The 2018 Ontario Provincial Election taking place on June 7, 2018 will for the first time use vote counting computers province-wide. This replaces hand-counting of ballots.
The computer vote tabulators use optical scan technology to read hand-marked paper ballots.
This is the least-worst use of computer technology for vote counting as the hand-marked ballots are still available to be counted. However, these are still computers that have to be programmed, which means there is always the potential for errors or malicious code.
Fundamentally in elections, you don’t trust anyone. That means you don’t trust the computer vote tabulator either. Use of computer vote tabulators introduces the following key questions:
- Will there be a public hand-counted risk-limiting audit following every election, to test the computer count?
- In the case of a recount, will the ballots be hand-counted under judicial supervision, or will the ballots be run through the computer vote tabulators again? (It appears that the legislation requires
a hand count of the recounts to use a manual hand-count of the paper ballots.)
The new voting procedures were launched with a May 9, 2018 press release (PDF) and accompanying media event.
Elections Ontario is modernizing the voting process and putting the needs of electors first by introducing technology in the polls. Election officials will be using electronic poll books (e -Poll books) and vote tabulators across the province for advance voting. On election day, 50% of the polls will have vote tabulators and e-Poll books … serving 90% of electors.
There was a Canadian Press story by Liam Casey, see e.g. CBC News – Ontario to use electronic voting machines for first time in spring election – May 9, 2018.
The tabulator is a Dominion Voting ImageCast® Precinct computer optical scan vote tabulator.
The history is buried in the post-event reports for two byelections that tested the technology:
It is very clear from the Proposal that the key issue is staffing; the technology is being introduced to address poll staffing issues.
Additional Questions and Considerations
Disclaimer: I am not a lawyer.
Additional questions raised by the use of computer vote counting equipment:
- Are there provisions for erasing the digital copies of the ballots stored by the vote counting equipment? (I see no procedures described in law. Organisations often do not consider the security implications of digital copies of scans, see e.g. CBS News – Digital Photocopiers Loaded With Secrets – April 19, 2010.)
- What are the security implications, in particular the chain-of-custody implications, of sharing computer vote counting equipment with other jurisdictions (e.g. Ontario municipalities)? Doesn’t the risk of computer code alteration increase with each new jurisdiction that has access to the machine?
- What are the procedures for transmitting the results of the computer count to Elections Ontario? Is the count based on printouts from the vote tabulators, the vote tabulator memory cards, or transmission over a network? What are the security implications of permitting the computer vote counting equipment to be connected to a network in order to transmit the count? See e.g. Freedom to Tinker – Are voting-machine modems truly divorced from the Internet? – February 22, 2018.
- What are the procedures for handling the vote tabulator memory cards?
In the March 22, 2018 Guelph Mercury article Ontario’s voting system secure, chief election official says the following statement is made by the Chief Electoral Officer:
“The Ontario government has hired a cybersecurity team to assist any of the ministries with private security — and we’ve been working with that team over the last year, year and a half, and they’ve been working with all of our systems,” he said.
“They’ve been doing penetration testing, vulnerability testing … to ensure that our systems are up-to-date and secure. There have been some slight alterations based on their recommendations, and we are very confident and we take security very, very seriously.
“I want to make sure that all the systems and all the personal information that we have is protected.”
- Will these tests be made available to the public? Including both the test procedures and the results?
- Why doesn’t the Ontario Election Act section 4.5 (3) 3. include independent security and integrity testing for computer vote tabulators, in addition to logic and accuracy testing, as is required for accessible voting equipment in 44.1 (5)?
- Will the independent security and integrity reports required by 44.1 (5) be made available to the public?
- Will the machines be made available for independent expert testing, by Canadian academics who are computer security experts?
- Will the machines be made available for independent expert testing by hackers, e.g. in DefCon Voting Village or at e.g. Canadian Hackfest?
- As the computer vote tabulators stack ballots in sequence in a bin, in theory it is possible to de-anonymise the votes by carefully tracking voters as they cast ballots. Is there any provision for randomising the stacked ballots in order to prevent this potential risk?
For more about what it means to change from public hand-counted ballots to ballots counted by a computer from a private for-profit company, see computer vote counting is a radically different trust model.
The governing law is the Ontario Election Act, R.S.O. 1990, c. E.6
The relevant sections, modified in 2016 (Election Statute Law Amendment Act, 2016, S.O. 2016, c. 33 – Bill 45) and in force as of January 1, 2017 are:
- Authority to share equipment and resources – 4.0.3 (1) The Chief Electoral Officer may make equipment, advice, staff, or other resources available to other electoral authorities in Canada.
- Use of vote counting equipment – 4.5 (1) The Chief Electoral Officer may issue a direction requiring the use of vote counting equipment during an election and modifying the voting process established by this Act to permit the use of the equipment.
Next section blockquoted due to complexity:
Restrictions re equipment
4.5 (3) The following restrictions apply with respect to the use of vote counting equipment:
1. The equipment must not be part of or connected to an electronic network, except that the equipment may be securely connected to a network after the polls close, for the purpose of transmitting information to the Chief Electoral Officer.
2. The equipment must be tested,
i. before the first elector uses the equipment to vote, and
ii. after the last elector uses the equipment to vote.
3. For the purpose of paragraph 2, testing includes, without limitation, logic and accuracy testing.
4. The equipment must not be used in a way that enables the choice of an elector to be made known to an election official or scrutineer.
- Recount conducted manually – 74.1 A recount that is made from the actual ballots shall be conducted manually, even if the original count was done by vote counting equipment. 2010, c. 7, s. 31.
The only section that speaks about voting equipment security appears to apply solely to section 44.1 Accessible voting equipment
Accessible voting equipment, etc.
44.1 (1) At an election, accessible voting equipment and related vote counting equipment shall be made available in accordance with this section and in accordance with the Chief Electoral Officer’s direction under subsection (2). 2010, c. 7, s. 24 (1).
(5) Despite subsection (1), accessible voting equipment and related vote counting equipment shall not be made available unless an entity that the Chief Electoral Officer considers to be an established independent authority on the subject of voting equipment and vote counting equipment has certified that the equipment meets acceptable security and integrity standards. 2010, c. 7, s. 24 (1).
There is no analogous section under 4.5 vote counting equipment. Disclaimer: I am not a lawyer.