
NWT Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election

The Legislative Assembly of the Northwest Territories will hold a public briefing on the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday June 30, 2020 at noon Eastern time.  This report is significant because this was the first Canadian general election in which online voting was permitted at a provincial or territorial level.

The Standing Committee on Rules and Procedure, …, will hold a public briefing regarding the Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election on Tuesday, June 30, [2020] at 10:00 AM MDT [noon Eastern time]. Dr. Aleksander Essex will be in attendance.

To watch the meeting, tune in to the live stream on ntassembly.ca, or on the Legislative Assembly’s Facebook, Youtube, or Twitter accounts.

They identify five election technology systems:

  1. Elections NWT website hosted by GNWT
  2. Electorhood website hosted by ColdFront Labs (was electorhood . ca, but website is now gone)
  3. Elections NWT Learning Management System (LMS) hosted by Kellett Communications
  4. Elections NWT Elections Management System (EMS) hosted by DataFix
  5. Online Voting Platform hosted by Simply Voting

In case this terminology isn’t clear, the online voting was procured from the third-party, for-profit company Simply Voting, which ran the entire online voting system.  The code is proprietary and has not been made available for independent analysis.  This model of handing over the entire operation of online voting to a private for-profit company is the one used in all Canadian online voting to date.

I will quote part of the Security section of the report:

To ensure the security and integrity of all Elections NWT online environments, and the election process as a whole, a security assessment was conducted on all five of Elections NWT online Platforms.

An agreement was made with Hitachi Systems Security to perform a Web Application Assessment and Penetration Test of the Elections NWT online systems.

This is a routine measure to secure an ordinary web server used for government services.  It treats online voting as if it is any other web-based government service.  But online voting has a uniquely higher level of risk and may attract sophisticated attackers, who will do a lot more than a vulnerability scan in order to compromise a system.

The Hitachi Systems Security report has not been made public, even though there is no security in obscurity.

Overall, the Election Technology section of the report does not propose any threat model.  Without a threat model, there is no way to determine what assessments should be used.

The most basic possible online voting model must include:

  • the client
  • the network
  • the online voting server
  • the code running on the online voting server

Security – The Client

The client (the voter casting the vote) is a huge security gap that is simply not considered in most online voting security analysis conducted by governments.  Votes are cast from personal computers and smartphones, devices that are notoriously insecure and often not updated with operating system and software application patches for known vulnerabilities.  Where is the vulnerability scan and assessment for every single voter?

In the absence of client security, there are a wide variety of possible attacks, including software that watches for voting activity and alters the votes cast.  If this sounds theoretical, this is exactly what banking trojan software does.  F5 identifies over a dozen different major named banking trojans; it’s not an uncommon type of attack.  In another type of attack, realistic-looking false websites are set up to direct voters to fake voting websites or applications for a variety of malicious purposes.  If this sounds theoretical, it’s exactly what some ransomware attackers did when a Canadian COVID-19 contact tracing application was announced.

If you want an analogy, considering online voting secure if the server and network were somehow secure, but without client security, is like having thousands of dollars visible in the front window of your unlocked house, but then transporting it by armored car to a bank vault.  Where do you think a thief is going to target their attack?

But of course the network and the server aren’t secure.

Security – The Network

From the client’s router through to the core network hardware, there are continuous vulnerabilities in networks.  How continuous?  Well here are three different network vulnerabilities from just the past week:

Security – The Server

There are very sophisticated attackers that target specific government activities.  You don’t have to believe me.  You can read e.g. the Canadian Centre for Cyber Security Cyber threats to Canadian health organizations (AL20-008 – Update 1).  The counter-argument to that is usually “why would anyone attack my election?”  But that is no counter-argument.  To quote the Centre for Cyber Security:

Sophisticated threat actors may choose to target Canadian organizations

There’s nothing about elections that would prevent them from being targeted; if anything they are potentially a very attractive target for many reasons.

Patching the kind of routine web vulnerabilities a penetration test is going to find is a necessary measure but almost meaningless against sophisticated attackers who can exploit much more challenging and obscure vulnerabilities using entire teams of people trained in compromising computer systems.

In addition to this, Canada has no mechanism whatsoever for inspecting the actual code that the third-party vendors are running on their servers.  Even if somehow the entire chain of client through network to server were secure, the online voting code itself could have bugs.

Look to Switzerland

We need much stronger security assessment of Canadian online voting, including independent security analysis with access to the actual online voting code.  Switzerland has been a world leader in putting in place the legislative framework for this kind of inspection, as I outline in my blog post

Swiss voting technology law sets the standard, in theory

and finding even that inadequate, Switzerland has now surveyed international experts for guidance on how to further enhance the legislative framework for examining the security of online voting systems.  And notably Switzerland has paused all online voting until they can get a system that passes that assessment.

Security – Summary

It is good that the Northwest Territories conducted penetration testing:

All tested applications showed good resilience against known Web attacks and were not vulnerable to any injection flows, privileged escalation, broken access controls or sensitive data exposure.

Many Canadian municipalities procuring online voting don’t conduct even this most basic security measure.

However, this level of basic web server security is wildly inadequate for online voting.  The threat actors are much more sophisticated, the level of risk is much higher, and the integrity of the system requires the entire voting process to be secure, end-to-end.  Canada needs to examine online voting security using a threat model that includes every step actually involved, including the client, the network, and the online voting code.  Collaboration with Canada’s Centre for Cyber Security and developing much more extensive independent assessment criteria based on the Swiss model would be a starting point.

The Actual Online Voting Numbers and Countries

Online voting was made available for absentee voting only.  489 ballots were cast, making this voting channel 3.7% of all ballots cast.

In the table “Absentee Poll Electronic Ballot Turnout by Country” the report indicates that ballots were cast from Canada (459 ballots), the US, France, Philippines, Denmark, Serbia, Spain, Japan, Norway, New Zealand, Zambia, Switzerland, Italy, Mexico, Morocco, and Germany.

Keep in mind how much additional, uncontrolled, non-Canadian Internet infrastructure some of these online voting interactions had to traverse.

Analysis of Recommendations for Legislative Changes

Many of the recommendations are about clearly separating voting by mail from voting online.

43 Powers of the Chief Electoral Officer – Create – report page 94

The Chief Electoral Officer may establish procedures in respect of voting by online ballot.

This would effectively make online voting a permanent option for Territorial elections, with basically no parameters around what the procedures should be.

If we are to have online voting (and to be clear, I don’t think we should), this lack of requirements and standards is a huge gap that could be addressed with a Swiss model that is much more prescriptive about assessing online voting.

45 Security of the Ballot Box – Section 153 (2) – Create – report page 95

The Chief Electoral Officer shall take precautions to ensure the safekeeping and security of the ballot box and ballots used for voting by online ballot.
S.N.W.T. 2010,c.15,s.17; S.N.W.T. 2014, c.19,s.20, 21.

As above, this is better than nothing, but far from the level of prescriptive requirements that would be needed, starting with an actual threat model including every step and participant in online voting, and advancing with Canadian Centre for Cyber Security guidance to a model much more like Switzerland where there is outside independent assessment by experts.

Just compare the level of requirements actually needed with the current model, which is a routine web server penetration test, with results in a secret report not provided to the public, and no assessment whatsoever of the vendor’s secret computer code that actually runs the online voting.

How can we have trust in an election where the security measures are a secret assessment of only the web servers, an assessment that didn’t even include looking at the actual computer code?

There is more in the recommendations but quite frankly I’m out of time.

Next Election

The next Territorial General Election is expected on October 2nd, 2023.

The Chief Electoral Officer’s Report on the Administration of the 2019 Territorial General Election is also available from the Elections NWT website (PDF).

Previously:
May 21, 2019  Questions about online absentee voting in the NWT

Internet Voting Privacy and Security Risks report from OIPC Newfoundland

The Newfoundland and Labrador Office of the Information and Privacy Commissioner (OIPC) has released a very clear report that explains the unique characteristics of the secret ballot and elections, and examines the risks that would be introduced by implementing Internet voting.

Internet Voting – Privacy and Security Risks (PDF)

It also asks a very fundamental question: what problem is Internet voting trying to solve?

In reviewing reports and public documentation from Canadian jurisdictions where internet voting has been implemented it appears that there has been little to no concerted effort on the part of governments, prior to implementing internet voting, to 1) identify the problem to be addressed and 2) understand what has caused the problem.

In the case of internet voting, it is not even clear that there is a problem [that is being solved]. If the problem can be framed as lack of participation in the democratic process, this is a much broader problem than the method of voting.

The report was authored by Sean Murray, Director of Research and Quality Assurance.

The report is particularly timely as Newfoundland and Labrador has established a Select Committee on Democratic Reform that is to review voting systems and methods.

For more on OIPC Newfoundland and Labrador, see:

Internet voting in Switzerland

There is currently no Internet voting in Switzerland, primarily due to security issues.

It’s complicated to write about Internet voting in Switzerland for several reasons:

  • Switzerland has a political structure of cantons; voting is done by canton, with different systems in each canton
  • Switzerland does not have a history of voting privacy; historically and in a few locations even today voting is done by a public show of hands
  • Switzerland has many votes throughout the year on what are basically referenda
  • Switzerland has a good, but quite complex, set of regulations around Internet voting

Internet voting has been an option in some cantons.  I believe testing began in 2004.  Because of the Swiss Internet voting regulations, as best I understand, the maximum percentage that can vote online is 30%.  (More than 30% voting online triggers additional requirements.)

The 30% figure is a bit misleading however.  Because only some cantons participated in online voting trials, it was open to just 3.8% of the overall electorate in September 2018 (and now is not available at all).1

1 Source – Slides “Trust in e-voting” (PDF, 1 MB, 07.02.2019), from Federal Chancellery FCh > E-Voting

As indicated above, the absolute number of voters was always relatively small.  In my own analysis of reports available online, I find that under 5% of the eligible voters vote online, representing 200,000 or fewer votes per voting period.  (My understanding is that voters have to register in advance to vote online; it’s not clear to me whether the numbers in these reports are just the number of registrations, or the actual number of ballots cast online.)

The map below summarizes the online voting testing that has been done by cantons, as well as making it clear that there is currently no online voting at all (in French « Pour l’instant, il n’est pas possible de voter par voie électronique en Suisse », roughly translated “For the moment, it is not possible to vote online in Switzerland”).

Switzerland – Electronic voting trials in federal votes (La Suisse – Essais de vote électronique dans le cadre de scrutins fédéraux)

Above map from Chancellerie fédérale ChF > Vote électronique.

Turnout

Research indicates that turnout did not increase; specifically, youth turnout didn’t increase.2

2 Internet voting and turnout: Evidence from Switzerland, by Micha Germann and Uwe Serdült in Electoral Studies, Volume 47, June 2017, Pages 1-12. https://doi.org/10.1016/j.electstud.2017.03.001

Background on Geneva and Swiss Post

Geneva developed two systems, CHvote 1 and CHvote 2.  As best I can understand, CHvote 1 has been suspended, and there’s no money to further develop CHvote 2 to the level it would need to reach.

Swiss Post developed two systems, including a new one with a third-party for-profit private vendor.  The old system is being discontinued.  As required by Swiss law, the new system was put to a public intrusion test (with restrictive conditions) and the source code was made available (with restrictive conditions).

Swiss Post makes a remarkable claim about the new system.

The new system with universal verifiability was subject to a public intrusion test (PIT) in spring 2019. During the test, it withstood attacks from over 3,000 international hackers.

This is at best misleading.

The conditions on both the general testing and the availability of source code were restrictive.

There was not in any sense either unrestricted public testing or unrestricted publicly available open source code.

And, through access to the source code outside of the restrictive agreement, three serious flaws in the system were found.

You can read e.g. Researchers Find Critical Backdoor in Swiss Online Voting System by Kim Zetter.

Three reports are available about the Swiss Post system from the Swiss government site, two in English and one in German.

    • Final report Locher, Haenni and Koenig (English) – (PDF, 1 MB, 29.07.2019) – Members of the e-voting research group at the Bern University of Applied Sciences BFH (Philipp Locher, Rolf Haenni, Reto E. Koenig): analysis of the cryptographic implementation of the Swiss Post voting protocol
    • Final report Teague and Pereira (English) – (PDF, 731 kB, 29.07.2019) – Vanessa Teague (The University of Melbourne, Parkville, Australia) and Olivier Pereira (Université catholique de Louvain, Belgium): analysis of the cryptographic protocol and its implementation according to the system specification
    • Final report Oneconsult (German) – (PDF, 303 kB, 29.07.2019) – Oneconsult: Review of Swiss Post’s operational security measures

Estonian Parliamentary Elections 2019 – ODIHR Election Expert Team Final Report – Internet Voting

The Office for Democratic Institutions and Human Rights (ODIHR) is a division of the Organization for Security and Co-operation in Europe.  The ODIHR has produced a report on the 3 March 2019 Estonian Parliamentary Elections.

ODIHR Election Expert Team Final Report – Estonia – Parliamentary Elections 3 March 2019 (PDF)

The ODIHR reviews a wide range of election conduct against international standards.  I will only extract selected parts of their report from section VII. Internet voting.  Numerous issues were identified.

In extracts below, EET = Election Expert Team and SEO = Estonian State Electoral Office.

Internal Attacks

the detection and prevention of internal attacks has been largely omitted. A review of operational and technical frameworks by the ODIHR EET indicates that an internal attacker with privileged access to digital ballots could break the vote secrecy of any voter who published an image of the QR code online, even after the expiry of the code’s validity. This contradicts national legislation and international standards pertaining to vote secrecy.21

RECOMMENDATION: The SEO could develop strategies to mitigate the risk of internal attacks, conduct third-party risk assessments, and publish any findings and audit reports well ahead of the next elections.

21 See Article 1(2) of the Election Act. Paragraph 7.4 of the OSCE Copenhagen Document requires that votes are cast by secret ballot or by equivalent free voting procedure. Paragraph 19 of the Council of Europe Committee of Ministers Recommendation CM/Rec(2017)5 on standards for e-voting requires that “E-voting shall be organized in such a way as to ensure that the secrecy of the vote is respected at all stages of the voting procedure”.

above from page 8 of the report

Software Errors May Cause Election Errors

The Internet voting system is not software independent, meaning that software errors in its components, such as the key generation system or the processor, may cause undetected errors in the election results. Considering publicly available records the system has undergone quality control activities but, contrary to international good practice, no reports were published on the SEO’s website, while updates to the source code were made as recently as three days before election day and well after Internet voting commenced.22

In addition, a limited source code review of the system by the ODIHR EET indicated issues regarding the treatment of concurrency, error handling, and error reporting.

RECOMMENDATION: The SEO could integrate quality assurance activities into the maintenance schedule of the voting solution and publish the security rationale and all quality assurance results, including design review, security analysis, and penetration testing results.

22 Paragraph 42 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “Before any e-election takes place, the electoral management body shall satisfy itself that the e-voting system is genuine and operates correctly.”

above from page 8 of report

External Auditors Did Not Audit All Operations

A team of external auditors was dispatched to assist the SEO with establishing vote secrecy during the computation of preliminary Internet voting results and the integrity of final Internet voting results by verifying the correctness of the cryptographic shuffle and decryption proofs. The team did not audit other critical operations, most notably the correct transmission of the final aggregation of the decrypted Internet votes.23

RECOMMENDATION: The SEO could strengthen its auditing process by developing a complete strategy and requiring auditors to implement critical auditing tools independently and from scratch.

23 Software independence requires that other operations are also independently audited, such as digital signature checking of all e-votes, removal of all duplicate and other ineligible votes from the digital ballot box, revocation, and anonymization. Paragraph 39 of the Recommendation CM/Rec(2017)5 on standards for e-voting states that “the audit system shall be open and comprehensive, and actively report on potential issues and threats.”

above from page 9

Technical Specifications Need Improvement

some key properties are not precisely formulated and left open to interpretation by the SEO and the vendor tasked to implement the Internet voting system, including minimal acceptable levels of cryptographic strength, and accountability and verifiability requirements. This may negatively impact the system’s overall performance and future innovation. The specifications also lack information about timelines and milestones for software development and deployment, and quality assurance.25

RECOMMENDATION: The technological specifications accompanying the legal framework could define acceptable voting systems in more general terms, but include additional requirements related to cryptographic strength, quality assurance, software development and deployment, as well as accountability and verifiability.

25 The Supreme Court considered two post-election appeals against NEC decisions related to Internet voting. While appeals were rejected, the Court recognized the need for more clear procedures and called for a legal clarification of rules on the implementation of Internet voting, in particular regarding counting and mixing of electronic ballots.

above from page 9