Month: October 2020

Canada’s great and terrible election systems

Overview

Canada’s federal elections, with hand-counted paper ballots, are great.  The election trifecta of security, anonymity and verifiability is elegantly and simply attained.  Canadians can be rightfully proud of our professionally-run, non-partisan, rules-based federal elections.

Canada’s municipal elections in Ontario and Nova Scotia, with municipalities able to choose paperless Internet voting, are terrible.  These Internet voting elections, conducted entirely by opaque for-profit third-party companies, are unverifiable.  Canadians should be alarmed about the level of risk our municipalities are taking, and about the total lack — yes literally total lack — of mandatory rules, standards, requirements, processes or procedures associated with municipal Internet voting.

Canadians will, as is our nature, put some energy into lecturing the US about how they should adopt our federal voting system.  That energy would be better directed into addressing the very substantial flaws with our use of provincial vote counting computers and our totally insecure use of unverifiable municipal Internet voting.

What You Can Do

The best interventions need to be made provincially.  While intervening at your local council deliberations is also vitally important, the municipal election framework is set provincially.  There needs to be advocacy to reinforce Ontario’s direction to introduce voting technology standards, and to encourage Nova Scotia to do the same.

(This is if we’re going to have Internet voting at all, which from a security perspective we really shouldn’t anyway.)

Details

Canadian federal elections are governed by the Canada Elections Act, which provides very detailed procedures for paper ballot elections.  These procedures have been carefully thought out to mitigate risks to the election.  Their elegant simplicity is a thing of beauty.  As any process designer knows, complexity is easy, it’s simplicity that is hard.  Hand counted paper ballot elections give an extremely high degree of confidence in the results of the election.

There is a monster lurking in the basement of Canada’s happy elections household however, in that provincial and in particular municipal elections are moving to increasing use of 21st century technology, while still retaining a 20th century legal framework that is ill-suited for the task.

Lack of Risk-Limiting Audits

In the US, painful lessons are slowly being learned about the risks of vote counting computers (vote tabulators, often misleading called “voting machines”) and fully-computerised paperless Direct Recording Electronic (DRE) technology.  In particular, thanks to tremendous efforts by US computer security experts, US states are returning to paper-based elections.  Due to the complexity of US ballots, hand counting would not be practical, so vote counting computers are used.  However, you cannot trust “the computer”, because “the computer” is just code written by humans.  Code that may be flawed, or that may be — undetectably — replaced with malicious code.

For these reasons, US states are also adding Risk-Limiting Audits (RLAs).  A risk-limiting audit is a process for manually analysing a sample of the computer-counted paper ballots in order to demonstrate, with strong statistical evidence, that the computer count has a high probability of being correct.

Canada has introduced vote counting computers provincially, for example in Ontario and New Brunswick, but with no provisions for Risk-Limiting Audits.  This means that the provincial computer counts, while professionally conducted, have a much lower degree of verifiability than a hand count.  British Columbia has said it will conduct Risk-Limiting Audits, but this statement comes in a single tweet:

One would like to see a lot more public communication from Elections BC about this issue.

Of note, unlike in the US where the complex ballots basically mean it is impractical to count ballots by hand, in Ontario and New Brunswick they could still be counting Canada’s simple provincial ballots by hand.  The limitation is primarily a lack of volunteers, which one would think could be solved in many creative ways, not by introducing vote counting computers with basically no public discussions.  Vote counting computers that are a radically different trust model from a hand count.

Totally Unregulated Municipal Internet Voting

Municipalities, in Canadian law, basically don’t exist in any significant sense.  Accordingly, municipal elections are governed by provincial law.  Ontario and Nova Scotia have the option for “alternative voting” at the municipal level, as decided by individual municipal councils.  In practice alternative voting means totally paperless Internet (and telephone) voting.  Totally paperless as in no paper ballot options whatsoever.

One might think that in putting such a provision in place, there would be extensive guidance about security, verifiability, and procurement.  One would be wrong.  There is none.  That’s not hyperbole.  There are absolutely no standards, no guidance, no processes, no procedures, no requirements in law related to Internet voting.  It is a free-for-all.  A brief phrase in each municipal elections act has opened the door to totally unregulated Internet voting.  Canada has — unintentionally — created one of the least verifiable municipal election systems in the world.

It’s particularly striking in Ontario, which spent three years investigating provincial Internet voting and decided against it.  Nova Scotia also studied provincial Internet voting, albeit much less extensively, and also decided against it.  So that makes it pretty clear that municipal elections are second class, considered less important than provincial elections.  Do you feel comfortable voting in a second class election?

Ontario has at least belatedly realised this is a significant issue:

In Ontario, the adoption of technology into the electoral process has been done in an ad-hoc way since the late 1980s, and has been led by municipalities. This approach made sense when voting technologies were new and there were no best practices from which to draw. It also allowed municipalities to pioneer technology and discover fit-for-purpose solutions to address their local needs.

With more than 20 years of practical experience at hand, we are at a point where we are actively learning from our past so that we can create best practices and develop future guidelines. Standards can provide consistent guidance for municipalities and the province as we adopt proven technologies using a principled and measured approach.

But having made that announcement, I have seen zero public conversation in Ontario about any processes to actually create voting technology standards.

Canada would do well to look to Switzerland, which has been a leader in requiring independent public security analysis of any Internet voting solutions before they can be deployed.  (Perhaps somewhat to Switzerland’s chagrin, as every solution proposed to date has inevitably been found to have fatal security issues.)

Canada would also do well to bring its election technology to the US Voting Village, or to create its own Canadian Voting Village event, where public interest technologists can examine the technology and code in order to find security vulnerabilities.

Even worse, if it’s possible to be even worse than terrible, the municipal elections are not run by the municipality, but instead are entirely contracted out to for-profit third-party vendors.  Vendors whose code is shielded from inspection by intellectual property law.  We have no idea what’s going on inside the code that runs municipal Internet voting elections.

Lack of Discussion About Internet Voting

In general, there is minimal discussion about Internet voting issues in Canada, or to be frank about most technology issues other than privacy.  As a case in point, Quebec did a study of provincial Internet voting and as far as I can tell, there was zero coverage of it in major English-language newspapers, and minimal coverage in French-language newspapers.

Even if Canadian governance is dominated by a social sciences lens, I would have thought that the expertise Canada has in professional public administration would make the total lack of standards, requirements, and processes for Internet voting a red flag.

Risks for the Future

At the federal level, we almost had Internet voting trials by 2013 (Toronto Star headline “Elections Canada backs online voting”), so don’t think that Canada is immune to federal Internet voting.  A number of members of the federal Electoral Reform Committee went into their study of online voting expecting that it would be an easy solution, and it is only just barely that they got the advice they needed to realise its security risks (despite a distressingly small number of computer security expert witnesses).  That institutional knowledge about the risks of Internet voting will inevitably fade, and with remote voting in the House of Commons (which is totally fine because votes are public and therefore verifiable) one can expect members will wonder why they can’t have Internet voting in their own federal elections (which is totally not fine, because votes must be secret, which is an incredibly hard computer science problem).

Provinces will continue to switch to vote counting computers, arguing that this is modernisation but actually to address a lack of polling place volunteers.  There will continue to be a lack of a risk-limiting audit framework to provide a high level of statistical confidence that the computer count is correct.  And despite the detailed previous Canadian and international studies demonstrating that the risks of Internet voting are too high, provinces including Quebec will continue to study the issue in an attempt to get approval for implementation.

Municipalities will continue to procure Internet voting as if they were procuring office supplies, and with fewer standards to guide them.

Background – Municipal Election Acts

These few lines are all that governs the extensive paperless Internet voting that takes place in Ontario and Nova Scotia municipalities.  Other than this, there is, I have to emphasize again, no other guidance whatsoever about security, verifiability, testing, or any other requirements governing Internet voting.

In the text below, “alternative voting method” or “electronically” ends up in practice meaning Internet voting.

Ontario – Municipal Elections Act, 1996, S.O. 1996, c. 32, Sched.

By-laws re voting and vote-counting equipment, alternative voting methods

42 (1) The council of a local municipality may pass by-laws,

(a)  authorizing the use of voting and vote-counting equipment such as voting machines, voting recorders or optical scanning vote tabulators;

(b)  authorizing electors to use an alternative voting method, such as voting by mail or by telephone, that does not require electors to attend at a voting place in order to vote. 1996, c. 32, Sched., s. 42 (1).

Nova Scotia Municipal Elections Act (PDF)
CHAPTER 300 OF THE REVISED STATUTES, 1989

Vote by mail or other voting method
146A (1) A council may by by-law authorize voters to vote by mail, electronically or by another voting method.

If you’re wondering where is all the other stuff, where is the Internet voting equivalent of the section after section, page after page of detailed procedures the Acts require for paper voting… there is nothing else. There are no other public documents whatsoever providing municipalities with any guidance on deciding about Internet voting or any standards for implementing Internet voting.