Month: August 2019

Internet voting must be about public evidence not belief

Internet voting, and indeed any kind of trusted election, must be about public evidence, not belief.

If we wanted to conduct elections based on belief, we’d just take all the ballots into a secret room and say “trust us, we believe we have all the right counting and integrity in place”, and then produce the final count of the votes basically out of nowhere.

If we did that with paper ballots people would be incredibly suspicious.  Who did the counting?  How can we be sure the ballots were honestly counted?  Where was the oversight?  Where are the ballots to provide the evidence?  Can we even trust the ballots now that they have been held in secret?  What if they were changed?

This seemingly-ridiculous scenario is actually a pretty accurate description of where Canada is now with Internet voting.

A typical “debate” scenario has a Chief Electoral Officer or city councillor or city staffer on one side, and a computer scientist on the other.  Not only is this a totally artificial “balance” of views, but the main issue also becomes assertions of belief without evidence, on both sides.

The electoral officer says believe us, we have all the necessary measures in place to make Internet voting trustworthy.  The computer scientist says they believe there are possible attacks.  And that’s it.  You’re left to try to decide which belief to believe.

Fundamentally, elections are not supposed to work like this.  Elections are not about trust and belief, they’re about evidence.

Maybe after having the anonymous paper ballot for so long we’ve forgotten that it was designed to provide public evidence; it’s not just a haphazard system we ended up with.

So Internet voting must provide public evidence, but it doesn’t.  Internet voting in Canada should provide public source code, but it doesn’t.  Internet voting in Canada should provide a public opportunity to conduct realistic attacks on the real system, or a very close model of the real system, but it doesn’t.  Internet voting in Canada in fact produces zero public evidence.  In fact, both the provision of public source code and public attacks on the real system are illegal, the former because of intellectual property law and the latter because of cybersecurity law.  Which is why the computer scientist can only say “believe me, there are potential attacks” rather than actually demonstrating real attacks.

So for Internet voting, you now have to entirely transfer your trust to the election organisation, but it is actually worse than that: with the third-party vendor model of Internet voting that Canada uses, you’re entirely transferring your trust to the third-party, for-profit vendor.

What security tests are conducted on the vendor?  Sorry, that’s a secret.

What security measures are taken by the elections organisation?  Sorry, that’s a secret.

What security measures are in the code and the servers and the network the vendor provides?  Sorry, that’s a secret.

To be clear, I have a high degree of confidence that Canada’s public election organisations are doing their job with all necessary diligence and expertise.  But my confidence is irrelevant.  Confidence is not how you run elections, evidence is.  And in the transition to computer vote counting and Internet voting, we have totally changed our trust model without any meaningful public discussion (as I have mentioned before specifically about computer vote counting).

Maybe from now until the end of time, our public election organisations and their private vendors with secret code and secret testing will conduct themselves perfectly.

But this seems unlikely given human history plus the fact that every single time voting code is made available for inspection or opened to public attack, the code is shown to be insecure.  This ranges from Washington, DC in 2010 as documented by J. Alex Halderman, to Switzerland in 2019.

There are very good computer-theoretic reasons that you can’t trust Internet voting even if the code is found to be secure, including under real-world attack; there is as yet no solution for secure Internet voting.  But it is perfectly reasonable to experiment in low-risk, small-turnout situations.

An actual experiment would place Internet voting in the same space of public evidence as paper ballots.  Which means that Canada would need standards, public code and public testing.  You may be shocked to find out that unlike pretty much everything from your municipal water supply to any product you may buy, Canada has no, none, zero standards for Internet voting.  No mandatory requirements.  No mandatory testing.  No nothing.  Internet voting typically shows up as a single line about “electronic voting” in an alternative voting methods law or bylaw.  That’s it.

The absolutely critical first step to bringing public evidence back to elections in the Internet voting era is to have some very basic foundational standards and requirements, starting for example with the Swiss model that requires both public source code and public security testing.

In the absence of bringing public evidence to the conversation about Internet voting, we’re just going to have year after year of the same pointless back and forth about election beliefs, a conversation that can never be resolved because there’s no actual evidence to draw conclusions from.