Category: Canada

NWT Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election

The Legislative Assembly of the Northwest Territories will hold a public briefing on the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday June 30, 2020 at noon Eastern time.  This report is significant because this was the first Canadian general election in which online voting was permitted at a provincial or territorial level.

The Standing Committee on Rules and Procedure, …, will hold a public briefing regarding the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday, June 30, [2020] at 10:00 AM MDT [noon Eastern time]. Dr. Aleksander Essex will be in attendance.

To watch the meeting, tune in to the live stream on ntassembly.ca, or on the Legislative Assembly’s Facebook, Youtube, or Twitter accounts.

They identify five election technology systems:

  1. Elections NWT website hosted by GNWT
  2. Electorhood website hosted by ColdFront Labs (was electorhood . ca, but website is now gone)
  3. Elections NWT Learning Management System (LMS) hosted by Kellett Communications
  4. Elections NWT Elections Management System (EMS) hosted by DataFix
  5. Online Voting Platform hosted by Simply Voting

In case this terminology isn’t clear, the online voting was procured from the third-party, for-profit company Simply Voting, which ran the entire online voting system.  The code is proprietary and has not been made available for independent analysis.  This model of handing over the entire operation of online voting to a private for-profit company is the one used in all Canadian online voting to date.

I will quote part of the Security section of the report:

To ensure the security and integrity of all Elections NWT online environments, and the election process as a whole, a security assessment was conducted on all five of Elections NWT online Platforms.

An agreement was made with Hitachi Systems Security to perform a Web Application Assessment and Penetration Test of the Elections NWT online systems.

This is a routine measure to secure an ordinary web server used for government services.  It treats online voting as if it is any other web-based government service.  But online voting has a uniquely higher level of risk and may attract sophisticated attackers, who will do a lot more than a vulnerability scan in order to compromise a system.

The Hitachi Systems Security report has not been made public, even though there is no security in obscurity.

Overall, the Election Technology section of the report does not propose any threat model.  Without a threat model, there is no way to determine what assessments should be used.

The most basic possible online voting model must include:

  • the client
  • the network
  • the online voting server
  • the code running on the online voting server

Security – The Client

The client (the voter casting the vote) is a huge security gap that is simply not considered in most online voting security analysis conducted by governments.  Votes are cast from personal computers and smartphones, devices that are notoriously insecure and often not updated with operating system and software application patches for known vulnerabilities.  Where is the vulnerability scan and assessment for every single voter?

In the absence of client security, there are a wide variety of possible attacks, including software that watches for voting activity and alters the votes cast.  If this sounds theoretical, this is exactly what banking trojan software does.  F5 identifies over a dozen different major named banking trojans; it’s not an uncommon type of attack.  In another type of attack, realistic-looking false websites are set up to direct voters to fake voting websites or applications for a variety of malicious purposes.  If this sounds theoretical, it’s exactly what some ransomware attackers did when a Canadian COVID-19 contact tracing application was announced.

If you want an analogy, considering online voting secure if the server and network were somehow secure, but without client security, is like having thousands of dollars visible in the front window of your unlocked house, but then transporting it by armored car to a bank vault.  Where do you think a thief is going to target their attack?

But of course the network and the server aren’t secure.

Security – The Network

From the client’s router through to the core network hardware, there are continuous vulnerabilities in networks.  How continuous?  Well here are three different network vulnerabilities from just the past week:

Security – The Server

There are very sophisticated attackers that target specific government activities.  You don’t have to believe me.  You can read e.g. the Canadian Centre for Cyber Security Cyber threats to Canadian health organizations (AL20-008 – Update 1).  The counter-argument to that is usually “why would anyone attack my election?”  But that is no counter-argument.  To quote the Centre for Cyber Security:

Sophisticated threat actors may choose to target Canadian organizations

There’s nothing about elections that would prevent them from being targeted; if anything they are potentially a very attractive target for many reasons.

Patching the kind of routine web vulnerabilities a penetration test is going to find is a necessary measure, but almost meaningless against sophisticated attackers, who can exploit much more challenging and obscure vulnerabilities using entire teams of people trained in compromising computer systems.

In addition to this, Canada has no mechanism whatsoever for inspecting the actual code that the third-party vendors are running on their servers.  Even if somehow the entire chain of client through network to server were secure, the online voting code itself could have bugs.

Look to Switzerland

We need much stronger security assessment of Canadian online voting, including independent security analysis with access to the actual online voting code.  Switzerland has been a world leader in putting in place the legislative framework for this kind of inspection, as I outline in my blog post “Swiss voting technology law sets the standard, in theory”.

Finding even that inadequate, Switzerland has now surveyed international experts for guidance on how to further enhance the legislative framework for examining the security of online voting systems.  And notably Switzerland has paused all online voting until they can get a system that passes that assessment.

Security – Summary

It is good that the Northwest Territories conducted penetration testing:

All tested applications showed good resilience against known Web attacks and were not vulnerable to any injection flows, privileged escalation, broken access controls or sensitive data exposure.

Many Canadian municipalities procuring online voting don’t conduct even this most basic security measure.

However, this level of basic web server security is wildly inadequate for online voting.  The threat actors are much more sophisticated, the level of risk is much higher, and the integrity of the system requires the entire voting process to be secure, end-to-end.  Canada needs to examine online voting security using a threat model that includes every step actually involved, including the client, the network, and the online voting code.  Collaboration with Canada’s Centre for Cyber Security and developing much more extensive independent assessment criteria based on the Swiss model would be a starting point.

The Actual Online Voting Numbers and Countries

Online voting was made available for absentee voting only.  489 ballots were cast, making this voting channel 3.7% of all ballots cast.

In the table “Absentee Poll Electronic Ballot Turnout by Country” the report indicates that ballots were cast from Canada (459 ballots), the US, France, Philippines, Denmark, Serbia, Spain, Japan, Norway, New Zealand, Zambia, Switzerland, Italy, Mexico, Morocco, and Germany.

Keep in mind how much additional, uncontrolled, non-Canadian Internet infrastructure some of these online voting interactions had to traverse.

Analysis of Recommendations for Legislative Changes

Many of the recommendations are about clearly separating voting by mail from voting online.

43 Powers of the Chief Electoral Officer – Create – report page 94

The Chief Electoral Officer may establish procedures in respect of voting by online ballot.

This would effectively make online voting a permanent option for Territorial elections, with basically no parameters around what the procedures should be.

If we are to have online voting (and to be clear, I don’t think we should), this lack of requirements and standards is a huge gap that could be addressed with a Swiss model that is much more prescriptive about assessing online voting.

45 Security of the Ballot Box – Section 153 (2) – Create – report page 95

The Chief Electoral Officer shall take precautions to ensure the safekeeping and security of the ballot box and ballots used for voting by online ballot.
S.N.W.T. 2010,c.15,s.17; S.N.W.T. 2014, c.19,s.20, 21.

As above, this is better than nothing, but far from the level of prescriptive requirements that would be needed, starting with an actual threat model including every step and participant in online voting, and advancing with Canadian Centre for Cyber Security guidance to a model much more like Switzerland where there is outside independent assessment by experts.

Just compare the level of requirements actually needed with the current model, which is a routine web server penetration test, with results in a secret report not provided to the public, and no assessment whatsoever of the vendor’s secret computer code that actually runs the online voting.

How can we have trust in an election where the security measures are a secret assessment of only the web servers, an assessment that didn’t even include looking at the actual computer code?

There is more in the recommendations but quite frankly I’m out of time.

Next Election

The next Territorial General Election is expected on October 2nd, 2023.

SIDEBAR: The Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election is also available from the Elections NWT website (PDF).  END SIDEBAR

Previously:
May 21, 2019  Questions about online absentee voting in the NWT

Newfoundland Select Committee on Democratic Reform

The Newfoundland and Labrador House of Assembly has a Select Committee on Democratic Reform.

The Committee is charged, amongst other things, to

review and make recommendations on voting systems and methods

The Committee’s report is due before the end of the Winter-Spring sitting of the House, 2021.

Committee members would do well to read the Internet Voting Privacy and Security Risks report from OIPC Newfoundland.

Creation of the Committee

There was a private members’ motion passed on December 4, 2019 to dissolve the previous All-Party Committee and create the Select Committee.

THEREFORE BE IT RESOLVED that this House urge Government to disband the All-Party Committee on Democratic Reform;

BE IT FURTHER RESOLVED that this House establish a Select Committee on Democratic Reform, with a mandate to review and make recommendations on:  voting systems and methods; voting age; funding of political parties; the role of third party groups in election campaigns; timing/date of elections; and other items at the Committee’s discretion;

Internet Voting Privacy and Security Risks report from OIPC Newfoundland

The Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) has released a very clear report that explains the unique characteristics of the secret ballot and elections, and examines the risks that would be introduced by implementing Internet voting.

Internet Voting – Privacy and Security Risks (PDF)

It also asks a very fundamental question: what problem is Internet voting trying to solve?

In reviewing reports and public documentation from Canadian jurisdictions where internet voting has been implemented it appears that there has been little to no concerted effort on the part of governments, prior to implementing internet voting, to 1) identify the problem to be addressed and 2) understand what has caused the problem.

In the case of internet voting, it is not even clear that there is a problem [that is being solved]. If the problem can be framed as lack of participation in the democratic process, this is a much broader problem than the method of voting.

The report was authored by Sean Murray, Director of Research and Quality Assurance.

The report is particularly timely as Newfoundland and Labrador has established a Select Committee on Democratic Reform that is to review voting systems and methods.

For more on OIPC Newfoundland and Labrador, see:

How to enact remote voting for the Canadian House of Commons

The Standing Committee on Procedure and House Affairs (PROC) is meeting to study how to enact remote voting for the Canadian House of Commons.  Meetings can be viewed on video (ParlVU).

See List of Meetings below.

For details of the specific language of the request for the study, see later section Government Request.

With the disclaimer that I don’t read every single line of Hansard, I gather the Government’s request passed on May 26, 2020.

So the Standing Committee on Procedure and House Affairs, otherwise known as PROC, is charged to produce a report on enacting remote voting by June 23, 2020, which is very little time indeed to gather evidence and analyse it.

UPDATE 2020-06-18: PROC has requested that the deadline for the report be extended from June 23, 2020 to July 21, 2020.  END UPDATE

They have already produced a report recommending a “secure electronic voting system” by which they presumably mean Internet voting.  I examined some of the issues they will need to consider in detail in my previous blog post.

It’s not clear to what extent they understand the amount of effort that will be needed, given the complexity of implementing a remote voting system with robust authentication in a Canadian context with the technology we actually have in place; the discussion on the previous report included statements such as:

I think this section [on remote voting], given the recommendation, is really substantiated by the U.K. Parliament and how quickly it moved to implement an electronic remote voting procedure.

What’s interesting about the things that I think are really relevant is that Karen Bradley is quoted in that letter. I would recommend that this quote appear in our report. She said, “The Committee is satisfied with the assurances it has been given about the security of the system.”

Also, I did a bunch of Google searching—

The UK uses a completely different technology infrastructure than Canada, their Parliamentary votes are conducted differently, and they have a dedicated Parliamentary technology team, the Parliamentary Digital Service. The situations are not interchangeable.

As I’ve said in my previous post:

There really needs to be a separate, dedicated, technology-focused report just on electronic voting (Internet voting) for the House of Commons that gives more specific guidance including an assessment of risks and risk mitigations.

As I indicated in my post about the UK system, you have to consider a variety of complex issues when introducing a voting system.

Considerations for a voting system include the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security, as well as usability.

So it’s good that there will be a separate report, but there isn’t enough time to do much of an investigation.

At a minimum, PROC needs to consider:

  1. For every voting scenario, how remote voting would work, or if it would not be possible to replicate the attributes of the in-House voting scenario remotely.  (I link to all the different ways a vote can be conducted — Putting the Question as it is called — at the end of this post.)
  2. How to deal with authentication, to reduce the risk that someone other than the Member of Parliament is voting.
  3. Whether they want simultaneous voting, or traditional one-by-one voting.  One-by-one is highly preferable in terms of simplicity and ease of auditing and counting.
  4. How to make the system usable, including reducing the risk of Parliamentarians voting the opposite of the way they intend (it took all of a day for this to happen in the UK).  This can be done by avoiding most additional technology altogether, using the videoconference and having Parliamentarians raise their hands one-by-one to vote.
  5. If they decide they need a software system, considering how to implement the system using modern software development approaches, learning the lessons of previous failed IT systems.
  6. For voting beyond Putting the Question, how to handle other situations.  For example, the Speaker is elected by secret ballot.  This is not possible using online voting, because the anonymity of a secret ballot cannot be replicated online (this is why voting in a general election is not possible online).
  7. How to detect and deal with situations in which the Parliamentarian is voting under duress.

Hopefully their duress solution will be better than the April 2020 U.S. Senate staff report’s idea:

Another option would be to provide senators with a code word that they could use to make clear to those in the chamber that they were voting under duress.

I would also note that that same staff report indicated:

that system will become a prime target for adversaries … wishing to disrupt the system to undermine confidence in the country’s institutions, or to alter the outcome of significant votes. Therefore, any system the Senate adopts must provide a level of security that would ensure confidence in the validity of senators’ identities and votes similar to that which exists on the Senate floor.

In conducting its analysis PROC will be continuing the Parliamentary Duties and the COVID-19 Pandemic work.

Keeping in mind that remote Parliamentary voting is not at all the same as voting in a general election, most notably because Parliamentary votes are public, with no anonymity and no secret ballot, here is information about Submitting a brief to a Committee:

Guide for submitting briefs to House of Commons Committees

The Clerk of PROC is Justin Vaive, and the email address is PROC@parl.gc.ca

Previous Posts

For more information see my previous posts:

List of Meetings

Government Request – How to Enact Remote Voting

As best I understand, the Government requested on May 25, 2020:

(f) the Standing Committee on Procedure and House Affairs be instructed to review and make recommendations on how to modify the Standing Orders for the duration of the COVID-19 pandemic as part of an incremental approach beginning with hybrid sittings of the House as outlined by the report provided to the committee by the Speaker on Monday, May 11, 2020, including how to enact remote voting, provided that (i) the provisions applying to committees enumerated in paragraph (e) shall also apply to the committee, (ii) the committee be instructed to present a report no later than Tuesday, June 23, 2020, (iii) any report which is adopted pursuant to this paragraph may be submitted electronically at any time with the Clerk of the House, and shall be deemed to have been duly presented to the House on that date, (iv) following the presentation of any report pursuant to this paragraph, the House leaders of all four recognized parties may indicate to the Speaker that there is an agreement among the parties to implement one or several of the recommendations of the committee and the Speaker shall give effect to that agreement;

Putting the Question

As one might expect, Bosc and Gagnon provides a detailed explanation of the voting process in the House.

Chapter 12 – The Process of Debate – Decisions of the House – Putting the Question

You can read all the details there, but I have to include the marvelous Figure 12.3 Putting the Question. Law as code, if you will.

Figure 12.3 Putting the Question
Image depicting, in a series of boxes linked by lines, the steps required for the House to make a decision on a question. It begins with debate concluding, followed by the Speaker putting the question, then listing options for voice votes or recorded divisions. If necessary, the Speaker casts a deciding vote. At the end, the Speaker declares that the motion has been adopted or rejected.

(Above section copied from previous blog post.)