understand them is a tiny set of cryptographers. To everyone else you’re saying “trust us, this special crypto code is secure” which is no different than “trust us while we go in this special locked room and secretly produce the election results”.
Having open source is better, having public inspection and testing of the code is better, having verified cryptography is better, but none of these improvements to computer vote counting address the fundamental issue which is that you can’t do computer vote counting in a way that is transparently understandable by every voter, and so you shouldn’t be doing computer vote counting at all.
Plus which, in practice you can’t tell what code is running on a computer anyway, because computers can lie. Computer programs are written by people; people can lie, and so they can tell computers to lie. You can ask the computer “are you running this open source code” and the computer can say “oh yes, absolutely” even as it triggers the hidden election day malware that slightly alters votes just enough to tip the result to a different candidate.
At most, when you have very complicated ballots as in the US you can consider doing computer vote counting with hand-marked paper ballots and a risk limiting audit. But for Canada’s extraordinarily simple elections, computer vote counting adds needless complexity, obscurity and risk to an already optimised system.
That being said, if we are stuck with Internet voting in Canadian municipal elections, open source code and public security testing is absolutely essential, as much because it will demonstrate repeatedly that the source code is both ridiculously complicated and insecure, as for the fact that it helps reduce (but definitely not eliminate) security risks.
In other words, open source and public security inspections are only about making something we shouldn’t be doing in the first place less terrible. They are not an actual solution. The actual solution is not to have Internet voting and computer vote counting at all in Canadian elections.
Paper Vote Canada 2 