Canada’s federal elections, with hand-counted paper ballots, are great. The election trifecta of security, anonymity and verifiability is elegantly and simply attained. Canadians can be rightfully proud of our professionally-run, non-partisan, rules-based federal elections.
Canada’s municipal elections in Ontario and Nova Scotia, with municipalities able to choose paperless Internet voting, are terrible. These Internet voting elections, conducted entirely by opaque for-profit third-party companies, are unverifiable. Canadians should be alarmed about the level of risk our municipalities are taking, and about the total lack — yes literally total lack — of mandatory rules, standards, requirements, processes or procedures associated with municipal Internet voting.
Canadians will, as is our nature, put some energy into lecturing the US about how they should adopt our federal voting system. That energy would be better directed into addressing the very substantial flaws with our use of provincial vote counting computers and our totally insecure use of unverifiable municipal Internet voting.
What You Can Do
Raising concerns with the province directly will be the most impactful. While intervening at your local council deliberations is also vitally important, the municipal election framework is set provincially. There needs to be advocacy to reinforce Ontario’s direction to introduce voting technology standards, and to encourage Nova Scotia to do the same.
(This is if we’re going to have Internet voting at all, which from a security perspective we really shouldn’t anyway.)
Canadian federal elections are governed by the Canada Elections Act, which provides very detailed procedures for paper ballot elections. These procedures have been carefully thought out to mitigate risks to the election. Their elegant simplicity is a thing of beauty. As any process designer knows, complexity is easy, it’s simplicity that is hard. Hand counted paper ballot elections give an extremely high degree of confidence in the results of the election.
There is, however, a monster lurking in the basement of Canada’s happy elections household: provincial and, in particular, municipal elections are moving to increasing use of 21st-century technology while still retaining a 20th-century legal framework that is ill-suited for the task.
Lack of Risk-Limiting Audits
In the US, painful lessons are slowly being learned about the risks of vote counting computers (vote tabulators, often misleadingly called “voting machines”) and fully-computerised paperless Direct Recording Electronic (DRE) technology. In particular, thanks to tremendous efforts by US computer security experts, US states are returning to paper-based elections. Due to the complexity of US ballots, hand counting would not be practical, so vote counting computers are used. However, you cannot trust “the computer”, because “the computer” is just code written by humans. Code that may be flawed, or that may be — undetectably — replaced with malicious code.
For these reasons, US states are also adding Risk-Limiting Audits (RLAs). A risk-limiting audit is a process for manually analysing a sample of the computer-counted paper ballots in order to demonstrate, with strong statistical evidence, that the computer count has a high probability of being correct.
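A ballot-polling audit of the kind described above, as an added example that is not from the original post. It uses the BRAVO method, one of several RLA methods (the post does not name one); the candidates "A" and "B", the ballot counts and the seed are constructed for illustration.

```python
"""Ballot-polling risk-limiting audit (BRAVO), two-candidate contest.

Added example; candidates, counts and the seed are constructed.
"""
import random
from dataclasses import dataclass


@dataclass
class AuditResult:
    confirmed: bool        # True: reported outcome confirmed at the risk limit
    ballots_examined: int  # paper ballots read by hand
    test_statistic: float  # final value of the sequential test statistic T


def bravo_audit(ballots, winner, loser, reported_winner_share, risk_limit=0.05):
    """Read hand-interpreted paper ballots in the order they were drawn.

    Null hypothesis: the reported winner did not really win (true share of
    the two-candidate vote is at most 1/2). With s the reported winner share,
    a ballot for the winner multiplies T by s / 0.5 and a ballot for the
    loser multiplies T by (1 - s) / 0.5. Once T >= 1 / risk_limit the outcome
    is confirmed; the chance of wrongly confirming an incorrect outcome is at
    most risk_limit. If the sample runs out first, nothing is confirmed and
    the audit must escalate, ultimately to a full hand count.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")
    threshold = 1.0 / risk_limit
    t = 1.0
    examined = 0
    for choice in ballots:
        examined += 1
        if choice == winner:
            t *= reported_winner_share / 0.5
        elif choice == loser:
            t *= (1.0 - reported_winner_share) / 0.5
        # Blank, spoiled or other-candidate ballots leave T unchanged.
        if t >= threshold:
            return AuditResult(True, examined, t)
    return AuditResult(False, examined, t)


def draw_sample(ballot_box, sample_size, seed):
    """Draw ballots uniformly at random, with replacement, as BRAVO assumes.

    In a real audit the seed comes from a public ceremony (for example dice
    rolls) so that nobody can predict which ballots will be pulled.
    """
    rng = random.Random(seed)
    return rng.choices(ballot_box, k=sample_size)


if __name__ == "__main__":
    # Constructed contest: the tabulator reported 60% for "A".
    honest_box = ["A"] * 6000 + ["B"] * 4000   # paper agrees with the report
    tied_box = ["A"] * 5000 + ["B"] * 5000     # paper does not
    for label, box in (("honest", honest_box), ("tied", tied_box)):
        result = bravo_audit(draw_sample(box, 1000, seed=2020), "A", "B", 0.60)
        verdict = "confirmed" if result.confirmed else "escalate to full hand count"
        print(f"{label}: {verdict} after {result.ballots_examined} ballots")
```

The audit only ever reads paper, so it gives no assurance for a paperless channel such as Internet voting, where there is nothing independent of the software to sample.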
Canada has introduced vote counting computers provincially, for example in Ontario and New Brunswick, but with no provisions for Risk-Limiting Audits. This means that the provincial computer counts, while professionally conducted, have a much lower degree of verifiability than a hand count. British Columbia has said it will conduct Risk-Limiting Audits, but this statement comes in a single tweet:
Voting modernization plans include logic and accuracy testing of all tabulators before they are used and a risk limiting audit of the results. 4/4
— Elections BC (@ElectionsBC) July 15, 2020
One would like to see a lot more public communication from Elections BC about this issue.
Of note, unlike in the US where the complex ballots basically mean it is impractical to count ballots by hand, in Ontario and New Brunswick they could still be counting Canada’s simple provincial ballots by hand. The limitation is primarily a lack of volunteers, which one would think could be solved in many creative ways, not by introducing vote counting computers with basically no public discussions. Vote counting computers that are a radically different trust model from a hand count.
Totally Unregulated Municipal Internet Voting
Municipalities, in Canadian law, basically don’t exist in any significant sense. Accordingly, municipal elections are governed by provincial law. Ontario and Nova Scotia have the option for “alternative voting” at the municipal level, as decided by individual municipal councils. In practice alternative voting means totally paperless Internet (and telephone) voting. Totally paperless as in no paper ballot options whatsoever.
One might think that in putting such a provision in place, there would be extensive guidance about security, verifiability, and procurement. One would be wrong. There is none. That’s not hyperbole. There are absolutely no standards, no guidance, no processes, no procedures, no requirements in law related to Internet voting. It is a free-for-all. A brief phrase in each municipal elections act has opened the door to totally unregulated Internet voting. Canada has — unintentionally — created one of the least verifiable municipal election systems in the world.
It’s particularly striking in Ontario, which spent three years investigating provincial Internet voting and decided against it. Nova Scotia also studied provincial Internet voting, albeit much less extensively, and also decided against it. So that makes it pretty clear that municipal elections are second class, considered less important than provincial elections. Do you feel comfortable voting in a second class election?
Ontario has at least belatedly realised this is a significant issue:
In Ontario, the adoption of technology into the electoral process has been done in an ad-hoc way since the late 1980s, and has been led by municipalities. This approach made sense when voting technologies were new and there were no best practices from which to draw. It also allowed municipalities to pioneer technology and discover fit-for-purpose solutions to address their local needs.
With more than 20 years of practical experience at hand, we are at a point where we are actively learning from our past so that we can create best practices and develop future guidelines. Standards can provide consistent guidance for municipalities and the province as we adopt proven technologies using a principled and measured approach.
But having made that announcement, I have seen zero public conversation in Ontario about any processes to actually create voting technology standards.
Canada would do well to look to Switzerland, which has been a leader in requiring independent public security analysis of any Internet voting solutions before they can be deployed. (Perhaps somewhat to Switzerland’s chagrin, as every solution proposed to date has inevitably been found to have fatal security issues.)
Canada would also do well to bring its election technology to the US Voting Village, or to create its own Canadian Voting Village event, where public interest technologists can examine the technology and code in order to find security vulnerabilities.
Even worse, if it’s possible to be even worse than terrible, the municipal elections are not run by the municipality, but instead are entirely contracted out to for-profit third-party vendors. Vendors whose code is shielded from inspection by intellectual property law. We have no idea what’s going on inside the code that runs municipal Internet voting elections.
Lack of Discussion About Internet Voting
In general, there is minimal discussion about Internet voting issues in Canada, or to be frank about most technology issues other than privacy. As a case in point, Quebec did a study of provincial Internet voting and as far as I can tell, there was zero coverage of it in major English-language newspapers, and minimal coverage in French-language newspapers.
Even if Canadian governance is dominated by a social sciences lens, I would have thought that the expertise Canada has in professional public administration would make the total lack of standards, requirements, and processes for Internet voting a red flag.
Risks for the Future
At the federal level, we almost had Internet voting trials by 2013 (Toronto Star headline “Elections Canada backs online voting”), so don’t think that Canada is immune to federal Internet voting. A number of members of the federal Electoral Reform Committee went into their study of online voting expecting that it would be an easy solution, and it is only just barely that they got the advice they needed to realise its security risks (despite a distressingly small number of computer security expert witnesses). That institutional knowledge about the risks of Internet voting will inevitably fade, and with remote voting in the House of Commons (which is totally fine because votes are public and therefore verifiable) one can expect members will wonder why they can’t have Internet voting in their own federal elections (which is totally not fine, because votes must be secret, which is an incredibly hard computer science problem).
Provinces will continue to switch to vote counting computers, arguing that this is modernisation but actually to address a lack of polling place volunteers. There will continue to be a lack of a risk-limiting audit framework to provide a high level of statistical confidence that the computer count is correct. And despite the detailed previous Canadian and international studies demonstrating that the risks of Internet voting are too high, provinces including Quebec will continue to study the issue in an attempt to get approval for implementation.
Municipalities will continue to procure Internet voting as if they were procuring office supplies, and with fewer standards to guide them.
Background – Municipal Election Acts
These few lines are all that governs the extensive paperless Internet voting that takes place in Ontario and Nova Scotia municipalities. Other than this, there is, I have to emphasize again, no other guidance whatsoever about security, verifiability, testing, or any other requirements governing Internet voting.
In the text below, “alternative voting method” or “electronically” ends up in practice meaning Internet voting.
By-laws re voting and vote-counting equipment, alternative voting methods
(a) authorizing the use of voting and vote-counting equipment such as voting machines, voting recorders or optical scanning vote tabulators;
(b) authorizing electors to use an alternative voting method, such as voting by mail or by telephone, that does not require electors to attend at a voting place in order to vote. 1996, c. 32, Sched., s. 42 (1).
Nova Scotia Municipal Elections Act (PDF)
CHAPTER 300 OF THE REVISED STATUTES, 1989
Vote by mail or other voting method
146A (1) A council may by by-law authorize voters to vote by mail, electronically or by another voting method.
If you’re wondering where is all the other stuff, where is the Internet voting equivalent of the section after section, page after page of detailed procedures the Acts require for paper voting… there is nothing else. There are no other public documents whatsoever providing municipalities with any guidance on deciding about Internet voting or any standards for implementing Internet voting.
In Impact of COVID-19, Changes in the context of a pandemic (updated August 27, 2020 at the time of this writing) Elections Canada outlines how they would conduct an election during a pandemic. They state:
Elections Canada did not consider introducing Internet voting. Implementing such a change would require significant planning and testing in order to ensure that the agency preserves certain aspects of the vote, including confidentiality, secrecy, reliability and integrity. Given the current operational and time constraints, this option cannot be explored properly at this time.
or in French:
Élections Canada n’a pas envisagé d’instaurer le vote par Internet. La mise en œuvre d’un tel changement exigerait beaucoup de planification et des tests importants afin de garantir la confidentialité, le secret, la fiabilité et l’intégrité du vote. Compte tenu des limites opérationnelles et des contraintes de temps, nous ne pouvons explorer cette option adéquatement pour le moment.
The Legislative Assembly of the Northwest Territories will hold a public briefing on the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday June 30, 2020 at noon Eastern time. This report is significant because this was the first Canadian general election in which online voting was permitted at a provincial or territorial level.
The Standing Committee on Rules and Procedure, …, will hold a public briefing regarding the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday, June 30, at 10:00 AM MDT [noon Eastern time]. Dr. Aleksander Essex will be in attendance.
They identify five election technology systems:
- Elections NWT website hosted by GNWT
- Electorhood website hosted by ColdFront Labs (was electorhood . ca, but website is now gone)
- Elections NWT Learning Management System (LMS) hosted by Kellett Communications
- Elections NWT Elections Management System (EMS) hosted by DataFix
- Online Voting Platform hosted by Simply Voting
In case this terminology isn’t clear, the online voting was procured from the third-party, for-profit company Simply Voting, which ran the entire online voting system. The code is proprietary and has not been made available for independent analysis. This model of handing over the entire operation of online voting to a private for-profit company is the one used in all Canadian online voting to date.
I will quote part of the Security section of the report:
To ensure the security and integrity of all Elections NWT online environments, and the election process as a whole, a security assessment was conducted on all five of Elections NWT online Platforms.
An agreement was made with Hitachi Systems Security to perform a Web Application Assessment and Penetration Test of the Elections NWT online systems.
This is a routine measure to secure an ordinary web server used for government services. It treats online voting as if it is any other web-based government service. But online voting has a uniquely higher level of risk and may attract sophisticated attackers, who will do a lot more than a vulnerability scan in order to compromise a system.
The Hitachi Systems Security report has not been made public, even though there is no security in obscurity.
Overall, the Election Technology section of the report does not propose any threat model. Without a threat model, there is no way to determine what assessments should be used.
The most basic possible online voting model must include:
- the client
- the network
- the online voting server
- the code running on the online voting server
Security – The Client
The client (the voter casting the vote) is a huge security gap that is simply not considered in most online voting security analysis conducted by governments. Votes are cast from personal computers and smartphones. Computers and smartphones that are notoriously insecure. And often not updated with operating system and software application patches for known vulnerabilities. Where is the vulnerability scan and assessment for every single voter?
In the absence of client security, there are a wide variety of possible attacks, including software that watches for voting activity and alters the votes cast. If this sounds theoretical, this is exactly what banking trojan software does. F5 identifies over a dozen different major named banking trojans; it is not an uncommon type of attack. In another type of attack, realistic-looking false websites are set up to direct voters to fake voting websites or applications for a variety of malicious purposes. If this sounds theoretical, it’s exactly what some ransomware attackers did when a Canadian COVID-19 contact tracing application was announced.
If you want an analogy, considering online voting secure if the server and network were somehow secure, but without client security, is like having thousands of dollars visible in the front window of your unlocked house, but then transporting it by armored car to a bank vault. Where do you think a thief is going to target their attack?
But of course the network and the server aren’t secure.
Security – The Network
From the client’s router through to the core network hardware, there are continuous vulnerabilities in networks. How continuous? Well, here are three different network vulnerabilities from just the past week:
- Palo Alto Networks Security Advisories CVE-2020-2021 PAN-OS: Authentication Bypass in SAML Authentication – Severity 10 · CRITICAL (highest level of severity)
- Netgear httpd upgrade_check.cgi stack buffer overflow – Vulnerability Note VU#576779 – “may allow for unauthenticated remote code execution with root privileges” (this is the most severe possible level of system compromise)
- Telnet Vulnerability Affecting Cisco Products – CVE-2020-10188 – “A remote attacker could exploit this vulnerability to take control of an affected system.”
Security – The Server
There are very sophisticated attackers that target specific government activities. You don’t have to believe me. You can read e.g. the Canadian Centre for Cyber Security Cyber threats to Canadian health organizations (AL20-008 – Update 1). The counter-argument to that is usually “why would anyone attack my election?” But that is no counter-argument. To quote the Centre for Cyber Security:
Sophisticated threat actors may choose to target Canadian organizations
There’s nothing about elections that would prevent them from being targeted; if anything they are potentially a very attractive target for many reasons.
Patching the kind of routine web vulnerabilities a penetration test is going to find is a necessary measure but almost meaningless against sophisticated attackers who can exploit much more challenging and obscure vulnerabilities using entire teams of people trained in compromising computer systems.
In addition to this, Canada has no mechanism whatsoever for inspecting the actual code that the third-party vendors are running on their servers. Even if somehow the entire chain of client through network to server were secure, the online voting code itself could have bugs.
Look to Switzerland
We need much stronger security assessment of Canadian online voting, including independent security analysis with access to the actual online voting code. Switzerland has been a world leader in putting in place the legislative framework for this kind of inspection, as I outline in my blog post
and finding even that inadequate, Switzerland has now surveyed international experts for guidance on how to further enhance the legislative framework for examining the security of online voting systems. And notably Switzerland has paused all online voting until they can get a system that passes that assessment.
Security – Summary
It is good that the Northwest Territories conducted penetration testing:
All tested applications showed good resilience against known Web attacks and were not vulnerable to any injection flows, privileged escalation, broken access controls or sensitive data exposure.
Many Canadian municipalities procuring online voting don’t conduct even this very most basic security measure.
However, this level of basic web server security is wildly inadequate for online voting. The threat actors are much more sophisticated, the level of risk is much higher, and the integrity of the system requires the entire voting process to be secure, end-to-end. Canada needs to examine online voting security using a threat model that includes every step actually involved, including the client, the network, and the online voting code. Collaboration with Canada’s Centre for Cyber Security and developing much more extensive independent assessment criteria based on the Swiss model would be a starting point.
The Actual Online Voting Numbers and Countries
Online voting was made available for absentee voting only. 489 ballots were cast, making this voting channel 3.7% of all ballots cast.
In the table “Absentee Poll Electronic Ballot Turnout by Country” the report indicates that ballots were cast from Canada (459 ballots), the US, France, Philippines, Denmark, Serbia, Spain, Japan, Norway, New Zealand, Zambia, Switzerland, Italy, Mexico, Morocco, and Germany.
Keep in mind how much additional, uncontrolled, non-Canadian Internet infrastructure some of these online voting interactions had to traverse.
Analysis of Recommendations for Legislative Changes
Many of the recommendations are about clearly separating voting by mail from voting online.
43 Powers of the Chief Electoral Officer – Create – report page 94
The Chief Electoral Officer may establish procedures in respect of voting by online ballot.
This would effectively make online voting a permanent option for Territorial elections, with basically no parameters around what the procedures should be.
If we are to have online voting (and to be clear, I don’t think we should), this lack of requirements and standards is a huge gap that could be addressed with a Swiss model that is much more prescriptive about assessing online voting.
45 Security of the Ballot Box – Section 153 (2) – Create – report page 95
The Chief Electoral Officer shall take precautions to ensure the safekeeping and security of the ballot box and ballots used for voting by online ballot.
S.N.W.T. 2010,c.15,s.17; S.N.W.T. 2014, c.19,s.20, 21.
As above, this is better than nothing, but far from the level of prescriptive requirements that would be needed, starting with an actual threat model including every step and participant in online voting, and advancing with Canadian Centre for Cyber Security guidance to a model much more like Switzerland where there is outside independent assessment by experts.
Just compare the level of requirements actually needed with the current model, which is a routine web server penetration test, with results in a secret report not provided to the public, and no assessment whatsoever of the vendor’s secret computer code that actually runs the online voting.
How can we have trust in an election where the security measures are a secret assessment of only the web servers, an assessment that didn’t even include looking at the actual computer code?
There is more in the recommendations but quite frankly I’m out of time.
The next Territorial General Election is expected on October 2nd, 2023.
SIDEBAR: The Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election is also available from the Elections NWT website (PDF). END SIDEBAR