Author: rakerman

Elections Quebec consultation on Internet voting

Elections Quebec (Élections Québec) is consulting on Internet voting (vote par internet).

https://www.electionsquebec.qc.ca/internetvoting/

The consultation closes November 3, 2019

You can answer a survey in English or en français.

You can also submit a position paper in English or French by email to

consultation_vpi@dgeq.qc.ca

Information en français https://www.electionsquebec.qc.ca/voteparinternet/

There is also a short URL which will land you on the French page http://voteparinternet.quebec/

Moratorium on electronic voting

I think it’s important to remember that in its 2005 elections, Quebec had severe problems with electronic voting.

“We all remember the events that marked the municipal elections of November 6, 2005,” recalled the Chief Electoral Officer. “Not only did the systems fail, but the corrective measure proposed were insufficient, poorly adapted and often came too late. … “

« Nous nous souvenons tous des événements qui ont marqué les scrutins municipaux du 6 novembre dernier », a rappelé le directeur général des élections. « Non seulement des systèmes ont fait défaut, mais les correctifs proposés étaient insuffisants, mal adaptés et souvent tardifs. … »

The problems were so severe that the Directeur général des élections du Québec (DGEQ) declared a moratorium on electronic voting in Quebec.

Many Canadian Internet Voting Studies

It is also worth noting that Ontario, British Columbia, New Brunswick and the Government of Canada all did various types of extensive studies or consultations on online voting at the provincial or national level, and all of them rejected it.  Nova Scotia and PEI have also examined online voting at the provincial level and rejected it.

See Canadian reports recommending against Internet voting.

Many National Internet Voting Studies

In addition, Finland studied and recommended against national Internet voting, Norway actually did trials of Internet voting and then rejected it, and Switzerland (which never had very much Internet voting) now has none because of security issues.

See Internet voting at the national level.

No Internet Voting in Canadian Federal Elections

For an overview of why Canada doesn’t have national Internet voting, including questions about turnout and security, see Why is there no online voting in Canadian federal elections?

Internet voting in Switzerland

There is currently no Internet voting in Switzerland, primarily due to security issues.

It’s complicated to write about Internet voting in Switzerland for several reasons:

  • Switzerland has a political structure of cantons, voting is done by canton with different systems in each canton
  • Switzerland does not have a history of voting privacy; historically and in a few locations even today voting is done by a public show of hands
  • Switzerland has many votes throughout the year on what are basically referenda
  • Switzerland has a good, but quite complex, set of regulations around Internet voting

Internet voting has been an option in some cantons.  I believe testing began in 2004.  Because of the Swiss Internet voting regulations, as best I understand the maximum percentage that can vote online is 30%.  (More than 30% voting online triggers additional requirements.)

The 30% figure is a bit misleading however.  Because only some cantons participated in online voting trials, it was open to just 3.8% of the overall electorate in September 2018 (and now is not available at all).1

1 Source – Slides “Trust in e-voting” (PDF, 1 MB, 07.02.2019), from Federal Chancellery FCh > E-Voting

As indicated above, the absolute number of voters was always relatively small.  In my own analysis of reports available online, I find that under 5% of the eligible voters vote online, representing 200,000 or fewer votes per voting period.  (My understanding is that voters have to register in advance to vote online; it’s not clear to me whether the numbers in these reports are just the number of registrations, or the actual number of ballots cast online.)

The map below summarizes the online voting testing that has been done by cantons, as well as making it clear that there is currently no online voting at all (in French « Pour l’instant, il n’est pas possible de voter par voie électronique en Suisse », roughly translated “For the moment, it is not possible to vote online in Switzerland”).

La Suisse - Essais de vote électronique dan le cadre de scrutins fédéraux
La Suisse – Essais de vote électronique dans le cadre de scrutins fédéraux

Above map from Chancellerie fédérale ChF > Vote électronique.

Turnout

Research indicates that turnout did not increase, specifically youth turnout didn’t increase.2

2 Internet voting and turnout: Evidence from Switzerland, by Micha Germann and Uwe Serdült in Electoral Studies, Volume 47, June 2017, Pages 1-12. https://doi.org/10.1016/j.electstud.2017.03.001

Background on Geneva and Swiss Post

Geneva developed two systems, CHvote 1 and CHvote 2.  As best I can understand CHvote 1 has been suspended, and there’s no money to further develop CHvote 2 to the level it would need to reach.

Swiss Post developed two systems, including a new one with a third-party for-profit private vendor.  The old system is being discontinued.  As required by Swiss law, the new system was put to a public intrusion test (with restrictive conditions) and the source code was made available (with restrictive conditions).

Swiss Post makes a remarkable claim about the new system.

The new system with universal verifiability was subject to a public intrusion test (PIT) in spring 2019. During the test, it withstood attacks from over 3,000 international hackers.

This is at best misleading.

The conditions on both the general testing and the availability of source code were restrictive.

There was not in any sense either unrestricted public testing nor unrestricted publicly available open source code.

And, through access to the source code outside of the restrictive agreement, three serious flaws in the system were found.

You can read e.g. Researchers Find Critical Backdoor in Swiss Online Voting System by Kim Zetter.

Three reports are available about the Swiss Post system from the Swiss government site, two in English and one in German.

    • Final report Locher, Haenni and Koenig (English) – (PDF, 1 MB, 29.07.2019) – Members of the e-voting research group at the Bern University of Applied Sciences BFH (Philipp Locher, Rolf Haenni, Reto E. Koenig): analysis of the cryptographic implementation of the Swiss Post voting protocol
    • Final report Teague and Pereira (English) – (PDF, 731 kB, 29.07.2019) – Vanessa Teague (The University of Melbourne, Parkville, Australia) and Olivier Pereira (Université catholique de Louvain, Belgium): analysis of the cryptographic protocol and its implementation according to the system specification
    • Final report Oneconsult (German) – (PDF, 303 kB, 29.07.2019) – Oneconsult: Review of Swiss Post’s operational security measures

Why is there no online voting in Canadian federal elections?

The short answer is that a Parliamentary Special Committee on Electoral Reform studied the issue and recommended against online voting in federal elections in their 2016 report

Recommendation 4
The Committee recommends that online voting not be implemented at this time.

and in 2017 the Government accepted the recommendation in its response to the report

We will not implement online voting at this time.

Here are some Frequently Asked Questions:

  1. Q: Don’t many countries offer online voting in national elections?
  2. Q: Won’t online voting increase turnout, including increasing youth turnout?
  3. Q: Aren’t there studies showing smartphone mobile voting increases turnout?
  4. Q: What standards does Canada have for online voting and computer vote counting?
  5. Q: Don’t we already have the security needed to conduct online transactions?
  6. Q: Aren’t these kinds of attacks on online voting theoretical?
  7. Q: Maybe we need more study of Internet voting in Canada?
  8. Q: What do computer scientists say about online voting?

Please feel free to ask additional questions.

Q: Don’t many countries offer online voting in national elections?

A: No, the only country in the entire world that offers online voting for all citizens in national elections is Estonia, population 1.3 million. The majority of Estonians still choose to cast their votes on paper; only 247,232 votes were cast online in the 2019 Estonian Parliamentary election.

Estonia’s turnout in its 2015 national election was 64.2%.  That’s turnout lower than Canada in its own 2015 national election; Canada’s turnout in 2015 was 68.3%.

Estonia’s 37.6% turnout in the 2019 European Parliamentary elections ranked it 20th of 27 countries for turnout.

For more information see:

In terms of other countries and national online voting:

Q: Won’t online voting increase turnout, including increasing youth turnout?

A: No.  Over and over again, at different levels of government in different countries, no.

Estonia’s turnout is generally declining.

Switzerland saw no effect on turnout.

For many other examples see Online voting doesn’t increase turnout.

I understand that it seems intuitive that voting is about convenience, so online would increase turnout, or that voting is about familiarity, so making it online would increase voting by young people who are already used to doing things online.  This mental model of voting convenience increasing turnout is simply not supported by the evidence.  People choose to vote or not vote for complex reasons.

Q: Aren’t there studies showing smartphone mobile voting increases turnout?

A: No, there was a single study. With a sample size of 144 (one hundred and forty-four) votes.

The paper was presented at the 2019 Election Sciences, Reform, & Administration Conference (ESRA 2019), in the section Public Trust in Elections.  Promises and Perils of Mobile Voting – Anthony Fowler (Univ. of Chicago).

You can see the sample size on page 7: “In total, 144 votes were cast with a mobile device in the November election.”  You can see the total number of votes cast at https://sos.wv.gov/news/Pages/11-16-2018-A.aspx (or archived version in the Internet Archive).

Here’s some advice on citing scientific studies: be very careful when citing a single study that has a small sample size.

It’s also important to note that in the exact same paper, on page 2, Fowler states:

Several European countries abandoned internet voting after seeing that the increases in turnout were not as large as expected…

Q: What standards does Canada have for online voting and computer vote counting?

A: Canada has no standards whatsoever for online voting and computer vote counting (vote tabulation).  Really.

Sometimes systems for computer vote counting at the Canadian municipal level are certified to voluntary US standards, often extremely dated (2005) voluntary standards.

Ontario has finally recognized this as an issue, with Elections Ontario recommending establishing standards and certification for elections technology.

Q: Don’t we already have the security needed to conduct online transactions?

A: Voting is a unique interaction due to the need to both verify that an individual is eligible to vote AND ensure that each individual’s vote is completely anonymous.  This is a very different problem from e.g. online banking, where transactions are not anonymous, in fact they are known to both the bank and the individual.  Banking online is actually not completely secure, but the shared knowledge of transactions enables false or erroneous transactions to be reversed.

The US National Academies of Sciences, Engineering and Medicine (NASEM) has a comprehensive study process, used to arrive at a scientific consensus.  In their report Securing the Vote, they find “There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.” and “the risks currently associated with Internet voting are more significant than the benefits”.  For more information see Securing the Vote – US National Academies 2018 consensus report.

The requirement for anonymity is based on the history of voting, where voting was heavily coerced.  People used to have to vote by public declaration, and would be paid or rewarded for voting a certain way (or punished if they didn’t vote for the desired candidate).  For an overview of some of that history from a US perspective, see Andrew Appel’s video Internet Voting? Really?.  For an extensive account from an Australian perspective, including the history of the creation of the secret ballot (also known as the Australian ballot) see Judith Brett’s book From Secret Ballot to Democracy Sausage.

If the idea of someone trying to compromise a Canadian election seems improbable to you, please check out Canadian reports on election security and misinformation, including two reports from Canada’s government cybersecurity agency.

If the idea of someone attacking Canadian government computers seems theoretical to you, it’s important to know that key Canadian government departments including the Finance Department, Treasury Board Secretariat, Defense Research and Development Canada and the National Research Council have all been successfully hacked.

Q: Aren’t these kinds of attacks on online voting theoretical?

A: No, see Practical Attacks on Real-world E-voting (including Internet voting in section 7.3) by J. Alex Halderman and e.g. Researchers Find Critical Backdoor in Swiss Online Voting System by Kim Zetter.

Q: Maybe we need more study of Internet voting in Canada?

A: Online voting has been studied and rejected at the provincial level by New Brunswick, PEI, British Columbia, Ontario, and Nova Scotia.  It has also been studied and rejected at the municipal level by Toronto and Waterloo, amongst other municipalities.

See Canadian reports recommending against Internet voting.

Q: What do computer scientists say about online voting?

Computer scientists, particularly computer security experts who specialise in election security, are overwhelmingly opposed to online voting.

For more information see Internet voting and computer security expertise.

Internet voting must be about public evidence not belief

Internet voting, and indeed any kind of trusted election must be about public evidence, not belief.

If we wanted to conduct elections based on belief, we’d just take all the ballots into a secret room and say “trust us, we believe we have all the right counting and integrity in place”, and then produce the final count of the votes basically out of nowhere.

If we did that with paper ballots people would be incredibly suspicious.  Who did the counting?  How can we be sure the ballots were honestly counted?  Where was the oversight?  Where are the ballots to provide the evidence?  Can we even trust the ballots now that they have been held in secret?  What if they were changed?

This seemingly-ridiculous scenario is actually a pretty accurate description of where Canada is now with Internet voting.

A typical “debate” scenario has a Chief Electoral Officer or city councillor or city staffer on one side, and a computer scientist on the other.  Not only is this a totally artificial “balance” of views, the main issue becomes assertions of belief without evidence, on both sides.

The electoral officer says believe us, we have all the necessary measures in place to make Internet voting trustworthy.  The computer scientist says they believe there are possible attacks.  And that’s it.  You’re left to try to decide which belief to believe.

Fundamentally elections are not supposed to work like this.  Elections are not about trust and belief, they’re about evidence.

Maybe after having the anonymous paper ballot for so long we’ve forgotten that it was designed to provide public evidence, it’s not just a haphazard system we ended up with.

So Internet voting must provide public evidence, but it doesn’t.  Internet voting in Canada should provide public source code, but it doesn’t.  Internet voting in Canada should provide a public opportunity to conduct realistic attacks on the real system, or a very close model of the real system, but it doesn’t.  Internet voting in Canada in fact produces zero public evidence.  In fact, both the provision of public source code and public attacks on the real system are illegal, the former because of intellectual property law and the latter because of cybersecurity law.  Which is why the computer scientist can only say “believe me, there are potential attacks” rather than actually demonstrating real attacks.

So for Internet voting, you now have to entirely transfer your trust to the election organisation, but actually it is worse than that, because with the third-party vendor model of Internet voting that Canada uses actually you’re entirely transferring your trust to the third-party, for-profit vendor.

What security tests are conducted on the vendor?  Sorry, that’s a secret.

What security measures are taken by the elections organisation?  Sorry, that’s a secret.

What security measures are in the code and the servers and the network the vendor provides?  Sorry, that’s a secret.

To be clear, I have a high degree of confidence that Canada’s public election organisations are doing their job with all necessary diligence and expertise.  But my confidence is irrelevant.  Confidence is not how you run elections, evidence is.  And in the transition to computer vote counting and Internet voting, we have totally changed our trust model without any meaningful public discussion (as I have mentioned before specifically about computer vote counting).

Maybe from now until the end of time, our public election organisations and their private vendors with secret code and secret testing will conduct themselves perfectly.

But this seems unlikely given human history plus the fact that every single time voting code is made available for inspection or opened to public attack, the code is shown to be insecure.  This ranges from Washington, DC in 2010 as documented by J. Alex Halderman, to Switzerland in 2019.

There are very good computer-theoretic reasons that you can’t trust Internet voting even if the code is found to be secure, including under real-world attack; there is as yet no solution for secure Internet voting.  But it is perfectly reasonable to experiment in low-risk, small-turnout situations.

An actual experiment would place Internet voting in the same space of public evidence as paper ballots.  Which means that Canada would need standards, public code and public testing.  You may be shocked to find out that unlike pretty much everything from your municipal water supply to any product you may buy, Canada has no, none, zero standards for Internet voting.  No mandatory requirements.  No mandatory testing.  No nothing.  Internet voting typically shows up as a single line about “electronic voting” in an alternative voting methods law or bylaw.  That’s it.

The absolute critical first step to bringing public evidence back to elections in the Internet voting era is to have some very basic foundational standards and requirements, starting for example with the Swiss model that requires both public source code and public security testing.

In the absence of bringing public evidence to the conversation about Internet voting, we’re just going to have year after year of the same pointless back and forth about election beliefs, a conversation that can never be resolved because there’s no actual evidence to draw conclusions from.

 

 

Estonian Parliamentary Elections 2019 – ODIHR Election Expert Team Final Report – Internet Voting

The Office for Democratic Institutions and Human Rights (ODIHR) is a division of the Organization for Security and Co-operation in Europe.  The ODIHR has produced a report on the 3 March 2019 Estonian Parliamentary Elections.

ODIHR Election Expert Team Final Report – Estonia – Parliamentary Elections 3 March 2019 (PDF)

The ODIHR reviews a wide range of election conduct against international standards.  I will only extract selected parts of their report from section VII. Internet voting.  Numerous issues were identified.

In extracts below, EET = Election Expert Team and SEO = Estonian State Electoral Office.

Internal Attacks

the detection and prevention of internal attacks has been largely omitted. A review of operational and technical frameworks by the ODIHR EET indicates that an internal attacker with privileged access to digital ballots could break the vote secrecy of any voter who published an image of the QR code online, even after the expiry of the code’s validity. This contradicts national legislation and international standards pertaining to vote secrecy.21

RECOMMENDATION: The SEO could develop strategies to mitigate the risk of internal attacks, conduct third-party risk assessments, and publish any findings and audit reports well ahead of the next elections.

21 See Article 1(2) of the Election Act. Paragraph 7.4 of the OSCE Copenhagen Document requires that votes are cast by secret ballot or by equivalent free voting procedure. Paragraph 19 of the Council of Europe Committee of Ministers Recommendation CM/Rec(2017)5 on standards for e-voting requires that “E-voting shall be organized in such a way as to ensure that the secrecy of the vote is respected at all stages of the voting procedure”.

above from page 8 of the report

Software Errors May Cause Election Errors

The Internet voting system is not software independent, meaning that software errors in its components, such as the key generation system or the processor, may cause undetected errors in the election results. Considering publicly available records the system has undergone quality control activities but, contrary to international good practice, no reports were published on the SEO’s website, while updates to the source code were made as recently as three days before election day and well after Internet voting commenced.22

In addition, a limited source code review of the system by the ODIHR EET indicated issues regarding the treatment of concurrency, error handling, and error reporting.

RECOMMENDATION: The SEO could integrate quality assurance activities into the maintenance schedule of the voting solution and publish the security rationale and all quality assurance results, including design review, security analysis, and penetration testing results.

22 Paragraph 42 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “Before any e-election takes place, the electoral management body shall satisfy itself that the e-voting system is genuine and operates correctly.”

above from page 8 of report

External Auditors Did Not Audit All Operations

A team of external auditors was dispatched to assist the SEO with establishing vote secrecy during the computation of preliminary Internet voting results and the integrity of final Internet voting results by verifying the correctness of the cryptographic shuffle and decryption proofs. The team did not audit other critical operations, most notably the correct transmission of the final aggregation of the decrypted Internet votes.23

RECOMMENDATION: The SEO could strengthen its auditing process by developing a complete strategy and requiring auditors to implement critical auditing tools independently and from scratch.

23 Software independence requires that other operations are also independently audited, such as digital signature checking of all e-votes, removal of all duplicate and other ineligible votes from the digital ballot box, revocation, and anonymization. Paragraph 39 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “the audit system shall be open and comprehensive, and actively report on potential issues and threats.”

above from page 9

Technical Specifications Need Improvement

some key properties are not precisely formulated and left open to interpretation by the SEO and the vendor tasked to implement the Internet voting system, including minimal acceptable levels of cryptographic strength, and accountability and verifiability requirements. This may negatively impact the system’s overall performance and future innovation. The specifications also lack information about timelines and milestones for software development and deployment, and quality assurance.25

RECOMMENDATION: The technological specifications accompanying the legal framework could define acceptable voting systems in more general terms, but include additional requirements related to cryptographic strength, quality assurance, software development and deployment, as well as accountability and verifiability.

25 The Supreme Court considered two post-election appeals against NEC decisions related to Internet voting. While appeals were rejected, the Court recognized the need for more clear procedures and called for a legal clarification of rules on the implementation of Internet voting, in particular regarding counting and mixing of electronic ballots.

above from page 9

Internet voting at the national level

National-level Internet voting

  • Norway discontinued Internet voting trials in 2014.
  • Australia recommended against Internet voting in 2014.
  • Canada recommended against Internet voting in 2016.  The 2019 national Parliamentary election will have hand-marked paper ballots, counted by hand.
  • Finland studied and recommended against Internet voting in 2017.
  • Lithuania has decided not to proceed with Internet voting in 2019.
  • Switzerland has decided to redesign Internet voting trials, rather than making Internet voting a standard option.  However the Swiss Post system has been “temporarily suspended” after critical errors were found in the source code, and the use of the Geneva system has also been suspended pending a review.  i.e. Switzerland has no Internet voting at all at the moment.

UPDATE 2019-07-07: Swiss Post has made a confusing press release, basically to say that it will continue with its new system and discontinue its old one.  The “new system” is the one that had the public testing.  The public testing in which, through access to the source code outside of the restrictive agreement, three serious flaws in the system were found.

Swiss Post has decided to pool its strengths in the e-voting sector and work solely on the new system with universal verifiability. It plans to make the system available to the cantons for trial operation from 2020. Swiss Post will no longer offer the system that was previously in use.

END UPDATE

Estonia continues to be the only country in the entire world that has national-level Internet voting for all voters (during the advance voting period).  And it has numerous issues with procedures and specifications, as well as low and declining turnout.

Although not directly about Internet voting, also note:

Internet voting in Norway

Norway conducted trials of Internet voting in 2011 and 2013.

Internet voting was discontinued after the trials found no improvement in turnout (including no increase in youth turnout), combined with security concerns.

An archive of reports in Norwegian and English is available: The e-vote trial.

Here are some highlights of the reports:

Evaluation of the e-voting trial in 2011 – English summary of Institutt for Samfunnsforskning (ISF) report

we find no evidence that groups of voters have been mobilized to take part in the election as a result of internet voting.

The analyses, in sum, indicate that the trial did not have an effect on voter turnout.

young voters prefer to walk to the polling station on Election Day. They defined traditional voting as a symbolic and ceremonial act that indicates adultness.

Evaluation of the e-voting trial in 2013 (PDF) – English text begins on p 135 (p 137 in PDF)

In line with previous research, our findings indicate that the trial with internet voting does not lead to increased turnout in elections.

The government announced in 2014 that Internet voting trials would be discontinued.

June 25, 2014 – Internet voting pilot to be discontinued

As there is no broad political desire to introduce internet voting, the Government has concluded that it will would be inappropriate to spend time and money on further pilot projects.

The Institute for Social Research evaluated the pilot project in 2013… The report shows that the voters have limited knowledge about the security mechanisms in the system.

“This shows how important it is that elections are conducted at polling stations where election officials make sure that the principle of free and fair elections and the secrecy of the vote is respected,” says [Minister of Local Government and Modernisation Jan Tore] Sanner.

In Norwegian – Ikke flere forsøk med stemmegivning over Internett

The BBC reported this as E-voting experiments end in Norway amid security fears.


As part of the project, in 2009 there was a report on security.  It notes the added risks from remote voting.

The system is no longer by necessity confined to the local polling station; conceivably it is accessible world-wide, thus increasing the potential number of attackers and attack vectors dramatically.

Also as part of the project, in 2012 there was 196-page report International Experience with E-Voting [with a focus on Internet Voting] (PDF).