Electronic and Internet voting are a danger to democracy. This blog is dedicated to preserving the existing Canadian paper-based, hand-counted voting system.
Category: electronic voting
Newfoundland and Labrador
April 21, 2021 – All-Party Committee Established to Modernize the Elections Act
May 26, 2021 – Members of All-Party Committee to Modernize the Elections Act Confirmed
EngageNL – Legislative Review of the Elections Act, 1991 (consultation closed January 31, 2022)
Committee members would do well to read the Internet Voting Privacy and Security Risks report from OIPC Newfoundland.
There are no, zero, standards for voting technologies in Canada. It’s kind of mindboggling considering we use both computer vote counting in some provinces, as well as Internet voting in some municipalities.
Thankfully Ontario recognized this and recommended establishing standards and certification for elections technology.
That recommendation has now been implemented, in the
Advisory Committee on Standards for Voting Technologies
The committee is made up of individuals chosen by each political party in the Legislative Assembly of Ontario and three other members appointed by the Chief Electoral Officer.
To date there have been three meetings:
No other material has been posted online.
If you have any questions about the committee, please call 1.855.440.4041 or email advisory.committee@elections.on.ca
I’m going to preface this with a plea: if an electronic voting (Internet voting) system proceeds, please involve computer security, voting system, voting technology, user experience, and web design experts from inside and outside of the government.
Also, for any journalist reporting on this: it does not mean that we could use Internet voting in a general election. Parliamentary votes are not anonymous and not secret. Parliamentarians vote by literally standing up in front of everyone else. It’s a public vote.
I will also mention that in 2016 the ERRE committee already recommended, and in 2017 the government accepted, that there should be no Internet voting in general elections.
In the Parliamentary context, if they wanted to make this simple, they could just have a voice vote over videoconference (one by one, unless you want vocal chaos), or have people hold up their hands one-by-one (with alternatives for people with different abilities), or even have people hold up cards on videoconference that say “Yea” or “Nay”. It’s nothing like an anonymous secret ballot general election.
On May 15, 2020 the Canadian House of Commons Standing Committee on Procedure and House Affairs (“PROC”) released its fifth report of this session: Parliamentary Duties and the COVID-19 Pandemic. I will focus only on section Discussion – A. Observations and recommendations – ii. Legal and procedural matters – (e) Voting.
Committee recommendations are not binding on the Government; the course of action will depend on the Government’s response.
The Committee therefore recommends:
That the House of Commons set up a secure electronic voting system for conducting votes in virtual sittings as soon as possible in order to guarantee the right of members to vote safely in the event of a pandemic or any other exceptional circumstances threatening their safety and/or that of their families and communities.
Par conséquent, le Comité recommande :
Que la Chambre des communes mette sur pied un système électronique de vote sécurisé pour la tenue des votes dans le cadre des séances virtuelles, et ce, aussitôt que possible, afin de garantir le droit des députés à voter en toute sécurité en cas de pandémie ou dans toute autre circonstance exceptionnelle menaçant leur sécurité et/ou celle de leurs proches et de leurs communautés.
Note that these procedure changes are intended to be temporary.
(b) Temporary nature of procedural changes
Witnesses appearing before the Committee have been unanimous in their viewpoint that any changes made to the procedures and practices of the House of Commons should be temporary and made in response to the challenges of the COVID-19 outbreak.[85]
[85] For example, see House of Commons, Standing Committee on Procedure and House Affairs, Evidence, 1st Session, 43rd Parliament, Meeting 11, 23 April 2020, 1240 (Emmett Macfarlane, University of Waterloo); and [Hon. Anthony Rota, Speaker of the House of Commons], 1120. [original footnote link: [85]]
Following the submission of the recommendations, the Government has tasked the committee with producing a report on how to enact remote voting by June 23, 2020.
See the end of this post for the current process of Putting the Question, as it is called. I will walk through each of the voting scenarios as it applies to remote presence and then Internet voting. The basic consideration is that anonymous or mass voting (simultaneous shouting) is not possible online.
Speaker puts the question.
So I’m not actually convinced you need Internet voting. Except for voice division, you could just call on people one by one over videoconference the same way we already do when they are physically present in the House.
UPDATE 2020-06-02: There are additional procedure considerations when conducting remote voting. For example, I don’t know of any way to challenge the results of a division once the Clerk has tallied the votes. In the UK, they gave the Speaker the authority to re-run a remote division if necessary, if issues were detected.
The Speaker has the authority to call a revote:
If problems in the conduct of a remote division which might have affected the result are reported after the result is announced, the Speaker may declare the division to be null and void and make arrangements for it to be re-run.
END UPDATE
I’m not sure what the driver for introducing electronic voting (Internet voting) would be, other than the hope that it would be faster than calling on people over videoconference. It means a big and rapid investment in authentication infrastructure, web infrastructure, and software design.
The UK implementation of “remote voting” built on an entire pre-existing infrastructure, was developed by a dedicated UK Parliamentary Digital Service, and still encountered challenges. I’m not sure that Canada has the same technology infrastructure in place, and we definitely don’t have a Canadian Parliamentary Digital Service.
Hidden inside that single word “secure” in the Procedure Committee (PROC) recommendation is a whole world of technology complexity.
There really needs to be a separate, dedicated, technology-focused report just on electronic voting (Internet voting) for the House of Commons that gives more specific guidance including an assessment of risks and risk mitigations.
UPDATE 2020-05-27: The committee has been called upon to produce a report on how to enact remote voting by June 23, 2020. See my blog post How to enact remote voting for the Canadian House of Commons for more information. END UPDATE
As I indicated in my post about the UK system, you have to consider a variety of complex issues when introducing a voting system.
Considerations for a voting system include the chain-of-custody, as multiple systems are most likely involved with the transmission and counting of the vote, concerns about auditability and concerns about security, as well as usability.
Auditability is a really challenging one. Basically either each individual MP would have to check that their vote has been counted based on their intention, and even then, they’re no longer all standing in a room where they can see how other members voted. Unlike counting people in a room, online it’s hard if not impossible to get a good sense of whether the vote count reflects the votes cast.
Auditability considerations are somewhat mitigated by the party system, in which votes are whipped and party whips will check to see that members voted as expected. Auditability is an even greater concern in the case of a free vote.
Usability is a key consideration for any new interface. It only took a day for some UK members to vote the opposite way from what they intended.
Security is also a challenging one given that computers can lie, with customized malware capable of showing one result (e.g. a Yea vote) on screen and sending another (e.g. a Nay vote) to the voting software. In that light, it’s worth mentioning that every month there is a Patch Tuesday, with May’s software updates including both Microsoft and Adobe releasing patches for vulnerabilities (“A remote attacker could exploit some of these vulnerabilities to take control of an affected system.”)
There is also a larger question, deeply related to human intentionality, about the physical and psychological differences between literally standing to be counted versus tapping a square on a screen.
The House would do well to draw upon the Government’s existing guidance for modern software development, including the Digital Standards. The Standards surface a number of key approaches that help mitigate the risks of software development, including:
You can see all the briefs submitted in evidence to this study. The only ones relevant to electronic voting (Internet voting) :
Parliamentary voting, on the other hand, is entirely workable from a cybersecurity perspective because it differs from general elections in three crucial ways.
First, an MP’s vote is a matter of public record, which makes it possible to verify it was correctly recorded and counted. Second, the federal government has the resources to provide MPs with the necessary cybersecurity infrastructure to ensure the protection of electronic information. Third, the government has the capacity to provide MPs training on procedures necessary to ensure votes are successfully entered into the record.
Bearing in mind the ever-present failings of computer-based systems, if the House decides to function in a virtual fashion, perhaps even on a temporary basis, it should gather two fundamental and vital working groups from among the staff of the House Administration:
- a working group of legal advisors to engage in liaison with like-minded jurisdictions, especially from Commonwealth states, designed to exchange information on the best ways to ensure democracy, constitutionalism and the maintenance of parliamentary privilege, and
- a working group of technical experts, whose principal task would be to design failsafe methods for the protection of MPs identity in their access to the system.
In order to render a virtual functioning of the House of Commons viable, the highest grade of hardware and software should be placed at the disposal of Member. Particular care should be taken in methodologies to verify each participating Member’s identity. In its preparation for the 43rd federal general election, Elections Canada worked extensively to prevent computer intrusion and fraud. That experience could be put to good use here.
If you find it surprising that only 1 of 14 briefs submitted would have independent expert technology analysis, the normal number of briefings from computer science subject matter experts submitted to a Canadian Parliamentary committee is sadly zero. Witnesses called to present at committee and briefs submitted are overwhelmingly individuals with political science or social science backgrounds. In the 2016 Special Committee on Electoral Reform (ERRE) they called a single computer science expert in online voting, out of 196 witnesses called, even though online voting was a specific subject of consideration for the committee.
Canadian Parliamentary committees need to do better in seeking out computer science subject matter expertise. On this topic, I will mention I have a list of over a dozen experts with Internet voting and computer security expertise.
The issue of electronic voting within the House has been considered. House of Commons Procedure and Practice, Third Edition, 2017 (referred to as Bosc and Gagnon) says basically there hasn’t been any recent action to implement electronic voting.
Chapter 12 – The Process of Debate – Decisions of the House – Calling the Vote and Announcing the Results – The Issue of Electronic Voting
The Issue of Electronic Voting
Proposals to install a system for electronic voting in the Chamber have been made over the years with a view to improving the management of the time of the House.382 In 1985, the Second Report of the McGrath Committee recommended computerized electronic voting, but the matter was not taken up by the House.383 In 1995, the Standing Committee on Procedure and House Affairs, noting that the practices of deferring several votes to the same day and time, and of applying results of votes, had “greatly speeded up the voting process”, recommended that the House not proceed at that time to a system of electronic voting.384 In 1997, the Committee briefly returned to consideration of the question of electronic voting, but did not report to the House.385 In 2003, a special committee endorsed the principle of electronic voting in the Chamber and recommended in two of its reports to the House that the necessary electronic infrastructure be installed in the Chamber during the summer of 2004.386 While the greater part of this infrastructure was installed as recommended, no further action has been taken in respect of electronic voting.
I’ve left in place the footnote links to the Procedure and Practice website, rather than pulling them all out within this blog post.
I have written a previous blog post considering this issue: Electronic voting in the Canadian House of Commons.
UPDATE 2020-05-21 & 2020-06-03: Two briefs were submitted by the Speaker.
May 11, 2020 – Virtual Chamber: A Report in Response to the Statement of the Speaker of the House on April 8, 2020 – May 7, 2020 – Version 2.0 (PDF) is available. It has a brief section related to remote voting under the heading “Decision making” on page 18. It’s a report from the House of Commons Administration on their considerations and analysis of what is possible; it’s not the same as a committee report.
A followup brief – May 13, 2020 – Virtual Chamber: key procedural issues (PDF).
END UPDATE
As one might expect, Bosc and Gagnon provides a detailed explanation of the voting process in the House.
Chapter 12 – The Process of Debate – Decisions of the House – Putting the Question
You can read all the details there, but I have to include the marvelous Figure 12.3 Putting the Question. Law as code, if you will.
In Ontario, there are no standards in place for choosing, testing, certifying or auditing election technology, including the online voting used in Ontario municipal elections.
This is a huge gap that has opened the door to what is currently basically an unregulated process where individual municipalities choose whether or not to use Internet voting and then procure vendor-based solutions without any guidance.
UPDATE 2022-05-23: The standards committee has been created, see blog post Elections Ontario Advisory Committee on Standards for Voting Technologies. END UPDATE
It is heartening to see Elections Ontario recognize the gap in standards for voting technology in its Report on Ontario’s 42nd General Election (Modernizing Ontario’s Electoral Process, June 7, 2018). Elections Ontario makes a long recommendation which I am going to quote in full
Establish common evaluative standards and a certification process for election technology
The Chief Electoral Officer recommends that Ontario establish common evaluative standards and a certification process for technology used in the electoral process in Ontario.
Technology holds a lot of promise for the elections of the future. Increasingly, Ontarians expect that technology will be used to make voting easier, offer more choice to electors for when, where and how to vote, and find efficiencies in the electoral process. Electoral management bodies, including Elections Ontario, are increasingly turning to technology to solve logistical challenges.
In Ontario, the adoption of technology into the electoral process has been done in an ad-hoc way since the late 1980s, and has been led by municipalities. This approach made sense when voting technologies were new and there were no best practices from which to draw. It also allowed municipalities to pioneer technology and discover fit-for-purpose solutions to address their local needs.
With more than 20 years of practical experience at hand, we are at a point where we are actively learning from our past so that we can create best practices and develop future guidelines. Standards can provide consistent guidance for municipalities and the province as we adopt proven technologies using a principled and measured approach.
It is critical that our approach to technology be intentional and evidence-based. Even as the public expects electoral management bodies to find efficiencies through technology, they are also increasingly aware of the possible failures of technology. While there are many benefits to using technology, there are risks involved, as illustrated by recent failures of systems at large organizations.
As the public becomes more informed about software, malware and manipulation of technology data systems, they are increasingly interested in knowing exactly how election technology preserves the integrity of our electoral process and the confidentiality of their personal information. For the public to trust the integrity of the electoral process they must be assured that:
- Technology used to cast a vote will accurately count the vote as intended.
- Technology used to cast a vote will uphold the secrecy of the vote.
- Technology used to tabulate votes will be verifiable and protected from tampering.
- Technology used to transmit election results will be verifiable and protected from tampering.
- Technology will not result in the breach of their confidential and personal information.
To ensure we maintain public trust in our electoral system as we adopt technology, the Chief Electoral Officer recommends that Ontario establish a set of common evaluative standards and guidelines. These will advise election administrators as they consider which technology to adopt, how to evaluate the technology, and the specific technical standards to consider for adopted technology.
This is a very significant step forward for Elections Ontario. In particular I laud the phrase “It is critical that our approach to technology be intentional and evidence-based.”
There is also a strong statement of principles at the end of the report
We continue to balance making voting easier for Ontarians with the need to preserve the integrity of the electoral process. We want to provide modernized, flexible, and convenient ways to vote, but cannot compromise the core covenants of our democracy: accessibility, one vote per elector, secrecy, integrity and security. As we continue on this modernization journey, these values will continue to be at the centre of the work we do.
As a starting point, the principles above are very good, and to them I would add the implementation criteria from Ontario’s own 2013 report on Alternative Voting Technologies.
Our implementation criteria are:
- Accessibility:
The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.- Individual verifiability:
The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.- One vote per voter:
Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).- Voter authentication and authorization:
The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.- Only count votes from valid voters:
The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.- Voter privacy:
The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.- Results validation:
The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.- Service availability:
The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.
However, those principles need to be refined for a computer-based system, which the report also does
If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:
- Source code audit to verify that the code will do only what it is intended to do.
- Digital signature of the audited source code to protect its authenticity and integrity.
- Trusted build of the executable code in front of auditors (based on audited source code).
- Signature of the executable code to protect its authenticity and integrity.
- Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
- Logic and accuracy testing of the voting system to validate it works properly.
- Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
- Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
- Individual voter verification that proves their ballots were used in the final tally (by using special receipts).
A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.
Those are strong starting points, and even more so because they emerge from Ontario’s own multi-year research into the subject.
That being said, Ontario also needs to heed the conclusion of the Alternative Voting Technologies report:
At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.
It is possible that the introduction of standards for municipal online voting could open the door to provincial online voting, and indeed the very-high-level Elections Ontario Strategic Plan 2019 – 2023 (PDF) says
Advance modern elections in a measured and principled manner
- Assess and analyze the environment to inform the modernization of future elections.
- Better understand electors’ needs and behaviours to build modern and responsive services.
- Recommend legislative change to support modernization of electoral services.
- Pilot modernization initiatives through by-elections.
It’s not at all clear what this “modernization” might include.
It is critical that both the current deployment and any potential further expansion of online voting should be subject to extensive analysis by computer security experts.
By applying an evidence-based approach to technology with extensive public, independent, unrestricted testing of election technology, Elections Ontario has the opportunity to move from what it acknowledges has been an ad-hoc approach to one that brings the appropriate levels of standards, testing, certification and auditing in what is a high-risk cybersecurity environment.
Additionally, Elections Ontario needs to close an auditing gap by putting in place risk-limiting audits for the computer vote counting it is now using for provincial elections. We cannot simply trust the counts produced by the vote tabulators (because computers can be programmed to produce whatever result the programmer wants); we must have a public audit to increase the confidence in the results.
I hope that municipalities and the provincial government will accept that putting standards in place may result in the decertification and withdrawal of voting technology, as has happened when “electronic voting machines” were examined in the United States and when Switzerland made one of its online voting solutions available for public testing.
Paper Vote Canada 2 