Category: comment

comment on The Agenda – Is Online Voting the Future?

TVO – The Agenda – Is Online Voting the Future? – May 17, 2017

COMMENT

In future I hope that TVO will invite computer scientists who specialise in elections security when the topic is online voting.

There were a number of things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, and that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where, unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.

In every such case, without exception, the recommendation is against online voting. This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.

END COMMENT

Also see my longer email with links – email to TVO about online voting.

email to TVO about online voting

Here is an edited version of an email sent to TVO about their May 17, 2017 The Agenda segment on online voting.

EMAIL

I was pleased to see Steve Paikin ask a variety of questions about online voting, Internet security and electoral fraud in the May 17, 2017 The Agenda segment on the topic.

http://tvo.org/video/programs/the-agenda-with-steve-paikin/is-online-voting-the-future

There were many things we didn’t hear in the segment, such as the fact that Toronto, Kitchener and Waterloo have always rejected Internet voting, or that municipalities have to make the decision about online voting without any comprehensive background briefing about the computer security risks, or that Guelph and Orillia just rejected online voting for the 2018 elections.

We also didn’t hear about the many Canadian expert consultations and reports about online voting, consultations where, unlike municipal online voting decisions, there was more time to draw on a variety of election expertise.  In every such case, without exception, the recommendation is against online voting.

This includes Nova Scotia, New Brunswick, Ontario, and British Columbia, as well as the federal government.
[added for the web: recommendations on Internet voting from government consultations]

In addition, Quebec has a total moratorium on all forms of electronic voting, including online voting.

As well there is the recent expert study of the PEI referendum, which also recommended against online voting.

Just to give you a flavour of these kinds of expert assessments, here’s what Toronto had to say in its analysis http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.
  • Every jurisdiction whose Internet voting system has been thoroughly examined by security experts—including the long-running system in Estonia—has revealed major vulnerabilities that could allow the system to be hacked, to reverse election outcomes, or to selectively disenfranchise voters, all while going completely undetected.
  • Many jurisdictions that ran Internet voting pilots—including Washington, DC, France, and Norway—cancelled the projects due to security issues.

Should you have a future segment about online voting, I urge you to include computer science expertise.  Here is a list of contact information for experts specifically in the risks of online voting, including Canadian experts such as Dr. Simons and Dr. Essex:

[embedded list replaced with web link: Internet voting and computer security expertise]

END EMAIL

comment on News 1130 Online voting the future for smoother BC elections?

I don’t have the exact comment, but it was something like

COMMENT

BC already extensively studied and comprehensively rejected online voting.  You can see the results in the February 2014 Recommendations Report to the Legislative Assembly of British Columbia from the Independent Panel on Internet Voting.

http://www.internetvotingpanel.ca/

And Internet security has only gotten worse since 2014.

ENDCOMMENT

You can also listen to my interview about online voting with Ottawa’s 1310 News Radio.

Comments about Orillia Internet voting

The City of Orillia has invited comments about its proposal for Internet voting in the 2018 Ontario municipal election.

The website is City of Orillia Voting Method – Public Comments and the deadline is Monday May 1, 2017 at 10am Eastern.

They have included a link to their staff report: Clerk’s Department Report CD 17-08 – Alternative Voting Method Options (PDF).

Below is my submission.

COMMENT

Dear Mayor and Council (c/o Janet Nyhof, Deputy Clerk):

I am writing in response to the request for comments about the recommended City of Orillia voting method.

http://orillia.ca/en/news/index.aspx?feedId=6f58f980-7799-42a7-9149-7b35d865e9ee&newsId=c90efff1-5ce5-4d2e-9ee5-40b300572e08

I recommend against using Internet voting.

I have reviewed the Clerk’s Department Report CD-17-08 2018 Municipal Election – Voting Method Options.

http://icreate4.esolutionsgroup.ca/230002_iCreate_NewsModule//Management/Attachment/Download/2f0783f2-adf9-4b98-acc5-53b09cfff307

I have the following concerns with this report, which does not cite computer science and computer security evidence:

* it appears to minimize the disadvantages

* it selectively reports on municipal adoption of Internet voting

* it does not provide a comprehensive analysis of the system-wide security and error risks

I agree with the following conclusions of the report, which are well-supported by social science evidence:

* Internet voting will not increase turnout, nor will it change the voter profile

I have provided additional detail in an appendix below.

Thank you,

Richard Akerman

Appendix

I would like to examine the disadvantages cited in more detail:
* System may be perceived as vulnerable to hackers

All systems are vulnerable to hackers.  This is not perception, this is reality.  This is the nature of computers.  Microsoft, with huge resources, nevertheless releases patches every single month for critical errors (vulnerabilities) in Windows and associated Microsoft software.  The situation is so bad that the Economist magazine recently did a cover story proclaiming “Why computers will never be safe”.
http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

I want to emphasize that this is not just about e.g. foreign hackers attacking the voting server.  It’s about two significant issues: 1) all systems have errors (bugs), and require extensive examination in order to ensure that errors have been minimized; 2) the entire voting system, which in the case of Internet voting means the voter’s personal home computer or computing device, must be secure in order for the vote to be secure.

How many hundreds or thousands of insecure home computers might be involved with a municipal Internet vote?  We really have no way of knowing; it would require a survey of a representative sample of users.  The Internet voting vendors almost never mention this security aspect of the election.  We do know that very large numbers of computers are compromised worldwide, due to lack of technical expertise combined with challenges in downloading what may be very large patches, as well as due to older systems such as Windows XP no longer receiving security updates.

Just this month the US Department of Justice began dismantling a network (“botnet”) of compromised computers that numbered in the tens of thousands of machines.  That’s just one example, of many.

https://www.justice.gov/opa/pr/justice-department-announces-actions-dismantle-kelihos-botnet-0

Canadian government and corporate computers are hacked all the time.  Even Loblaw PC Plus points were hacked.

https://www.thestar.com/business/2017/02/20/loblaw-resets-all-pc-plus-passwords-after-breach-steals-member-points.html

Of course, decision-making is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

and a consensus statement from US computer scientists advising against Internet voting

http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

* Voter authentication
* Unsupervised voting

The combination of unsupervised voting and the inability to conclusively authenticate individual voters raises a number of very significant democratic issues: 1) voter credentials can now be bought and sold; 2) since voting is unsupervised, even legitimate voters can be coerced by their friends or family to vote a particular way.

* Role of the candidates/scrutineers change

In fact, any meaningful role for candidates and scrutineers in examining the conduct of the election is gone.  Their scrutineer role hasn’t changed, it’s been eliminated.  The entire trust that used to be established by watching physical ballots being counted in public is replaced by a transfer of trust to the black box of a third-party, for-profit, Internet voting technology vendor.  There is nothing to examine, there is nothing to recount.  A vote count comes out of the computer that cannot be challenged or changed.

* a summary of other municipalities’ 2014 Voting Method and 2018 Proposed Voting Methods

Not cited in the list in the Orillia report are:

[Correction to email, should say] Not cited in the list in the Orillia report (or changed since the report was released) are:

* Kitchener – no Internet voting in 2014, no Internet voting in 2018

* Waterloo – no Internet voting in 2014, no Internet voting in 2018

* Guelph – advance Internet voting in 2014, no Internet voting in 2018 (following an extensive debate with over 200 submissions and over a dozen deputants)
* Toronto – no Internet voting in 2014, no Internet voting in 2018

* Ottawa – no Internet voting in 2014, no Internet voting in 2018

https://web-beta.archive.org/web/20140217203039/http://www.therecord.com/news-story/2617898-kitchener-rejects-internet-voting/

http://www.therecord.com/news-story/4236054-waterloo-rejects-online-voting-in-2014-municipal-election/

http://www.therecord.com/news-story/6980847-waterloo-council-rejects-internet-voting-for-2018/

https://www.guelphtoday.com/local-news/guelph-city-council-deletes-online-voting-for-2018-municipal-election-596779

https://www.thestar.com/news/city_hall/toronto2014election/2014/07/23/toronto_cancels_plan_to_allow_online_phone_voting_for_disabled_citizens_in_2014.html

http://www.toronto.ca/legdocs/mmis/2016/ex/bgrd/backgroundfile-98545.pdf

Toronto’s report states, in part:

Internet Voting

Fundamentally, the Internet was designed to share information, not to secure it. Though an increasing amount of daily commercial life—from shopping to banking—has moved online, Internet voting poses security challenges that are unique and, in their current state, insurmountable.

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware:

  • Internet voting is extremely vulnerable to a wide range of cyber-attacks, and many of these are impossible to detect.
  • Internet voting poses extraordinary and unnecessary risks to election integrity, and even a small issue—were it even detectable—could completely undermine public trust.

Lastly, I will look at the security aspect of the Orillia report:

* The implementation of an electronic voting solution must ensure that the process is secure, provides confidentiality of the individual voter and provides accurate and reliable results.

The above statement is correct.  However, the report then fails to cover all aspects of “the process” including the home computer.  Securing a central server without securing all of the home computers that connect to it is like protecting a single big tree in a forest and declaring the forest is totally secure from damage, ignoring the fact that many of the smaller trees in the forest could be cut down.

Similarly, the ability to truly, provably separate the identity of an individual voter from the vote they cast is not possible with computer-based systems.  Computers are designed to track changes made.  It is extraordinarily difficult to make a system that can simultaneously determine that an individual has permission to vote, while then not recording somewhere in the system which user cast which vote.  Lastly, accurate and reliable results require strong evidence.  The computer can’t be inspected in any meaningful way; it’s a black box.  The municipality is transferring the entire trust in the election from a process of open casting and counting of paper ballots to a closed system that exists entirely within the computer and is controlled entirely by the third-party voting technology vendor.

If Orillia nevertheless decides to proceed with Internet voting and is truly confident in the security of its system, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.
ENDCOMMENT

Comments about Guelph Internet voting

A letter submitted for the April 24, 2017 Guelph Council meeting, agenda item COW – CS – 2017.04 2018 Municipal Election: Methods of Voting.

COMMENT

Dear Mayor and Councillors:

The Internet threat environment has changed since 2013 when Guelph did its initial analysis of online voting.  Since then, Ontario, British Columbia, New Brunswick and the federal government have all released reports on online voting, and all have recommended against it at the provincial or national level.  Threats have gotten worse while security technology has not advanced at the same pace, to the extent that the Economist magazine just did a cover story proclaiming “Why computers will never be safe”.

http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage

http://www.economist.com/news/science-and-technology/21720268-consequences-pile-up-things-are-starting-improve-computer-security

Of course, decision-making is always about balancing risks versus benefits.  I can tell you that when computer security experts examine online voting, they basically universally find that the risks are too high.  See for example Scientific American from February 2016

https://www.scientificamerican.com/article/pogue-the-challenges-of-digital-voting/

If you do choose to continue with online voting, I urge you in the spirit of open government to conduct an open, public test of the full online voting system well in advance of the election, with permission for anyone around the world to remotely examine the system in detail for security vulnerabilities and to publicly report their findings.  There is no security in obscurity.

In staff report CHR – 2013 – 30 “2014 Municipal Election:  Methods of Voting”, principles for a municipal election are outlined.  Here is my evaluation of online voting against three of those principles:

  • the secrecy and confidentiality of the voting process is paramount;

Use of a third-party vendor for online voting compromises voting secrecy and confidentiality.  Even if the voting systems were developed and hosted in-house, the information necessary to cast a vote (the voter identification) is extremely difficult to completely separate inside the computer from the vote cast.  Additionally, unsupervised remote voting opens the potential for anyone to view a vote that is being cast (and indeed to coerce the vote, or to pay someone for their voting credentials).

  • the integrity of the process shall be maintained throughout the election;
  • there is to be certainty that the results of the election reflect the votes cast;

The chain-of-custody for an Internet ballot extends from the personal computing device, across the Internet, and through to the voting servers.  There are potential threats to the integrity of the process at every stage, from compromised (“hacked”) home computers, through to denial-of-service attacks and potential vote alteration or addition of votes (“ballot stuffing”) at the server end.  Or the computer code could simply have errors in it (all computer programs have errors).  There is no way to observe the entire process; it is a black box.  Therefore there can be no real certainty that the results of the election reflect the votes cast.

Additional information supporting the above statements is available in an appendix to this email.

Thank you,

Richard Akerman

Appendix

Changes since 2013 report

The primary report is the July 16, 2013 “An Analysis of Alternative Voting Methods”.  http://guelph.ca/wp-content/uploads/AnalysisOfAlternativeVotingMethods.pdf

Both Elections Canada and Elections Ontario have been actively exploring the prospect of implementing an online voting channel for a number of years and have since allocated resources to undertake a detailed investigation and feasibility review of doing so.

As of 2017, neither Elections Canada nor Elections Ontario has implemented online voting, nor are they actively exploring the possibility.

A consultation by the Canadian Parliamentary Special Committee on Electoral Reform recommended against online voting[1], and the Canadian government accepted the recommendation.[2]  On March 2, 2017 Elections Canada released an RFP which included the statement “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”[3]

Ontario’s Alternative Voting Technologies Report, released June 2013, recommends against online voting and there is no online voting in provincial elections in Ontario.[4]

[1] December 2016 – Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8655791&File=291#87 – “Recommendation 4: The Committee recommends that online voting not be implemented at this time.”

[2] April 2017 – Government Response to Report Strengthening Democracy in Canada : Principles, Process and Public Engagement for Electoral Reform – http://www.parl.gc.ca/HousePublications/Publication.aspx?Language=e&Mode=1&Parl=42&Ses=1&DocId=8853290 – “The Government accepts this recommendation.  We will not implement online voting at this time.”

[3] March 2017 – Elections Canada RFP – https://buyandsell.gc.ca/cds/public/2017/03/02/967d72343b6234a0571287c709b7ae1f/ecrs-rfp-16-0167_-_anpp_-_ec-vsm-pppe_-_bilingual.pdf – “Elections Canada has no plans to introduce electronic casting or counting of votes. Polling places will continue using paper ballots, marked and counted by hand.”

[4] June 2013 – Alternative Voting Technologies Report – Ontario Chief Electoral Officer’s Submission to the Legislative Assembly (PDF) – http://www.elections.on.ca/content/dam/NGW/sitecontent/2014/reports/Alternative%20Voting%20Technologies%20Report%20%282012%29.pdf – “At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.”

Additional Context

In fact, there is no provincial online voting anywhere in Canada, and there is only municipal online voting in Nova Scotia and Ontario.  Reports from Nova Scotia [5], New Brunswick [6] and British Columbia [7] have all recommended against provincial online voting.  Quebec has had a moratorium on provincial online voting since investigating problems with its electronic voting machines in 2005.[8]

[5] Elections Nova Scotia: Annual Report of the Chief Electoral Officer April 1, 2012 – March 31, 2013 (PDF) – https://electionsnovascotia.ca/sites/default/files/ENS%20AR%20Web%202012_13.pdf – specifically pp. 14-16 Appendix I: Internet and Telephone Voting in Nova Scotia.

[6] March 2017 – A pathway to an inclusive democracy (PDF) – http://www2.gnb.ca/content/dam/gnb/Departments/eco-bce/Consultations/PDF/PathwayToAnInclusiveDemocracy.pdf – specifically pp. 20-21 E-voting

[7] February 2014 – Independent Panel on Internet Voting: Recommendations Report to the Legislative Assembly of British Columbia (PDF) – http://www.internetvotingpanel.ca/docs/recommendations-report.pdf

[8] October 2006 – Electronic voting – Le Directeur général des élections du Québec (DGEQ) – http://www.electionsquebec.qc.ca/english/municipal/media/electronic-voting.php

There is a consensus statement from US computer scientists advising against Internet voting.[9]

[9] http://usacm.acm.org/evoting/category.cfm?cat=30&E-Voting – “At the present, paper-based systems provide the best available technology….”

END COMMENT

Here are additional documents I tracked down as part of writing the above comment:

2014 Election Cycle

July 16, 2013 — An Analysis of Alternative Voting Methods (PDF) — by Blair Labelle, City Clerk

July 16, 2013 — Staff Report CHR – 2013 – 30 — 2014 Municipal Election: Methods of Voting (PDF) — Prepared and Recommended by Blair Labelle, City Clerk

June 2, 2014 (Amended September 15, 2014) — Procedures for Voting and Vote Counting Equipment for the 2014 Municipal Election (PDF)

2018 Election Cycle

September 6, 2016 — Staff Report CS-2016-73 – Municipal Election Modernization, Service Expansion and Ranked Ballot Election (PDF; pp. 255-289) – Prepared by Jennifer Slater, Approved by Stephen O’Brien, City Clerk

April 3, 2017 — 2018 Municipal Election Voting Methods (PDF; pp. 99-109) – by Stephen O’Brien, City Clerk and Returning Officer

April 3, 2017 — Staff Report CS-2017.51 — 2018 Municipal Election: Methods of Voting (PDF, pp. 110-115) — Prepared by Tina Agnello, Deputy City Clerk; Approved by Stephen O’Brien, City Clerk

Other Reports Cited by Guelph

June 23, 2005 — Risk Analysis of Traditional, Internet, and other Types of Voting Alternatives for Town of Markham — by Harry M. Kim

Eurasia Review – Democracy In The 21st Century – comment

My comment on December 9, 2016 Eurasia Review article Democracy In The 21st Century – Analysis.

COMMENT

In support of Antony Hodgson’s point, British Columbia does not have Internet voting at either the provincial or municipal level. The BC Independent Panel on Internet Voting recommended against online voting in 2014 and there has been no change from Elections BC since then. A small number of First Nations communities in British Columbia have offered Internet voting. Those are small elections however, with a few hundred votes cast in total.

ENDCOMMENT

The Hill Times – Electoral reform will not happen in this Parliament – comment

Here is the comment I posted on The Hill Times article Electoral reform will not happen in this Parliament – December 12, 2016

COMMENT

“online voting would definitely entice more millennial and younger generation citizens to the polls”

With respect, no it wouldn’t. Evidence from all over the world shows that online voting doesn’t increase voter turnout. The people who vote online are the same people who would have voted offline. Youth turnout is low with online voting, because it is low with paper voting. In the PEI Plebiscite, with ten days of online voting, turnout for ages 18-24 was the lowest of any age range, at 25.47%.

Here are four reports that include the topic of online voting and turnout:

Gosse, R. (2012, December 10). FCS-12-191 – Alternate Voting – Internet Voting. Retrieved from City of Kitchener – Laserfiche WebLink: https://lf.kitchener.ca/WebLinkExt/DocView.aspx?id=1235356&dbid=0

Archer, K., Beznosov, K., Crane, L.-A., King, V., & Morfitt, G. (2014, February 12). Recommendations Report to the Legislative Assembly of British Columbia. Retrieved from British Columbia Independent Panel on Internet Voting: http://www.internetvotingpanel.ca/docs/recommendations-report.pdf

Goodman, N., & Stokes, L. C. (2016, October 6). Reducing the Cost of Voting: An Empirical Evaluation of Internet Voting’s Effect on Local Elections. Retrieved from Social Science Research Network (SSRN): https://ssrn.com/abstract=2849167

McLeod, G. B. (2016, November 9). Interim Report of the Chief Electoral Officer for the 2016 Plebiscite on Democratic Renewal. Retrieved from Elections Prince Edward Island: http://www.gov.pe.ca/photos/original/elec_demrefpleb.pdf

For over a dozen references on this topic you can see https://papervotecanada2.wordpress.com/2016/12/12/online-voting-doesnt-increase-turnout/

ENDCOMMENT