Category: electronic voting

Wales consults on electronic and Internet voting

The Government of Wales is running a consultation: Electoral reform in local government in Wales.  The consultation closes 10 October 2017.

A variety of questions are considered, but for the purposes of this blog there are three of interest:

  • Q21 electronic voting (this appears to be defined solely as paperless touch-screen voting in polling places)
  • Q22 remote voting (Internet voting)
  • Q23 electronic counting

In what I have found is fairly typical fashion, the main consultation paper (PDF) does not cite any references, and makes brief, broad, generally positive statements.  (The youth and “easy read” consultation versions in turn simplify and amplify these statements to an extreme degree.)

Responding to the Consultation

You can fill in an online form, but in order to be able to provide more extensive comments, you may instead want to download the email response form (DOCX), complete it (or complete whichever sections are relevant to you) and send it to RLGProgramme@wales.gsi.gov.uk

Reminder that the deadline is 10 October 2017.

Q21 Electronic Voting

(page 18 in main consultation document)

This is defined solely as touch-screen voting. There is no mention of paper output, so presumably paperless touch-screen voting.

Extracts from statements + commentary

5.14. This implies the installation of equipment at polling stations (and possibly other locations) to enable touch-screen voting. …

5.15.  Electronic voting is already used widely internationally, particularly in India but also in Belgium and Estonia amongst others.

I think this is a misunderstanding of voting in Estonia.  As far as I know, Estonia doesn’t use paperless touch screens.  On voting day, voting is on paper.

There isn’t any serious examination of security risks to voting machines (voting computers), but there is the rather extraordinary assertion that electronic voting could lead to less challenging of “votes” (presumably this means fewer challenges to election results).

5.19. … there would need to be secure procedures in place to ensure the security of data being transmitted from the polling places to the central count operations. The challenging of votes could become less likely.

I, on the other hand, think paperless touch-screen voting would introduce not only high security risks, but would make challenges to election results both more likely and impossible to satisfactorily resolve (as there is no physical trail to audit).

Q22 Remote Voting (Internet Voting)

(page 19 in main consultation document)

It’s clear this means Internet voting.

Extracts from statements + commentary

5.20. This refers to a process of voting through access of the internet by an electronic device, using an individual recognition code. The use of codes of different sorts to ensure that only the intended person is accessing a system is now commonly used for purchasing, banking, voting in elections within political parties, trade unions and other organisations. Registration to vote is now routinely performed online, as is registering/taxing a motor vehicle and accessing a multitude of other public services or transactions.

Where to begin?  Voting doesn’t have the same requirements as banking; voting has much harder to satisfy requirements as the transactions have to be anonymous and aren’t reversible.  Voting is not a regular online personalised transactional service.

5.21. Remote voting was piloted in local elections at South Buckinghamshire in May 2007. Although only a minority made use of the facility, 10 years later the option is likely to be more popular. There were no particular technical difficulties but the Electoral Commission called for the pilots to be suspended – along with all others – until the system was generally more secure. There is a risk that, with registering being done remotely, fictitious voters could be created and that voting might not take place in secure environments. In addition, realistic concerns exist about cyber security, and any system needs to be as secure as possible from the dangers of hacking and manipulating votes. This must be weighed against this method becoming more and more commonplace in relation to other types of voting or completion of official forms and having likely efficiency savings. There are remote voting procedures operating in at least one European country allowing the casting of a vote more than once by the same person, with only the final vote cast before close of poll counting. This is to provide for the possibility that an elector may be subject to intimidation when voting but would take a later opportunity to vote in private.

In the list of examples that might have been chosen, South Buckinghamshire in 2007 is a rather oddly specific choice.  Plus which it’s very hard to locate those old voting trial documents online.

The usual assertion that online voting will be “popular”, without any context that online voting provably does not increase turnout.

I do like that there is at least some consideration given to security risks, but the idea that we should weigh “realistic concerns” about security against some vague notion of method popularity is odd.  One should weigh the security risks of one type of voting against the security risks of another, and optimise for voting system integrity.

While being oddly specific about South Buckinghamshire, the document is oddly vague about “at least one European country” – in fact there is only one country in the world that offers national Internet voting, Estonia, and it is only able to have multiple vote casting because it has a comprehensive nationwide system of digital ID, something which the Wales document doesn’t mention.

There is also no mention of the many countries that have had reports recommending against Internet voting (such as Canada) or countries that have withdrawn Internet voting due to security concerns (such as France).

Q23 Electronic Counting

(pages 19-20 of the main consultation document)

I don’t really have the energy to examine the electronic counting piece in detail.  Basically what you need to know about electronic counting is that you MUST audit the counts because you cannot trust the counting machines (counting computers).  Which, if you have a simple count anyway, means that you’ve generated more work and expense, not less.  Electronic counting, with audits, only makes sense if you have a complicated count, and nevertheless distances the process of the election from direct public inspection and understanding.

UK Evidence

As I have mentioned, a lot of the UK evidence from previous voting trials is now hard to locate online.  But here are some nice clear statements from the UK Office of the Deputy Prime Minister (ODPM) in Implementation of Electronic Voting in the UK Technical Options Report circa 2003.[1]

A Comparison with Other Secure Transactions

It is useful to compare voting with other online transactions for which security is needed.

The most obvious comparison is with banking. Attacking an electronic voting system is unlikely to bring the immediate financial rewards that a successful attack on the banking system would, and thus some types of well-resourced attack are less likely. However, the likelihood of well-resourced attacks is still sufficiently high to be problematic.

The consequences of a successful attack are very different with electronic voting, than with banking, though. Banks can, and do, take a financial analysis of how much loss they can stand and insure against such losses. It may be that a political decision could be taken that the loss of a certain percentage of votes is acceptable, but in the absence of such a decision, security appropriate for banking cannot be considered sufficient for electronic voting. Banks have also maintained confidence in the face of repeated losses through computer crime by covering up the cause of those losses. It is inconceivable that, in the event of a successful attack on electronic voting, such a cover-up would be acceptable to the electorate if subsequently disclosed. In a similar vein, individuals can be, and are, compensated for financial losses due to disruption/failures/hacking of online banking. It is not easy to see how there could be equivalent compensation for disruption/failures/hacking of an individual's vote, even if somehow it was discovered which individuals were affected (which might not be possible with some sorts of disruption).

Another issue is anonymity: electronic voting differs from the aforementioned applications due to the fact that, in addition to the requirements for accuracy and privacy, there is the mandated necessity to provide … anonymity. In other words, banking applications can (in fact must) allow tracking back to the user of the system, but the [electronic voting system] must ensure that such tracking is impossible. (Mercuri, 2001, pp8-9).

Electronic voting also differs from financial transactions in that the risk that an election delayed by a few days will have a different result is unacceptably high. By contrast substantial financial transactions between two willing partners usually can be conducted a few days later if there are problems with ecommerce applications, since such transactions are rarely conducted on a whim.

The Mercuri citation above is to
Mercuri, Rebecca, 2001 Electronic Vote Tabulation: Checks and Balances PhD thesis, University of Pennsylvania.

[1] From Paper Vote Canada blog post electronic voting in the UK – technical report, September 17, 2004. As the ODPM site is no longer available, a 31 July 2003 version from the Internet Archive is linked above.

Electronic voting in the Canadian House of Commons

While I am not a fan of electronic voting in the House of Commons, it would be possible to design a system that would mitigate potential risks, whereas it is not possible to design a system that will adequately mitigate the risks of Internet voting in a public election.  Comparing the two may be illustrative.

Voting in the House of Commons

A decision on a motion before the House can be made with no dissenting voices, in which case the motion is adopted and no division is taken.[255] When there are dissenting voices, a vote (or division) is taken. This can be either a voice vote or a recorded vote[256] where the House is called upon to divide into the “yeas” and the “nays”.[257]

above from House of Commons Procedure and Practice – Decisions of the House

When consensus isn’t heard on a voice vote, votes are cast by individual Members of Parliament (I think this is sometimes called “on division”).  The vote is cast by MPs standing one-by-one and saying their vote out loud.

Three key things about these votes:

  • they are not anonymous
  • they are not secret
  • they can be coerced

Because an individual MP stands up and states their vote in front of everyone, their votes are not anonymous or secret. Because of that, their vote can additionally be coerced, which is to say they can be incentivized to vote a particular way, and then rewarded or punished once they cast their vote (in Canada the system of whipped votes, with a Party Whip, is the very definition of coerced votes).

Designing Electronic Voting in the House of Commons

Technologically this is straightforward.  Each MP should be able to vote once and only once.  Everyone should be able to see the individual votes.  It should be hard to vote the opposite of how you intend.  Preferably the MP should be physically present in the House, ideally at their seat.  No other MP should be able to cast a vote on another’s behalf.

The obvious way to do this is low-technology.  Have voting buttons at each MP’s seat.  Have them well-designed, ideally physically separated with different shapes and colours to distinguish the yes vote from the no vote, so that you don’t press the wrong button by accident.  You could have e.g. a round green yes button on the left hand of the seat, and a red octagonal no button on the right hand side of the seat.

In case you think people can’t make mistakes:

In May 2010, however, [Paula] Fletcher accidentally voted against a proposal to install bike lanes on University Avenue in downtown Toronto. The proposal failed on a 15-13 vote. She said she had intended to vote in favour of the proposal and cited fatigue and city hall technology for her mis-vote.[15][16]

above from Wikipedia – Paula Fletcher

Now, the question becomes whether MPs still vote one-by-one or whether they now all vote simultaneously.  One-by-one is much better as you get much more time for everyone involved to check that the vote was cast as expected.  But this doesn’t save much time over standing to vote.  The inclination will be for simultaneous votes.  In this case, there would ideally be a display (e.g. red and green lights, right and left) at each MP’s station to show how they just voted, plus a screen listing each MP and their vote, plus a summary screen, plus possibly a line display in front of the MP displaying either YES/OUI or NO/NON back to them.  This is so that individual MPs can verify their vote was cast as intended and also so that MPs can check on one another.

In case you think MPs won’t be tempted to vote for absent members, watch this US video of representatives voting for absent members:

So the system should have individual member voting buttons activated if they are (at least) physically in the chamber and (ideally) physically at their desk. This means a lot of monitoring who goes in and out. And there needs to be frequent testing of the buttons. And they should be hard-wired and electro-mechanical, with a sensory and possibly audible click when pushed, in addition to lighting up.

Hard-wired is to make them impossible to tamper with from outside. Electro-mechanical is because you want them to last a really long time, which means they have to be outside the very rapid technology obsolescence cycle of computing devices. You do still need some central counting and display technology, but it should also be very very simple.

You need to make sure that the final vote tallies match the individual votes as cast.  Preferably through both verification in the House as well as after-the-fact spot checks (independent audits) by third parties checking the votes cast against the tallies.

When casting a vote, you want a mechanical click, because you want intentionality.
This has nothing to do with technology, it’s about humans.
Standing and speaking your vote is a very strong human statement. It is a physical risk, it is a social statement. It’s a very deep part of how humans behave. “Stand and be counted” is an expression for a reason. Standing up and making a statement requires a very deliberate choice.

It’s very hard to capture that level of accountability and deliberation in any kind of electronic voting situation. The best I can do is to have the voting system be physical with feedback, so that you have to be quite deliberate about pushing the button.

What you absolutely don’t want is iPads with wifi.
What they will want to do is iPads with wifi. Because innovation! progress!

iPads with wifi is terrible on many many fronts. In brief:

  • it introduces the risk that the voting system can be attacked from outside
  • it introduces a constant cycle of technological maintenance and upgrades, with associated never-ending costs and ever-escalating risks
  • it introduces the risk that MPs can vote without being physically in the chamber
  • it introduces the risk that MPs can vote for other members
  • it removes the physical intention that standing to vote embodies
  • it moves the vote into a noisy distraction space where people are used to clicking without consequences: to buy things, to select news headlines, to play music, etc.
  • it introduces a huge potential distraction in front of MPs, unless the iPad is extremely locked-down in terms of its features

To mitigate this you could physically wire the iPads into the desks and have the vote only possible to be cast by transmission over the iPad connector, but there is pretty much zero chance they would design it this way.

If it’s not iPads with wifi, the temptation will be to use “clickers” because they are easy to procure.  However clicker systems break down all the time.

The error was caused by the electronic clickers used in voting, said  General Synod Chancellor David Jones.

above from Anglican Journal –  Voting error reveals Anglican same-sex marriage motion passed after all

All of the voting data would have to be published as open data (which it already is), ideally with analysis ongoing to check for anomalies.
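One way to run the cross-check described above (each MP votes once and only once, from their own seat, while present in the chamber, and the announced tally matches the individual votes as cast), as an added example that is not part of the original post. The member and seat identifiers, the record layout and the finding names are assumptions, and the sample division is constructed.

```python
from collections import Counter

CHOICES = ("yea", "nay")

# Constructed sample division (hypothetical identifiers, not real House records).
SEATING = {"MP-A": "seat-1", "MP-B": "seat-2", "MP-C": "seat-3", "MP-D": "seat-4"}
PRESENT = {"MP-A", "MP-B", "MP-C"}        # members logged as inside the chamber
BALLOTS = [                               # (member, seat the press came from, choice)
    ("MP-A", "seat-1", "yea"),
    ("MP-B", "seat-2", "nay"),
    ("MP-D", "seat-4", "yea"),            # MP-D is not in the chamber
    ("MP-B", "seat-2", "yea"),            # second press by the same member
    ("MP-C", "seat-1", "nay"),            # cast from another member's seat
]
ANNOUNCED = {"yea": 3, "nay": 2}          # what a naive press counter would display


def audit_division(seating, present, ballots, announced):
    """Recount a public recorded vote and list every rule violation found.

    seating:   member -> assigned seat
    present:   set of members logged as physically in the chamber
    ballots:   list of (member, seat_of_button, choice) in the order received
    announced: tally shown on the summary display
    """
    findings = []
    accepted = {}  # member -> choice; only the first valid press is counted
    for member, seat, choice in ballots:
        if member not in seating:
            findings.append(("unknown-member", member))
        elif choice not in CHOICES:
            findings.append(("invalid-choice", member))
        elif member not in present:
            findings.append(("absent-member", member))
        elif seat != seating[member]:
            findings.append(("wrong-seat", member))
        elif member in accepted:
            findings.append(("duplicate-vote", member))
        else:
            accepted[member] = choice

    # Independent recount from the individual votes, compared with the display.
    recount = Counter(accepted.values())
    tally = {c: recount.get(c, 0) for c in CHOICES}
    for c in CHOICES:
        if announced.get(c, 0) != tally[c]:
            findings.append(("tally-mismatch", c))

    # Members who were present but have no accepted vote (abstained or rejected).
    not_voted = sorted(present - set(accepted))
    return {"tally": tally, "findings": findings, "not_voted": not_voted}


if __name__ == "__main__":
    report = audit_division(SEATING, PRESENT, BALLOTS, ANNOUNCED)
    print("recount:", report["tally"])
    for code, subject in report["findings"]:
        print("finding:", code, subject)
    print("present without an accepted vote:", report["not_voted"])
```

Because the vote is neither secret nor anonymous, anyone holding the published records can rerun this kind of check, which is the property the post relies on.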

Summary of Electronic Voting in the House of Commons

In summary, it is possible to design a system because you can have visible indicators and checks.  Each individual MP can check that their vote was properly cast and counted, and the House as a whole can observe the votes and validate them against expectations.  Because the vote is not secret and not anonymous, it’s possible for multiple individuals and groups to validate the vote.

I’m not saying it’s a good idea.  I’m saying you could design it to mitigate risks.

My ideal system would have:

  • one-by-one voting
  • clear indication of how each member has voted, with cross-checking
  • design that limits the possibility of accidentally voting the wrong way
  • design that forces you to be very intentional and physically aware of your vote

The current stand-and-speak division voting has these properties, but a very-well-designed electromechanical system could come close.

Internet Voting in a Public Election

Internet voting (or voting in a public election in general) is very different from voting in the House of Commons.  Voting is secret.  If only the Elections Act said it that clearly.  Oh wait, it does:

Secrecy
Secret vote
163 The vote is secret.

above from Canada Elections Act
Sidebar: The Canada Elections Act is beautiful. Readable and extremely well-designed to mitigate risks to voting. END Sidebar

Not only is the vote secret, but individual voters are not permitted to share how they voted, in order to limit coercion.

  • Secrecy at the poll
    (2) Except as provided by this Act, no elector shall

    • (a) on entering the polling station and before receiving a ballot, openly declare for whom the elector intends to vote;
    • (b) show his or her ballot, when marked, so as to allow the name of the candidate for whom the elector has voted to be known; or
    • (c) before leaving the polling station, openly declare for whom the elector has voted.

above from Canada Elections Act

Votes used to be cast by individual voters stating their vote out loud (the exact system that is still in use in the House of Commons). This led to voters being coerced in many different ways. You can see more about the history of how we ended up with secret ballots in Andrew Appel’s presentation and my presentation.

Therefore in order to meet the same standards we have for paper ballots, the Internet vote in a public election must be

  • secret
  • anonymous
  • difficult to coerce

It is, simply put, not possible to do this with Internet voting systems today.  It may never be possible.  The risks can’t be mitigated in the way that they can for the very different requirements of non-secret, non-anonymous, possible-to-coerce electronic voting in the House.

Background

In case you’re wondering why this discussion comes up now, electronic voting in the House is proposed in the March 2017 document Reforming the Standing Orders of the House of Commons.

Updates on Internet voting worldwide

Many things are happening.  Too many things for me to write separate blog posts.  Here’s the situation as of March 8, 2017:

Canada

  • Canadian Parliamentary Special Committee on Electoral Reform recommended against national Internet voting – see December 1, 2016 blog post ERRE Electoral Reform Committee Recommends Against Online Voting
  • Canada’s Minister of Democratic Institutions was directed in her Mandate Letter to defend the Canadian electoral process against cyberthreats – see January 23, 2017 blog post defend Canadian electoral process from cyber threats
  • New Brunswick legislature Commission on Electoral Reform recommended against Internet voting – see March 23, 2017 blog post New Brunswick Internet voting and page 21 of Commission report A pathway to an inclusive democracy
  • Vancouver Independent Election Task Force recommended to city council that Vancouver conduct an online voting pilot, including asking the province to establish an independent technical committee – see slide 17 “Conduct an online voting pilot” of the Task Force presentation to council and pages 27-28 of the Task Force final report
  • Many Ontario municipalities have approved Internet voting for the 2018 municipal elections (far more than this blog can track; it will probably end up being about 200 municipalities)

Everywhere Else

video – An Uninvited Security Audit of the U.S. Presidential Election

Computer security researchers J. Alex Halderman and Matt Bernhard report on US voting computer security and the attempts to conduct comprehensive audits of the 2016 election results (recounts) in Wisconsin, Michigan and Pennsylvania.

Video also available (including for download) at https://media.ccc.de/v/33c3-8074-recount_2016_an_uninvited_security_audit_of_the_u_s_presidential_election#video

Halderman and Bernhard were presenting at the hacker conference Chaos Communication Conference (CCC) on December 28, 2016.

The slides may become available on the presentation page https://fahrplan.events.ccc.de/congress/2016/Fahrplan/events/8074.html

Matt Bernhard tweets @umbernhard

You can find more about J. Alex Halderman in my list of computer security experts https://papervotecanada2.wordpress.com/2016/11/19/internet-voting-and-computer-security-expertise/#JAlexHalderman

More on Marc Mayrand and electronic voting in Canada

Outgoing Chief Electoral Officer Marc Mayrand wants to explore the use of electronic technology in the polling place for Canadian national elections. It’s not entirely clear what kind of technology. In his recommendations he points to the use of vote counting computers. Speaking to CBC’s The House on December 2, 2016, starting at 09:40 in, he speaks more generally about electronic voting.

Marc Mayrand 02-Dec-2016 electronic voting

I think the next step for Elections Canada is to bring technology at the polls. … If we could automate the processes at the polls, there would be fewer errors. … we also need to think about a form of electronic voting. Again technology is changing quickly, there’s new [technologies] that are more robust from a point of view of integrity and security and auditability, so we need to explore those [technologies] and begin at some point testing it.

He also spoke about this in an earlier interview, again on CBC’s The House, on September 30, 2016, starting basically at the beginning (0:07 in).

Marc Mayrand 30-Sept-2016 modernizing voting system

I think we need to increase our reliance on technology. Our system is entirely paper-based, it’s entirely manual, it’s very rigid, and it’s not scalable. … We want to get rid of the paper as much as we can. We want to automate processes, forms… filling those paper forms is also often a source of errors.

Right now our entire voting process fits on a single page. That’s not rigid, that’s beautiful code.

The Source Code of Canadian Democracy

(Slide from my presentation to Shopify about Internet voting.)

The outgoing Chief Electoral Officer is recommending we replace that one nationwide standard process with counting processes, including vote counting computers, as determined solely by the Chief Electoral Officer. I think this would be a major step backwards for Canada’s elections.

It’s hard to know how the recommendation about the use of technology at the polling places is being received, because  other than the first meeting, all 9 of the subsequent meetings on the topic to date at the Standing Committee on Procedure and House Affairs (PROC) were closed (in camera; a meeting with a lock symbol).

These discussions are taking place in an environment where almost no one involved is a technology expert, let alone a voting technology expert, and where there has been no broad discussion in the media about electronic voting.  The consultation process associated with electoral reform did ask about electronic voting (despite not having a clear mandate to do so), but provided no briefing or even definition of electronic voting to provide context for discussions.

So basically as usual we’re making decisions about technology without involvement of technology experts, and without any information provided either from the government or by the media.

It is not clear how the public can provide input into the discussions, other than by contacting PROC.

PROC@parl.gc.ca

(“Yesterday” in the image below means December 6, 2016.)

PROC closed meetings about Chief Electoral Officers report 2016