Category: electronic voting

Elections Ontario recommends establishing standards and certification for elections technology

In Ontario, there are no standards in place for choosing, testing, certifying or auditing election technology, including the online voting used in Ontario municipal elections.

This is a huge gap that has opened the door to what is currently basically an unregulated process where individual municipalities choose whether or not to use Internet voting and then procure vendor-based solutions without any guidance.

It is therefore heartening to see Elections Ontario recognize this gap in its Report on Ontario’s 42nd General Election (Modernizing Ontario’s Electoral Process, June 7, 2018).  Elections Ontario makes a long recommendation which I am going to quote in full

Establish common evaluative standards and a certification process for election technology

The Chief Electoral Officer recommends that Ontario establish common evaluative standards and a certification process for technology used in the electoral process in Ontario.

Technology holds a lot of promise for the elections of the future. Increasingly, Ontarians expect that technology will be used to make voting easier, offer more choice to electors for when, where and how to vote, and find efficiencies in the electoral process. Electoral management bodies, including Elections Ontario, are increasingly turning to technology to solve logistical challenges.

In Ontario, the adoption of technology into the electoral process has been done in an ad-hoc way since the late 1980s, and has been led by municipalities. This approach made sense when voting technologies were new and there were no best practices from which to draw. It also allowed municipalities to pioneer technology and discover fit-for-purpose solutions to address their local needs.

With more than 20 years of practical experience at hand, we are at a point where we are actively learning from our past so that we can create best practices and develop future guidelines. Standards can provide consistent guidance for municipalities and the province as we adopt proven technologies using a principled and measured approach.

It is critical that our approach to technology be intentional and evidence-based. Even as the public expects electoral management bodies to find efficiencies through technology, they are also increasingly aware of the possible failures of technology. While there are many benefits to using technology, there are risks involved, as illustrated by recent failures of systems at large organizations.

As the public becomes more informed about software, malware and manipulation of technology data systems, they are increasingly interested in knowing exactly how election technology preserves the integrity of our electoral process and the confidentiality of their personal information. For the public to trust the integrity of the electoral process they must be assured that:

  • Technology used to cast a vote will accurately count the vote as intended.
  • Technology used to cast a vote will uphold the secrecy of the vote.
  • Technology used to tabulate votes will be verifiable and protected from tampering.
  • Technology used to transmit election results will be verifiable and protected from tampering.
  • Technology will not result in the breach of their confidential and personal information.

To ensure we maintain public trust in our electoral system as we adopt technology, the Chief Electoral Officer recommends that Ontario establish a set of common evaluative standards and guidelines. These will advise election administrators as they consider which technology to adopt, how to evaluate the technology, and the specific technical standards to consider for adopted technology.

This is a very significant step forward for Elections Ontario.  In particular I laud the phrase “It is critical that our approach to technology be intentional and evidence-based.”

There is also a strong statement of principles at the end of the report

We continue to balance making voting easier for Ontarians with the need to preserve the integrity of the electoral process. We want to provide modernized, flexible, and convenient ways to vote, but cannot compromise the core covenants of our democracy: accessibility, one vote per elector, secrecy, integrity and security. As we continue on this modernization journey, these values will continue to be at the centre of the work we do.

As a starting point, the principles above are very good, and to them I would add the implementation criteria from Ontario’s own 2013 report on Alternative Voting Technologies.

Our implementation criteria are:

  • Accessibility:
    The voting process is equally accessible to all eligible voters, including voters with disabilities. The voting process will be performed by the voter without requiring any assistance for making their selections.
  • Individual verifiability:
    The voting process will provide means for the voter to verify that their vote has been properly deposited inside the virtual ballot box.
  • One vote per voter:
    Only one vote per voter is counted for obtaining the election results. This will be fulfilled even in the case where the voter is allowed to cast their vote on multiple occasions (in some systems, people can cast their vote multiple times, with only the last one being counted).
  • Voter authentication and authorization:
    The electoral process will ensure that before allowing a voter to cast a vote, that the identity of the voter is the same as claimed, and that the elector is eligible to vote.
  • Only count votes from valid voters:
    The electoral process shall ensure that the votes used in the counting process are the ones cast by valid eligible voters.
  • Voter privacy:
    The voting process will prevent at any stage of the election the ability to connect a voter and the ballots cast by the voter.
  • Results validation:
    The voting process will provide means for verifying if the results clearly represent the intention of the voters that participated in the voting process.
  • Service availability:
    The election process and any of its critical components (e.g., voters list information, cast votes, voting channel, etc.) will be available as required to voters, election managers, observers or any other actor involved in the process.

However, those principles need to be refined for a computer-based system, which the report also does

If the implementation of the network voting system does not both support the Chain of Trust and provide auditable evidence, then the process is open to question. This Chain of Trust is a compilation of all the following measures:

  1. Source code audit to verify that the code will do only what it is intended to do.
  2. Digital signature of the audited source code to protect its authenticity and integrity.
  3. Trusted build of the executable code in front of auditors (based on audited source code).
  4. Signature of the executable code to protect its authenticity and integrity.
  5. Deployment of the executable software in a clean system. Logical sealing of the system to detect any later additions.
  6. Logic and accuracy testing of the voting system to validate it works properly.
  7. Continuous audit of the voting system during the election, through review and validation of logs and other data. The logs must be protected from external manipulations by using cryptographic measures.
  8. Post-election audit that validates that the system behaved correctly by reviewing the logical seals and the protected logs.
  9. Individual voter verification that proves their ballots were used in the final tally (by using special receipts).

A strong emphasis must be placed on audit. Independent auditors must be able to review the source code, verify the build and deployment, audit system logs during the election event, and finally to review both the counting process and the results.

Those are strong starting points, and even more so because they emerge from Ontario’s own multi-year research into the subject.
That being said, Ontario also needs to heed the conclusion of the Alternative Voting Technologies report:

At this point, we do not have a viable method of network voting that meets our criteria and protects the integrity of the electoral process.

It is possible that the introduction of standards for municipal online voting could open the door to provincial online voting, and indeed the very-high-level Elections Ontario Strategic Plan 2019 – 2023 (PDF) says

Advance modern elections in a measured and principled manner

  • Assess and analyze the environment to inform the modernization of future elections.
  • Better understand electors’ needs and behaviours to build modern and responsive services.
  • Recommend legislative change to support modernization of electoral services.
  • Pilot modernization initiatives through by-elections.

It’s not at all clear what this “modernization” might include.

Conclusion

It is critical that both the current deployment and any potential further expansion of online voting should be subject to extensive analysis by computer security experts.

By applying an evidence-based approach to technology with extensive public, independent, unrestricted testing of election technology, Elections Ontario has the opportunity to move from what it acknowledges has been an ad-hoc approach to one that brings the appropriate levels of standards, testing, certification and auditing in what is a high-risk cybersecurity environment.

Additionally, Elections Ontario needs to close an auditing gap by putting in place risk-limiting audits for the computer vote counting it is now using for provincial elections.  We cannot simply trust the counts produced by the vote tabulators (because computers can be programmed to produce whatever result the programmer wants); we must have a public audit to increase the confidence in the results.

I hope that municipalities and the provincial government will accept that putting standards in place may result in the decertification and withdrawal of voting technology, as has happened when “electronic voting machines” were examined in the United States and when Switzerland made one of its online voting solutions available for public testing.

Considering online voting including Estonia

There are three fundamental challenges with public discussions about online voting:

  • The majority of computer scientists, particularly computer scientists with expertise in voting systems, recommend again online voting, but journalistic false balance often presents this as one computer scientist vs. one online voting advocate.
  • The dedicated resources available from nations and vendors to promote online voting vastly outweigh the nondedicated volunteer resources available from computer security experts to explain the issues with online voting.
  • Voting appears simple but is actually complex, with many essential requirements that are hard to capture in a soundbite.  This makes it easier to make a convincing-sounding but incorrect “common sense” convenience argument for online voting than to make the correct technical requirements counter-argument.

Consensus Opinion

Basically if the press were actually representative about this “debate”, it would be like John Oliver’s classic expert-weighted debate, with 97 experts on one side and 3 sceptics on the other.  So any time you see an online voting “debate” on TV or in print, I want you to imagine 97 expert computer scientists recommending against online voting, and 3 promoters with various agendas advocating for it.

I don’t have the ability to construct that kind of visual, but just to make it clear, what I am writing recommending against online voting is not just one voice, and it’s not just 16 leading computer security experts, it’s the overwhelming consensus view. It’s the view in the computer scientist community.  In 2004 the Association for Computing Machinery, the world’s largest scientific and educational  computing society (with a membership now of approximately 100,000) issued a Statement on Voting Systems, which includes the following text

voting systems should enable each voter to inspect a physical (e.g., paper) record to verify that his or her vote has been accurately cast and to serve as an independent check on the result produced and stored by the system.

It’s this consensus view that is summarized by the City of Toronto

The overwhelming consensus among computer security experts is that Internet voting is fundamentally insecure and cannot be safely implemented because of security vulnerabilities inherent in the architecture and organization of both the Internet and commonly used software/hardware

And if you wish there were some process to assemble a scientifically representative consensus into a document, well, I have good news.  The US National Academies of Sciences, Engineering and Medicine (NASEM) knows exactly how to run a process to report on expert consensus, and they did.  Their report recommends against Internet voting.

Secure Internet voting will likely not be feasible in the near future.

So to be blunt, if you’re in favour of online voting, you’re against the scientific consensus.  You’re also against the conclusion of 99.5% of the countries in the world.

National Online Voting Only In One Country

There are approximately 200 countries in the world.  Of those, the number of countries that offer online voting for all citizens in all elections is one.  One country of approximately 1.3 million citizens, where the total number of votes cast in each election is roughly 600,000.  Where the majority of voters still cast their votes on paper, on election day.

One country where offering online voting is part of branding the nation as e-Estonia, including consistent promotion.  Does your country invest in promoting its election system internationally?  Maybe that’s why there aren’t many international news stories about your country’s voting system, but there are lots about Estonia’s.

Computer security experts simply don’t have the scale and reach that a national public relations initiative has.

It takes months of dedicated journalism to do a comprehensive story about the issues with online voting.  Which, fortunately Eric Geller did: Online voting is a cybersecurity nightmare.

Unfortunately, the reality of deadlines, lack of expertise in computer security and lack of expertise in the actual requirements for voting systems means that most articles don’t go into the same depth.

As a result, reporting on Estonia’s online voting tends to be relentlessly positive.

But in article after article there are also a number of things that don’t get said about Estonian elections, including:

  • turnout declined in the last national election, in the last two local elections, and in the 2014 European Parliamentary election
  • turnout in the 2015 Estonian national election was lower than turnout in Canada and the UK

Estonia national turnout 2015

  • the smallest number of votes cast is by the 18-24 year old age group
  • online voting is offered for advance voting only, and requires a national digital identification infrastructure
  • Although Estonia has observing, auditing and testing procedures, the only time international computer security experts were invited to observe the process was in 2014.  Those outside observers found “There were staggering gaps in procedural and operational security, and the architecture of the system leaves it open to cyberattacks from foreign powers”. Since that report, international computer security experts have not been invited back.

You can read about the 2014 study in Practical Attacks on Real-world E-voting, 7.3.2 Estonia’s Internet Voting System. Or you can watch J. Alex Halderman explain it

SIDEBAR: The 2016 study by the Cyber Studies Programme at the Department of Politics and International Relations, University of Oxford.

The University of Oxford conducted a study of Estonia’s Internet voting in 2016, entitled The Estonian Internet Voting System – An Independent Assessment of the Procedural Components.

It’s important to note the “procedural components” part of the description.  The study (PDF) states specifically:

We review the general procedural security components of the system, particularly procedural security controls, …. We therefore do not focus on software engineering or encryption related issues in the computer systems.

Additionally, this study was based on reported procedures, not direct observation.

Finally, we must state that there is one main limitation to our work. This relates to the fact that our research relies on interview reports on voting processes and systems from individuals in Estonia, as opposed to direct observation of the I-Voting system in process.

The 2016 Oxford study is therefore not comparable in either scope or methods to the direct observations of the international experts in the 2014 Independent Report on E-voting in Estonia.

END SIDEBAR

All Countries That Study Online Voting Reject It

At a national level, Internet voting has been studied by the Parliament of Australia, by a Canadian Parliamentary Committee, and by Finland.  Each study recommended against online voting.

Lithuania was considering online voting, but as best I can conclude through a layer of Google translation, has rejected it on national security grounds.

“Interior Minister Eimutis Misiūnas is still skeptical about online voting, according to him, until there is an absolute guarantee of security, elections must take place in a traditional way.”

LRT.lt – E. Misiūnas dėl balsavimo internetu – kol kas skeptiškas (March 1, 2018)

Rytis Rainys, Director of the National Cyber ​​Security Center, is not sure about the security of online voting.
“Fears about cyber security are one of the main reasons why this process stops,” he said. – These fears are not only justified but also based on facts, mass incidents that we have in Lithuania.”

LRT.lt – Internetu balsuojanti estė: tai nepalanku kai kurioms partijoms (February 28, 2019)

Online Voting And National Security

When Deloitte studied cybersecurity as it relates to elections for Australia, they found

The main concern is not the actual damage that cyber attacks can cause to individual electoral system components, although it exposes the individual jurisdiction to significant reputational damage. The bigger concern is that any reports of attempted or successful breaches gives adversaries the ability to sow doubt in the security and integrity of electoral processes.

Australia – Electoral Cyber Security Maturity Review: Whole of Nation Report (Deloitte Touche Tohmatsu report CN3550609 for the Department of Home Affairs – October 2018 – redacted)

So it’s not just that an online election can and will be attacked, it’s that the obscurity and lack of transparency of an online election opens it up to the opportunity of undermining trust in elections as a whole.

These are real threats.  Canada’s Centre for Cyber Security says

In 2018, half of all advanced democracies holding national elections had their democratic process targeted by cyber threat activity. This represents about a three-fold increase since 2015 and we expect the upward trend to continue in 2019.

2019 Update: Cyber Threats to Canada’s Democratic Process – Executive Summary

Online Voting Fails In Independent Testing

But even if you’re not convinced by the fact that the majority of computer scientists, and the majority of nations, and national security advisors are all against online voting, what about a real-world independent test?

Well, Switzerland fortunately has a legal framework in place that requires independent testing of proposed online voting solutions.

And when their online voting was independently examined (outside of the restrictions they had placed on the testing), it was found to be insecure. So they have withdrawn it.

Online Voting Fails When Deployed

Online municipal voting in Ontario failed in 2010 and again in 2018.

Home Computers Are Insecure

And remember you don’t just have to be concerned that the online voting code itself is insecure, people vote from their home computers, over the Internet to centralised servers.  Elections agencies have no control over the security of home computers and the Internet, and they have no control over when major security flaws will be discovered and patches will be released.  Such as for example the week of May 13th, 2019, when there was:

In fact, the US Computer Emergency Readiness Team (US-CERT) listed 99 (yes, ninety-nine) high-severity computer security vulnerabilities just for the week of May 13, 2019 alone.  And all of those computer security vulnerabilities, some of which will take weeks or months for consumers and organisations to patch (if ever), they all took place in the same week that Estonia opened its online voting on May 16th.  So you can be guaranteed that people were voting from insecure computers.

Vendors Control Most Internet Voting

And in addition to all of those factors, the reality in Canada and most other countries is that elections technology is created by third-party, for-profit vendors who shield their code and processes from inspection using intellectual property law.  This means elections are effectively outsourced to opaque third-party organisations.  I’ve written about this in the context of Ontario’s computer vote counting, and I would add that Ontario specifically stated their need to work closely with vendors

Throughout the planning phase, we worked closely with our vendors to establish accurate requirements, conduct necessary testing, determine support, and ensure the integrity of the election was never compromised. We were able to integrate vendors into the design and administration of the election, and we look forward to a strong working relationship with our vendors into the future.

Elections Ontario – Modernizing Ontario’s Electoral Process: Report on Ontario’s 42nd General Election June 7, 2018 – Section 2: Planning a Transformative Election, B. Building the Team, Vendors

Tell me, if you wanted to increase the connection that the public feels with its election system, if you wanted to bridge the gap between the public and its democratic system, would your first choice be less involvement of the public?  Because “integrating vendors” means removing the public from the inner workings of the election system itself.

And if you think at least the vendors must be experts in computer security, their record is abysmal.  In the 2007 Ohio EVEREST study, independent researchers found

“exploitable security weaknesses in all three vendors’ systems”

Ohio EVEREST Voting StudyStatement

Conclusion

With all that to consider, if you only have one takeaway from this entire blog post it is this:

you must demand public, independent, expert testing without restrictions before you place your confidence in online voting

Such testing has not taken place for the online voting in Ontario and Nova Scotia municipal elections.

There are too many other problems with online voting for me to summarize in what is already a long blog post, so I will conclude with two previous summaries I have done:

Open Source code and Canadian elections

Here’s what I wrote in response to some confusion about Canadian elections in the comments on Schneier on Security blog post DARPA Is Developing an Open-Source Voting System

Sfan and Earnest – In response to Sfan’s statement “FWIW, Elections Canada used a paper & marker ballot system and a human & paper based voter validation system until 2015.”

Elections Canada runs federal elections only, and continues to use hand-marked paper ballots that are hand counted. See e.g. https://twitter.com/ElectionsCan_E/status/1105136418639233024

You might be confusing Elections Canada with Elections ONTARIO, which has recently switched from hand-counted ballots to vote counting computers for provincial elections. With, I might add, zero provision for risk-limiting audits.

Municipal elections in Ontario, which are governed by provincial election law, use a mix of vote counting computers (as in the City of Ottawa) and completely unregulated Internet voting. Internet voting run by third-party for-profit companies with zero public availability of source code, zero public security testing, and no legislative provisions for either.

In terms of the substance of Schneier’s blog post, there are also some issues. He quotes

The system will use fully open source voting software, instead of the closed, proprietary software currently used in the vast majority of voting machines, which no one outside of voting machine testing labs can examine. More importantly, it will be built on secure open source hardware, made from special secure designs and techniques developed over the last year as part of a special program at DARPA [Defense Department’s Defense Advanced Research Projects Agency].

(Emphasis on special mine.)

Issues to consider:

  • Open source is better (because it can be inspected) but ultimately useless as a voting computer improvement because you cannot prove what code is running on a computer.
  • In theory you can address the issue of what code is running by having secure hardware but there is no perfect hardware security, just like there is no perfect software security.  Additionally, election security is about universally understandable verifiability.  Any citizen should be able to understand the election process and the results.  “Trust us, this special hardware is secure” is no different than “trust us while we go in this special locked room and secretly produce the election results”.
  • Similarly, in theory you can use cryptographic techniques to improve the security and verifiability of the election, but the only people who can actually understand them is a tiny set of cryptographers.  To everyone else you’re saying “trust us, this special crypto code is secure” which is no different than “trust us while we go in this special locked room and secretly produce the election results”.

Having open source is better, having public inspection and testing of the code is better, having verified cryptography is better, but none of these improvements to computer vote counting address the fundamental issue which is that you can’t do computer vote counting in a way that is transparently understandable by every voter, and so you shouldn’t be doing computer vote counting at all.

Plus which, in practice you can’t tell what code is running on a computer anyway, because computers can lie.  Computer programs are written by people; people can lie, and so they can tell computers to lie.  You can ask the computer “are you running this open source code” and the computer can say “oh yes, absolutely” even as it triggers the hidden election day malware that slightly alters votes just enough to tip the result to a different candidate.

At most, when you have very complicated ballots as in the US you can consider doing computer vote counting with hand-marked paper ballots and a risk limiting audit.  But for Canada’s extraordinarily simple elections, computer vote counting adds needless complexity, obscurity and risk to an already optimised system.

That being said, if we are stuck with Internet voting in Canadian municipal elections, open source code and public security testing is absolutely essential, as much because it will demonstrate repeatedly that the source code is both ridiculously complicated and insecure, as for the fact that it helps reduce (but definitely not eliminate) security risks.

In other words, open source and public security inspections are only about making something we shouldn’t be doing in the first place less terrible.  They are not an actual solution.  The actual solution is not to have Internet voting and computer vote counting at all in Canadian elections.

Securing the Vote – US National Academies 2018 consensus report

The US National Academies of Sciences, Engineering and Medicine (NASEM) uses a comprehensive study process http://www.nationalacademies.org/studyprocess/ to ensure high standards of scientific and technical quality.

On September 6, 2018 they released their 2018 consensus report

Securing the Vote: Protecting American Democracy

The report is available to download as a PDF (login isn’t required, you can download as a guest) and is also posted to read online.  (See blog note 1 for the definition of a consensus report.)

The key conclusions highlighted in the introduction to the release are:

All U.S. Elections Should Use Paper Ballots by 2020 …; Internet Voting Should Not Be Used at This Time

Emphasis (bolding) above mine.

Ensuring the Integrity of Elections

Chapter 5: Ensuring the Integrity of Elections contains many sections relevant to voting technology.  Below are selected extracts only; please read the entire chapter for the full details.

Malware (pp. 86-87)

Malware can be introduced at any point in the electronic path of a vote—from the software behind the vote-casting interface to the software tabulating votes—to prevent a voter’s vote from being recorded as intended.

Maintaining Voter Anonymity (pp. 87-88)

With remote voting—voting outside of publicly monitored poll sites—it may not be difficult to compromise voter privacy. When voting, for example, by mail, fax, or via the Internet, individuals can be coerced or paid to vote for particular candidates outside the oversight of election administrators.

Election Cybersecurity

Election Cybersecurity (pp. 88-93)

Vulnerabilities arise because of the complexity of modern information technology (IT) systems and human fallibility in making judgments about what actions are safe or unsafe from a cybersecurity perspective. Moreover, cybersecurity is a never-ending challenge. It is unlikely that permanent protections against cyber threats will be developed in the near future given that cybersecurity threats evolve and that adversaries continually adopt new techniques to compromise systems or overcome defenses.

Election Cybersecurity: Cybersecurity and Vote Tabulation (p. 91)

Because there is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats, one must adopt methods that can assure the accuracy of the election outcome without relying on the hardware and software used to conduct the election. Uniform adoption of auditing best practices does not prevent tampering with the results collected and tabulated by computers. It can allow such tampering to be detected and often corrected.

I would clarify that it can only allow such tampering to be detected if there are paper ballots to audit.

Election Cybersecurity: Factors that Exacerbate Cybersecurity Concerns (p. 92)

Changing threat. Traditionally, the goal has been to secure against election fraud by corrupt candidates or their supporters who may attempt to favor a particular candidate by altering or destroying votes or tampering with the vote tally. The 2016 election vividly illustrated that hostile state actors can also pose a threat. These actors often possess more sophisticated capabilities and can apply greater resources to the conduct of such operations. Moreover, they may have other goals than shifting the outcome for a particular candidate.

Specifically they may be seeking to undermine confidence in the election process and systems, which is a different kind of attack than changing an outcome.  Any kind of visible or detectable interference such as defacing websites, Distributed Denial of Service (DDoS), or disclosure of information from within voting systems may achieve the goal of undermining confidence.

Election Cybersecurity: [Consensus] Findings (p. 92-93)

There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.

In comparison with other sectors (e.g., banking), the election sector is not following best security practices with regard to cybersecurity.

Even if best practices are applied, systems will not be completely secure.

Foreign state–sponsored attacks present a challenge for even the most responsible and well-resourced jurisdictions. Small, under-resourced jurisdictions are at serious risk.

Better cybersecurity is not a substitute for effective auditing.

I will highlight just one item from the review of End-to-end-verifiability, and I want to make it clear it is a conclusion about voting technology, not about end-to-end verifiability

Complicated and technology-dependent voting systems increase the risk of (and opportunity for) malicious manipulation.

Internet Voting

Internet Voting is covered on pages 101 to 106, including specific examination of Blockchains from pages 103 to 105.  Below are selected extracts only; please read the entire section in the document for the full details.

Internet Voting (pp. 101-106)

Insecure Internet voting is possible now, but the risks currently associated with Internet voting are more significant than the benefits. Secure Internet voting will likely not be feasible in the near future.

Emphasis (bolding) above mine.

Internet Voting: Blockchains (pp. 103-105)

blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities. In particular, if malware on a voter’s device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration.

Internet Voting: [Consensus] Findings (p. 106)

The Internet is not currently a suitable medium for the transmission of marked ballots, as Internet-based voting systems in which votes are cast on remote computers or other electronic devices and submitted electronically cannot be made adequately secure today.

The use of blockchains in an election scenario would do little to address the major security requirements of voting, such as voter verifiability. … In the particular case of Internet voting, blockchain methods do not redress the security issues associated with Internet voting.

Internet Voting: Recommendations (p. 106)

5.11 At the present time, the Internet (or any network connected to the Internet) should not be used for the return of marked ballots.35,36 Further, Internet voting should not be used in the future until and unless very robust guarantees of security and verifiability are developed and in place…

35 Inclusive of transmission via email or fax or via phone lines.

36 The Internet is an acceptable medium for the transmission of unmarked ballots to voters so long as voter privacy is maintained and the integrity of the received ballot is protected.

[1] Note: The NASEM defines a consensus report as follows

Consensus Study Report: Consensus Study Reports published by the National Academies of Sciences, Engineering, and Medicine document the evidence-based consensus on the study’s statement of task by an authoring committee of experts. Reports typically include findings, conclusions, and recommendations based on information gathered by the committee and the committee’s deliberations. Each report has been subjected to a rigorous and independent peer-review process and it represents the position of the National Academies on the statement of task.

[2] The report may be cited as e.g.

National Academies of Sciences, Engineering, and Medicine. 2018. Securing the Vote: Protecting American Democracy. Washington, DC: The National Academies Press. doi:10.17226/25120

UK 2005 Securing the Vote report and 2007 e-voting trials

Nothing remains of the May 2005 Securing the Vote report on the UK Electoral Commission site.  There used to be a page Securing the vote – detailed proposals for electoral change announced but it is now gone.

The only location where a copy could be found was in a document repository from The Guardian newspaper: http://image.guardian.co.uk/sys-files/Politics/documents/2005/05/20/eleccommission.pdf

The UK did extensive reporting on the 2007 pilots, the website was http://www.electoralcommission.org.uk/elections/pilots/May2007 but it is no longer online. There is a copy in the Internet Archive.

Although there is no longer an organising page on the Electoral Commission page, some of the reports from 2007 are still available from them, as well as being copied in the Internet Archive.

There are two considerations to highlight from the UK Electronic Voting Summary:

  • New voting methods should be rolled out only once their security and reliability have been fully tested and proven and they can command wide public confidence.
  • The necessary costs for secure and reliable systems must be able to be reasonably met by the public purse.

I will highlight only one item from the Technical Assessments of the e-voting Pilots, item 3.4.4 from Assessment of the pilot process – Quality management:

While there were variations between the different pilots, in all cases the quality and testing arrangements appeared to be inadequate. It is difficult to tell whether this was purely because of lack of time, or whether some of the suppliers were not used to implementing effective quality processes. Significant quality management failings include:
a. Lack of detailed design documentation;
b. Lack of evidence of design or code reviews or other mechanisms for ensuring that the solutions operate correctly and do not include deliberate or accidental security flaws;
c. Lack of evidence of effective configuration management.

This kind of haphazard voting software development has been shockingly common, e.g. for US voting machines as well.

Note: The preceding is extracted from previous blog post Province of Ontario Internet voting.

UPDATE 2019-07-08: Just to bring all the pieces of the puzzle together, I will also point to a 2008 news release – Official report on internet voting pilot at Rushmoor elections published.

Other key findings in the report are that:

  • there was no impact on turnout, which actually decreased very slightly from 36 percent in 2006 to 35.2 per cent at these elections;
  • most internet voters (70 per cent) said they would have voted anyway;

computer vote counting is a radically different trust model

Computer vote counting is a radically different trust model than a hand-counted election.

Instead of a vote counted in public by known individuals, with observers, you have a third-party for-profit vendor counting the vote in private, with testing by the election authority, but no meaningful observation.

If an elections authority proposed to pay a vendor’s employee to count votes in private, even with a complete background check of the employee, I have the feeling that not many people would go for it.

But in what is essentially the same scenario, except with the employee replaced with a “machine”, people don’t seem to have a problem.

I thought about why this might be the case, and it seems to one primary and one secondary thing.  Primary is the idea that a person has unlimited freedom of action, but a “machine” does not.  Secondary is the confusion that because the vote tabulator itself is in public, somehow the vote count is still “in public”, even though it’s taking place inside the literal black box of the tabulator.

This is I guess a 20th Century collision with 21st Century realities.  If you have an assembly line with a machine that makes pins, if you turn your back, it won’t suddenly decide to secretly make hammers.  Because the vote tabulator looks like some sort of machine, and is described usually as either “electronic” or “machine”, people think it is a single-function device.  But it’s actually a general purpose computer.  Which means that not only does it have a wide range of freedom of action, just like a human being, it can lie to you about what it is doing, just like a human being.

It would be interesting to see a polling station set up with a giant human-sized black box that the ballots go into to be counted, and see how people reacted to that.  Because there really is no difference between that and the computer vote tabulator.  Basically you’ve taken a very limited trust in known people you can watch in public, and changed it to a very extensive trust in unknown vendor employees and in the elections organisation itself operating in private.

If you have a very complicated count and very high expectations of a fast count, then there is some justification in using a vote counting computer, as long as you don’t trust the computer.  You have to audit the paper, not the computer.  You can test the computer as much as you want, it can always lie.  This is exactly what happened in the Volkswagen diesel emissions scandal, where the car’s computer could detect when it was being tested and would change its behaviour accordingly.  So when you use a computer to count paper, you have to audit the paper with a manual count (a risk-limiting audit).  Unfortunately as far as I know, no Canadian jurisdiction follows a computer ballot count with a risk-limiting audit.

In any case, Canadian federal and provincial elections are trivial to count.  You literally just sort the ballots into a few piles.  And because the count is simple it is also fast.

The Ontario provincial switch to vote counting computers is wrapped with PR about technology, but it’s actually about staffing.  (The underlying concept is literally called "Proposal for a technology-enabled staffing model for Ontario Provincial Elections".)  Basically it’s hard to get people to staff elections now, and they’re tired by the end of the day which means they are sometimes not in the best shape to do a bunch of precise counting.  There are many many ways to address elections staffing.  For example, you could simply bring in people, e.g. High School students, to do the count at the end of the day.

Addressing a staffing problem by completely changing the counting trust model wouldn’t have been my choice.  And I would assert that the only reason it’s even possible is because people don’t realise the trust model has been radically changed.

In any case, online voting is a much much worse problem that vote counting computers, so this is about all I have to say about the vote tabulators issue.

Previously:
May 11, 2018  2018 Ontario Provincial Election to use vote counting computers