Online voting and turnout in the 2019 European Parliamentary elections

I am grateful to Estonia for publishing detailed turnout statistics online on its official government elections website, in Estonian and English.

The 2019 European Parliament elections have completed.  Estonia was the only country to offer online voting.  There were seven days of online voting available during the advance voting period in Estonia, from May 16 to May 22 inclusive.

The turnout (percentage of eligible voters) for online voting was 17.6%.

Over 80% of eligible Estonian voters chose not to vote online.

The total turnout was 37.6%.

The majority of Estonian voters chose to vote on paper.

Estonian turnout increased 1.1%.  But provisional overall European turnout increased over 8%.

Estonian turnout was 37.6%.  But provisional overall European turnout was 50.97%.

Estonia’s neighbour Finland doesn’t vote online.  Provisional turnout in Finland was 40.7%.

Estonia’s neighbour Lithuania doesn’t vote online.  Provisional turnout in Lithuania was 53.08%.

In fact, with no other country in this election permitting online voting, turnout was higher in 19 of the 27 other countries that voted.

Estonia had lower turnout than 19 of the 27 other countries, lower turnout than overall in Europe, and a lower increase in turnout than overall in Europe.

Online voting doesn’t put Estonia at the top of the pack for turnout.  In fact Estonia was in the bottom third of nations for turnout in the 2019 European Parliamentary elections.

So I don’t know how one could continue to assert that online voting is any kind of solution to increasing turnout.

UPDATE 2019-06-01: I have made a Google Docs spreadsheet of the European Parliamentary elections turnout data, if you want to look at the numbers yourself.  Note that this shows total turnout; as indicated above Estonia votes online and on paper, with the majority voting on paper.  END UPDATE

Data sources:

• • Estonia – Valimised – European Parliament elections 2019 – Voter turnout statistics
  • Estonia – Euroopa Parlamendi valimiste osalusprotsent on 37,6%
  • 2019 European election results – European results – Turnout

Previously:
March 5, 2019  Internet voting doesn’t increase turnout in Estonian elections

online voting is destructive modernization

Is Internet voting beneficial modernization, or destructive modernization?

Let’s use an analogy to urban life and urban planning.  I am all for beneficial modernization.

Philadelphia, like all cities before the 20th century, was a hotbed of infectious disease.  Living in a city meant enduring wave after wave of epidemics, and those who could stayed outside the city until the disease burned itself out.

The departure from Quincy took place in the first week of October [1797], but the Adamses were not to reach the capital for more than a month.  Yellow fever again raged in Philadelphia, as they learned en route, so it was necessary to stop and wait at East Chester…

from John Adams by David McCullough

So the sanitation and medical advances that made cities livable were definitely beneficial modernization.

However, modernization can also be destructive.  After the second World War, a wave of “urban renewal” swept over cities, a wave almost as destructive as any epidemic.  The messy diverse urban reality of the city was to be swept away, there was to be a clean slate, everything would be modern and efficient and the car would be unhindered in its rapid progress through the city.

Philadelphia, why Philadelphia was a blank canvas upon which men could draw their geometric visions, without any of the inconvenient reality of poor people, minorities, women, children or the elderly.

above from Form, Design and the City (1962)

The city would be clean, modern, efficient.  Le Corbusier looked at Paris and instead of seeing beauty, he saw something he needed to fix.  Here’s his idea for Paris, the Plan Voisin

above by SiefkinDR [CC BY-SA 4.0], via Wikimedia Commons

Robert Moses famously pushed highways throughout urban New York, and as in many parts of the US and Canada, the highways often went through poor neighbourhoods, wiping them out or splitting them permanently in two.  Cars would be convenient, cars would go fast. He was only stopped when he wanted the Lower Manhattan Expressway, stopped in part by Jane Jacobs.

Jane Jacobs wrote about the reality of human behaviour in The Death and Life of Great American Cities

This last point, that the sight of people attracts still other people, is something that city planners and city architectural designers seem to find incomprehensible.  They seem to operate on the premise that city people seek the sight of emptiness, obvious order and quiet.

This is part of her explaining her concept of security through “eyes on the street”.

When we look at online voting–you remember this is about online voting, right?–what we see is exactly those same assumptions, that we should remove people from the equation, that we should make everything orderly and “efficient”.

But voting is not a generic service like paying a parking ticket.  Voting is a complex transaction where you need the paradoxical combination of total privacy and total observation.  Voting is also a social contract where a single vote is transformed into trust in the results of an entire national election.  Voting is about being part of your community.  Voting does not need false notions of convenience and speed.  In order to transmute the individual vote into trust in the entire system, voting needs to move at a human pace under watchful human eyes.  Voting is, in other words, a very human activity.  And so when you move it online, when you drive that highway through the messy line of people waiting to vote, you’re engaged in destructive modernization.

One of the things that “urban renewal” and urban highways did was make life worse for the already underprivileged, and better for the already powerful.  In other words, the white middle-class men who did the planning benefited other white middle-class men.

If we apply this same test to online voting, we find exactly the same thing: the people that actually vote online are the ones who would vote anyway: older male voters.

To put it in the words of What drives fidelity to internet voting? Evidence from the roll–out of internet voting in Switzerland

• Lower age cohorts are the least likely to remain faithful to internet voting.
• Senior voters are more likely to remain faithful to internet voting.
• Gender also has an effect, with women less likely to remain faithful to internet voting.

Or in the rather clearer words of the 2014 BC Independent Panel on Internet Voting

research suggests that Internet voting does not generally cause nonvoters to vote. Instead, Internet voting is mostly used as a tool of convenience for individuals who have already decided to vote.

(See Online voting doesn’t increase turnout for more information on who actually votes online.)

So basically online voting removes the diverse participation and personal experience of casting your ballot on paper, it removes the “eyes on the street” of being able to see the process right in front of you (including the ability of scrutineers to watch the ballots being counted), and it benefits the already empowered people who would have voted anyway. It’s destructive modernization.

Swiss voting technology law sets the standard, in theory

Switzerland – Federal Chancellery Ordinance on Electronic Voting 161.116 of 13 December 2013 (Status as of 1 July 2018)

Key Concepts in Theory

• the system must be independently evaluated (Article 7, item 1)
• risk must be assessed (Article 3)
• the system must be evaluated against detailed requirements (Article 2, section a, Article 4, Article 7, item 2 and item 3)
• the source code must be made available (Article 7a and Article 7b)

Also notable is that the default maximum authorised participation in electronic voting is 30%.  From above 30% to 50% additional requirements apply, and above 50% even more requirements apply.

In Practice

Unfortunately in practice, for a 2019 public intrusion test, the conditions on both the general testing and the availability of source code were restrictive.

• Terms, Conditions and Code of Conduct – Public Intrusion Test
• Electronic Voting Solution Source Code Access Agreement (PDF)

There was not in any sense either unrestricted public testing nor unrestricted publically available open source code.

(If you’ve heard that the tested voting system was withdrawn when serious security flaws were found, this is true, but discovery of these security flaws happened through access to the source code outside of the restrictive agreement.)

My Recommendations

The Swiss ordinance has model principles that should be adopted for evaluating online voting.  In particular independent public evaluation and availability of public source code are key (although keep in mind that source code availability doesn’t mean perfect confidence in the code that actually runs).

The Swiss law is however too complex, and it allowed the interpretation loopholes that led to restrictive terms of use in practice.

Therefore the model principles for evaluating online voting must also include clear language on unrestricted public testing and unrestricted public access to source code.

It’s also important that the independent testing include not just funded open hacking competitions (which are useful) but also direct funding to academic research groups.  The cryptography used in modern voting systems is extraordinarily complex; the academics who are expert in it don’t have free time and don’t work for free.

(Even with academics funded to study the voting system, be mindful that nation-state attackers have far more time and resources to devote to finding flaws in systems, as well as having arsenals of zero-day attacks they could choose to deploy during an election.)

Detailed Technical Language

Below are extracts of the technical language from the ordinance.

Voting System Must Meet Requirements

Art 2. … The authorisation for electronic voting in any individual ballot shall be granted provided the following requirements are met:

a.

The system for electronic voting (the system) is implemented and operated so as to guarantee secure and trustworthy vote casting (Annex No 2 and 3).

There Must Be A Risk Assessment

Art 3. … By the means of a risk assessment, the canton must document in detailed and understandable terms that any security risks are within adequate limits. The assessment covers the following security objectives:

a.

the accuracy of the result;

b.

the protection of voting secrecy and non-disclosure of early provisional results;

c.

the availability of functionalities;

d.

the protection of personal information about voters;

e.

the protection of voter information against manipulation;

f.

the non-disclosure of evidence of vote casting behaviour.

Progressively Higher Requirements As Authorised Participation Increases

The ordinance takes an unusual approach which is to set progressively higher bars to increased availability of online voting. By default, the maximum percentage of the Swiss electorate allowed to use online voting is 30 percent (30%).

At 30% participation there is a minimum set of validation requirements

Art 7. ³If no more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial and the system has the property of complete verifiability in terms of Article 5, the system and its operation must be examined in particular detail with regard to the following criteria:

a.

cryptographic protocol (Annex No 5.1);

b.

functionality (Annex No 5.2), whereby the examination may exclude the software in portals of authorities that are linked to a system;

c.

security of infrastructure and operation (Annex No 5.3), whereby the examination may be limited to the infrastructure that registers the vote and creates the proof for the voter in accordance with Article 4 paragraph 2;

d.

protection against attempts to infiltrate the infrastructure (Annex No 5.5);

e.

control components (Annex No 5.4).²

To exceed 30%

Art 4. … ¹If a system is to be authorised to cover more than 30 per cent of the cantonal electorate, the voters must be able to ascertain whether their vote has been manipulated or intercepted on the user platform or during transmission (individual verifiability, Annex No 4.1 and 4.2).

along with other conditions

Above 30% participation there are also different validation requirements

Art 7. ²If more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial (Art. 4 and 5), the system and its operation must be examined in particular detail with regard to the following criteria:

a.

cryptographic records (Annex No 5.1);

b.

functionality (Annex No 5.2);

c.

security of infrastructure and operation (Annex No 5.3);

d.

protection against attempts to infiltrate the infrastructure (Annex No 5.5);

e.

requirements for printing offices (Annex No 5.6);

f.¹

when using a system has the property of complete verifiability in terms of Article 5: control components (Annex No 5.4).

To exceed 50%

Art 5. … ¹If a system is to be authorised to cover more than 50 per cent of the cantonal electorate, it must be ensured that voters or the auditors are able, subject to compliance with voting secrecy, to identify any manipulation that leads to falsification of the result (complete verifiability, Annex No 4.3 and 4.4).

along with other conditions

Independent Assessment

Art. 7 Requirements for examinations

¹ The cantons shall ensure that meeting the requirements is examined by independent agencies. The examination is made in particular if the system or its operation has been changed in such a way that meeting the requirements for authorisation could be called into question.

Publication of Source Code

Publication of source code is required, but it’s tangled in the level of authorised participation and in other attributes, so I will just include the entire section

Art. 7a¹Publication of the source code

¹ The source code for the system software must be made public.

² Publication shall take place when the system has the property of complete verifiability in terms of Article 5, and:

a.

following the examination in accordance with Article 7 paragraph 2 if more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial;

b.

following the examination in terms of Article 7 paragraph 3 if no more than 30 per cent of the cantonal electorate are to be authorised to participate in a trial.

³ There is no requirement to publish the source code of the following:

a.

third-party components such as operating systems, databases, web and application servers, rights management systems, firewalls or routers, provided these are freely available and regularly updated;

b.

portals of authorities that are linked to a system.

---

¹ Inserted by No I of the FCh O of 30 May 2018, in force since 1 July 2018 (AS 2018 2279).

Art. 7b¹Modalities for publishing the source code

¹ The source code must be prepared and documented according to the best practices.

² It must be easily obtainable, free of charge, on the internet.

³ The documentation on the system and its operation must explain the relevance of the individual components of the source code for the security of electronic voting. The documentation must be published along with the source code.

⁴ Anyone is entitled to examine, modify, compile and execute the source code for ideational purposes, and to write and publish studies thereon. The owner of the source code may permit its use for other purposes.

---

¹ Inserted by No I of the FCh O of 30 May 2018, in force since 1 July 2018 (AS 2018 2279).

Official Versions

As English is not an official language of Switzerland, the annexes to the ordinance and explanations about the ordinance are available only in German, French and Italian.  The annexes provide additional technical detail and there was also an explanatory report produced in 2018 providing context about the need to publish the source code.

• Verordnung der BK über die elektronische Stimmabgabe
  • Technische und administrative Anforderungen an die elektronische Stimmabgabe (PDF)
  • Vote électronique: Offenlegung des Quellcodes – Erläuternder Bericht zur Anpassung der Verordnung der Bundeskanzlei über die elektronische Stimmabgabe (PDF)
• Ordonnance de la ChF sur le vote électronique
  • Annexe à l’ordonnance de la ChF du 13 décembre 2013 sur le vote électronique (OVotE, RS 161.116) – Exigences techniques et administratives applicables au vote électronique (PDF)
  • Vote électronique : publication du code source – Rapport explicatif sur la modification de l’ordonnance de la ChF sur le vote électronique (PDF)
• Ordinanza della CaF concernente il voto elettronico
  • Requisiti tecnici e amministrativi relativi al voto elettronico (PDF)
  • Voto elettronico: pubblicazione del codice sorgente – Rapporto esplicativo concernente la modifica dell’ordinanza della CaF concernente il voto elettronico (PDF)

UPDATE 2019-05-24: Also see the E-voting home pages and policy pages for each language

• • https://www.bk.admin.ch/bk/de/home/politische-rechte/e-voting.html (German language e-voting home page)
    • Bundesrechtliche Anforderungen
  • Vote électronique
    • Exigences du droit fédéral
  • Voto elettronico
    • Esigenze del diritto federale

Elections Ontario recommends establishing standards and certification for elections technology

In Ontario, there are no standards in place for choosing, testing, certifying or auditing election technology, including the online voting used in Ontario municipal elections.

This is a huge gap that has opened the door to what is currently basically an unregulated process where individual municipalities choose whether or not to use Internet voting and then procure vendor-based solutions without any guidance.

It is therefore heartening to see Elections Ontario recognize this gap in its Report on Ontario’s 42nd General Election (Modernizing Ontario’s Electoral Process, June 7, 2018).  Elections Ontario makes a long recommendation which I am going to quote in full

Establish common evaluative standards and a certification process for election technology

The Chief Electoral Officer recommends that Ontario establish common evaluative standards and a certification process for technology used in the electoral process in Ontario.

Technology holds a lot of promise for the elections of the future. Increasingly, Ontarians expect that technology will be used to make voting easier, offer more choice to electors for when, where and how to vote, and find efficiencies in the electoral process. Electoral management bodies, including Elections Ontario, are increasingly turning to technology to solve logistical challenges.

In Ontario, the adoption of technology into the electoral process has been done in an ad-hoc way since the late 1980s, and has been led by municipalities. This approach made sense when voting technologies were new and there were no best practices from which to draw. It also allowed municipalities to pioneer technology and discover fit-for-purpose solutions to address their local needs.

With more than 20 years of practical experience at hand, we are at a point where we are actively learning from our past so that we can create best practices and develop future guidelines. Standards can provide consistent guidance for municipalities and the province as we adopt proven technologies using a principled and measured approach.

It is critical that our approach to technology be intentional and evidence-based. Even as the public expects electoral management bodies to find efficiencies through technology, they are also increasingly aware of the possible failures of technology. While there are many benefits to using technology, there are risks involved, as illustrated by recent failures of systems at large organizations.

As the public becomes more informed about software, malware and manipulation of technology data systems, they are increasingly interested in knowing exactly how election technology preserves the integrity of our electoral process and the confidentiality of their personal information. For the public to trust the integrity of the electoral process they must be assured that:

• Technology used to cast a vote will accurately count the vote as intended.
• Technology used to cast a vote will uphold the secrecy of the vote.
• Technology used to tabulate votes will be verifiable and protected from tampering.
• Technology used to transmit election results will be verifiable and protected from tampering.
• Technology will not result in the breach of their confidential and personal information.

To ensure we maintain public trust in our electoral system as we adopt technology, the Chief Electoral Officer recommends that Ontario establish a set of common evaluative standards and guidelines. These will advise election administrators as they consider which technology to adopt, how to evaluate the technology, and the specific technical standards to consider for adopted technology.

This is a very significant step forward for Elections Ontario.  In particular I laud the phrase “It is critical that our approach to technology be intentional and evidence-based.”

There is also a strong statement of principles at the end of the report

We continue to balance making voting easier for Ontarians with the need to preserve the integrity of the electoral process. We want to provide modernized, flexible, and convenient ways to vote, but cannot compromise the core covenants of our democracy: accessibility, one vote per elector, secrecy, integrity and security. As we continue on this modernization journey, these values will continue to be at the centre of the work we do.

As a starting point, the principles above are very good, and to them I would add the implementation criteria from Ontario’s own 2013 report on Alternative Voting Technologies.

Our implementation criteria are:

• Accessibility:
  The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
• Individual verifiability:
  The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
• One vote per voter:
  Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
• Voter authentication and authorization:
  The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
• Only count votes from valid voters:
  The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
• Voter privacy:
  The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
• Results validation:
  The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
• Service availability:
  The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.

However, those principles need to be refined for a computer-based system, which the report also does

If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:

1. Source code audit to verify that the code will do only what it is intended to do.
2. Digital signature of the audited source code to protect its authenticity and integrity.
3. Trusted build of the executable code in front of auditors (based on audited source code).
4. Signature of the executable code to protect its authenticity and integrity.
5. Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
6. Logic and accuracy testing of the voting system to validate it works properly.
7. Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
8. Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
9. Individual voter verification that proves their ballots were used in the final tally (by using special receipts).

A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.

Those are strong starting points, and even more so because they emerge from Ontario’s own multi-year research into the subject.
That being said, Ontario also needs to heed the conclusion of the Alternative Voting Technologies report:

At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.

It is possible that the introduction of standards for municipal online voting could open the door to provincial online voting, and indeed the very-high-level Elections Ontario Strategic Plan 2019 – 2023 (PDF) says

Advance modern elections in a measured and principled manner

• Assess and analyze the environment to inform the modernization of future elections.
• Better understand electors’ needs and behaviours to build modern and responsive services.
• Recommend legislative change to support modernization of electoral services.
• Pilot modernization initiatives through by-elections.

It’s not at all clear what this “modernization” might include.

Conclusion

It is critical that both the current deployment and any potential further expansion of online voting should be subject to extensive analysis by computer security experts.

By applying an evidence-based approach to technology with extensive public, independent, unrestricted testing of election technology, Elections Ontario has the opportunity to move from what it acknowledges has been an ad-hoc approach to one that brings the appropriate levels of standards, testing, certification and auditing in what is a high-risk cybersecurity environment.

Additionally, Elections Ontario needs to close an auditing gap by putting in place risk-limiting audits for the computer vote counting it is now using for provincial elections.  We cannot simply trust the counts produced by the vote tabulators (because computers can be programmed to produce whatever result the programmer wants); we must have a public audit to increase the confidence in the results.

I hope that municipalities and the provincial government will accept that putting standards in place may result in the decertification and withdrawal of voting technology, as has happened when “electronic voting machines” were examined in the United States and when Switzerland made one of its online voting solutions available for public testing.

Questions about online absentee voting in the NWT

The Northwest Territories (NWT) will be introducing the option of online voting for absentee voting in the October 2019 Territorial General Election.

For context, “In total, 12,702 ballots were cast in the 2015 Territorial General Election, representing a 44 percent [44%] voter turnout.”  The total number of registered electors was 28,662.  In the 2015 Territorial General Election the total number of absentee ballots was 110 (one hundred and ten).  – Data from 2015 Official Voting Results, Elections NWT (PDF).

Questions to ask

• What vendor(s) have been procured?
• What regulations and procedures are in place per NWT Elections Act 132.1. and 360.(f) ?
• What has been done to ensure a reliable, practical, tested system?

UPDATE 2019-07-04: From CBC article N.W.T. to be 1st province or territory to use online voting in general election we now have some answers:

Simply Voting will be the vendor.

Hitachi will be testing the website.

However, we still don’t know what kind of testing Hitachi is conducting, and we don’t know whether Hitachi’s report will be released to the public.

There is also still no information about online voting regulations and procedures, even though provisions for these are present in the NWT Elections Act 132.1. and 360.(f).

END UPDATE

Background

The authority to conduct online absentee voting, described in law as “voting by absentee ballot by electronic means”, comes from the NWT Elections and Plebiscites Act, as amended November 20, 2018 (PDF).  There are two relevant sections:

132.1. The Chief Electoral Officer may, in accordance with the regulations, establish procedures in respect of voting by absentee ballot by electronic means. S.N.W.T. 2018,c.16,s.40.

360. The Commissioner, on the recommendation of the Chief Electoral Officer, may make regulations

(f)  respecting voting by absentee ballot by electronic means, including regulations that specify which, if any, of the provisions of this Act regarding absentee ballots are to apply to voting by absentee ballot by electronic means.

S.N.W.T. 2010, c.15,s.50; S.N.W.T. 2018,c.16,s.73.

In reviewing the proposal for online absentee voting before the changes to the NWT Elections Act were made, the Standing Committee on Rules and Procedures provided feedback in 2017

The Committee supports amending the Act to allow for the option of electronic voting for absentee ballots in the NWT when a reliable, practical system can be tested and implemented.

Committee Report 1-18(3) / October 17, 2017 / 18th Legislative Assembly of the Northwest Territories, Standing Committee on Rules and Procedures / Report on the Review of the Chief Electoral Officer’s Report on the Administration of the 2015 Territorial General Election, Supplementary Recommendations, and the White Paper on the Independence and Accountability of Election Administration in the Northwest Territories (PDF)

Regulations and Procedures, Reliable Tested System

Accordingly, there should be regulations per NWT Elections Act 360.(f) and procedures per 136.1.

The system should also be tested and demonstrated to be reliable and practical per the Standing Committee on Rules and Procedures report.

Unfortunately I am unable to locate any regulations, procedures, or testing information online.  This is a major gap in all Canadian online voting to date, with an absence of standards and independent public testing.  I hope that Elections NWT will provide this information and make their system available for testing.

(To be clear, I don’t think there should be online voting at all, but if there is going to be, there must be independent, unrestricted public testing first.)

For more information, see:

• https://www.electionsnwt.ca/
• Twitter: @ElectionsNWT
• Electorhood.ca (forthcoming)

Considering online voting including Estonia

There are three fundamental challenges with public discussions about online voting:

• The majority of computer scientists, particularly computer scientists with expertise in voting systems, recommend again online voting, but journalistic false balance often presents this as one computer scientist vs. one online voting advocate.
• The dedicated resources available from nations and vendors to promote online voting vastly outweigh the nondedicated volunteer resources available from computer security experts to explain the issues with online voting.
• Voting appears simple but is actually complex, with many essential requirements that are hard to capture in a soundbite.  This makes it easier to make a convincing-sounding but incorrect “common sense” convenience argument for online voting than to make the correct technical requirements counter-argument.

Consensus Opinion

Basically if the press were actually representative about this “debate”, it would be like John Oliver’s classic expert-weighted debate, with 97 experts on one side and 3 sceptics on the other.  So any time you see an online voting “debate” on TV or in print, I want you to imagine 97 expert computer scientists recommending against online voting, and 3 promoters with various agendas advocating for it.

I don’t have the ability to construct that kind of visual, but just to make it clear, what I am writing recommending against online voting is not just one voice, and it’s not just 16 leading computer security experts, it’s the overwhelming consensus view. It’s the view in the computer scientist community.  In 2004 the Association for Computing Machinery, the world’s largest scientific and educational  computing society (with a membership now of approximately 100,000) issued a Statement on Voting Systems, which includes the following text

voting systems should enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system.

It’s this consensus view that is summarized by the City of Toronto

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware

And if you wish there were some process to assemble a scientifically representative consensus into a document, well, I have good news.  The US National Academies of Sciences, Engineering and Medicine (NASEM) knows exactly how to run a process to report on expert consensus, and they did.  Their report recommends against Internet voting.

Secure Internet voting will likely not be feasible in the near future.

So to be blunt, if you’re in favour of online voting, you’re against the scientific consensus.  You’re also against the conclusion of 99.5% of the countries in the world.

National Online Voting Only In One Country

There are approximately 200 countries in the world.  Of those, the number of countries that offer online voting for all citizens in all elections is one.  One country of approximately 1.3 million citizens, where the total number of votes cast in each election is roughly 600,000.  Where the majority of voters still cast their votes on paper, on election day.

One country where offering online voting is part of branding the nation as e-Estonia, including consistent promotion.  Does your country invest in promoting its election system internationally?  Maybe that’s why there aren’t many international news stories about your country’s voting system, but there are lots about Estonia’s.

Computer security experts simply don’t have the scale and reach that a national public relations initiative has.

It takes months of dedicated journalism to do a comprehensive story about the issues with online voting.  Which, fortunately Eric Geller did: Online voting is a cybersecurity nightmare.

Unfortunately, the reality of deadlines, lack of expertise in computer security and lack of expertise in the actual requirements for voting systems means that most articles don’t go into the same depth.

As a result, reporting on Estonia’s online voting tends to be relentlessly positive.

But in article after article there are also a number of things that don’t get said about Estonian elections, including:

• turnout declined in the last national election, in the last two local elections, and in the 2014 European Parliamentary election
• turnout in the 2015 Estonian national election was lower than turnout in Canada and the UK

• the smallest number of votes cast is by the 18-24 year old age group
• online voting is offered for advance voting only, and requires a national digital identification infrastructure
• Although Estonia has observing, auditing and testing procedures, the only time international computer security experts were invited to observe the process was in 2014.  Those outside observers found “There were staggering gaps in procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers”. Since that report, international computer security experts have not been invited back.

You can read about the 2014 study in Practical Attacks on Real-world E-voting, 7.3.2 Estonia’s Internet Voting System. Or you can watch J. Alex Halderman explain it

• Security Analysis of Estonia’s Internet Voting System (media.ccc.de) – also on YouTube

SIDEBAR: The 2016 study by the Cyber Studies Programme at the Department of Politics and International Relations, University of Oxford.

The University of Oxford conducted a study of Estonia’s Internet voting in 2016, entitled The Estonian Internet Voting System – An Independent Assessment of the Procedural Components.

It’s important to note the “procedural components” part of the description.  The study (PDF) states specifically:

We review the general procedural security components of the system, particularly procedural security controls, …. We therefore do not focus on software engineering or encryption related issues in the computer systems.

Additionally, this study was based on reported procedures, not direct observation.

Finally, we must state that there is one main limitation to our work. This relates to the fact that our research relies on interview reports on voting processes and systems from individuals in Estonia, as opposed to direct observation of the I-Voting system in process.

The 2016 Oxford study is therefore not comparable in either scope or methods to the direct observations of the international experts in the 2014 Independent Report on E-voting in Estonia.

END SIDEBAR

All Countries That Study Online Voting Reject It

At a national level, Internet voting has been studied by the Parliament of Australia, by a Canadian Parliamentary Committee, and by Finland.  Each study recommended against online voting.

Lithuania was considering online voting, but as best I can conclude through a layer of Google translation, has rejected it on national security grounds.

“Interior Minister Eimutis Misiūnas is still skeptical about online voting, according to him, until there is an absolute guarantee of security, elections must take place in a traditional way.”

LRT.lt – E. Misiūnas dėl balsavimo internetu – kol kas skeptiškas (March 1, 2018)

Rytis Rainys, Director of the National Cyber ​​Security Center, is not sure about the security of online voting.
“Fears about cyber security are one of the main reasons why this process stops,” he said. – These fears are not only justified but also based on facts, mass incidents that we have in Lithuania.”

LRT.lt – Internetu balsuojanti estė: tai nepalanku kai kurioms partijoms (February 28, 2019)

Online Voting And National Security

When Deloitte studied cybersecurity as it relates to elections for Australia, they found

The main concern is not the actual damage that cyber attacks can cause to individual electoral system components, although it exposes the individual jurisdiction to significant reputational damage. The bigger concern is that any reports of attempted or successful breaches gives adversaries the ability to sow doubt in the security and integrity of electoral processes.

Australia – Electoral Cyber Security Maturity Review: Whole of Nation Report (Deloitte Touche Tohmatsu report CN3550609 for the Department of Home Affairs – October 2018 – redacted)

So it’s not just that an online election can and will be attacked, it’s that the obscurity and lack of transparency of an online election opens it up to the opportunity of undermining trust in elections as a whole.

These are real threats.  Canada’s Centre for Cyber Security says

In 2018, half of all advanced democracies holding national elections had their democratic process targeted by cyber threat activity. This represents about a three-fold increase since 2015 and we expect the upward trend to continue in 2019.

2019 Update: Cyber Threats to Canada’s Democratic Process – Executive Summary

Online Voting Fails In Independent Testing

But even if you’re not convinced by the fact that the majority of computer scientists, and the majority of nations, and national security advisors are all against online voting, what about a real-world independent test?

Well, Switzerland fortunately has a legal framework in place that requires independent testing of proposed online voting solutions.

And when their online voting was independently examined (outside of the restrictions they had placed on the testing), it was found to be insecure. So they have withdrawn it.

Online Voting Fails When Deployed

Online municipal voting in Ontario failed in 2010 and again in 2018.

Home Computers Are Insecure

And remember you don’t just have to be concerned that the online voting code itself is insecure, people vote from their home computers, over the Internet to centralised servers.  Elections agencies have no control over the security of home computers and the Internet, and they have no control over when major security flaws will be discovered and patches will be released.  Such as for example the week of May 13th, 2019, when there was:

• a monthly security update from Microsoft, including a vulnerability so critical a special patch was released for normally unsupported Windows operating systems
• new operating system security updates for macOS and iOS (the iPhone operating system)
• an Intel processor bug that affects a wide range of computers and systems, including Linux operating systems and virtual machines
• a WhatsApp vulnerability that could allow remote access to your phone, simply by receiving a phone call (you didn’t even have to answer the call to have your phone compromised)
• along with security vulnerabilities that had to be patched in Samba, VMware and Cisco systems

In fact, the US Computer Emergency Readiness Team (US-CERT) listed 99 (yes, ninety-nine) high-severity computer security vulnerabilities just for the week of May 13, 2019 alone.  And all of those computer security vulnerabilities, some of which will take weeks or months for consumers and organisations to patch (if ever), they all took place in the same week that Estonia opened its online voting on May 16th.  So you can be guaranteed that people were voting from insecure computers.

Vendors Control Most Internet Voting

And in addition to all of those factors, the reality in Canada and most other countries is that elections technology is created by third-party, for-profit vendors who shield their code and processes from inspection using intellectual property law.  This means elections are effectively outsourced to opaque third-party organisations.  I’ve written about this in the context of Ontario’s computer vote counting, and I would add that Ontario specifically stated their need to work closely with vendors

Throughout the planning phase, we worked closely with our vendors to establish accurate requirements, conduct necessary testing, determine support, and ensure the integrity of the election was never compromised. We were able to integrate vendors into the design and administration of the election, and we look forward to a strong working relationship with our vendors into the future.

Elections Ontario – Modernizing Ontario’s Electoral Process: Report on Ontario’s 42nd General Election June 7, 2018 – Section 2: Planning a Transformative Election, B. Building the Team, Vendors

Tell me, if you wanted to increase the connection that the public feels with its election system, if you wanted to bridge the gap between the public and its democratic system, would your first choice be less involvement of the public?  Because “integrating vendors” means removing the public from the inner workings of the election system itself.

And if you think at least the vendors must be experts in computer security, their record is abysmal.  In the 2007 Ohio EVEREST study, independent researchers found

“exploitable security weaknesses in all three vendors’ systems”

Ohio EVEREST Voting Study – Statement

Conclusion

With all that to consider, if you only have one takeaway from this entire blog post it is this:

you must demand public, independent, expert testing without restrictions before you place your confidence in online voting

Such testing has not taken place for the online voting in Ontario and Nova Scotia municipal elections.

There are too many other problems with online voting for me to summarize in what is already a long blog post, so I will conclude with two previous summaries I have done:

• a 16-page briefing – Brief submitted to New Brunswick Commission on Electoral Reform – November 2016
• Narrated presentation video – Questions to ask about Internet Voting

Open Source code and Canadian elections

Here’s what I wrote in response to some confusion about Canadian elections in the comments on Schneier on Security blog post DARPA Is Developing an Open-Source Voting System

Sfan and Earnest – In response to Sfan’s statement “FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015.”

Elections Canada runs federal elections only, and continues to use hand-marked paper ballots that are hand counted. See e.g. https://twitter.com/ElectionsCan_E/status/1105136418639233024

You might be confusing Elections Canada with Elections ONTARIO, which has recently switched from hand-counted ballots to vote counting computers for provincial elections. With, I might add, zero provision for risk-limiting audits.

Municipal elections in Ontario, which are governed by provincial election law, use a mix of vote counting computers (as in the City of Ottawa) and completely unregulated Internet voting. Internet voting run by third-party for-profit companies with zero public availability of source code, zero public security testing, and no legislative provisions for either.

In terms of the substance of Schneier’s blog post, there are also some issues. He quotes

The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA [Defense Department’s Defense Advanced Research Projects Agency].

(Emphasis on special mine.)

Issues to consider:

• Open source is better (because it can be inspected) but ultimately useless as a voting computer improvement because you cannot prove what code is running on a computer.
• In theory you can address the issue of what code is running by having secure hardware but there is no perfect hardware security, just like there is no perfect software security.  Additionally, election security is about universally understandable verifiability.  Any citizen should be able to understand the election process and the results.  “Trust us, this special hardware is secure” is no different than “trust us while we go in this special locked room and secretly produce the election results”.
• Similarly, in theory you can use cryptographic techniques to improve the security and verifiability of the election, but the only people who can actually understand them is a tiny set of cryptographers.  To everyone else you’re saying “trust us, this special crypto code is secure” which is no different than “trust us while we go in this special locked room and secretly produce the election results”.

Having open source is better, having public inspection and testing of the code is better, having verified cryptography is better, but none of these improvements to computer vote counting address the fundamental issue which is that you can’t do computer vote counting in a way that is transparently understandable by every voter, and so you shouldn’t be doing computer vote counting at all.

Plus which, in practice you can’t tell what code is running on a computer anyway, because computers can lie.  Computer programs are written by people; people can lie, and so they can tell computers to lie.  You can ask the computer “are you running this open source code” and the computer can say “oh yes, absolutely” even as it triggers the hidden election day malware that slightly alters votes just enough to tip the result to a different candidate.

At most, when you have very complicated ballots as in the US you can consider doing computer vote counting with hand-marked paper ballots and a risk limiting audit.  But for Canada’s extraordinarily simple elections, computer vote counting adds needless complexity, obscurity and risk to an already optimised system.

That being said, if we are stuck with Internet voting in Canadian municipal elections, open source code and public security testing is absolutely essential, as much because it will demonstrate repeatedly that the source code is both ridiculously complicated and insecure, as for the fact that it helps reduce (but definitely not eliminate) security risks.

In other words, open source and public security inspections are only about making something we shouldn’t be doing in the first place less terrible.  They are not an actual solution.  The actual solution is not to have Internet voting and computer vote counting at all in Canadian elections.