In Ontario, there are no standards in place for choosing, testing, certifying or auditing election technology, including the online voting used in Ontario municipal elections.
This is a huge gap that has opened the door to what is currently basically an unregulated process where individual municipalities choose whether or not to use Internet voting and then procure vendor-based solutions without any guidance.
UPDATE 2022-05-23: The standards committee has been created, see blog post Elections Ontario Advisory Committee on Standards for Voting Technologies. END UPDATE
It is heartening to see Elections Ontario recognize the gap in standards for voting technology in its Report on Ontario’s 42nd General Election (Modernizing Ontario’s Electoral Process, June 7, 2018). Elections Ontario makes a long recommendation which I am going to quote in full
Establish common evaluative standards and a certification process for election technology
The Chief Electoral Officer recommends that Ontario establish common evaluative standards and a certification process for technology used in the electoral process in Ontario.
Technology holds a lot of promise for the elections of the future. Increasingly, Ontarians expect that technology will be used to make voting easier, offer more choice to electors for when, where and how to vote, and find efficiencies in the electoral process. Electoral management bodies, including Elections Ontario, are increasingly turning to technology to solve logistical challenges.
In Ontario, the adoption of technology into the electoral process has been done in an ad-hoc way since the late 1980s, and has been led by municipalities. This approach made sense when voting technologies were new and there were no best practices from which to draw. It also allowed municipalities to pioneer technology and discover fit-for-purpose solutions to address their local needs.
With more than 20 years of practical experience at hand, we are at a point where we are actively learning from our past so that we can create best practices and develop future guidelines. Standards can provide consistent guidance for municipalities and the province as we adopt proven technologies using a principled and measured approach.
It is critical that our approach to technology be intentional and evidence-based. Even as the public expects electoral management bodies to find efficiencies through technology, they are also increasingly aware of the possible failures of technology. While there are many benefits to using technology, there are risks involved, as illustrated by recent failures of systems at large organizations.
As the public becomes more informed about software, malware and manipulation of technology data systems, they are increasingly interested in knowing exactly how election technology preserves the integrity of our electoral process and the confidentiality of their personal information. For the public to trust the integrity of the electoral process they must be assured that:
- Technology used to cast a vote will accurately count the vote as intended.
- Technology used to cast a vote will uphold the secrecy of the vote.
- Technology used to tabulate votes will be verifiable and protected from tampering.
- Technology used to transmit election results will be verifiable and protected from tampering.
- Technology will not result in the breach of their confidential and personal information.
To ensure we maintain public trust in our electoral system as we adopt technology, the Chief Electoral Officer recommends that Ontario establish a set of common evaluative standards and guidelines. These will advise election administrators as they consider which technology to adopt, how to evaluate the technology, and the specific technical standards to consider for adopted technology.
This is a very significant step forward for Elections Ontario. In particular I laud the phrase “It is critical that our approach to technology be intentional and evidence-based.”
There is also a strong statement of principles at the end of the report
We continue to balance making voting easier for Ontarians with the need to preserve the integrity of the electoral process. We want to provide modernized, flexible, and convenient ways to vote, but cannot compromise the core covenants of our democracy: accessibility, one vote per elector, secrecy, integrity and security. As we continue on this modernization journey, these values will continue to be at the centre of the work we do.
As a starting point, the principles above are very good, and to them I would add the implementation criteria from Ontario’s own 2013 report on Alternative Voting Technologies.
Our implementation criteria are:
The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
- Individual verifiability:
The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
- One vote per voter:
Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
- Voter authentication and authorization:
The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
- Only count votes from valid voters:
The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
- Voter privacy:
The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
- Results validation:
The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
- Service availability:
The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.
However, those principles need to be refined for a computer-based system, which the report also does
If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:
- Source code audit to verify that the code will do only what it is intended to do.
- Digital signature of the audited source code to protect its authenticity and integrity.
- Trusted build of the executable code in front of auditors (based on audited source code).
- Signature of the executable code to protect its authenticity and integrity.
- Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
- Logic and accuracy testing of the voting system to validate it works properly.
- Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
- Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
- Individual voter verification that proves their ballots were used in the final tally (by using special receipts).
A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.
Those are strong starting points, and even more so because they emerge from Ontario’s own multi-year research into the subject.
That being said, Ontario also needs to heed the conclusion of the Alternative Voting Technologies report:
At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.
It is possible that the introduction of standards for municipal online voting could open the door to provincial online voting, and indeed the very-high-level Elections Ontario Strategic Plan 2019 – 2023 (PDF) says
Advance modern elections in a measured and principled manner
- Assess and analyze the environment to inform the modernization of future elections.
- Better understand electors’ needs and behaviours to build modern and responsive services.
- Recommend legislative change to support modernization of electoral services.
- Pilot modernization initiatives through by-elections.
It’s not at all clear what this “modernization” might include.
It is critical that both the current deployment and any potential further expansion of online voting should be subject to extensive analysis by computer security experts.
By applying an evidence-based approach to technology with extensive public, independent, unrestricted testing of election technology, Elections Ontario has the opportunity to move from what it acknowledges has been an ad-hoc approach to one that brings the appropriate levels of standards, testing, certification and auditing in what is a high-risk cybersecurity environment.
Additionally, Elections Ontario needs to close an auditing gap by putting in place risk-limiting audits for the computer vote counting it is now using for provincial elections. We cannot simply trust the counts produced by the vote tabulators (because computers can be programmed to produce whatever result the programmer wants); we must have a public audit to increase the confidence in the results.
I hope that municipalities and the provincial government will accept that putting standards in place may result in the decertification and withdrawal of voting technology, as has happened when “electronic voting machines” were examined in the United States and when Switzerland made one of its online voting solutions available for public testing.